davinci_pdex_test_kit 0.12.1 → 0.12.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a0f40793433a43053718719f614805ddda0830e0cd2d984cc59d75f1762b13e5
-  data.tar.gz: 842fb47429ceb04acdbcda3d90dd90b22982e1a53ea314901d7b4342e4fa0e33
+  metadata.gz: fbdcb21dc69873f17a9bb953dfc730122d4c23b3421cb083661a69948dc9ccae
+  data.tar.gz: 6247c018d72c6f697dbb6e44408ea3bf4a8bdbcd011edee17ae6cc43c6d0a35f
 SHA512:
-  metadata.gz: 40ce4e887659579ea541da03e3567f35bcb7abe5fa2ddb09d47dd26a777733c43ce538ea315dfdf6c06f47871713a2adaf49b02e9c09ce43852400e1b8463c19
-  data.tar.gz: 2f6584ff86cf25ab1de0019bc5f80bd0abb362d1ae5ad8f608391215b960f1b6d0366ee87bdb3a625e7dadc3ecc465948ab92fc1c80ca49ba05a52f48dd23517
+  metadata.gz: c21fb0dd88fadc8128d3970a73d442b0bbfbd242862748b4ea85b54ed8bfb2377a03e3a9674c79f2eff9ffa6f56441fc5cc1823c0fbff4bff37df734db85db00
+  data.tar.gz: ca9c1ffbba669a7b9dda3823207b9c971242fbb4e18f81d5f3da93444b472693905e15e73e2918e0dadcf7b31c876fb7debed64dac2219559cb20b8b069d7e3d

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/authentication.rb

@@ -0,0 +1,34 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexMemberAuthenticationTest < Inferno::Test
+      title 'Uses recognized Health Plan credentials'
+
+      description <<~DESCRIPTION
+        The Health IT Module requires members to authenticate
+        using credentials issued or recognized by the Health Plan, such as credentials used to access
+        a member portal, and accepts only those credentials when processing member-authorized requests.
+      DESCRIPTION
+
+      id :pdex_member_authentication_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@10'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            I attest that the Health IT Module requires members to authenticate
+            using credentials issued or recognized by the Health Plan, such as credentials used to access
+            a member portal, and accepts only those credentials when processing member-authorized requests.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/must_support.rb

@@ -0,0 +1,40 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+  class PDexClientMustSupportInterpretationTest < Inferno::Test
+    title 'Interprets Must Support according to US Core and HRex'
+
+    description <<~DESCRIPTION
+      The Health IT Module applies Must Support rules for all profiles it implements as follows:
+
+      - For US Core profiles, Must Support elements are interpreted according to the US Core IG.
+      - For HRex profiles, Must Support elements are interpreted according to the HRex IG.
+      - For PDex profiles, Must Support elements are interpreted according to the US Core IG.
+    DESCRIPTION
+
+    id :pdex_client_must_support_interpretation_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@4',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@6',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@8'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that:
+
+          - For US Core profiles, Must Support elements are interpreted according to the US Core IG.
+          - For HRex profiles, Must Support elements are interpreted according to the HRex IG.
+          - For PDex profiles, Must Support elements are interpreted according to the US Core IG.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/provenance.rb

@@ -0,0 +1,32 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexRetainProvenanceFromPayerExchangeTest < Inferno::Test
+      title 'Accepts and retains Provenance in member-authorized payer-to-payer exchange'
+
+      description <<~DESCRIPTION
+        The Health IT Module accepts and retains
+        Provenance records received with data as part of a member-authorized payer-to-payer exchange.
+      DESCRIPTION
+
+      id :pdex_accept_retain_provenance_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@28'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            I attest that the Health IT Module accepts and retains
+            Provenance records received with data as part of a member-authorized payer-to-payer exchange.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation/receive_must_support.rb

@@ -0,0 +1,34 @@
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexMustSupportSubElementHandlingTest < Inferno::Test
+      title 'Accepts Must Support elements without error'
+
+      description <<~DESCRIPTION
+        The Health IT Module ensures that it can accept sub-elements marked Must Support
+        without generating errors — unless those sub-elements belong to a parent element
+        that has a minimum cardinality of 0 and no Must Support flag.
+      DESCRIPTION
+
+      id :pdex_must_support_sub_element_handling_test
+
+      verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@53'
+
+      run do
+        identifier = SecureRandom.hex(32)
+
+        wait(
+          identifier:,
+          message: <<~MESSAGE
+            The developer of the Health IT Module attests that the Health IT System can accept sub-elements marked Must Support
+            without generating errors — unless those sub-elements belong to a parent element
+            that has a minimum cardinality of 0 and no Must Support flag.
+
+            [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+            [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+          MESSAGE
+        )
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client/visual_inspection_and_attestation.rb

@@ -0,0 +1,24 @@
+require_relative 'visual_inspection_and_attestation/must_support'
+require_relative 'visual_inspection_and_attestation/receive_must_support'
+require_relative 'visual_inspection_and_attestation/provenance'
+require_relative 'visual_inspection_and_attestation/authentication'
+
+module DaVinciPDexTestKit
+  module PDexPayerClient
+    class PDexClientVisualInspectionAndAttestationGroup < Inferno::TestGroup
+      id :pdex_client_visual_inspection_and_attestation
+      title 'Visual Inspection and Attestation'
+
+      description <<~DESCRIPTION
+        Perform visual inspections or attestations to ensure that the Client is conformant to the Da Vinci Payer Data Exchange IG requirements.
+      DESCRIPTION
+
+      run_as_group
+
+    test from: :pdex_member_authentication_test
+    test from: :pdex_client_must_support_interpretation_test
+    test from: :pdex_must_support_sub_element_handling_test
+    test from: :pdex_accept_retain_provenance_test
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_client_suite.rb

@@ -37,6 +37,8 @@ require_relative 'pdex_payer_client/clinical_data_request_tests/practitioner_cli
 require_relative 'pdex_payer_client/clinical_data_request_tests/practitionerrole_clinical_data_request_test'
 require_relative 'pdex_payer_client/clinical_data_request_tests/procedure_clinical_data_request_test'
 
+require_relative 'pdex_payer_client/visual_inspection_and_attestation'
+
 module DaVinciPDexTestKit
   class PDexPayerClientSuite < Inferno::TestSuite
     include PDexPayerClient
@@ -76,6 +78,14 @@ module DaVinciPDexTestKit
       end
     end
 
+    requirement_sets(
+      {
+        identifier: 'hl7.fhir.us.davinci-pdex_2.0.0',
+        title: 'Da Vinci Payer Data Exchange (PDex) v2.0.0',
+        actor: 'Client'
+      }
+    )
+
     suite_option  :client_type,
                   title: 'Client Security Type',
                   list_options: [
@@ -96,7 +106,7 @@ module DaVinciPDexTestKit
                       value: PDexClientOptions::UDAP_AUTHORIZATION_CODE
                     }
                   ]
-    
+
     resume_test_route :get, RESUME_PASS_PATH do |request|
       PDexPayerClientSuite.extract_token_from_query_params(request)
     end
@@ -176,10 +186,14 @@ module DaVinciPDexTestKit
       end
     end
 
-  
+    group from: :pdex_client_visual_inspection_and_attestation do
+      optional
+    end
+
+
     # TODO: must support validation
 
-    
+
 
     private
 

data/lib/davinci_pdex_test_kit/pdex_payer_server/urls.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module DaVinciPDexTestKit
+  module PDexPayerServer
+    RESUME_PASS_PATH = '/resume_pass'
+    RESUME_FAIL_PATH = '/resume_fail'
+
+    # URLs
+    module URLs
+      def base_url
+        @base_url ||= "#{Inferno::Application['base_url']}/custom/#{suite_id}"
+      end
+
+      def resume_pass_url
+        @resume_pass_url ||= base_url + RESUME_PASS_PATH
+      end
+
+      def resume_fail_url
+        @resume_fail_url ||= base_url + RESUME_FAIL_PATH
+      end
+
+      def suite_id
+        PDexPayerServerSuite.id
+      end
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/bulk_data_transmission_restrictions.rb

@@ -0,0 +1,33 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class BulkDataTransmissionRestrictionsTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Properly restricts Bulk Data transmission of individual member data'
+
+    description <<~DESCRIPTION
+      The Health IT Module's use of the Bulk FHIR specification for transmission of individual member data honors jurisdictional and personal privacy restrictions.
+    DESCRIPTION
+
+    id :pdex_bulk_data_transmission_restrictions_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@11'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module's use of the Bulk FHIR specification for transmission of individual member data
+          honors jurisdictional and personal privacy restrictions that are relevant to a member's health record.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/consent_failure.rb

@@ -0,0 +1,40 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMemberMatchConsentFailureHandlingTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Handles consent non-compliance correctly during $member-match'
+
+    description <<~DESCRIPTION
+      The Health IT Module correctly handles situations where during the `$member-match` operation:
+          - If a unique match to a member is found but the consent request cannot be honored (e.g., due to unsupported data segmentation policies), the system does not return a Patient ID in the response.
+          - In such cases, the system returns an HTTP 422 status code with an accompanying Operation Outcome that explains why the consent request could not be honored.
+
+    DESCRIPTION
+
+    id :pdex_member_match_consent_failure_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@38',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@39'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that during the `$member-match` operation:
+
+          - If a unique match to a member is found but the consent request cannot be honored (e.g., due to unsupported data segmentation policies), the system does not return a Patient ID in the response.
+
+          - In such cases, the system returns an HTTP 422 status code with an accompanying Operation Outcome that explains why the consent request could not be honored.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/consent_requirements.rb

@@ -0,0 +1,40 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class ConsentRequirementsTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Assesses consent requirements'
+
+    description <<~DESCRIPTION
+      The Health IT Module considers consent requirements to be met only if:
+      - Member Identity is matched
+      - Consent Policy (Everything or only Non-Sensitive data) matches the data release segmentation capabilities of the receiving payer
+      - Date period for consent is valid
+      - Payer requesting retrieval of data is matched.
+    DESCRIPTION
+
+    id :pdex_consent_requirements_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@40'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module considers consent requirements to be met only if:
+          - Member Identity is matched
+          - Consent Policy (Everything or only Non-Sensitive data) matches the data release segmentation capabilities of the receiving payer
+          - Date period for consent is valid
+          - Payer requesting retrieval of data is matched.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/hrex_must_support.rb

@@ -0,0 +1,35 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMustSupportDefinedByHRexTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Uses HRex Must Support definitions for HRex profiles'
+
+    description <<~DESCRIPTION
+      The Health IT Module applies the definition of "Must Support" as defined
+      by the Da Vinci HRex Implementation Guide for all HRex profiles referenced in PDex.
+    DESCRIPTION
+
+    id :pdex_must_support_defined_by_hrex_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@5'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the system applies the definition
+          of "Must Support" as defined by the Da Vinci HRex Implementation Guide for all
+          HRex profiles referenced in PDex.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/licensing.rb

@@ -0,0 +1,37 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexLicensingTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Complies with licensing requirements'
+
+    description <<~DESCRIPTION
+      The Health IT Module abides by the license
+      requirements for each terminology content artifact utilized within a functioning implementation and obtained
+      terminology licenses from the Third-Party IP owner for each code system and/or other specified artifact used.
+    DESCRIPTION
+
+    id :pdex_licensing_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@1',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@2'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module abides by the license
+          requirements for each terminology content artifact utilized within a functioning implementation and obtained
+          terminology licenses from the Third-Party IP owner for each code system and/or other specified artifact used.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/member_auth.rb

@@ -0,0 +1,81 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexMemberAuthorizedExchangeTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Supports Payer-to-Payer member-authorized exchange'
+
+    description <<~DESCRIPTION
+      The Health IT Module supports Payer-to-Payer member-authorized
+      information exchange using SMART on FHIR and OAuth 2.0 by satisfying the following criteria.
+
+      The Health IT Module is acting as the **source** Health Plan, and is the Health Plan the member would like to get data from.
+      The **target** Health Plan is the Health PLan the member would like to share data to.
+
+      1. **Client Authorization Credentials**
+          The Health IT Module issues the target Health Plan OAuth 2.0 client application credentials during client registration.
+
+      1. **Member Consent Flow**
+          After the member authenticates to the Health IT Module's authorization server, the system presents an Authorization
+          screen enabling the member to approve sharing with the target Health Plan.
+
+          The Authorization process aligns with applicable privacy policy and regulations, allowing members to
+          select what data may be shared.
+
+      4. **Token Issuance**
+          Upon successful authorization, the Health IT Module issues an Access Token to the target Health Plan.
+          The scopes associated with the Access Token are limited to the information and permissions authorized by the member.
+
+      6. **Refresh Token Handling**:
+          Any Access Token subsequently issued by the Health IT Module using a Refresh Token enforces the same scope and member-specific
+          restrictions as the original authorization.
+    DESCRIPTION
+
+    id :pdex_member_authorized_exchange_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@20',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@21',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@22',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@23',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@25',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@26'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module supports Payer-to-Payer member-authorized
+          information exchange using SMART on FHIR and OAuth 2.0 by satisfying the following criteria.
+
+          The **source** Health Plan is the Health Plan the member would like to get data from, and the **etarget**
+          Health Plan is the Health PLan the member would like to share data to.
+
+          1. **Client Authorization Credentials**
+              The Health IT Module issues the target Health Plan OAuth 2.0 client application credentials during client registration.
+
+          1. **Member Consent Flow**
+              After the member authenticates to the Health IT Module's authorization server, the system presents an Authorization
+              screen enabling the member to approve sharing with the target Health Plan.
+
+              The Authorization process aligns with applicable privacy policy and regulations, allowing members to
+              select what data may be shared.
+
+          4. **Token Issuance**
+              Upon successful authorization, the Health IT Module issues an Access Token to the target Health Plan.
+              The scopes associated with the Access Token are limited to the information and permissions authorized by the member.
+
+          6. **Refresh Token Handling**:
+              Any Access Token subsequently issued by the Health IT Module using a Refresh Token enforces the same scope and member-specific
+              restrictions as the original authorization.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/mtls.rb

@@ -0,0 +1,61 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PDexPayerToPayerMemberMatchTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Supports mTLS for secure $member-match payer-to-payer exchange'
+
+    description <<~DESCRIPTION
+      The Health IT Module attests that the system supports secure payer-to-payer exchange for $member-match as follows:
+
+      The **source** Health Plan is the Health Plan the member would like to get data from, and the **etarget**
+      Health Plan is the Health Plan the member would like to share data to.
+
+      1. **Secure mTLS Connection** — Establishes a mutual TLS (mTLS) connection with the target Health Plan.
+
+      2. **Client Registration** — Supports OAuth 2.0 Dynamic Client Registration for the target Health Plan over the mTLS-secured connection.
+
+      3. **Token Acquisition** — Accepts a Client Credentials grant request by the target Health Plan over mTLS to issue an OAuth 2.0 access
+      token for the $member-match operation.
+
+      4. **Scoped Access Token for Matched Patient** — If a Patient ID is matched, returns an OAuth 2.0 access token to the target Health Plan
+      that is scoped to that member to enable further data exchange.
+    DESCRIPTION
+
+    id :pdex_payer_to_payer_mtls
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@31',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@32',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@33',
+                          'hl7.fhir.us.davinci-pdex_2.0.0@34'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          I attest that the Health IT Module supports secure payer-to-payer exchange for $member-match as follows:
+
+          The **source** Health Plan is the Health Plan the member would like to get data from, and the **etarget**
+          Health Plan is the Health Plan the member would like to share data to.
+
+          1. **Secure mTLS Connection** — Establishes a mutual TLS (mTLS) connection with the target Health Plan.
+
+          2. **Client Registration** — Supports OAuth 2.0 Dynamic Client Registration for the target Health Plan over the mTLS-secured connection.
+
+          3. **Token Acquisition** — Accepts a Client Credentials grant request by the target Health Plan over mTLS to issue an OAuth 2.0 access
+          token for the $member-match operation.
+
+          4. **Scoped Access Token for Matched Patient** — If a Patient ID is matched, returns an OAuth 2.0 access token to the target Health Plan
+          that is scoped to that member to enable further data exchange.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** these requirements.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** these requirements.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/payer_consent_compliance.rb

@@ -0,0 +1,33 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PayerConsentComplianceTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Constrains response based on access permissions'
+
+    description <<~DESCRIPTION
+      The Health IT Module constrains the data returned from the server to a requester based upon the access permissions of the requester.
+    DESCRIPTION
+
+    id :pdex_payer_consent_compliance_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@45'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module constrains the data returned from the server to a requester
+          based upon the access permissions of the requester.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end

data/lib/davinci_pdex_test_kit/pdex_payer_server/visual_inspection_and_attestation/prior_authorization_decisions.rb

@@ -0,0 +1,35 @@
+require_relative '../urls'
+
+module DaVinciPDexTestKit
+  class PriorAuthorizationDecisionsTest < Inferno::Test
+    include PDexPayerServer::URLs
+
+    title 'Makes available pending and active prior authorization decisions'
+
+    description <<~DESCRIPTION
+      The Health IT Module makes available pending and active prior authorization decisions and related clinical documentation and forms for items and services.
+    DESCRIPTION
+
+    id :pdex_prior_authorization_decisions_test
+
+    verifies_requirements 'hl7.fhir.us.davinci-pdex_2.0.0@56'
+
+    run do
+      identifier = SecureRandom.hex(32)
+
+      wait(
+        identifier:,
+        message: <<~MESSAGE
+          The developer of the Health IT Module attests that the Health IT Module makes available pending and active prior authorization decisions
+          and related clinical documentation and forms for items and services, not including prescription drugs, including the date the prior authorization was approved,
+          the date the authorization ends, as well as the units and services approved and those used to date, no later than one (1) business day after a provider initiates
+          a prior authorization for the beneficiary or there is a change of status for the prior authorization.
+
+          [Click here](#{resume_pass_url}?token=#{identifier}) if the system **meets** this requirement.
+
+          [Click here](#{resume_fail_url}?token=#{identifier}) if the system **does not meet** this requirement.
+        MESSAGE
+      )
+    end
+  end
+end