## Consumer Responsibilities
###	Privacy

The information which adopters receive when querying acCDR is considered Personal Information (PI) and Personal Health Information (PHI). As a result, access to the health patient information must be restricted to only appropriately **authorized users** and used on a **need-to-know basis** as specified in data-sharing agreements and corresponding legislation.

###	User Credentials
To support privacy inquiries into the disclosure of patient PHI, user name or ID mnemonic SHALL be included in the acCDR query message to identify the user who initiated the query when that query was initiated by an actual user (as opposed to when performed by a system with no PHI disclosure to an individual user).  
For acCDR FHIR, the consumer shall satisfy this requirement through implementation of SAML attributes defined in the request message header.  Refer to the [Connectivity]