Profile audience and scope
This profile is intended to be used by developers of apps that need to access FHIR resources by requesting access tokens from OAuth 2.0 compliant authorization servers.
OAuth 2.0 authorization servers are configured to mediate access based on a set of rules configured to enforce institutional policy, which may include requesting end-user authorization. This profile does not dictate the institutional policies that are implemented in the authorization server.
The profile defines a method through which an app requests authorization to access a FHIR resource, and then uses that authorization to retrieve the resource. Other HIPAA-mandated security mechanisms, such as end-user authentication, session time-out, security auditing, and accounting of disclosures, are outside the scope of this profile.