[Openid-specs-heart] HEART Stepping stones - Consent Use case

Debbie Bucci debbucci at gmail.com
Fri May 8 00:46:44 UTC 2015


This is great!  I propose we continue the discussion on the list and if
need be follow on Monday.

Studying...
On May 7, 2015 8:02 PM, "Kinsley, William" <BKinsley at nextgen.com> wrote:

> Debbie, (and group)
>
> In the attached word document, I hopefully clarified this use case and
> answered your questions. Again, the point is to create the discussion of
> these very issues you bring up.
>
> Questions:
>
>             #1: “Trust between patient portal and cloud based PHR?” I am
> simplifying this by removing the dynamic discovery process. See the attached
> documents.
>
>             #2: “The cloud PHR has established a base identity
> proofing/authentication level of trust?” Since the PHR is not a HIPAA
> covered entity (like most personal HIT devices and services), the PHR is
> using common internet credentialing (e-mail or SMS codes). Two points here:
>
> 1)   There are no regulations requiring the PHR to use any credentialing
> standard such as NIST and there are different credentialing processes being
> used. (Do not be mistaken, this is not what I am advocating, it “just is”)
>
> 2)   Each system is offering different levels of authentication controls.
>
>
> Again, this is a simple real world use case; but it has a lot of moving
> parts.
>
> Bill
>
> *From:* Openid-specs-heart [mailto:
> openid-specs-heart-bounces at lists.openid.net] *On Behalf Of *Debbie Bucci
> *Sent:* Saturday, May 02, 2015 1:46 PM
> *To:* openid-specs-heart at lists.openid.net
> *Subject:* [Openid-specs-heart] HEART Stepping stones - Consent Use case
>
> Picking this back up again but removed the background leading to this and
> starting a different thread. Bill says keep it simple but it's complex!
> He has 2 scenarios but I focused on the most difficult - I have posted
> the original text to Bill's question on the wiki:
>
> http://hg.openid.net/heart/wiki/PCP_First_Appointment
>
>
> Questions:
>
> Client one: If Alice has chosen a cloud based PHR that already has an
> established trust:
>
> *Please clarify what you mean by established trust:*
>
> *1.*     *Trust between patient portal and cloud based PHR: the patient
> portal has established an FHIR API server, is accepting client applications
> and the client PHR has been registered with the Patient Portal?*
>
> *2.*     *The cloud PHR has established a base identity
> proofing/authentication level of trust?*
>
> *3.*     *Both*
>
> What are the credentialing requirements to create Alice's account?
>
> *1.*     *Patient Portal*
>
> *2.*     *Cloud PHR *
>
> *3.*     *Both*
>
> Note that ONC's Ten year interop roadmap refers to NIST SP 800-63-2 and
> OMB M-040-04 and is implying level 2 or 3 levels of assurance (LOA). (see
> p. 59)
>
> *LOA2 is a single factor – that’s out. The HITPC committee recommended
> more than username and password for patient portals – that implies
> multifactor. Transaction will be more secure but what is the level of
> identity proofing needed – no real guidance issued for patients that I am
> aware of. There is the notion that the patient is known to the practice –
> but at this point - it’s an initial visit – not the case.*
>
> Are there two or three consent profiles?
>
> One for Alice's PHR defining what to share with the Practice?
>
> One for the Practice defining what is to be shared with Alice's PHR?
>
> One for Alice at the Practice portal defining what the Portal (or
> Practice?) is to be shared?
>
> *1.*     *Are there consent preferences stored /shared on the patient’s
> trusted UMA service?*
>
> *2.*     *Is there a Consent Directives Management Service trusted by the
> UMA service?*
>
> *3.*     *Is there a CDMS maintained by the provider?*
>
> *4.*     *Does the PHR maintain its own CDMS?*
>
> How is the initial implied consent for TPO electronically presented,
> stored and accessed?
>
> *Generate a consent receipt reminding the patient they agreed*
>
> *I wonder if this is the ruckus I've heard re: check the box for consent
> ... *
>
>  How is this consent profile used by the practice's internal HIT systems?
> (if at all)
>
> *Which profile?*
>