[Openid-specs-heart] HEART Stepping stones - Consent Use case

Debbie Bucci debbucci at gmail.com
Sat May 2 17:45:39 UTC 2015


Picking this back up again but removed the background leading to this and
starting a different thread. Bill says keep it simple but it's complex!
He has 2 scenarios but I focused on the most difficult - I have posted
the original text to Bill's question on the wiki:

http://hg.openid.net/heart/wiki/PCP_First_Appointment


Questions:

Client one: If Alice has chosen a cloud based PHR that already has an
established trust:

*Please clarify what you mean by established trust:*

*1. Trust between patient portal and cloud-based PHR: the patient
portal has established an FHIR API server, is accepting client applications,
and the client PHR has been registered with the Patient Portal?*

*2. The cloud PHR has established a base identity
proofing/authentication level of trust?*

*3. Both*

What are the credentialing requirements to create Alice's account?

*1. Patient Portal*

*2. Cloud PHR*

*3. Both*

Note that ONC's Ten Year Interop Roadmap refers to NIST SP 800-63-2 and
OMB M-040-04 and is implying level 2 or 3 levels of assurance (LOA). (see
p. 59)


*LOA2 is a single factor – that's out. The HITPC committee recommended more
than username and password for patient portals – that implies
multifactor. Transactions will be more secure, but what is the level of
identity proofing needed – no real guidance issued for patients that I am
aware of. There is the notion that the patient is known to the practice –
but at this point it's an initial visit – not the case.*



Are there two or three consent profiles?

One for Alice's PHR defining what to share with the Practice?

One for the Practice defining what is to be shared with Alice's PHR?
One for Alice at the Practice portal defining what the Portal (or
Practice?) is to be shared?

*1. Are there consent preferences stored/shared on the patient's
trusted UMA service?*

*2. Is there a Consent Directives Management Service trusted by the UMA
service?*

*3. Is there a CDMS maintained by the provider?*

*4. Does the PHR maintain its own CDMS?*



How is the initial implied consent for TPO electronically presented, stored
and accessed?

*Generate a consent receipt reminding the patient they agreed*



*I wonder if this is the ruckus I've heard re: check the box for consent ...*


How is this consent profile used by the practice's internal HIT systems?
(if at all)

*Which profile?*