[Openid-specs-heart] 20 Dimensions of Patient-Centered Privacy

Adrian Gropper agropper at healthurl.com
Tue Jun 28 01:59:00 UTC 2016 

Here are some of the dimensions that my Authorization Server would consider
when a Client comes asking for authorization:

For a specified Resource, will the Client:

   1. Preserve and propagate the Confidentiality Classification
   <http://hl7-fhir.github.io/v3/ConfidentialityClassification/vs.html> on
   data it receives?
   2. Disclose the actual name of the individual Requesting Party?
   3. Ever share de-identifiied personal-level data?
   4. Send me a notification every time the data is accessed, even if
   de-identified??
   5. Provide a standardized Purpose of Use
   <http://hl7.org/fhir/v3/PurposeOfUse/index.html> statement for each
   access?
   6. Provide a standardized Privacy Policy (like we have standardized
   Creative Commons licenses)?
   7. Register its Privacy Policy with an independent registrar - which
   ones?
   8. Offer standards-based and unblocked access to the data they hold
   about me (like the Precision Medicine Initiative)?
   9. Accept my specification of a notification endpoint?
   10. Accept my specification of an authorization server?
   11. Support data minimization at the full resolution of the FHIR
   resource types?
   12. Support fine-grained, real-time notification of changes, additions,
   aggregations to my personal data?
   13. Respect my request to delete my data at any time?
   14. Provide me with a standards-based Accounting of Disclosures on
   demand?
   15. Accept my standards-based federated identity for single-sign-on to
   their system?
   16. Accept my standards-based digital signature in all interactions with
   me?
   17. Assert that the client is an FDA Class II or III medical device?
   18. Assert that the client is subject to the EU GDPR or some other data
   protection domain?
   19. Assert that the requesting party holds a valid medical license and
   in what state?
   20. Seek read, write, or RW to the resource?

How many of these 20 dimensions does HEART want to bundle into the 5 or so
choices that we envision would make for a patient-friendly experience?

If you think I'm asking too much, please tell us which of these policy
expectations are either less important or could be subordinated to a
registry of some sort and how would HEART relate to those registries.

Adrian

-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20160627/4eca3279/attachment.html>

More information about the Openid-specs-heart mailing list