FHIR Chat · Displaying scopes to a Patient · inferno

Stream: inferno

Topic: Displaying scopes to a Patient


Lakshmi Bhamidipati (Mar 31 2021 at 21:33):

Hello,
For a patient app, during the Auth process, is it required that the authorization server display the individual scopes (to check/uncheck) for a patient to allow/deny individual resource access? The only scope we are thinking of allowing a user to check/uncheck is offline_access (for refresh token). We will have the ability for a 3rd party app to specify scopes at the time of registration. However, from a user experience perspective, we were wondering if it is required to support the ability to allow a user to individually select/unselect resource scopes during the authentication/authorization process. Thanks.

Robert Scanlon (Apr 01 2021 at 02:30):

ONC requires the ability for patients to allow/deny individual resources, though you have wide latitude in what the authorization UI itself looks like. From the CCG:

  • As part of the “permission-patient” “SMART on FHIR Core Capability” in § 170.215(a)(3), Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their electronic health information (EHI) based on FHIR resource-level scopes. Specifically, this means patients would need to have the ability to authorize access to their EHI at the individual FHIR resource level, from one specific FHIR resource (e.g., “Immunization”) up to all FHIR resources necessary to implement the standard adopted in § 170.213 and implementation specification adopted in § 170.215(a)(2).
  • Although Health IT Modules presented for testing and certification must include the ability for patients to authorize an application to receive their EHI based on FHIR resource-level scopes, Health IT Modules are not prohibited from presenting authorization scopes in a more user-friendly format (e.g. grouping resources under categories, renaming the scopes for easier comprehension by the end-user, using more granular scopes), as long as the ability for patients to authorize applications based on resource-level scopes is available, if requested by the patient.

There has been discussion recently about the offline_access grant/deny 'requirement', which is unclear due to inconsistency between the rule language and the SMART specification. ONC is reviewing that now and may clarify if that is a requirement or not. But that is separate from the resource-level grant/deny requirement, which seems pretty clear.

Lakshmi Bhamidipati (Apr 01 2021 at 10:42):

Thanks @Robert Scanlon


Last updated: Apr 12 2022 at 19:14 UTC