[Openid-specs-heart] Dissecting the Release of information form
Debbie Bucci
debbucci at gmail.com
Mon Jul 18 22:57:24 UTC 2016
Adrian,
In review of the NY-Presbyterian form, I think I sort of understand what you
are saying.
The UMA RPT contains information that could represent a good portion of the
ROI. In the case of Alice authorizing Dr. Bob:
- Alice is the Resource Owner
- The requested resource set - is the protected resource.
- The resource set would need to have a date range.
- Form indicates that release of sensitive information is explicitly
OPT-IN so a confidentiality code of V (very sensitive) would not release
HIV-AIDS/Mental Health/Genetics/Substance Abuse unless explicitly asked for
(as a scope?).
- Can the Authorization server sign the RPT(ROI) on behalf of Alice?
- Probably good hygiene to recommend that claims re: Bob's medical
affiliation be recorded as part of the audit or consent receipt if unable
to include as part of RPT process.
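
Added example, not part of the original message: a sketch of the release decision the list above describes, checking the resource set, the date range and the opt-in for V-coded categories against a permission like one an RPT might carry. The field names, scope strings and sample records are assumptions constructed for illustration; they are not taken from UMA, HEART or the form.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical scope strings; the post only asks whether opt-in could be a scope.
SENSITIVE_SCOPES = {
    "hiv-aids": "sensitive:hiv-aids",
    "mental-health": "sensitive:mental-health",
    "genetics": "sensitive:genetics",
    "substance-abuse": "sensitive:substance-abuse",
}

@dataclass(frozen=True)
class Permission:
    """One permission as an RPT might carry it (field names are assumptions)."""
    resource_set_id: str
    date_from: date
    date_to: date
    scopes: frozenset

@dataclass(frozen=True)
class Record:
    resource_set_id: str
    service_date: date
    confidentiality: str   # "N" normal, "V" as used in the post
    category: str = ""     # sensitive category, set when confidentiality is "V"

def releasable(rec: Record, perm: Permission):
    """Return (decision, reason); the reason is what an audit trail would keep."""
    if rec.resource_set_id != perm.resource_set_id:
        return False, "resource set not covered"
    if not perm.date_from <= rec.service_date <= perm.date_to:
        return False, "outside authorized date range"
    if rec.confidentiality == "V":
        needed = SENSITIVE_SCOPES.get(rec.category)
        # Fail closed: an unlabelled V record is never released by default.
        if needed is None or needed not in perm.scopes:
            return False, "sensitive category not opted in"
    return True, "ok"

# Constructed sample: Alice opts in to mental-health records only.
PERM = Permission("alice-records", date(2015, 1, 1), date(2016, 6, 30),
                  frozenset({"sensitive:mental-health"}))
RECORDS = [
    Record("alice-records", date(2015, 3, 2), "N"),
    Record("alice-records", date(2014, 12, 31), "N"),
    Record("alice-records", date(2016, 2, 10), "V", "mental-health"),
    Record("alice-records", date(2016, 2, 11), "V", "hiv-aids"),
    Record("alice-records", date(2016, 2, 12), "V"),
]
DECISIONS = [releasable(r, PERM) for r in RECORDS]
```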