[Openid-specs-heart] Alice's health resource set

Adrian Gropper agropper at healthurl.com
Tue Aug 2 20:56:43 UTC 2016


Of course I wasn't saying the AS is a proxy. That's the difference between
patient-directed exchange and patient-mediated exchange. A proxy, like a
PHR, would be patient-mediated exchange. Proxied or patient-mediated
exchange hardly benefits from UMA at all.

Correct about Client-RS. That's why I said that the RS always has the final
word regardless of what any AS says. If the RS decides to raise or lower
the bar for a particular client, they always could do that before UMA and
they still can after UMA.

I don't have a link to AS-first flow. It's up to UMA and HEART to recognize
that this is a very common case and deal with it either in UMA or in HEART.
The case is common because:
- When Alice has a relationship with Bob, then Bob has a patient portal and
Alice can register Bob to her AS.
- When Alice has a choice of RLS opt-in, Alice has to provide an identity.
That identity can be linked to her AS as we talked about in the other thread.

Either way, there's no reason for Bob to go to the RS first because he'd be
guessing that any particular RS has resources about Alice. That's a waste
of time and resources.

Adrian

On Tue, Aug 2, 2016 at 2:16 PM, Debbie Bucci <debbucci at gmail.com> wrote:

> Lost me again Adrian -
>
>
> We should also not ignore the Client-to-AS first flow. This is the
> preferred flow from a privacy engineering perspective. (see other thread
> with Justin). In the majority of cases of HIE, the Client has a
> relationship with Alice already (this is typical of HIPAA TPO consent) or
> the Client has found Alice via a "Relationship Locator Service" which is a
> directory operated by the state or some private entity like CommonWell.
> When the Client matches with Alice in the RLS, does the RLS return a list
> of RSs or a pointer to Alice's AS?
>
> The most privacy-preserving thing would be for RLSs to return pointers to
> Alice's AS and in the future this is what Alice might insist on if she is
> still given a choice to opt-in or opt-out of HIE. Alice does have that
> choice today in the US. In other countries, not so much.
>
>
> Are you suggesting the AS is some sort of proxy for all data - I don't
> think you were saying that. At some point the Client would need a
> relationship with the RS as well - correct? Is the Client to AS flow a
> separate spec? Would you please provide the link? Looking at UMA 1.01 -
> client needs a permission ticket first - that is generated from AS - to RS
> to client (?)



-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/