carin_for_blue_button_test_kit 0.15.1 → 0.15.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b3cdc3b7c526f79be3e7941386187f42a15828d4ef19792aba376268fde1b8a
-  data.tar.gz: 7542f67061a8ac32bee0353d336c553d13a7fb2e58ebdcf573ed8957d9afae0b
+  metadata.gz: 67e7b14eb8555dfd3b698224f6588d8d7697a53d97806dd8edc142ad8ec342ca
+  data.tar.gz: 8f8a1bf9dbb75ffb68151e3cd5a7a944cea6568c41932549f26665b959c7be80
 SHA512:
-  metadata.gz: f6270e60778abe840346f9793143327f9fef4be1d408c317467316ca400faba3538708d66ba1e3c22a36ec6bdb3e77b2608ff03e4dfe44f3a372e8da518c7d05
-  data.tar.gz: 4265870ed675a4d105b92ffe6a861cbcb65162c847ef81c3543f5e625d01e3816e56c2523e4ee1b957d164232dfc7b598ad5e2f270e563c79bc988d5582f3ce3
+  metadata.gz: 865d150b32a6e1bee5bb4af634bf588721ebcafcdd7ad0168d20aaeb1f75535d8435a9f17c7db78112fb68b66b92606c988cfc8f582a65cc3a5d7ea0739dbc18
+  data.tar.gz: 78cca118754975e754777beb20e21199f46bda13855350d04ea4031fa68210fe471cf5db9e915eebe6df80c238a8bb0c5affe180278cde9f4e57d816d2505446

data/lib/carin_for_blue_button_test_kit/capability_statement/tests/instantiates_test.rb

@@ -1,21 +1,20 @@
 module CarinForBlueButtonTestKit
-    class InstantiatesTest < Inferno::Test
-      id :carin_bb_instantiate
-      title 'Server instantiates CARIN BlueButton '
-      description %(
-          This test inspects the CapabilityStatement returned by the server to
-          verify that the server instantiates http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb
-        )
-      verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@17'
+  class InstantiatesTest < Inferno::Test
+    id :carin_bb_instantiate
+    title 'Server instantiates CARIN BlueButton '
+    description %(
+        This test inspects the CapabilityStatement returned by the server to
+        verify that the server instantiates http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb
+      )
 
-      uses_request :capability_statement
+    uses_request :capability_statement
 
-      run do
-        assert_resource_type(:capability_statement)
-        capability_statement = resource
+    run do
+      assert_resource_type(:capability_statement)
+      capability_statement = resource
 
-        assert capability_statement.instantiates.include?('http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb'),
-          "Server CapabilityStatement.instantiates does not include 'http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb'"
-      end
+      assert capability_statement.instantiates.include?('http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb'),
+        "Server CapabilityStatement.instantiates does not include 'http://hl7.org/fhir/us/carin-bb/CapabilityStatement/c4bb'"
     end
   end
+end

data/lib/carin_for_blue_button_test_kit/capability_statement/tests/json_support_test.rb

@@ -25,7 +25,6 @@ module CarinForBlueButtonTestKit
       * application/fhir+json
     )
     uses_request :capability_statement
-    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@98'
 
     run do
       assert_resource_type(:capability_statement)

data/lib/carin_for_blue_button_test_kit/client/v2.0.0/c4bb_client_test_suite.rb

@@ -38,6 +38,8 @@ require_relative 'required_searches_tests/eob_required_searches'
 
 require_relative 'claim_data_request_tests/client_claims_data_attestation_test'
 
+require_relative '../../custom_groups/visual_inspection_and_attestation/v200_client'
+
 module CarinForBlueButtonTestKit
   class C4BBV200ClientSuite < Inferno::TestSuite
     extend MockServer
@@ -83,6 +85,14 @@ module CarinForBlueButtonTestKit
       end
     end
 
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.carin-bb_2.0.0',
+        title: 'CARIN IG for Blue Button® v2.0.0',
+        actor: 'Consumer'
+      }
+    )
+
     suite_option  :client_type,
                   title: 'Client Security Type',
                   list_options: [
@@ -300,5 +310,9 @@ module CarinForBlueButtonTestKit
               client_type: CarinClientOptions::UDAP_AUTHORIZATION_CODE
             }
     end
+
+    group from: :c4bb_client_v200_visual_inspection_and_attestation do
+      optional
+    end
   end
 end

data/lib/carin_for_blue_button_test_kit/client/v2.0.0/claim_data_request_tests/client_claims_data_attestation_test.rb

@@ -22,9 +22,9 @@ module CarinForBlueButtonTestKit
           greater than or equal to 1 and/or flagged as Must Support as defined by that profiles StructureDefinition
           for each resource.
 
-          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
 
-          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
         )
       )
     end

data/lib/carin_for_blue_button_test_kit/custom_groups/v2.0.0/eob/insurer_same_test.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module CarinForBlueButtonTestKit
+  module CARIN4BBV200
+    class InsurerSameTest < Inferno::Test
+      include CarinSearchTest
+
+      id :c4bb_v200_custom_eob_insurer_same
+      title 'ExplanationOfBenefit insurer is properly referenced in insurance list'
+      description %(This test confirms that the ExplanationOfBenefit.insurer is equal to the insurance referenced
+      in the ExplanationOfBenefit.insurance list with focal=True, and that ExplanationOfBenefit.insurer is not 
+      equal to any insurance referenced in the ExplanationOfBenefit.insurance list with focal=False.
+      )
+
+      verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@116',
+                            'hl7.fhir.us.carin-bb_2.0.0@124',
+                            'hl7.fhir.us.carin-bb_2.0.0@125',
+                            'hl7.fhir.us.carin-bb_2.0.0@127',
+                            'hl7.fhir.us.carin-bb_2.0.0@128',
+                            'hl7.fhir.us.carin-bb_2.0.0@129'
+
+      def resource_type
+        'ExplanationOfBenefit'
+      end
+
+      def scratch_resources
+        scratch[:explanationofbenefit_resources] ||= {}
+      end
+
+      def get_reference(reference, type)
+        reference_id = resource_id(reference)
+        fhir_read(type, reference_id)&.resource
+      end
+
+      run do
+        resources = scratch_resources[:all]
+        skip_if resources.blank?,
+                "No #{resource_type} resources were returned"
+
+        skip_if !resources
+                  .map(&:insurance)
+                  .flatten
+                  .map(&:coverage)
+                  .map { |eob_insurance_coverage| get_reference(eob_insurance_coverage, :coverage) }
+                  .any?,
+                "None of the ExplanationOfBenefit resources has .insurance.coverage."
+
+        resources.each do |eob|
+          eob.insurance.each_with_index do |eob_insurance, index|
+            eob_insurance_coverage = get_reference(eob_insurance.coverage, :coverage)
+
+            next if eob_insurance_coverage.nil?
+
+            if eob_insurance.focal
+              assert resource_id(eob.insurer) == resource_id(eob_insurance_coverage.payor.first),
+                     <<~ERROR_MESSAGE1
+                        ExplanationOfBenefit.insurer.reference differs from
+                        ExplanationOfBenefit.insurance.coverage.reference -> Coverage.payor[0].reference
+                        when ExplanationOfBenefit.insurance.focal == True. They must be equal.
+                      ERROR_MESSAGE1
+            else
+              assert resource_id(eob.insurer) != resource_id(eob_insurance_coverage.payor.first),
+                     <<~ERROR_MESSAGE2
+                        ExplanationOfBenefit.insurer.reference equals
+                        ExplanationOfBenefit.insurance.coverage.reference -> Coverage.payor[0].reference
+                        when ExplanationOfBenefit.insurance.focal == False. They must differ.
+                      ERROR_MESSAGE2
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/v2.0.0/eob/outcome_complete_test.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module CarinForBlueButtonTestKit
+  module CARIN4BBV200
+    class OutcomeCompleteTest < Inferno::Test
+      id :c4bb_v200_custom_eob_outcome_complete
+      title 'ExplanationOfBenefit.outcome has value "complete"'
+      description %(ExplanationOfBenefit.outcome has value "complete")
+
+      verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@117'
+
+      def resource_type
+        'ExplanationOfBenefit'
+      end
+
+      def scratch_resources
+        scratch[:explanationofbenefit_resources] ||= {}
+      end
+
+      run do
+        resources = scratch_resources[:all]
+  
+        skip_if resources.blank?,
+                "No #{resource_type} resources were returned"
+  
+        resources.each do |resource|
+          assert resource.outcome == 'complete', "ExplanationOfBenefit.outcome was '#{resource.outcome}'. Expected 'complete'."
+        end
+      end
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/v2.0.0/eob/type_data_absent_test.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module CarinForBlueButtonTestKit
+  module CARIN4BBV200
+    class TypeDataAbsentTest < Inferno::Test
+      id :c4bb_v200_custom_eob_type_data_absent
+      title 'ExplanationOfBenefit.type does not use a data absent reason'
+      description %(
+        ExplanationOfBenefit.type SHALL NOT use a data absent reason.
+      )
+
+      verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@115'
+
+      DAR_CODE_SYSTEM_URL = 'http://terminology.hl7.org/CodeSystem/data-absent-reason'
+
+      def resource_type
+        'ExplanationOfBenefit'
+      end
+
+      def scratch_resources
+        scratch[:explanationofbenefit_resources] ||= {}
+      end
+
+      run do
+        resources = scratch_resources[:all]
+
+        skip_if resources.blank?,
+                "No #{resource_type} resources were returned"
+
+        resources.each do |resource|
+          resource.type&.coding&.each do |coding|
+            if coding.system
+              assert coding.system != DAR_CODE_SYSTEM_URL,
+                     'ExplanationOfBenefit.type uses a data absent reason. It must not.'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client/authentication.rb

@@ -0,0 +1,30 @@
+module CarinForBlueButtonTestKit
+  class CARIN4BBAuthTest < Inferno::Test
+    title 'Uses appropriate authentication'
+    description <<~DESCRIPTION
+      The Health IT Module must
+      - Direct communication through authenticated, authorized, and secure channels.
+      - Use the SMART App Launch Framework’s standalone launch.
+    DESCRIPTION
+    id :c4bb_authentication
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@1',
+                          'hl7.fhir.us.carin-bb_2.0.0@48'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module
+          - Directed communication through authenticated, authorized, and secure channels.
+          - Used the SMART App Launch Framework’s standalone launch.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the tester visually confirmed system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the tester visually confirmed system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client/last_updated.rb

@@ -0,0 +1,31 @@
+module CarinForBlueButtonTestKit
+  class CARIN4BBLastUpdatedTest < Inferno::Test
+    title 'Uses meta.lastUpdated value appropriately'
+    description <<~DESCRIPTION
+      The Health IT Module must use the meta.lastUpdated value to determine if the associated data is
+      accurate as of the date of service or as of the current date.
+    DESCRIPTION
+    id :c4bb_last_updated
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@90',
+                          'hl7.fhir.us.carin-bb_2.0.0@94',
+                          'hl7.fhir.us.carin-bb_2.0.0@180',
+                          'hl7.fhir.us.carin-bb_2.0.0@184',
+                          'hl7.fhir.us.carin-bb_2.0.0@188'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module used the
+          meta.lastUpdated value to determine if the associated data is accurate as of the date of service or as of the current date.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the tester visually confirmed system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the tester visually confirmed system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client/must_support_absent_reason.rb

@@ -0,0 +1,26 @@
+module CarinForBlueButtonTestKit
+  class CARIN4BBMustSupportAbsentReasonTest < Inferno::Test
+    title 'Processes Must Support elements that assert missing information'
+    description <<~DESCRIPTION
+      The Health IT Module must process Must Support elements that assert missing information.
+    DESCRIPTION
+    id :c4bb_must_support_absent_reason
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@8'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module processed
+          Must Support elements that asserted missing information.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the tester visually confirmed system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the tester visually confirmed system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client/must_support_display.rb

@@ -0,0 +1,26 @@
+module CarinForBlueButtonTestKit
+  class CARIN4BBMustSupportDisplayTest < Inferno::Test
+    title 'Can display Must Support data elements'
+    description <<~DESCRIPTION
+      The Health IT Module must be capable of displaying all Must Support data elements.
+    DESCRIPTION
+    id :c4bb_must_support_display
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@4'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module can display all
+          Must Support data elements for human use.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the tester visually confirmed system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the tester visually confirmed system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client/must_support_missing.rb

@@ -0,0 +1,27 @@
+module CarinForBlueButtonTestKit
+  class CARIN4BBMustSupportMissingTest < Inferno::Test
+    title 'Interprets missing Must Support data elements'
+    description <<~DESCRIPTION
+      The Health IT Module must interpret missing Must Support data elements within resource instances as
+      data not present in the Health Plan API actors system.
+    DESCRIPTION
+    id :c4bb_must_support_missing
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@6'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module interpreted missing Must Support
+          data elements within resource instances as data not present in the Health Plan API actors system.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the tester visually confirmed system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the tester visually confirmed system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_client.rb

@@ -0,0 +1,25 @@
+require_relative 'v200_client/must_support_display'
+require_relative 'v200_client/must_support_missing'
+require_relative 'v200_client/must_support_absent_reason'
+require_relative 'v200_client/last_updated'
+require_relative 'v200_client/authentication'
+
+module CarinForBlueButtonTestKit
+  class CarinClientVisualInspectionAndAttestationGroup < Inferno::TestGroup
+    id :c4bb_client_v200_visual_inspection_and_attestation
+
+    title 'Visual Inspection and Attestation'
+
+    description <<~DESCRIPTION
+      Perform visual inspections or attestations to ensure that the Client is conformant to the CARIN for Blue Button® IG requirements.
+    DESCRIPTION
+
+    run_as_group
+
+    test from: :c4bb_authentication
+    test from: :c4bb_must_support_display
+    test from: :c4bb_must_support_missing
+    test from: :c4bb_must_support_absent_reason
+    test from: :c4bb_last_updated
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/00_authorization_group/attestation_test_requirement_48.rb

@@ -0,0 +1,50 @@
+module CarinForBlueButtonTestKit
+  class AttestationTestCarinV2Requirement48_57 < Inferno::Test
+    title 'Secures data'
+    description <<~DESCRIPTION
+      The Health IT Module
+      - Enables members to direct the communication of CARIN4BB data through authenticated, authorized, and secure channels.
+      - Protects CARIN4BB data with proper security and privacy protections to avoid malicious or unintentional exposure of
+        such information.
+      - Secures all consumer-directed payer data exchanges in transit and limits access only to authorized individuals.
+      - Ensures that APIs fully and successfully implement privacy and security features such as, but not limited to, those
+        required to comply with HIPAA privacy and security requirements and other applicable law protecting the privacy and
+        security of protected health information.
+      - Uses either current or the immediately prior release of Transport Level Security (TLS) as specified by the current release
+        of NIST guidelines (SP 800-52).
+      - Supports the FHIR US Core [Patient Privacy and Security requirements](https://www.hl7.org/fhir/us/core/security.html).
+    DESCRIPTION
+    id :carin_server_requirement_48_57_attestation
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@48',
+                          'hl7.fhir.us.carin-bb_2.0.0@49',
+                          'hl7.fhir.us.carin-bb_2.0.0@50',
+                          'hl7.fhir.us.carin-bb_2.0.0@51',
+                          'hl7.fhir.us.carin-bb_2.0.0@55',
+                          'hl7.fhir.us.carin-bb_2.0.0@57'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module
+          - Enables members to direct the communication of CARIN4BB data through authenticated, authorized, and secure channels.
+          - Protects CARIN4BB data with proper security and privacy protections to avoid malicious or unintentional exposure of
+            such information.
+          - Secures all consumer-directed payer data exchanges in transit and limits access only to authorized individuals.
+          - Ensures that APIs fully and successfully implement privacy and security features such as, but not limited to, those
+            required to comply with HIPAA privacy and security requirements and other applicable law protecting the privacy and
+            security of protected health information.
+          - Uses either current or the immediately prior release of Transport Level Security (TLS) as specified by the current release
+            of NIST guidelines (SP 800-52).
+          - Supports the FHIR US Core [Patient Privacy and Security requirements](https://www.hl7.org/fhir/us/core/security.html).
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/00_authorization_group/attestation_test_requirement_60.rb

@@ -0,0 +1,48 @@
+module CarinForBlueButtonTestKit
+  class AttestationTestCarinV2Requirement60_67 < Inferno::Test
+    title 'Supports SMART Core Capabilities'
+    description <<~DESCRIPTION
+      The Health IT Module supports the following “SMART Core Capabilities”:
+      - `launch-standalone`: support for SMART’s Standalone Launch mode
+      - `client-public`: support for SMART’s public client profile (no client authentication)
+      - `client-confidential-symmetric`: support for SMART’s confidential client profile
+      - `sso-openid-connect`: support for SMART’s OpenID Connect profile
+      - `context-standalone-patient`: support for patient-level launch context (requested by launch/patient scope, conveyed via patient token parameter)
+      - `permission-offline`: support for refresh tokens (requested by offline_access scope)
+      - `permission-patient`: support for patient-level scopes (e.g. patient Observation.read)
+      - `permission-user`: support for user-level scopes (e.g. user/Appointment.read)
+    DESCRIPTION
+    id :carin_server_requirement_60_67_attestation
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@60',
+                          'hl7.fhir.us.carin-bb_2.0.0@61',
+                          'hl7.fhir.us.carin-bb_2.0.0@62',
+                          'hl7.fhir.us.carin-bb_2.0.0@63',
+                          'hl7.fhir.us.carin-bb_2.0.0@64',
+                          'hl7.fhir.us.carin-bb_2.0.0@65',
+                          'hl7.fhir.us.carin-bb_2.0.0@66',
+                          'hl7.fhir.us.carin-bb_2.0.0@67'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The Health IT Module supports the following “SMART Core Capabilities”:
+          - `launch-standalone`: support for SMART’s Standalone Launch mode
+          - `client-public`: support for SMART’s public client profile (no client authentication)
+          - `client-confidential-symmetric`: support for SMART’s confidential client profile
+          - `sso-openid-connect`: support for SMART’s OpenID Connect profile
+          - `context-standalone-patient`: support for patient-level launch context (requested by launch/patient scope, conveyed via patient token parameter)
+          - `permission-offline`: support for refresh tokens (requested by offline_access scope)
+          - `permission-patient`: support for patient-level scopes (e.g. patient Observation.read)
+          - `permission-user`: support for user-level scopes (e.g. user/Appointment.read)
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/00_authorization_group/attestation_test_requirement_97.rb

@@ -0,0 +1,41 @@
+module CarinForBlueButtonTestKit
+  class AttestationTestCarinV2Requirement97 < Inferno::Test
+    title 'Responds with appropriate error codes'
+    description <<~DESCRIPTION
+      The Health IT Module returns the following response classes:
+      - (Status 400): invalid parameter
+      - (Status 401/4xx): unauthorized request
+      - (Status 403): insufficient scope
+      - (Status 404): unknown resource
+      - (Status 410): deleted resource
+
+      The Health IT Module rejects any unauthorized request by returning an HTTP 401 "Unauthorized", HTTP 403 "Forbidden",
+      or HTTP 404 "Not Found".
+    DESCRIPTION
+    id :carin_server_requirement_97_attestation
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@97', 'hl7.fhir.us.carin-bb_2.0.0@102'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module returns the following response classes:
+          - (Status 400): invalid parameter
+          - (Status 401/4xx): unauthorized request
+          - (Status 403): insufficient scope
+          - (Status 404): unknown resource
+          - (Status 410): deleted resource
+
+          I further attest that the Health IT Module rejects any unauthorized request by returning an HTTP 401 "Unauthorized",
+          HTTP 403 "Forbidden", or HTTP 404 "Not Found".
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/00_authorization_group.rb

@@ -0,0 +1,15 @@
+require_relative '00_authorization_group/attestation_test_requirement_48'
+require_relative '00_authorization_group/attestation_test_requirement_60'
+require_relative '00_authorization_group/attestation_test_requirement_97'
+
+module CarinForBlueButtonTestKit
+  class CarinSecurityAttestationGroup < Inferno::TestGroup
+    id :c4bb_security
+    title 'Security'
+    short_title 'Security'
+
+    test from: :carin_server_requirement_97_attestation
+    test from: :carin_server_requirement_48_57_attestation
+    test from: :carin_server_requirement_60_67_attestation
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/01_must_support_group/attestation_test_requirement_10.rb

@@ -0,0 +1,26 @@
+module CarinForBlueButtonTestKit
+  class AttestationTestCarinV2Requirement10 < Inferno::Test
+    title 'Follows FHIR and US Core guidance when data is unavailable'
+    description <<~DESCRIPTION
+      The Health IT Module follows the FHIR core specification and US Core guidance when no data is available
+      for required data elements (minimum cardinality > 0).
+    DESCRIPTION
+    id :carin_server_requirement_10_attestation
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@10'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module applies FHIR and US Core guidance
+          when the source system lacks data for required elements with minimum cardinality > 0.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/carin_for_blue_button_test_kit/custom_groups/visual_inspection_and_attestation/v200_server/01_must_support_group/attestation_test_requirement_2.rb

@@ -0,0 +1,29 @@
+module CarinForBlueButtonTestKit
+  class AttestationTestCarinV2Requirement2 < Inferno::Test
+    title 'Returns maintained data'
+    description <<~DESCRIPTION
+      The Health IT Module is capable of populating and returning all data elements maintained
+      by the payer as part of the query results, as specified by the CARIN Blue Button Health Plan API
+      CapabilityStatement.
+    DESCRIPTION
+    id :carin_server_requirement_2_attestation
+
+    verifies_requirements 'hl7.fhir.us.carin-bb_2.0.0@2'
+
+    run do
+      identifier = SecureRandom.hex(32)
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module is capable of populating and returning all data elements maintained
+          by the payer as part of the query results, as specified by the CARIN Blue Button Health Plan API
+          CapabilityStatement.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end