Isn't the Token duration only a concern for authorizing sending the CommunicationRequest? - PCDE #89


    • Type: Change Request
    • Resolution: Persuasive
    • Priority: Medium
    • US Da Vinci PCDE (FHIR)
    • STU3
    • Financial Mgmt
    • (profiles) [deprecated]
    • 4.2.3.2

      This is correct.  The only permission the Patient is in fact giving is the ability to POST a CommunicationRequest.  The data within the original payer's system that gets assembled does not require any authorization (the old payer always has authorization to assemble their own data).  The old payer may limit what data is disclosed based on their own business rules and (potentially) previously communicated patient preferences, but OAuth doesn't (and can't) come into play here.  When the new payer subsequently retrieves the document (whether by polling or by querying after a subscription notification), that access will not rely on the patient's authorization token.

      We will remove the language relating to keeping the token active from the specification.

    • Mark Scrimshire / Mary Kay McDaniel: 17-0-2
    • Clarification
    • Compatible, substantive

      Existing Wording: In many cases, the Coverage Transition document either won't already exist or won't be up-to-date and some degree of manual work will be required by payer staff to gather content, organize it and provide the appropriate document narrative. This may take hours or even a few days. The duration of the authorization token SHALL therefore take this into account and allow sufficient time that the authorized access will not expire prior to the document being delivered. (Allowance should also be made for a delay of 1-2 days in retrieval by the target system in the event of a planned or unplanned system outage.)

      Comment:

      Isn't the Token duration only a concern for authorizing sending the CommunicationRequest? What is the relevance for the Responding Payor sending the response?

      Summary:

      Isn't the Token duration only a concern for authorizing sending the CommunicationRequest?

            Assignee:
            Unassigned
            Reporter:
            Paul Knapp
            Watchers:
            4

              Created:
              Updated:
              Resolved: