Standardized-api-patient-and-population-services" Throttling

Spec Of the Topic
https://www.healthit.gov/test-method/standardized-api-patient-and-population-services

While the specification talks about access to the API.

There isn’t any requirements I can find around access rates requirements

What would be a reasonable throttle limit to keep costs down…

How do we block denial of service app[apps that call the FHIR lots of time per day], especially when lots of patients start using it?