Stream: smart
Topic: Consent for selective scope by patient user for CuresAct
Sagar Shah (Dec 08 2020 at 20:44):
Is there a mandate as per CuresAct rule to allow patient users to selectively provide consent for certain scopes (and not all) during authorization? If so, has anyone implemented it using Keycloak as OIDC server with custom consent screens?
Robert Scanlon (Dec 09 2020 at 20:01):
I'm not sure if this is what you are referring to, but ONC's Standardized API criteria does include guidance stating that systems must grant patients the ability to select subsets of scopes in order to meet the certification criteria:
As part of the “permission-patient” “SMART on FHIR Core Capability” in § 170.215(a)(3), Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their electronic health information (EHI) based on FHIR resource-level scopes. Specifically, this means patients would need to have the ability to authorize access to their EHI at the individual FHIR resource level, from one specific FHIR resource (e.g., “Immunization”) up to all FHIR resources necessary to implement the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2).
Although Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their EHI based on FHIR resource-level scopes, Health IT Modules are not prohibited from presenting authorization scopes in a more user-friendly format (e.g. grouping resources under categories, renaming the scopes for easier comprehension by the end-user, using more granular scopes), as long as the ability for patients to authorize applications based on resource-level scopes is available, if requested by the patient.
Sagar Shah (Dec 09 2020 at 20:39):
Thanks @Robert Scanlon - Yes, that's what I was referring to. I was also willing to find if anyone has implemented such a capability using Keycloak.
Venu Gopal (Dec 09 2020 at 20:57):
@Sagar Shah just asking, I think you were part of this meet. Did this not answer the question? I'm asking as I want to use this as a base for my use case, although not in the context of the US.
Sagar Shah (Dec 09 2020 at 21:16):
Hi @Venu Gopal - We did not have enough time to cover these aspects of Keycloak. We mainly covered SMART on FHIR (patient selection) need and launch parameters and some criteria about refresh token in that 1 hour meet.
Sagar Shah (Dec 09 2020 at 21:17):
I've checked for the same in Keycloak Discourse as well, but as usual, no replies or recommendations I have found so far - https://keycloak.discourse.group/t/consent-management-with-selective-scope-authorization/6337
Last updated: Apr 12 2022 at 19:14 UTC