FHIR Chat · Asking patients for consent · smart

Stream: smart

Topic: Asking patients for consent


Sagar Shah (Jan 12 2021 at 17:00):

What's the best way to ask patients for consent for following scopes on login? But first question before that, is it required as per SMART or as per ONC rule? Or can it be given implicitly?

  • openid
  • fhirUser
  • launch/patient

As I understand, these scopes are technical in nature and are kind of hard to put in a way that non-technical people may understand.
Any suggestions here!

John Moehrke (Jan 12 2021 at 17:22):

consent tends to be handled at a different level than at OAuth... not everywhere, just a tendency.

Often Consent is handled within the Resource Server and is not exposed at the OAuth level. See the Consent resource.

There is an OAuth solution that did focus on Consent -- UMA HEART -- this would be orchestrated as a cascaded OAuth along with SMART. So you would have SMART deal with app authorization and user authorization, and HEART dealing with consent authorization.

John Moehrke (Jan 12 2021 at 17:23):

See the Security and Privacy pages in the FHIR specification http://hl7.org/fhir/secpriv-module.html

Josh Mandel (Jan 12 2021 at 17:23):

I'm hearing this as a question about best practices and requirements for implementing SMART App Launch

Josh Mandel (Jan 12 2021 at 17:24):

For patient apps, you definitely want to make sure there is an explicit approval step where a patient allows access before you proceed.

Michele Mottini (Jan 12 2021 at 17:26):

...but you do not have to ask explicit approval for specific scopes like openid - some generic statement is OK

Josh Mandel (Jan 12 2021 at 17:26):

The descriptions for these scopes that you listed above are basically "allow the app to know who you are and see your contact details" (fhirUser + openid scopes) and "allow the app to have access to the patient record you have selected" (launch/patient scope -- though usually this is used in conjunction with specific patient data access scopes like patient/Immunization.read, so it is easier to explain these together, like "allow the app to see which patient you have selected and see immunizations for this patient").

Josh Mandel (Jan 12 2021 at 17:26):

Agreed @Michele Mottini -- hopefully this aligns with the paragraph I was typing above :-)

Josh Mandel (Jan 12 2021 at 17:27):

(Part of what we are recommending in our updated guidance for SMART is that server authors should publish more details about the kinds of explanatory language they use for these approvals, so that it's easier for developers to get a sense of common practices.)

Josh Mandel (Jan 12 2021 at 17:27):

(In the meantime, I would definitely recommend registering with some of the EHR vendor sandboxes and having a look at the approval screens they render.)

Sagar Shah (Jan 12 2021 at 20:39):

Appreciate the clarifications on this here!


Last updated: Apr 12 2022 at 19:14 UTC