This page is part of the PACIO Functional Status Implementation Guide (v1.0.0: STU 1) based on FHIR R4. This is the current published version in its permanent home (it will always be available at this URL). For a full list of available versions, see the Directory of published versions.
The FHIR specification includes a set of security considerations including security, privacy, and access control (see FHIR Security). These considerations apply to diverse use cases and provide general guidance for choosing among security specifications for particular use cases.
This Implementation Guide leverages the SMART on FHIR and OAuth 2.0 standards, which add authentication and authorization capabilities to FHIR. This architecture is intended to maximize the number of clinical systems that can conform to this guide and to allow system capabilities to grow and be extended easily in the future.
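The following is an added example of what the SMART on FHIR standalone launch looks like from the app side, using the OAuth 2.0 authorization code flow with PKCE; it is not code from this Implementation Guide or from the PACIO project. The FHIR base URL, client ID, redirect URI, and the `.well-known/smart-configuration` document are constructed placeholders so that the example runs offline; a real app fetches the configuration from the server and sends the authorization and token requests over HTTPS.

```python
"""SMART App Launch (standalone) with OAuth 2.0 authorization code + PKCE.

Added example for illustration; endpoints, client ID and the smart-configuration
document below are assumed placeholders, not values from the IG.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

FHIR_BASE = "https://ehr.example.org/fhir"              # assumed
CLIENT_ID = "example-functional-status-app"             # assumed public client
REDIRECT_URI = "https://app.example.org/callback"       # assumed
SCOPES = "openid fhirUser launch/patient patient/Observation.rs offline_access"

# Constructed stand-in for GET {FHIR_BASE}/.well-known/smart-configuration.
SMART_CONFIGURATION = json.dumps({
    "authorization_endpoint": "https://ehr.example.org/auth/authorize",
    "token_endpoint": "https://ehr.example.org/auth/token",
    "code_challenge_methods_supported": ["S256"],
    "capabilities": ["launch-standalone", "client-public",
                     "permission-patient", "permission-offline"],
})


def b64url(raw: bytes) -> str:
    """Base64url without padding, as required for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) with S256."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, high entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the authorization server checks at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(smart_config_json: str, state: str, code_challenge: str) -> str:
    """Build the authorize redirect; refuse servers that do not advertise S256."""
    cfg = json.loads(smart_config_json)
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256; refusing to launch")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "aud": FHIR_BASE,                 # binds the grant to this FHIR server
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(redirected_url: str, expected_state: str) -> str:
    """Extract the authorization code; reject error or state-mismatch callbacks."""
    q = parse_qs(urlparse(redirected_url).query)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard response (CSRF / mix-up)")
    return q["code"][0]


def build_token_request(smart_config_json: str, code: str, code_verifier: str) -> tuple[str, dict]:
    """Form body the app POSTs to the token endpoint (public client, no secret)."""
    cfg = json.loads(smart_config_json)
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": code_verifier}
    return cfg["token_endpoint"], body


def check_token_response(token_response_json: str, required_scopes: set[str]) -> dict:
    """Validate the token response before using the access token."""
    tok = json.loads(token_response_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    missing = required_scopes - set(tok.get("scope", "").split())
    if missing:
        raise PermissionError(f"scopes not granted: {sorted(missing)}")
    if "patient" not in tok:
        raise ValueError("no patient context in token response")
    return tok


def demo() -> dict:
    """Run the whole exchange against constructed server responses."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    authorize_url = build_authorize_url(SMART_CONFIGURATION, state, challenge)
    # Constructed redirect back from the authorization server.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'abc123', 'state': state})}"
    code = parse_callback(callback, state)
    token_endpoint, body = build_token_request(SMART_CONFIGURATION, code, verifier)
    # Constructed token response (the server would have checked verify_pkce first).
    token_response = json.dumps({"access_token": "opaque-token", "token_type": "Bearer",
                                 "expires_in": 3600, "scope": SCOPES, "patient": "123"})
    tok = check_token_response(token_response, {"patient/Observation.rs", "launch/patient"})
    return {"authorize_url": authorize_url, "code": code, "token_endpoint": token_endpoint,
            "pkce_ok": verify_pkce(body["code_verifier"], challenge), "patient": tok["patient"]}
```

The checks an app should not skip are the ones shown: refuse a server that does not advertise S256, compare `state` on the callback before touching the code, and confirm the granted `scope` and `patient` context in the token response rather than assuming what was requested was granted.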
The sharing of data with a patient-controlled third-party app is accomplished through the patient's HIPAA Right of Access, which allows the patient to use their data in any way they desire. As a result, the third-party app may be neither a HIPAA Covered Entity nor a Business Associate of one, and its use of the data, sensitive or otherwise, may therefore fall outside HIPAA controls.
The patient or authorized caregiver SHALL authenticate using credentials that have been issued, or recognized and accepted, by the provider. These are typically the credentials the provider issues for its patient portal or for a health information exchange network.