[Openid-specs-heart] There may be only 4 distinct use-cases for UMA in healthcare.
Adrian Gropper
agropper at healthurl.com
Fri Aug 7 17:38:35 UTC 2015
The current EHR-PHR use-case has been useful in educating us on the things
that OAuth alone can't do. To prepare for the next use-case, I suggest that
all healthcare use-cases for UMA will fall into one of the four categories
below: Alice-to-Alice N; Alice-to-Custodian; Alice-to-Bob Directed;
Alice-to-Bob HIE.
The categories: begin with a single patient problem today; avoid
introducing federation and trust frameworks prematurely; and avoid the
patient ID problem.
These four categories are from the patient perspective. SMART-on-FHIR and
Argonaut are not patient-perspective use cases and may be distracting in
developing the HEART profiles.
*I suspect that FHIR can be designed to support both the institutional and
the patient perspective, if they choose to. It is imperative that HEART
lead from the patient perspective to help them do that.*
I've tried to avoid jargon as much as possible and reuse terms we have
already discussed.
- Alice-to-Alice N - The multiple portals problem - Alice wants to direct
  sharing herself. Alice wants to manage her EHR-1 and EHR-2 authorizations
  in one place. We call that place the AS.
  - Alice registers her AS with her practice’s EHR-1.
  - Alice registers her AS with another practice’s EHR-2.
  - From then on, Alice can sign in to her EHR, view accounting for
    disclosures, and manage authorizations.
- Alice-to-Custodian - Delegation to a custodian
  - Custodian creates an AS for Alice. Custodian has a sign-in to Alice’s
    AS.
  - Alice registers her AS with her PCP’s EHR-1.
  - Alice registers her AS with another practice’s EHR-2.
  - From then on, Custodian can sign in to Alice’s EHR, view accounting
    for disclosures, and manage authorizations.
- Alice-to-Bob Directed - Alice wants to authorize her PCP for directed
  sharing
  - Alice registers her AS with her PCP’s EHR-1.
  - The PCP shares an Alice-specific context with Bob.
  - Bob’s client EHR-2 presents claims to Alice’s AS, gets authorization.
  - EHR-2 accesses resource from EHR-1.
- Alice-to-Bob HIE - Alice wants to be discoverable
  - Alice registers her AS with her practice’s EHR-1.
  - Alice picks up a flier for the state HIE with a QR code, reads their
    Privacy Policy.
  - Alice signs in to her AS and scans the QR code.
  - The HIE allows Alice to pick her discovery attributes, registers
    Alice’s AS.
  - Bob’s client signs in to the HIE, discovers Alice, gets authorization
    to EHR-1.
--
Adrian Gropper MD
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
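As an added illustration that is not part of the message above and not the HEART working group's code, the following toy model traces the roles the Alice-to-Alice N and Alice-to-Bob Directed categories rely on: a single AS that Alice controls, two EHRs acting as resource servers that trust that AS, and a client that is bounced to the AS, presents claims, and retries with the resulting token. The ticket/RPT handshake, the claim vocabulary (`sub`, `context`), the resource identifiers and the sample record contents are all simplified assumptions constructed for this example, not UMA wire formats or HEART profile values. The "Alice-specific context" the PCP shares with Bob is modelled as a claim set Alice's AS policy accepts, and every token issuance is written to a disclosure log so the "accounting for disclosures" step has something to show.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Alice's AS: the one place holding policy for every EHR she registers (toy model)."""
    owner: str
    resources: dict = field(default_factory=dict)    # resource_id -> resource server name
    policies: dict = field(default_factory=dict)     # resource_id -> acceptable claim sets
    tickets: dict = field(default_factory=dict)      # permission ticket -> (resource_id, scope)
    rpts: dict = field(default_factory=dict)         # token -> (resource_id, scope, requester)
    disclosures: list = field(default_factory=list)  # accounting of disclosures for the owner

    def register_resource(self, rs_name, resource_id):
        self.resources[resource_id] = rs_name

    def set_policy(self, resource_id, *acceptable_claim_sets):
        self.policies[resource_id] = list(acceptable_claim_sets)

    def issue_ticket(self, resource_id, scope):
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource_id, scope)
        return ticket

    def request_rpt(self, ticket, claims):
        resource_id, scope = self.tickets.pop(ticket)   # tickets are single-use
        for required in self.policies.get(resource_id, []):
            if all(claims.get(k) == v for k, v in required.items()):
                rpt = secrets.token_hex(16)
                self.rpts[rpt] = (resource_id, scope, claims.get("sub"))
                self.disclosures.append((resource_id, scope, claims.get("sub")))
                return rpt
        return None                                      # no policy matched: denied

    def introspect(self, rpt):
        if rpt in self.rpts:
            resource_id, scope, sub = self.rpts[rpt]
            return {"active": True, "resource_id": resource_id, "scope": scope, "sub": sub}
        return {"active": False}


@dataclass
class ResourceServer:
    """An EHR acting as resource server; it trusts the AS Alice registered with it."""
    name: str
    as_: AuthorizationServer
    records: dict = field(default_factory=dict)

    def register(self, resource_id, data):
        self.records[resource_id] = data
        self.as_.register_resource(self.name, resource_id)

    def read(self, resource_id, rpt=None):
        info = self.as_.introspect(rpt) if rpt else {"active": False}
        if info["active"] and info["resource_id"] == resource_id and info["scope"] == "read":
            return ("ok", self.records[resource_id])
        # No valid token: hand back a permission ticket pointing the client at Alice's AS.
        return ("need_ticket", self.as_.issue_ticket(resource_id, "read"))


def fetch(client_claims, rs, resource_id):
    """Generic client: attempt, receive a ticket, present claims to the AS, retry."""
    _, ticket = rs.read(resource_id)
    rpt = rs.as_.request_rpt(ticket, client_claims)
    if rpt is None:
        return None
    status, data = rs.read(resource_id, rpt)
    return data if status == "ok" else None


def alice_to_alice_n():
    """One AS governs two practices' EHRs; Alice manages both from one place."""
    as_ = AuthorizationServer(owner="alice")
    ehr1 = ResourceServer("EHR-1", as_)
    ehr2 = ResourceServer("EHR-2", as_)
    ehr1.register("alice/labs", "lab results (constructed sample)")
    ehr2.register("alice/meds", "medication list (constructed sample)")
    for rid in ("alice/labs", "alice/meds"):
        as_.set_policy(rid, {"sub": "alice"})        # only Alice herself may read
    return (fetch({"sub": "alice"}, ehr1, "alice/labs"),
            fetch({"sub": "alice"}, ehr2, "alice/meds"),
            len(as_.disclosures))


def alice_to_bob_directed():
    """Alice's PCP directs her record to Bob; Bob's EHR-2 presents claims to Alice's AS."""
    as_ = AuthorizationServer(owner="alice")
    ehr1 = ResourceServer("EHR-1", as_)
    ehr1.register("alice/summary", "care summary (constructed sample)")
    # The Alice-specific context shared with Bob is modelled as an accepted claim set.
    as_.set_policy("alice/summary", {"sub": "alice"},
                   {"sub": "bob", "context": "referral-alice"})
    bob = fetch({"sub": "bob", "context": "referral-alice"}, ehr1, "alice/summary")
    other = fetch({"sub": "carol", "context": "referral-alice"}, ehr1, "alice/summary")
    return bob, other, [d[2] for d in as_.disclosures]


if __name__ == "__main__":
    print(alice_to_alice_n())
    print(alice_to_bob_directed())
```

The point the model makes is the one the message argues: neither EHR needs to know who Bob is or to federate with EHR-2; each only needs to trust Alice's AS, and Alice (or her custodian) changes who may read what by editing policy in that one place, while the disclosure log records every grant.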