[Openid-specs-heart] HEART 2015-08-05 meeting notes
Justin Richer
jricher at mit.edu
Thu Aug 6 01:21:12 UTC 2015
Thank you, Adrian, this is a great reference! I think your annotations
make sense as well, things should map pretty plainly to the OAuth
process. The tricky part (that we got a start on today) is going to be
the scopes bits and getting those right.
For an UMA flow, it's also similar, except that the "who can see it" is
a set of claims instead of the client application.
-- Justin
On 8/5/2015 9:12 PM, Adrian Gropper wrote:
> I've attached a very typical Release of Information authorization.
> I've annotated the 5 elements common to all such documents that I have
> ever seen. The stuff outside if the rectangles is more or less optional.
>
> This form covers one direction of the EHR-PHR Use Case. It is
> presented to the Custodian (the patient or their designate ) and
> approved by them by the Resource Server and pre-filled with
> information supplied by the Client, if available.
>
> In some cases, the Client information is not available at the time the
> Authorization form is signed. In that case, it will be up to the
> Authorization Server to consider the Client and User information and
> provide the authorization to the Resource Server.
>
> The Resource Server has the final say in all cases and could decide to
> ignore the authorization based on local or jurisdictional policy. This
> is outside the control of the Resource Owner and likely to be out of
> scope for HEART in all use-cases.
>
> This ROI Authorization Form is the only "consent" that I'm aware of in
> clinical IT. Patients are asked to sign other documents, including:
> Registration Form, Notice of Privacy Practices, and Treatment Consent
> but none of these has anything to do with sharing of health data
> (except for HIPAA TPO which we will not get into here.)
>
> Adrian
>
> On Wed, Aug 5, 2015 at 8:27 PM, jim kragh <kragh65 at gmail.com
> <mailto:kragh65 at gmail.com>> wrote:
>
> Thanks for sharing,... informative and constructive in reaching
> the patient end point.
>
> May all have a nice evening!
>
> On Wed, Aug 5, 2015 at 3:26 PM, Debbie Bucci <debbucci at gmail.com
> <mailto:debbucci at gmail.com>> wrote:
>
> Attendees:
> Eve Maler
> Justin Richer
> Josh Mandel
> Adrian Gropper
> Thomas Sullivan
> Debbie Bucci
>
> We have decided to delineate between mechanical and semantic
> scope docs.
>
> For the PCP <-> PHR use case:
>
> The pre determined choice token confidential token choice and
> exactly what information needs (example: PHR's authorization
> endpoint) to be shared in advance between the PCP's EHR and
> Alice's PCP was left out of the discussion for now.
>
> There is one basic mechanical Oauth generic flow that occurs
> twice in the use case.
>
> Given the group has generally agreed that the SMART
> specifications are a good place to /*start *... /for this
> particular use case the only semantic FHIR scope that is
> necessary is the patient/*.read scope that grants permission
> to read any resource for the current patient.
>
> During the registration process Alice should be able to select
> at a fine grain level which resources she is willing to share
> with the PHR. This mimic's a specific process - Adrian
> please provide. This information will be used to generate the
> access token.
>
> The one thing left at the end of the discussion is whether the
> patient record is implicit or explicitly stated. This is a
> design decision that may make a difference as we move towards
> our next use case in which delegation is a factor.
>
> Corrections/updates appreciated.
>
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> <mailto:Openid-specs-heart at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> <mailto:Openid-specs-heart at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>
>
>
>
> --
>
> Adrian Gropper MD
>
> RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: http://patientprivacyrights.org/donate-2/
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20150805/aaaf829f/attachment.html>
More information about the Openid-specs-heart
mailing list