- Type: Change Request
- Resolution: Persuasive
- Priority: Medium
- US Da Vinci CDex (FHIR)
- Financial Mgmt
- (many)
- Entire IG
- Bob Dieterle / Laura Herrmann : 15-0-0
- Enhancement
- Compatible, substantive
Existing Wording: No wording exists.
Proposed Wording: Include privacy and security implications for each use case. Provide IG interaction-specific guidance on use of security labels for access control, indications of contexts in which privacy consent directives may be needed or must be enforced, and do more than point at SMART on FHIR, as it is not yet able to support the previous requirements.
Comment:
No discussion about privacy and security anywhere that I could find in the entire IG despite use cases with questionable compliance with HIPAA limitations on the ability of payers to access or providers to disclose treatment PHI to facilitate payer business requirements under HIPAA operations. No indication that compliance with or enforcement of HIPAA and additionally protective privacy laws is to be supported using HL7 and other standards, including security labels on C-CDA and FHIR Resources, access control standards such as SMART on FHIR and XSPA SAML for patient's rights to restrict disclosure to payers, prohibitions on redisclosure, limitations on purposes of use, tracking audit events, provenances and accounting of disclosures. Among all of the DaVinci IGs, this is the least supportive of privacy/security by design.
Summary:
No discussion about privacy and security anywhere that I could find in the entire IG
- is voted on by
- BALLOT-9535 Negative - Kenneth Rubin : 2019-Sep-FHIR IG CDex R1
- Balloted