- Type: Change Request
- Resolution: Retracted
- Priority: Medium
- FHIR Core (FHIR)
- DSTU1 [deprecated]
- FHIR Infrastructure
- REST (http)
- 2.1.0.14
- Enhancement
Existing Wording: This interaction searches a set of resources based on some filter criteria. The interaction can be performed by several different HTTP commands.
GET [base]/[type]{?[parameters]{&_format=[mime-type]}}
This searches all resources of a particular type using the criteria represented in the parameters.
Because of the way that some user agents and proxies treat GET and POST requests, in addition to the get based search method above, servers that support search SHALL also support a POST based search: POST [base]/[type]/_search{?[parameters]{&_format=[mime-type]}}
Proposed Wording: This interaction searches a set of resources based on some filter criteria. Servers SHALL support search via a POST based search: POST [base]/[type]/_search or POST [base]/[type] and submit their search parameters via x-form-urlencoded values
Comment:
Searches on all resources have the potential to expose PHI and PII within the URL querystring - Patient search is one example, but most resources could potentially contain the protected information in their querystring. While this querystring is encrypted under HTTPS, the majority of web and proxy servers log the URL in unencrypted server logs that don't have the same data security processes that production healthcare databases employ. To avoid the risk, FHIR should support POST-based search via x-form-urlencoded queries.
- is voted on by
-
BALLOT-1680 Negative - Nell Lapres : 2015-May-FHIR R1
- Withdrawn
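The logging concern raised in the comment can be checked against a server's own access logs. The following is an added example, not part of the ticket or the FHIR specification: it flags search criteria that appear in a logged request line and rewrites a GET search into the `POST [base]/[type]/_search` form with the criteria in the body. The `/fhir` base path, the sample patient values, the log line layout (Common Log Format) and the `CONTROL_PARAMS` set are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: parameters that only shape the response and carry no patient data.
CONTROL_PARAMS = {"_format", "_count"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample search; the values are made up.
GET_TARGET = "/fhir/Patient?family=Example&birthdate=1970-01-01&_format=json"


def clf_line(method, target, status=200):
    """Build a constructed access-log line; a request body never appears in it."""
    return (f'192.0.2.10 - - [01/May/2015:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512')


def exposed_params(log_line):
    """Return names of search criteria visible in the logged request target."""
    match = CLF_REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name not in CONTROL_PARAMS]


def to_post_search(get_target):
    """Rewrite a GET search as POST .../_search with the criteria in the body."""
    parts = urlsplit(get_target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    control = [(k, v) for k, v in pairs if k in CONTROL_PARAMS]
    criteria = [(k, v) for k, v in pairs if k not in CONTROL_PARAMS]
    target = parts.path.rstrip("/") + "/_search"
    if control:
        target += "?" + urlencode(control)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return target, headers, urlencode(criteria)


if __name__ == "__main__":
    post_target, post_headers, post_body = to_post_search(GET_TARGET)
    for method, target in (("GET", GET_TARGET), ("POST", post_target)):
        line = clf_line(method, target)
        print(line)
        print("  criteria in log:", exposed_params(line) or "none")
    print("POST body (not in the access log):", post_body)
```

Moving the criteria into the body removes them from the request line that access logs record; any component configured to log request bodies would still capture them.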