Comment:

Should add the following to the "privacy" section: Note that privacy considerations apply to Person, Practitioner and RelatedPerson records in addition to Patient's.

While Organization, Location, Device and other non-person-identifying records are generally subject to less stringent security precautions, such data must still be protected to avoid safety issues (e.g. someone maliciously changing the ingredients associated with a drug to cause/fail to cause alerts)

Devices can be linked to Patients. If this occurs, they must be protected as any other patient-linked element

Summary:

Beef up privacy section