[Openid-specs-heart] HEART Stepping stones - Consent Use case

Debbie Bucci debbucci at gmail.com
Fri May 8 02:30:38 UTC 2015 

First question

What is the function of the UMA service in the practice?  Is it an
enterprise function to help the practice manage the its authorizations
and/or supports the patient portal ?
Given Alice has chosen her PHR to be her source of truth, my current
assumption is that she would manage her authorizations at the PHR UMA
service




On Thu, May 7, 2015 at 8:02 PM, Kinsley, William <BKinsley at nextgen.com>
wrote:

>  Debbie, (and group)
>
>
>
> In the attached word document, I hopefully clarified this use case and
> answered your questions. Again, the point is to create the discussion of
> these very issues you bring up.
>
>
>
> Questions:
>
>             #1: “Trust between patient portal and cloud based PHR?” I am
> simplify this by removing the dynamic discovery process. See the attached
> documents.
>
>             #2: “The cloud PHR has established a base identity
> proofing/authentication level of trust?” Since the PHR is not a HIPAA
> covered entity (like most personal HIT devices and services), the PHR is
> using common internet  credentialing (e-mail or SMS codes). Two points here:
>
> 1)   There are no regulation requiring the PHR to use any credentialing
> standard such as NIST and there are different credentialing processes being
> used. (Do not be mistaken, this is not what I am advocating, it “just is”)
>
> 2)   Each system is offering different level of authentication controls.
>
>
>
>
>
> Again, this is a simple real world use case; but it has a lot of moving
> parts.
>
>
>
> Bill
>
>
>
>
>
> *From:* Openid-specs-heart [mailto:
> openid-specs-heart-bounces at lists.openid.net] *On Behalf Of *Debbie Bucci
> *Sent:* Saturday, May 02, 2015 1:46 PM
> *To:* openid-specs-heart at lists.openid.net
> *Subject:* [Openid-specs-heart] HEART Stepping stones - Consent Use case
>
>
>
> Picking this back up again but removed the background leading to this and
> starting a different thread.  Bill says keep it simple but it's complex!
> He has 2 scenarios but I focused on the most difficult -   I have posted
> the original text to Bill's question on the wiki:
>
> http://hg.openid.net/heart/wiki/PCP_First_Appointment
>
>
>
> Questions:
>
> Client one: If Alice has chosen a cloud based PHR that already has an
> established trust:
>
> *Please clarify what you mean by established trust:*
>
> *1.*     *Trust between patient portal and cloud based PHR:  the patient
> portal has establish an FHIR API server , is accepting client applications
> and the client PHR is has been registered with the Patient Portal?*
>
> *2.*     *The cloud PHR has established a base identity
> proofing/authentication level of trust?   *
>
> *3.*     *Both*
>
> What are the credentialing requirements to create Alice's account?
>
> *1.*     *Patient Portal*
>
> *2.*     *Cloud PHR *
>
> *3.*     *Both*
>
> Note that ONC"s Ten year interop roadmap refer's to NIST SP 800-63-2 and
> OMB M-040-04 and is implying level 2 or 3 levels of assurance (LOA). (see
> pp 59)
>
>
>
> *LOA2 is a single factor –that’s out.  The HITPC committee recommended
> more than username and password for patient portals – that implies
> multifactor.    Transaction will be more secure but what is the level of
> identity proofing needed – no real guidance issued for patients that I am
> aware of.    There is the notion that the patient is know to the practice –
> but at this point  - it’s an initial visit – not the case.*
>
>
>
>
>
> Are there two or three consent profiles?
>
> One for Alice's PHR defining what to share with the Practice?
>
> One for the Practice defining what is to be shared with Alice's PHR?
>
> One for Alice at the Practice portal defining what the Portal (or
> Practice?) is to be shared?
>
> *1.*     *Are there consent preferences stored /shared on the patient’s
> trusted UMA service? *
>
> *2.*     *Is there a Consent Directives Management Service trusted by the
> UMA service?*
>
> *3.*     *Is there a CDMS maintained by the provider*
>
> *4.*     *Does the PHR maintain it own CDMS?*
>
>
>
> How is the initial implied consent for TPO electronically presented,
> stored and accessed?
>
> *Generate a consent receipt reminding the patient they agreed   *
>
>
>
> *I wonder if this is the ruckus I've heard re: check the box for consent
> ... *
>
>
>
>  How is this consent profile used by the practice's internal HIT systems?
> (if at all)
>
> *Which profile?*
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20150507/0ec3ec07/attachment-0001.html>

More information about the Openid-specs-heart mailing list