[Openid-specs-heart] Draft HEART Meeting Notes 2016-02-15
sarah at engageidentity.com
Mon Feb 15 22:29:53 UTC 2016
Danny van Leeuwen
The security profile vote has passed. Let’s move on to Glen’s use case.
Does the IRB have to do with patient consent?
The IRB does require consent depending on the nature of the studies. How do
you handle the core case, withholding from the EHR data that could be
identified that resides in the CDRN.
One of the things I’ve been focused on is instead of deidentified data sent
to an enclave, there is a push for some of it to have the query cached and
add new participants or take away. There are other models that could
respect a revocation of consent.
I think that might be of interest.
Can we recap? The patient is the resource owner? The AS is run by the IRB?
The idea is we are trying to figure out what UMA has to do if the
researcher doesn’t have a patient in mind in order to get deidentified data.
The researcher would not have a patient in mind. The patient is known to the
IRB, but the actual request for data would be anonymous.
I have lost the picture of why this is UMA at all. If the patient is not a
resource owner, then somebody else, the CDRN or someone else, is a resource
We’re at step n in philosophy. The CDRN is the requesting party. So the
resource owner is the patient and the data is about the patient.
Isn’t that OAuth?
No. The requesting party is a legal party. OAuth doesn’t have a concept of
OAuth does have a concept of a legal party.
There is sharing going on between two parties.
Why isn’t the CDRN running the authorization server?
It’s the requesting party. It’s separable. The requesting party probably
shouldn’t run the AS. One of the things that should be possible to
configure is purpose of use limitations.
So should we have the patient set the policy on the AS, rather than the IRB?
We could set standard claims that derive from IRB semantics.
The patient is developing a relationship between themselves and the CDRN.
The IRB sounds to me like a trust framework.
What I’m hearing is that the CDRN is the resource server. It’s operating a
directory service because it has to fulfill an anonymizing service. The
requesting party is the researcher.
No, you’ve got that wrong. The CDRN is the requesting party and the EHR is
the resource server.
The CDRN could also use UMA. There could be a chained use case.
The research client has an OAuth relationship with the CDRN. For the
purposes of a researcher accessing the CDRN, it’s a simple OAuth resource
Should we tackle the simpler case of a directory as a resource?
That has nothing to do with this use case?
Who owns the authorization service? If it were PCORNet, a researcher could
request data. Where does the authorization server live?
The IRB selects the AS.
I sent an email with some questions that might re-align the swimlane
I would like to point out that the scale problems pointed out earlier were
about scalability of the process, not the technology.
What the UK did was standardize the enrollment process.
So it was a single domain, so it didn’t have to scale.
So I could have an IRB that asks for one patient or thousands of patients.
It could be aggregated. I don’t think the IRB is presented to the patient.
The researchers recruit the physicians and have them ask the patients to
join the study.
Would it be fair to say that the patient’s IRB form is in fact the patient
setting the policy on their AS?
I’m still completely lost. Does the EHR provide anonymized data or
If the EHR is given the burden of anonymizing the data before it is sent,
that’s probably technologically easier than the CDRN doing it.
I’m completely lost. I think we should think in terms of securing a
directory for anonymization purposes.
Maybe you should write that use case.
Is this a use case that could be implemented today?
It is, except that how does a patient revoke consent?
There’s room to do an analysis paper about all the ways revocation can be
So the IRB selects the AS, then that’s PCORNet? Who is managing those
authorizations? Who manages the IRB? Where are these boards?
That’s a policy matter. It’s outside the scope of this use case. The IRB is
managed by the institution that’s sponsoring the research.
So the CDRN has a relationship with that institution?
Why isn’t the resource owner able to revoke a token?
Revocation could be a lot of things. You might not want to specify it at a
policy or UX level.
We need to anonymize at the EHR so that we can keep discrete records that
UMA can handle as resources and possibly revoke.
We can still have discrete anonymized records.
We are talking about a patient-centered UMA transaction. The AS is a
patient level AS, and there’s a directory that handles the anonymization
We are merging the anonymization service for the purpose of simplicity.
Where does the patient’s AS come in?
It doesn’t. The IRB’s AS is the only AS relevant to this use case.
The patient-centered aspect comes into play with the ability to revoke
access and the ability for notification of use.
Let’s wrap this up, but we can pick it up again next week. Can we clear up
There’s a closed FHIR/Argonauts meetup on Monday. There is an informal
HEART meetup Tuesday at 5pm.
Okay, so we’ll cancel the call on the 29th, and we’ll pick up the use case
discussion next week.