HTI-1 increased specificity on maximum time allowed for application access to be revoked after patient request

[arscan]

ONC has updated their requirement for token revocation to state that the revocation must be complete within one hour of the patient request. See rule. This goes into effect March 11.

(vi) Patient authorization revocation.
A Health IT Module's authorization server must be able to revoke and must revoke an authorized application's
access at a patient's direction within 1 hour of the request.

In the Inferno (g)(10) Standardized API test kit, token revocation testing effectively occurs in 3 places:

1. The HealthIT developer demonstrates issuing a bearer token and refresh token in test 1 Standalone Patient Launch
2. The HealthIT developer demonstrates a patient revoking access to these tokens and attests that this occurs in 9.3.01 via a Yes/No question
3. Inferno checks that the bearer token no longer can access patient data (in 9.3.02), and the refresh token can no longer be used to receive a new bearer token (in 9.3.03).

Language in 9.3.01 needs to updated to include a maximum time between demonstrating the tokens being revoked and executing 9.3.02 and 9.3.03.