Consumer responsibility

Privacy

The information that adopters receive or provide when querying CMS is considered Personal Information (PI) and Personal Health Information (PHI). As a result, access to patient health information must be restricted to appropriately authorized users only and used on a need-to-know basis, as specified in data-sharing agreements and the corresponding legislation.

User Credentials

To support privacy inquiries into the disclosure of patient PHI, the user name or ID mnemonic SHALL be included in CMS messages to identify the user who initiated the query whenever that query was initiated by an actual user (as opposed to a query performed by a system with no PHI disclosure to an individual user). For CMS FHIR, the consumer shall satisfy this requirement by implementing the OAuth2 token defined in the message header. Refer to the Connectivity section for further details.

Message Conformance

The consumer shall implement request messages that are well-formed and conform to this specification.