The security sections notes the use of SMART-on-FHIR and OAuth2.0 standards, but it's not clear how these standards apply to the use case detailed in Section 2.2 for information exchange between Healthcare Setting A and B (step 3). Is this expected to be a SMART-on-FHIR mediated exchange? Or could this be a "push" of data to Setting B or a FHIR query made by Setting B to Setting A's FHIR APIs? Please clarify any security considerations for these types of exchanges (if they are applicable)