[Openid-specs-heart] Dissecting the Release of information form

Sarah Squire sarah at engageidentity.com
Tue Jul 19 10:56:42 UTC 2016


Hi all,

This is the use case that Eve has been hashing out on the call for a few
weeks now:
https://bitbucket.org/openid/heart/wiki/Alice_Shares_with_Physicians_and_Others_UMA_FHIR

Is there anything specifically added by the NYP form that has not already
been covered?

Sarah

Sarah Squire
Engage Identity
http://engageidentity.com

On Tue, Jul 19, 2016 at 5:43 AM, Adrian Gropper <agropper at healthurl.com>
wrote:

> Debbie,
>
> In case it's not on the HEART servers, I've put a copy of the NYP
> Authorization Form here:
> https://dl.dropboxusercontent.com/u/8909568/NYP%20authorization.pdf
>
> Mapping the NYP Authorization Form to actual UMA protocol is way above my
> pay grade. Here's as far as I get (inline):
>
> In the case of Alice authorizing Dr. Bob:
>
>>    - Alice is the Resource Owner *[Yes. Notice that we have to handle
>>    the case where Alice has a Representative sign for her as at the bottom of
>>    the form]*
>>    - The requested resource set - is the protected resource. *[Someone
>>    else needs to propose the mapping to standards]*
>>    - The resource set would need to have a date range.
>>       - Form indicates that release of sensitive information is
>>       explicitly OPT-IN so a confidentiality code of V (very sensitive) would not
>>       release HIV-AIDS/Mental Health/Genetics/Substance Abuse unless explicitly
>>       asked for (as a scope?).
>>    - Can the Authorization server sign the RPT(ROI) on behalf of Alice?
>>    *[Yes. That's the whole point of UMA and HEART as far as I can tell.]*
>>    - Probably good hygiene to recommend that claims re: Bob's medical
>>    affiliation be recorded as part of the audit or consent receipt if unable
>>    to include as part of RPT process. *[Maybe but it seems peripheral.]*
>
> It's important to note that this form is labeled by NYP as an
> "authorization" and represents UMA Phase 2 where Dr. Bob is on the scene.
> Whoever proposes a mapping to standards needs to also deal with UMA Phase 1
> where Alice or her representative tells NYP the address of her UMA
> Authorization Server. This happens before Bob is on the scene and is what I
> would call "consent".
>
> For the purpose of HEART, could we call UMA Phase 1 consent and UMA Phase
> 2 authorization?
>
> Adrian