[Openid-specs-heart] Draft HEART meeting notes 2015-05-18
Debbie Bucci
debbucci at gmail.com
Mon May 18 21:49:13 UTC 2015
Attendees 5/18:
- Deb Bucci, Thompson Boyd, Sarah Squire
- Greg Groves, Adrian Gropper, Jin Wen
- Tom Sullivan, Edmund Jay, Dustin Gage
- Justin Richer, Eric Friedman, Jeremy Maxwell
- Catherin Shulten, Sal D’Agostino, James Kraugh
Regrets:
- Bill Kinsley, Eve Maler
Stats: 99 on the list serv, 31 IPR
NO MEETING NEXT Monday.
Two take-aways from the meeting today:
- How to avoid conflation
- Delegation is in scope for the HEART WG
How to avoid conflation?
- Identity Proofing
- Identity Lookup
- Authentication
- Authorization (consent?)
- Privacy
- Security
- Policy
- Validation (id proofing) / verification (during the authentication transaction – presentation of a valid credential – verification of a driver license/bill for identity proofing)
- Notes and discussion may highlight issues that are out of scope for the working group, but it is good to acknowledge that the issues are there. There is a fine art between acknowledging an issue and getting deep in the weeds.
- Focus on the standard with a mind toward what today’s policies are, to inform how policy can catch up to what the standard may enable.
- Keep these things in mind while we discuss. Multiple perspectives are sometimes at odds with each other.
- All have contextual definitions.
- Example = public key? What is it – is it attached to something a user controls? How are we doing that?
We did not get much further in the use case today. Alice is still standing at the front desk.
1. Alice is given and acknowledges receipt of the Practice’s HIPAA privacy statement.
   1. Office/practice privacy statement – how I protect your data – OCR enforced – generic agreement to do business with the patient
   2. Consent not always gathered at this point
   3. In non-health does acknowledge = consent??
   4. Practice handles differently – often a different doc – we are going to share your PHI with …
   5. Do you want to opt in/opt out to share your information with the local exchange ACO?
   6. Clinical/administrative/financial consents may be gathered at this time
1. Alice is given the initial patient web portal information to activate her account.
   1. Service discovery step – Alice is given info to find the service on her phone (go to this url …). Discovery stuff (UI and API components)
   2. Possible to introduce Alice discovery too …
2. While in the waiting room, Alice (using her smart phone) completes the patient portal account activation. (Is Alice setting authorizations at this point?)
   1. Discovery to site
   2. Alice logs in with an account (hers (facebook/google) or portal)
   3. Complete registration
   4. RFI scancode?
   5. Personal authorization service?
   6. Delegation (person to person)?
      1. Parent to child (under 13)
      2. Child to parent (89 yr old)
      3. Healthcare proxy
      4. Would the delegate have to be digitally bound to the account?
   7. Who is the owner?
      1. The owner is the physician’s office – so these authorizations are used to help the practice
      2. The owner is the person that has the right to delete the account (right to be forgotten)
      3. Perhaps shared ownership
      4. JASON report perspective evolved from patient owned to patient controlled/mediated (?) – changed from a legal perspective
      5. Based on the office’s data retention requirement