Suggestion for more guidance/warning on need to secure logs, if support for GET and POST are required for search conformance. - N-Infra #237


    • Type: Change Request
    • Resolution: Persuasive
    • Priority: Medium
    • FHIR Core (FHIR)
    • STU3
    • FHIR Infrastructure
    • REST (http)
    • 3.1.0.9
    • Repeat as requested.
    • Rick Geimer/Bryn Rhodes: 7-0-0
    • Enhancement
    • Compatible, substantive
    • STU3

      Existing Wording: Because of the way that some user agents and proxies treat GET and POST requests, in addition to the get based search method above, servers that support search SHALL also support a POST based search

      Comment:

      As both GET and POST support are required for conformance, this seems like a good place to identify the possibility of sensitive content and PHI in the GET request parameters. While the link to the Security-Communications page appears on the search.html page, it should also be reiterated in this section. Implementers should not have to dig to be made aware of the need to secure client and server logs outside of the TLS communication endpoints, particularly if support of GET is a conformance requirement.

      Summary:

      Suggestion for more guidance/warning on need to secure logs, if support for GET and POST are required for search conformance.

            Assignee:
            Unassigned
            Reporter:
            Ken Sinn
            Watchers:
            3

              Created:
              Updated:
              Resolved:
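An added illustration of the logging concern raised in this request (not part of the tracker item or of the FHIR specification): a Python filter that redacts search parameter values from the request line of access-log entries and reports which lines still expose them. The common log format, the `/fhir` base path, the function names and the sample lines are assumptions constructed for the example; only the request line is handled, not Referer or other fields.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Quoted request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target: str) -> str:
    """Keep the path and parameter names, replace every parameter value."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not pairs:
        # Query string present but unparseable: drop it entirely.
        return urlunsplit(("", "", parts.path, "REDACTED", ""))
    # safe=":." keeps FHIR modifiers and chained names (name:exact) readable.
    query = urlencode([(name, "REDACTED") for name, _ in pairs], safe=":.")
    return urlunsplit(("", "", parts.path, query, ""))

def redact_line(line: str) -> str:
    """Rewrite one log line so the request target carries no search values."""
    return REQUEST_RE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"',
        line,
    )

def exposed_lines(lines):
    """1-based numbers of lines whose request line still holds search values."""
    return [n for n, line in enumerate(lines, 1) if redact_line(line) != line]

# Constructed sample entries (documentation IP range, made-up patient data).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /fhir/Patient?family=Example&birthdate=1970-01-01 HTTP/1.1" 200 512',
    # POST-based search sends its parameters in the form body, so the
    # request line written to the access log shows none of them.
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /fhir/Patient/_search HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /fhir/metadata HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("lines exposing search values:", exposed_lines(SAMPLE))
    for entry in SAMPLE:
        print(redact_line(entry))
```

The same check can be run over existing client, proxy and server logs to find entries that need restricted access or scrubbing.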