[Openid-specs-heart] Dissecting the Release of information form

Sarah Squire sarah at engageidentity.com
Tue Jul 19 11:24:52 UTC 2016


I definitely agree on auditing. Can you elaborate a little on what you're
thinking in terms of defining a resource set? I imagine that the
"clipboard" resource set would vary quite a bit based on the provider and
their specialty. Are you suggesting that we attempt to define a universal
set of fields that everyone would need as a baseline? Or are you thinking
that we should just acknowledge the existence of something called a
clipboard resource set, and let implementors decide for themselves what
that means?

I agree that RPT is essentially an authorization for release.

Sarah

Sarah Squire
Engage Identity
http://engageidentity.com

On Tue, Jul 19, 2016 at 1:10 PM, Debbie Bucci <debbucci at gmail.com> wrote:

> Well... when thinking about the virtual clipboard vs real world .. I am
> usually presented with at least 3 or 4 documents ... the laundry list info
> insurance meds allergies etc. Consent for treatment, Privacy Notice and if
> referred with no info in hand the release of information.
>
> Seems to me that rpt is essentially an authorization for release.
>
> Adrian asked that we consider roi as part of the discussion....I think he
> may be right.
>
> Eve's doc was broad and I thought the next step was to drill down to
> specifics.  If we have agreed a virtual clipboard resource set makes sense
> that needs to be added.
>
> Specifically from the ROI - John Moerke mentioned date range of treatment
> - that's one and this form opts in  sensitive info.... so I think ... the
> CFR 42 part 2 stuff ( +genomics) may need a specific scope for
> authorization to release.
>
> Auditing needs to peripherally be considered as well imo
> On Jul 19, 2016 6:56 AM, "Sarah Squire" <sarah at engageidentity.com> wrote:
>
>> Hi all,
>>
>> This is the use case that Eve has been hashing out on the call for a few
>> weeks now:
>> https://bitbucket.org/openid/heart/wiki/Alice_Shares_with_Physicians_and_Others_UMA_FHIR
>>
>> Is there anything specifically added by the NYP form that has not already
>> been covered?
>>
>> Sarah
>>
>> Sarah Squire
>> Engage Identity
>> http://engageidentity.com
>>
>> On Tue, Jul 19, 2016 at 5:43 AM, Adrian Gropper <agropper at healthurl.com>
>> wrote:
>>
>>> Debbie,
>>>
>>> In case it's not on the HEART servers, I've put a copy of the NYP
>>> Authorization Form here:
>>> https://dl.dropboxusercontent.com/u/8909568/NYP%20authorization.pdf
>>>
>>> Mapping the NYP Authorization Form to actual UMA protocol is way above
>>> my pay grade. Here's as far as I get (inline):
>>>
>>> In the case of Alice authorizing Dr. Bob:
>>>
>>>>
>>>>    - Alice is the Resource Owner *[Yes. Notice that we have to handle
>>>>    the case where Alice has a Representative sign for her as at the bottom of
>>>>    the form]*
>>>>
>>>>
>>>>    - The requested resource set  - is the protected resource. *[Someone
>>>>    else needs to propose the mapping to standards]*
>>>>    - The resource set would need to have date range.
>>>>       - Form indicates that release of sensitive information is
>>>>       explicitly OPT-IN so a confidentiality code of V (very sensitive) would not
>>>>       release HIV-AIDS/Mental Health/Genetics/Substance Abuse unless explicitly
>>>>       asked for (as a scope?).
>>>>    - Can the Authorization server sign the RPT(ROI) on behalf of Alice?*
>>>>    [Yes. That's the whole point of UMA and HEART as far as I can tell.]*
>>>>    - Probably good hygiene to recommend that claims re: Bob's medical
>>>>    affiliation be recorded as part of the audit or consent receipt if unable
>>>>    to include as part of RPT process. *[Maybe but it seems
>>>>    peripheral.]*
>>>
>>> It's important to note that this form is labeled by NYP as an
>>> "authorization" and represents UMA Phase 2 where Dr. Bob is on the scene.
>>> Whoever proposes a mapping to standards needs to also deal with UMA Phase 1
>>> where Alice or her representative tells NYP the address of her UMA
>>> Authorization Server. This happens before Bob is on the scene and is what I
>>> would call "consent".
>>>
>>> For the purpose of HEART, could we call UMA Phase 1 consent and UMA
>>> Phase 2 authorization?
>>>
>>> Adrian
>>>
>>>
>>> _______________________________________________
>>> Openid-specs-heart mailing list
>>> Openid-specs-heart at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>>>
>>>
>>