[Openid-specs-heart] HEART Stepping stones - Consent Use case

Kinsley, William BKinsley at nextgen.com
Fri May 8 00:02:54 UTC 2015


Debbie, (and group)

In the attached word document, I hopefully clarified this use case and answered your questions. Again, the point is to create the discussion of these very issues you bring up.

Questions:
#1: "Trust between patient portal and cloud based PHR?" I am simplifying this by removing the dynamic discovery process. See the attached documents.
#2: "The cloud PHR has established a base identity proofing/authentication level of trust?" Since the PHR is not a HIPAA covered entity (like most personal HIT devices and services), the PHR is using common internet credentialing (e-mail or SMS codes). Two points here:

1)   There are no regulations requiring the PHR to use any credentialing standard such as NIST, and there are different credentialing processes being used. (Do not be mistaken, this is not what I am advocating, it "just is".)

2)   Each system is offering different levels of authentication controls.


Again, this is a simple real world use case; but it has a lot of moving parts.

Bill


From: Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net] On Behalf Of Debbie Bucci
Sent: Saturday, May 02, 2015 1:46 PM
To: openid-specs-heart at lists.openid.net
Subject: [Openid-specs-heart] HEART Stepping stones - Consent Use case

Picking this back up again but removed the background leading to this and starting a different thread. Bill says keep it simple but it's complex! He has 2 scenarios but I focused on the most difficult. I have posted the original text to Bill's question on the wiki:

http://hg.openid.net/heart/wiki/PCP_First_Appointment

Questions:
Client one: If Alice has chosen a cloud based PHR that already has an established trust:
Please clarify what you mean by established trust:
1.     Trust between patient portal and cloud based PHR: the patient portal has established an FHIR API server, is accepting client applications, and the client PHR has been registered with the Patient Portal?
2.     The cloud PHR has established a base identity proofing/authentication level of trust?
3.     Both
What are the credentialing requirements to create Alice's account?
1.     Patient Portal
2.     Cloud PHR
3.     Both
Note that ONC's Ten year interop roadmap refers to NIST SP 800-63-2 and OMB M-04-04 and is implying level 2 or 3 levels of assurance (LOA). (see p. 59)

LOA2 is a single factor – that's out. The HITPC committee recommended more than username and password for patient portals – that implies multifactor. Transactions will be more secure, but what is the level of identity proofing needed? No real guidance has been issued for patients that I am aware of. There is the notion that the patient is known to the practice – but at this point it's an initial visit, so that is not the case.


Are there two or three consent profiles?
One for Alice's PHR defining what to share with the Practice?
One for the Practice defining what is to be shared with Alice's PHR?
One for Alice at the Practice portal defining what the Portal (or Practice?) is to be shared?
1.     Are there consent preferences stored /shared on the patient’s trusted UMA service?
2.     Is there a Consent Directives Management Service trusted by the UMA service?
3.     Is there a CDMS maintained by the provider?
4.     Does the PHR maintain its own CDMS?

How is the initial implied consent for TPO electronically presented, stored and accessed?
Generate a consent receipt reminding the patient they agreed

I wonder if this is the ruckus I've heard re: check the box for consent ...

How is this consent profile used by the practice's internal HIT systems? (if at all)
Which profile?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Use Case Alice with a PHR.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 97026 bytes
Desc: Use Case Alice with a PHR.docx
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20150508/7d5199d6/attachment-0001.docx>