Existing Wording: Payers SHALL require the DTR application to authenticate in order to retrieve resources when PHI is exchanged. In the case that authentication is required, the following JSON structure SHALL be populated by the payer system. This JSON is based on the structure for FHIR Authorization in CDS Hooks.

Comment:

Perhaps I'm simply not imagining the intent of the IG author. I don't understand how the DTR app is intended to authenticate to the payer system. The DTR app is launched from a card, or an EHR launch from the EHR. Exactly when does the payer provide this json object containing an access token to its own FHIR server? Please don't let the answer be the appContext field. Note that since the first ballot, you've changed this page to be inconsistent with itself. Has this critically important flow actually been implemented?

Summary:

Has this critically important part of the spec actually been implemented? I don't see how it would work….