[Openid-specs-heart] Draft HEART Meeting Notes 2015-09-14

Sarah Squire sarah at engageidentity.com
Mon Sep 14 21:50:31 UTC 2015


Attending:

Debbie Bucci

Danny van Leeuwen

Sarah Squire

Thompson Boyd

Dale Moberg

Glen Marshall

Jin Wen

Justin Richer

Tom Sullivan

Adrian Gropper

Edmund Jay

Brandon Smith

Jeremy Maxwell

Elderly mom use case:

We talked about the Discussion section of the Elderly mom use case (
https://docs.google.com/document/d/1V3e_fDH63fNDsV-WOGKcyg0ebuW165DOpjY_RcuMk4U/edit#
)

HEART wants to have healthcare-specific and generic UMA and OAuth scopes.

The UMA legal subgroup is trying to figure out exactly how to minimize the
resource server’s liability for introducing new technology. This use case
is one example of how to do that from a business standpoint.

PCORI: (
https://drive.google.com/file/d/0BxZEh73RDPxdZFIxczBBTmlrVUZjekVlLUNaQ0h4bHh2N3Fn/view
)

They are setting up a pattern for clinical information called PCORnet.
There are online information sessions coming up.

It starts with data sources - EHRs, PHR - these are abstracted into “data
marts” and aggregated. IRBs can impose policy and data access restrictions
on the researcher. So there are two sources of information constraint -
informed consent of the patient, and IRB restrictions.

PCORnet has not standardized authorization, but it is of interest to them.
Glen thinks that what HEART is doing will strongly inform what they end up
doing.

PCORI is research. PCORnet is a federal way to bring resources together.

A research query posed through PCORnet could flow to multiple CDRNs at the
same time.

Has there been a consideration of notification when patient data is used?
No, it hasn’t been done consistently, but that concern is addressed in the
use case.

If someone violates trust in an agreement, is there recourse? That’s out of
scope. It’s a policy question. They are working on capturing policy issues
and new technology standards.

Danny van Leeuwen co-chairs PCORI’s Communication and Dissemination
Advisory Council. They meet in a couple of weeks, and he would like to know
how he can be of assistance to link these two PCORI initiatives.

Glen’s Use Case: (
https://drive.google.com/file/d/0BxZEh73RDPxdMW9EMDRqcV92RGJpb2ZaMjdQTzJlNHNXTmJF/view
)

Alice is a stage-4 cancer patient. She sets up a two-way EHR-PHR exchange.
She’s added her son as a proxy. She has to submit a biopsy sample for
biotyping and current and future research. Clinical researchers will have
access to all of her medical record and EHR data. She can see what data
they are going to be getting and what they’re going to do to keep it
private; she shares it with her son. She electronically consents.

Alice is aware of the story of Henrietta Lacks, so she wants to preserve
her right and that of her heirs to track the use of her data and revoke
consent.

How many consents is she signing? She’s signing one consent. There is an
assumption that there’s a common access server or servers that contain
these restrictions. The restrictions are placed on the CDRNs and the
researcher.

Every access of Alice’s data is sent as a notification to her PHR.

Alice’s son notices that her data is being used in a valuable clinical
trial. He considers withdrawing consent unless compensation is provided.
Thus, he modifies the original consent on behalf of her estate.

Alice knew she was in a clinical trial - did she give consent to have data
used after her death? Did she give permission for a pseudonym? We’ll make a
note and think about that.

What does this have to do with FHIR? FHIR is the interface between the data
sources and the CDRNs. We don’t expect it to interface with researchers.

Tom Sullivan is active in the HIMSS task force on anonymity, and he would
love to help.

Sarah Squire
Engage Identity
http://engageidentity.com