[Openid-specs-heart] Draft minutes of HEART WG telecon 2015-01-12

Eve Maler eve.maler at forgerock.com
Mon Jan 12 22:37:49 UTC 2015


John Bradley convened the meeting.

He presented the Note Well language. The purpose is to protect against
encumbered work product.

John himself is in observer mode and will only help with procedural issues
because his contribution agreement doesn’t yet cover this WG.

The group reviewed the provisional agenda:

   - Introduction to OIDF
   - Roll call
   - Review and adoption of charter (moved up from the original plan)
   - Election of co-chairs
   - Introductory comments to HEART
   - Logistics
   - Timeline
   - AOB


Introduction to OIDF: John B, in his treasurer role, invited people to join
OIDF.

Roll call: Debbie as convener conducted roll against a spreadsheet
constructed by John B.

Present:

   - Allen Byerly
   - Warren Kolber
   - Catherine Schulten
   - Adrian Gropper
   - Deborah Bucci
   - Nat Sakimura
   - Eve Maler

Absent:

   - Majeed Almadan
   - Vladimir Dzhuvinov
   - Michael Varley
   - Mike Jones
   - Don Thibeau

Quorum was reached.

Process question: Are those with agreements for other groups able to
participate in this group without taking special action? No, they must fill
out contribution forms for their own protection.

*MOTION:* Accept Debbie Bucci and Eve Maler as co-chairs of the WG. *PASSED*
by unanimous consent.

Debbie in her new role as co-chair thanked everyone for their support of
the effort. Conversations with MIT, data aggregators, health app creators,
HIEs, and FHIR contributors have been productive, and the federal advisory
committees’ recognition of the importance of OAuth and related technologies
has been helpful.

Eve reviewed the charter (http://openid.net/wg/heart/charter/).

Question about method of work: What is the canonical place for discussion:
email list vs. telecon vs. other? The IETF uses the email list because it
provides a written record. Recording calls is an option, but that’s not
particularly accessible. Some other OIDF groups use a hybrid approach.
Sufficient controversy to create an issue around this has been rare; the
process seeks consensus. Formal voting is the most accurate method in the
OIDF case.

Initial contributions: The Mitre Corporation contributed draft profiles
(http://secure-restful-interface-profile.github.io/pages/). To see the
“HEART Venn” referred to by Debbie, see these IIW XIX session notes:

http://iiw.idcommons.net/Health_–_Relationship_–_Turst:_Come_hare_about_the_new_HEART_WG_at_Open_ID_Foundation

*MOTION:* Moved by Eve, seconded by Adrian: Accept WG charter. *PASSED* by
unanimous consent.

First work effort: use cases. Ground rules: identify real-life use cases,
implementable in the next couple of years. Separate general profiles that
are reusable/layered outside of healthcare and identify special needs, such
as FHIR. Be iterative.

Justin posted links to the profiles, surrounding documentation, and pilot
results to the HEART list. The use case involved a patient, a veteran named
Steve, logging in to a portal for his doctor, Dr. Pat Feelgood, using his
own externally hosted personal digital identity. In that pilot, his
identity was bound to a particular medical record, and they left that not
fully profiled. He’d like to tackle that in HEART. He can use that identity
to authorize data access to an app that he trusts. This involves OAuth and
OIDC. The veteran is able to reuse his existing identity in a flexible and
user-focused way.

The next thing they wanted to show is how to use this across three
different security domains. Steve, on vacation, is in an accident and is in
an ER not affiliated with his PCP. So the ER has to pull his VA record. He
has to log in using OIDC and his personal digital identity into a
VA-controlled authorization server, and approve access to the ER using
OAuth. This is an intersection of three distinct security domains to allow
access to medical records that are under end user Steve’s control. Dr.
Feelgood also needs to log in to the ER directly to get records left for
her there. There’s a “hole” left for how to manage this.

All three legs of the provider-provider-patient triangle are important, and
need to use the same protocols and security mechanisms.

This is all an extension of the RHex protocol developed some years ago,
where they considered both provider-provider and patient-provider
requirements.

If someone is in a car accident, and they’re alert and awake but they’re
not in a part of town where their medical records are kept, what are the
consequences? Justin recommends focusing on “alert patient” scenarios vs.
“break-the-glass” scenarios so that we don’t go down unconscious-in-the-ER
ratholes, which are like the “Godwin’s law” of health IT use cases. Eve
does want to include use cases that include asynchronous consent, but
understands the tendency Justin describes. Debbie agrees that delegation is
an important element of what we want to solve.

Right now we’re discovering relevant use cases, and maybe we’re not solving
them all.

*NOTE:* We’re not meeting next Monday because it’s a holiday for many of
us. We will meet next on *Monday, January 26*.


*Eve Maler* ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
Join our ForgeRock.org OpenUMA <http://forgerock.org/openuma/> community!