This page is part of the Hybrid / Intermediary Exchange (v1.0.0: STU1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions
Note: This section contains conformance requirements, noted with “SHALL”, “SHOULD” and “MAY”.
The Pass-Through Security approach defines the interaction between the initiator and the destination, with minimal involvement of the intermediary. As described below, it supports this implementation guide’s passive intermediary model. It may also be suitable for other models where the intermediary plays a more active role in serving or modifying the returned content.
Communication security SHALL conform with the guidelines stated in FHIR Security.
When using TLS:
In this exchange model, trust is negotiated or established solely between the originator and destination. The destination SHALL determine whether it trusts the originator or not; any intermediaries involved in the exchange SHALL play a passive, “pass through” role in the process.
Required behavior:
Implementers MAY adopt UDAP workflows for client registration, authentication and authorization as described in the HL7 / UDAP Security for Scalable Registration, Authentication, and Authorization FHIR Implementation Guide
Implementers of this guide SHOULD follow core FHIR security principles and protect patient privacy as described in the FHIR Security and Privacy Module which:
The FHIR security specification is available here.