Existing Wording: As a result, queries seeking the status of the prior authorization response may come from multiple systems. Servers SHALL permit access to the prior authorization response to systems other than the original submitter. They SHALL require a match on both patient coverage id (identifier on the Claim.patient) and prior authorization id (Claim.identifier) to ensure access is only granted to individuals who know both - and thus have demonstrated a need to know.[...] if the authorizationresponseid submitted is not the 'current' authorization response identifier (because subsequent additions/changes/cancellations have been made to the prior authorization request), the returned record SHALL be the 'current' authorization response - even though it no longer has the same identifier. I.e. If a search is for a 'replaced' prior authorization, the search result SHALL include the 'current' prior authorization response for the most recent replacing prior authorization request.

Comment:

While the first section quoted in cell 10N is privacy protective because it requires PA response requesters other than the original submitter to include both the patient coverage id and the PA id to ensure "a need to know", the second section quoted in 10N indicates that a PA response requester other than the original submitter would still get access even if their "need to know" may have changed. E.g., a care team member may leave the team and should no long have access to the PA responses. Conclusion is that just knowing the original PA id and the patient coverage id is not sufficient access control for subsequent queries.

Summary:

Knowing the original PA id and the patient coverage id is not sufficient access control for subsequent queries.