davinci_pdex_test_kit 0.12.0 → 0.12.2

data/lib/davinci_pdex_test_kit/pdex_payer_client/urls.rb

@@ -4,12 +4,10 @@ module DaVinciPDexTestKit
   module PDexPayerClient
 
     module URLs
-      BASE_PATH = "#{Inferno::Application['base_url']}/custom/pdex_payer_client"
-      TOKEN_PATH = '/mock_auth/token'
       PATIENT_PATH = '/fhir/Patient'
+      PATIENT_INSTANCE_PATH = '/fhir/Patient/:patient'
       RESOURCE_PATH = '/fhir/:endpoint'
       INSTANCE_PATH = '/fhir/:endpoint/:id'
-      SUBMIT_PATH = '/fhir/:endpoint'   # FIXME duplicate
       BINARY_PATH = '/fhir/Binary/:id'
       METADATA_PATH = '/fhir/metadata'
       EVERYTHING_PATH = '/fhir/Patient/:patient/$everything'
@@ -19,7 +17,9 @@ module DaVinciPDexTestKit
       BASE_FHIR_PATH = '/fhir'
       RESUME_PASS_PATH = '/resume_pass'
       RESUME_CLINICAL_DATA_PATH = '/resume_clinical_data'
-      RESUME_FAIL_PATH = '/resume_fail'    
+      RESUME_FAIL_PATH = '/resume_fail'
+      AUTHORIZATION_PATH = '/auth/authorization'
+      TOKEN_PATH = '/auth/token'
 
       constants.each do |path_constant|
         # For each constant X_PATH, define x_path()
@@ -29,20 +29,28 @@ module DaVinciPDexTestKit
 
         # For each constant X_PATH, define x_url(), which includes base
         define_method(path_constant.to_s.downcase.gsub(/_path$/, '_url')) do
-          File.join(BASE_PATH, URLs.const_get(path_constant))
+          base_url + URLs.const_get(path_constant)
         end
       end
 
+      def suite_id
+        PDexPayerClientSuite.id
+      end
+
       # overwrite base_url which is irregular
       def base_url
-        BASE_PATH
+        @base_url ||= "#{Inferno::Application['base_url']}/custom/#{suite_id}"
       end
 
-      # overwrite base_fhir_url which is irregular
-      def base_fhir_url
-        File.join(BASE_PATH, BASE_FHIR_PATH)
+      # overwrite fhir_base_url which is irregular
+      def fhir_base_url
+        base_url + BASE_FHIR_PATH
       end
 
+      # alias for smart and udap tests
+      def client_fhir_base_url
+        fhir_base_url
+      end
     end
 
     # Add all constants and dynamically defined methods to PDexPayerClient namespace

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/authentication.rb

@@ -0,0 +1,34 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexMemberAuthenticationTest < Inferno::Test
+      title 'Uses recognized Health Plan credentials'
+
+      description <<~DESCRIPTION
+        The Health IT Module requires members to authenticate
+        using credentials issued or recognized by the Health Plan, such as credentials used to access
+        a member portal, and accepts only those credentials when processing member-authorized requests.
+      DESCRIPTION
+
+      id :pdex_member_authentication_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@10'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            I attest that the Health IT Module requires members to authenticate
+            using credentials issued or recognized by the Health Plan, such as credentials used to access
+            a member portal, and accepts only those credentials when processing member-authorized requests.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/must_support.rb

@@ -0,0 +1,40 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+  class PDexClientMustSupportInterpretationTest < Inferno::Test
+    title 'Interprets Must Support according to US Core and HRex'
+
+    description <<~DESCRIPTION
+      The Health IT Module applies Must Support rules for all profiles it implements as follows:
+
+      - For US Core profiles, Must Support elements are interpreted according to the US Core IG.
+      - For HRex profiles, Must Support elements are interpreted according to the HRex IG.
+      - For PDex profiles, Must Support elements are interpreted according to the US Core IG.
+    DESCRIPTION
+
+    id :pdex_client_must_support_interpretation_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@4',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@6',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@8'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that:
+
+          - For US Core profiles, Must Support elements are interpreted according to the US Core IG.
+          - For HRex profiles, Must Support elements are interpreted according to the HRex IG.
+          - For PDex profiles, Must Support elements are interpreted according to the US Core IG.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/provenance.rb

@@ -0,0 +1,32 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexRetainProvenanceFromPayerExchangeTest < Inferno::Test
+      title 'Accepts and retains Provenance in member-authorized payer-to-payer exchange'
+
+      description <<~DESCRIPTION
+        The Health IT Module accepts and retains
+        Provenance records received with data as part of a member-authorized payer-to-payer exchange.
+      DESCRIPTION
+
+      id :pdex_accept_retain_provenance_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@28'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            I attest that the Health IT Module accepts and retains
+            Provenance records received with data as part of a member-authorized payer-to-payer exchange.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/receive_must_support.rb

@@ -0,0 +1,34 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexMustSupportSubElementHandlingTest < Inferno::Test
+      title 'Accepts Must Support elements without error'
+
+      description <<~DESCRIPTION
+        The Health IT Module ensures that it can accept sub-elements marked Must Support
+        without generating errors — unless those sub-elements belong to a parent element
+        that has a minimum cardinality of 0 and no Must Support flag.
+      DESCRIPTION
+
+      id :pdex_must_support_sub_element_handling_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@53'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            The developer of the Health IT Module attests that the Health IT System can accept sub-elements marked Must Support
+            without generating errors — unless those sub-elements belong to a parent element
+            that has a minimum cardinality of 0 and no Must Support flag.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation.rb

@@ -0,0 +1,24 @@
+require_relative 'visual_inspection_and_attestation/must_support'
+require_relative 'visual_inspection_and_attestation/receive_must_support'
+require_relative 'visual_inspection_and_attestation/provenance'
+require_relative 'visual_inspection_and_attestation/authentication'
+
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexClientVisualInspectionAndAttestationGroup < Inferno::TestGroup
+      id :pdex_client_visual_inspection_and_attestation
+      title 'Visual Inspection and Attestation'
+
+      description <<~DESCRIPTION
+        Perform visual inspections or attestations to ensure that the Client is conformant to the Da Vinci Payer Data Exchange IG requirements.
+      DESCRIPTION
+
+      run_as_group
+
+    test from: :pdex_member_authentication_test
+    test from: :pdex_client_must_support_interpretation_test
+    test from: :pdex_must_support_sub_element_handling_test
+    test from: :pdex_accept_retain_provenance_test
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client_suite.rb

@@ -1,3 +1,4 @@
+require_relative 'pdex_payer_client/pdex_client_options'
 require_relative 'pdex_payer_client/urls'
 require_relative 'pdex_payer_client/tags'
 require_relative 'pdex_payer_client/collection'
@@ -5,6 +6,11 @@ require_relative 'pdex_payer_client/mock_server'
 # require_relative 'must_support_test'
 # require_relative 'pdex_payer_client/client_validation_test'
 
+require_relative 'pdex_payer_client/client_registration_group'
+require_relative 'pdex_payer_client/client_auth_smart_alca_group'
+require_relative 'pdex_payer_client/client_auth_smart_alcs_group'
+require_relative 'pdex_payer_client/client_auth_smart_alp_group'
+require_relative 'pdex_payer_client/client_auth_udap_group'
 require_relative 'pdex_payer_client/client_workflow_interaction_test'
 require_relative 'pdex_payer_client/client_member_match_tests/client_member_match_validation_test'
 
@@ -31,6 +37,8 @@ require_relative 'pdex_payer_client/clinical_data_request_tests/practitioner_cli
 require_relative 'pdex_payer_client/clinical_data_request_tests/practitionerrole_clinical_data_request_test'
 require_relative 'pdex_payer_client/clinical_data_request_tests/procedure_clinical_data_request_test'
 
+require_relative 'pdex_payer_client/visual_inspection_and_attestation'
+
 module DaVinciPDexTestKit
   class PDexPayerClientSuite < Inferno::TestSuite
     include PDexPayerClient
@@ -70,6 +78,35 @@ module DaVinciPDexTestKit
       end
     end
 
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.davinci-pdex_2.0.0',
+        title: 'Da Vinci Payer Data Exchange (PDex) v2.0.0',
+        actor: 'Client'
+      }
+    )
+
+    suite_option  :client_type,
+                  title: 'Client Security Type',
+                  list_options: [
+                    {
+                      label: 'SMART App Launch Public Client',
+                      value: PDexClientOptions::SMART_APP_LAUNCH_PUBLIC
+                    },
+                    {
+                      label: 'SMART App Launch Confidential Symmetric Client',
+                      value: PDexClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+                    },
+                    {
+                      label: 'SMART App Launch Confidential Asymmetric Client',
+                      value: PDexClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+                    },
+                    {
+                      label: 'UDAP Authorization Code Client',
+                      value: PDexClientOptions::UDAP_AUTHORIZATION_CODE
+                    }
+                  ]
+
     resume_test_route :get, RESUME_PASS_PATH do |request|
       PDexPayerClientSuite.extract_token_from_query_params(request)
     end
@@ -82,18 +119,37 @@ module DaVinciPDexTestKit
       PDexPayerClientSuite.extract_token_from_query_params(request)
     end
 
+    group from: :pdex_client_registration
+
     group do
       run_as_group
-      title 'Workflow Tests'
+      title 'Verify PDex Data Access'
       id :payer_to_payer_workflow
 
       group do
         title 'Interaction Tests'
-        id :client_workflow_interaction
+        id :pdex_client_workflow_interaction
 
         test from: :pdex_client_workflow_interaction
       end
 
+      group from: :pdex_client_auth_smart_alca,
+          required_suite_options: {
+            client_type: PDexClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_ASYMMETRIC
+          }
+      group from: :pdex_client_auth_smart_alcs,
+            required_suite_options: {
+              client_type: PDexClientOptions::SMART_APP_LAUNCH_CONFIDENTIAL_SYMMETRIC
+            }
+      group from: :pdex_client_auth_smart_alp,
+            required_suite_options: {
+              client_type: PDexClientOptions::SMART_APP_LAUNCH_PUBLIC
+            }
+      group from: :pdex_client_auth_udap,
+            required_suite_options: {
+              client_type: PDexClientOptions::UDAP_AUTHORIZATION_CODE
+            }
+
       group do
         title '$member-match validation'
         id :member_match_validation
@@ -130,8 +186,15 @@ module DaVinciPDexTestKit
       end
     end
 
+    group from: :pdex_client_visual_inspection_and_attestation do
+      optional
+    end
+
+
     # TODO: must support validation
 
+
+
     private
 
     def self.extract_token_from_query_params(request)

data/lib/davinci_pdex_test_kit/pdex_payer_server/urls.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module DaVinciPDexTestKit
+  module PDexPayerServer
+    RESUME_PASS_PATH = '/resume_pass'
+    RESUME_FAIL_PATH = '/resume_fail'
+
+    # URLs
+    module URLs
+      def base_url
+        @base_url ||= "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      end
+
+      def resume_pass_url
+        @resume_pass_url ||= base_url + RESUME_PASS_PATH
+      end
+
+      def resume_fail_url
+        @resume_fail_url ||= base_url + RESUME_FAIL_PATH
+      end
+
+      def suite_id
+        PDexPayerServerSuite.id
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/bulk_data_transmission_restrictions.rb

@@ -0,0 +1,33 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class BulkDataTransmissionRestrictionsTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Properly restricts Bulk Data transmission of individual member data'
+
+    description <<~DESCRIPTION
+      The Health IT Module's use of the Bulk FHIR specification for transmission of individual member data honors jurisdictional and personal privacy restrictions.
+    DESCRIPTION
+
+    id :pdex_bulk_data_transmission_restrictions_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@11'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module's use of the Bulk FHIR specification for transmission of individual member data
+          honors jurisdictional and personal privacy restrictions that are relevant to a member's health record.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/consent_failure.rb

@@ -0,0 +1,40 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMemberMatchConsentFailureHandlingTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Handles consent non-compliance correctly during $member-match'
+
+    description <<~DESCRIPTION
+      The Health IT Module correctly handles situations where during the `$member-match` operation:
+          - If a unique match to a member is found but the consent request cannot be honored (e.g., due to unsupported data segmentation policies), the system does not return a Patient ID in the response.
+          - In such cases, the system returns an HTTP 422 status code with an accompanying Operation Outcome that explains why the consent request could not be honored.
+
+    DESCRIPTION
+
+    id :pdex_member_match_consent_failure_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@38',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@39'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that during the `$member-match` operation:
+
+          - If a unique match to a member is found but the consent request cannot be honored (e.g., due to unsupported data segmentation policies), the system does not return a Patient ID in the response.
+
+          - In such cases, the system returns an HTTP 422 status code with an accompanying Operation Outcome that explains why the consent request could not be honored.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/consent_requirements.rb

@@ -0,0 +1,40 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class ConsentRequirementsTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Assesses consent requirements'
+
+    description <<~DESCRIPTION
+      The Health IT Module considers consent requirements to be met only if:
+      - Member Identity is matched
+      - Consent Policy (Everything or only Non-Sensitive data) matches the data release segmentation capabilities of the receiving payer
+      - Date period for consent is valid
+      - Payer requesting retrieval of data is matched.
+    DESCRIPTION
+
+    id :pdex_consent_requirements_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@40'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module considers consent requirements to be met only if:
+          - Member Identity is matched
+          - Consent Policy (Everything or only Non-Sensitive data) matches the data release segmentation capabilities of the receiving payer
+          - Date period for consent is valid
+          - Payer requesting retrieval of data is matched.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/hrex_must_support.rb

@@ -0,0 +1,35 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMustSupportDefinedByHRexTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Uses HRex Must Support definitions for HRex profiles'
+
+    description <<~DESCRIPTION
+      The Health IT Module applies the definition of "Must Support" as defined
+      by the Da Vinci HRex Implementation Guide for all HRex profiles referenced in PDex.
+    DESCRIPTION
+
+    id :pdex_must_support_defined_by_hrex_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@5'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the system applies the definition
+          of "Must Support" as defined by the Da Vinci HRex Implementation Guide for all
+          HRex profiles referenced in PDex.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/licensing.rb

@@ -0,0 +1,37 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexLicensingTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Complies with licensing requirements'
+
+    description <<~DESCRIPTION
+      The Health IT Module abides by the license
+      requirements for each terminology content artifact utilized within a functioning implementation and obtained
+      terminology licenses from the Third-Party IP owner for each code system and/or other specified artifact used.
+    DESCRIPTION
+
+    id :pdex_licensing_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@1',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@2'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module abides by the license
+          requirements for each terminology content artifact utilized within a functioning implementation and obtained
+          terminology licenses from the Third-Party IP owner for each code system and/or other specified artifact used.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/member_auth.rb

@@ -0,0 +1,81 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMemberAuthorizedExchangeTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Supports Payer-to-Payer member-authorized exchange'
+
+    description <<~DESCRIPTION
+      The Health IT Module supports Payer-to-Payer member-authorized
+      information exchange using SMART on FHIR and OAuth 2.0 by satisfying the following criteria.
+
+      The Health IT Module is acting as the **source** Health Plan, and is the Health Plan the member would like to get data from.
+      The **target** Health Plan is the Health PLan the member would like to share data to.
+
+      1. **Client Authorization Credentials**
+          The Health IT Module issues the target Health Plan OAuth 2.0 client application credentials during client registration.
+
+      1. **Member Consent Flow**
+          After the member authenticates to the Health IT Module's authorization server, the system presents an Authorization
+          screen enabling the member to approve sharing with the target Health Plan.
+
+          The Authorization process aligns with applicable privacy policy and regulations, allowing members to
+          select what data may be shared.
+
+      4. **Token Issuance**
+          Upon successful authorization, the Health IT Module issues an Access Token to the target Health Plan.
+          The scopes associated with the Access Token are limited to the information and permissions authorized by the member.
+
+      6. **Refresh Token Handling**:
+          Any Access Token subsequently issued by the Health IT Module using a Refresh Token enforces the same scope and member-specific
+          restrictions as the original authorization.
+    DESCRIPTION
+
+    id :pdex_member_authorized_exchange_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@20',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@21',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@22',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@23',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@25',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@26'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module supports Payer-to-Payer member-authorized
+          information exchange using SMART on FHIR and OAuth 2.0 by satisfying the following criteria.
+
+          The **source** Health Plan is the Health Plan the member would like to get data from, and the **etarget**
+          Health Plan is the Health PLan the member would like to share data to.
+
+          1. **Client Authorization Credentials**
+              The Health IT Module issues the target Health Plan OAuth 2.0 client application credentials during client registration.
+
+          1. **Member Consent Flow**
+              After the member authenticates to the Health IT Module's authorization server, the system presents an Authorization
+              screen enabling the member to approve sharing with the target Health Plan.
+
+              The Authorization process aligns with applicable privacy policy and regulations, allowing members to
+              select what data may be shared.
+
+          4. **Token Issuance**
+              Upon successful authorization, the Health IT Module issues an Access Token to the target Health Plan.
+              The scopes associated with the Access Token are limited to the information and permissions authorized by the member.
+
+          6. **Refresh Token Handling**:
+              Any Access Token subsequently issued by the Health IT Module using a Refresh Token enforces the same scope and member-specific
+              restrictions as the original authorization.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end