Selective Scope Redaction Coming to Patient-Facing Applications

[Matthew Beermann (Cerner)]

Developers of patient-facing applications:

We wanted to give you early warning about a forthcoming change to our ecosystem. Currently, our patient authorization form works on an "all or nothing" basis; either the patient can grant your application all of the FHIR resource scopes that it registered and requested, or none of them. As part of Cerner's ongoing efforts to implement the provisions of the 21st Century Cures Act, we plan to enhance this workflow such that the patient can pick and choose which information they wish to share with your application. Note that has always been possible for requested scopes and approved scopes to differ, for a variety of reasons [1,2]; all applications must detect and gracefully handle such a situation.

We hope to make this enhancement available to [both of] the sandbox environments early next year; we will post another announcement to this group shortly before the new functionality goes live.

[1] http://hl7.org/fhir/smart-app-launch/index.html: "Scope of access authorized. Note that this can be different from the scopes requested by the app."

[2] https://tools.ietf.org/html/rfc6749#section-3.3: "The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions."

[Cerner FHIR Developers]

A reminder for any patient facing applications that you need to ensure your application will handle this scenario gracefully (not call services that the patient didn't consent to). The current plan is to put this into client non-production environments next week and target the first week in February for broad availability including production.

[Matthew Beermann (Cerner)]

The schedule here has changed slightly since the prior post; our operations team tells me that they now expect non-production availability later this week (at the earliest) or sometime next week (at the latest).

[Matthew Beermann (Cerner)]

As of today, these changes should begin appearing in production environments as well.