How does NIST handle EMR integrations with non-EMRs in this scenario?

old.reddit.com / @/u/ConfusedGoober, https://old.reddit.com/user/ConfusedGoober

Was pointed to this sub, so here goes.

One of my major (health field) customers wants me to create an integration service between their EMR system and my 'SOC 2 attested' application (not an EMR).

Currently, for my application, we have 'strict policies' in place that only allow a doctor to access the patients he is supposed to. This patient information can be PII/PHI and is NOT sourced from another party. All the information in the application is entered by doctors as required, and can be accessed by the doctor and the specialists that have been assigned to that patient.

This integration will basically allow doctors that use my application to request PII/PHI information from the EMR. This information request will be sent via the application's SID/token, as they do not have a 'client level authentication' method for application integrations at the moment.

Moreover, the doctors that use this integration can see ALL patients that are in the EMR. No access control is present in the EMR, and we cannot enforce EMR restrictions at our application level.

I am very concerned about this particular workflow; however, my sales and privacy teams keep telling me that it is not a cause for concern, as it is common practice across the field. As long as the customer wants something, we should provide it. Any breach of info would be on the customer, as they want us to implement this.

My concerns/queries:

  1. Won't the entire set of 'strict policies' that we have for our application be void with this integration? I mean, the doctor can search and go through any patient's information in the EMR through my application, overriding the policies we have enforced. Wouldn't it just be simpler for the doctor to open the EMR application in another browser tab?
  2. Will my SOC 2 attestation still be valid after the integration?
  3. The customer keeps verbally telling me that they accept 'full responsibility' for the data disclosure with this workflow; however, they aren't providing this in writing.
  4. Patients may be US citizens, Canadian citizens, and EU citizens residing in NA. Would this implementation breach HIPAA, PIPEDA, or GDPR?
  5. Wouldn't a breach of information in the EMR that originated from my application mean that my application would be liable? I don't understand my sales and privacy teams' reasoning regarding this aspect.
submitted by /u/ConfusedGoober

published 11 months ago
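The shape the post describes in its first concern (every doctor's request leaves the application carrying one shared application token, and the EMR applies no per-user access control) is a confused-deputy problem: whatever the EMR trusts the application's token to do, every logged-in doctor can do. The example below is an added illustration and not the poster's code. It assumes the application already knows which patients each doctor is assigned to (as the post says it does) and shows the one check that is available on the application side: re-applying that assignment policy, for both record fetches and searches, before the shared token is used, with an audit record naming the doctor on every decision. The EMR client, the token, the doctor and patient IDs and the records are all constructed stand-ins.

```python
"""Added example (not the poster's code): an EMR integration that forwards
requests with one shared application token is a confused deputy unless the
application re-applies its own patient-assignment policy before forwarding.
Every identifier, record and the EMR client below is a constructed stand-in."""
import logging
from typing import Dict, List, Set

logging.basicConfig(level=logging.INFO, format="%(name)s %(levelname)s %(message)s")
AUDIT = logging.getLogger("emr.audit")

# Constructed sample of the application's existing policy:
# doctor -> patients that doctor (or an assigned specialist) may see.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "dr_alice": {"P100", "P101"},
    "dr_bob": {"P200"},
}

# Constructed EMR side: it checks only the shared application token and, as the
# post describes, applies no per-doctor access control of its own.
APP_TOKEN = "app-service-token"  # assumed shared credential (SID/token)
EMR_RECORDS: Dict[str, dict] = {
    "P100": {"name": "Patient 100", "dx": "..."},
    "P101": {"name": "Patient 101", "dx": "..."},
    "P200": {"name": "Patient 200", "dx": "..."},
}


class EmrClient:
    """Stand-in for the EMR API: one token, every record, no idea who is asking."""

    def fetch(self, token: str, patient_id: str) -> dict:
        if token != APP_TOKEN:
            raise PermissionError("bad application token")
        return EMR_RECORDS[patient_id]

    def search(self, token: str, query: str) -> List[str]:
        if token != APP_TOKEN:
            raise PermissionError("bad application token")
        return [pid for pid, rec in EMR_RECORDS.items()
                if query.lower() in rec["name"].lower()]


class AccessDenied(Exception):
    pass


def policy_allows(doctor: str, patient_id: str,
                  assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> bool:
    """The application's own rule: a doctor sees only assigned patients."""
    return patient_id in assignments.get(doctor, set())


def fetch_unchecked(doctor: str, patient_id: str, emr: EmrClient) -> dict:
    """The workflow as requested: any doctor who can log in reaches any record,
    and the EMR's audit trail only ever shows the application, not the doctor."""
    return emr.fetch(APP_TOKEN, patient_id)


def fetch_with_policy(doctor: str, patient_id: str, emr: EmrClient,
                      assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> dict:
    """Apply the assignment policy before the shared token is used, and write an
    audit record either way so a later disclosure can be traced to a user."""
    if not policy_allows(doctor, patient_id, assignments):
        AUDIT.warning("DENY doctor=%s patient=%s", doctor, patient_id)
        raise AccessDenied(f"{doctor} is not assigned to {patient_id}")
    AUDIT.info("ALLOW doctor=%s patient=%s", doctor, patient_id)
    return emr.fetch(APP_TOKEN, patient_id)


def search_with_policy(doctor: str, query: str, emr: EmrClient,
                       assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> List[str]:
    """Search results are filtered too; otherwise the doctor can still enumerate
    the whole EMR even if individual fetches are gated."""
    return [pid for pid in emr.search(APP_TOKEN, query)
            if policy_allows(doctor, pid, assignments)]


if __name__ == "__main__":
    emr = EmrClient()
    print(fetch_unchecked("dr_bob", "P100", emr))        # bypasses the app's policy
    print(search_with_policy("dr_bob", "patient", emr))  # ['P200']
    try:
        fetch_with_policy("dr_bob", "P100", emr)
    except AccessDenied as e:
        print("denied:", e)
```

This does not make the EMR itself enforce anything (the post is right that the application cannot do that); it only stops the application from being the path around its own policy, and it produces a per-doctor audit trail that the EMR's single-token view cannot.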