This is a companion discussion topic for the original entry at http://rippleosi.org/integrated-care-digital-records-maturity-model/
I’ve worked on a level 4 system in Edinburgh. Did you look at incorporating IG/access controls into the API calls?
I believe the best approach is to use a REST API (either JSON or XML) and OAuth2. Using OAuth2 would allow the API to check that the user originating/making the call has permission to view the data (a combination of patient consent, organisation consent and role-based access).
We didn’t get this far; adding a user management system was adding a bit too much to the project, but SMART looked like a way forward, or similar OAuth2 extensions.
We also tried to implement a canonical model across organisations to simplify integration.