FHIR Chat · Smart Scope - patient/*.read - Consent Screen · smart

Stream: smart

Topic: Smart Scope - patient/*.read - Consent Screen


Vishak OS (Apr 01 2019 at 16:17):

Hi,

I have a question regarding the SMART scope patient/*.read. When this scope is present, is it mandatory that the user be shown the individual implemented resources, like Medication and Observation, in the consent screen, or a text saying that the application is trying to access your medical information?

Josh Mandel (Apr 12 2019 at 20:18):

The information displayed on an approval screen isn't mandated by the specification -- but obviously there's a responsibility on the part of whoever's hosting this authorization screen to correctly and clearly communicate this to a patient. For a scope like "patient/*.read" this might not list each individual resource type; it might give examples and explain the categories (as well as the fact that new data could be shared in the future).

Yunwei Wang (Apr 14 2019 at 20:48):

Is there any "real" EHR server that allows patient/*.read?

John Moehrke (Apr 15 2019 at 14:23):

What are you considering to be a problem, @Yunwei Wang?

Yunwei Wang (Apr 15 2019 at 15:21):

I know Cerner does NOT allow *.read. The app has to explicitly list the resources it needs, like Patient/Condition.read, Patient/Observation.read. I assume Epic has the same requirement (need to double check). I am wondering what the implementation is from other EHR vendors. I think that *.read and *.write pose a security and liability problem for both server and client.

Michael Donnelly (Apr 26 2019 at 17:15):

You're correct, @Yunwei Wang.

Josh Mandel (May 02 2019 at 03:10):

Epic does support patient/*.read in the sense that a client can ask for it, and can complete the authorization process.

Josh Mandel (May 02 2019 at 03:10):

In practice I think it's ignored (as all scopes requested over the wire at launch time are ignored) in favor of pre-configured scopes from app-creation time.

Josh Mandel (May 02 2019 at 03:11):

Cerner is the only EHR I know that blows up when a client tries to request "patient/*.read" (and Kevin and I have had a few hours of intense discussion about this ;-))

Josh Mandel (May 02 2019 at 03:11):

EHRs that work include Epic, ECW, Allscripts, GE, NextGen

Michael Donnelly (May 03 2019 at 02:52):

> In practice I think it's ignored (as all scopes requested over the wire at launch time are ignored) in favor of pre-configured scopes from app-creation time.

That's true.


Last updated: Apr 12 2022 at 19:14 UTC