[Openid-specs-heart] Resources vs Resource sets
Glen Marshall [SRS]
gfm at securityrs.com
Wed Jul 27 22:18:11 UTC 2016
No, Aaron. It's 180 degrees different. The health IT industry is not collectively smart enough to apply patient privacy preferences for some things that are not covered by current legislative or regulatory requirements. HEART can supply some of the necessary technical aspects for the solution(s), but is not sufficient. The pieces that HEART does not cover need to be identified and stated as preconditions.
Glen F. Marshall
Consultant
Security Risk Solutions, Inc.
698 Fishermans Bend
Mount Pleasant, SC 29464
Tel: (610) 644-2452
Mobile: (610) 613-3084
gfm at securityrs.com
www.SecurityRiskSolutions.com
From: Aaron Seib [mailto:aaron.seib at nate-trust.org]
Sent: Wednesday, July 27, 2016 17:34
To: Glen Marshall [SRS] <gfm at securityrs.com>; HEART List <openid-specs-heart at lists.openid.net>
Subject: Re: [Openid-specs-heart] Resources vs Resource sets
I have no idea what you are saying. Are you saying that a patient isn't smart enough to decide if they are comfortable sharing something that was deemed sensitive 30 years ago by a legislative process?
Aaron Seib
The trick to establishing trust is to avoid all tricks. Especially tricks on yourself.
-------- Original message --------
From: "Glen Marshall [SRS]" <gfm at securityrs.com>
Date: 7/27/16 4:03 PM (GMT-05:00)
To: HEART List <openid-specs-heart at lists.openid.net>
Subject: Re: [Openid-specs-heart] Resources vs Resource sets
The boundary of existing regulatory mandates for privacy and security is a bright line. It defines the minimum we in health IT must achieve. Anything beyond that either anticipates regulatory change or states an objective of some sort.
In the case of covered entities' objectives, we can assume they have performed HIPAA-required risk analysis and set risk management policies accordingly. I believe that OAuth and UMA operate most effectively in such a businesslike risk-mitigation environment, where the semantics of the security and privacy metadata are unambiguous.
When we honor patient-specific privacy choices, we ignore covered entity risk assessment and in-common semantics. Patients are under no obligation to perform a formal business risk analysis or articulate it in a commonly-understood way. Their choices may be realistic or not, articulate or not. We have no simple objective basis to assess, let alone enforce, them.
It is a philosophic ethical question as to how we honor patient privacy choices. It is not clear to me that the health IT marketplace is ready to answer it.
Glen F. Marshall
Consultant
Security Risk Solutions, Inc.
698 Fishermans Bend
Mount Pleasant, SC 29464
Tel: (610) 644-2452
Mobile: (610) 613-3084
gfm at securityrs.com
www.SecurityRiskSolutions.com
From: Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net] On Behalf Of Aaron Seib
Sent: Wednesday, July 27, 2016 14:25
To: Adrian Gropper <agropper at healthurl.com>; Salyards, Kenneth (SAMHSA/OPPI) <Kenneth.Salyards at samhsa.hhs.gov>
Cc: HEART List <openid-specs-heart at lists.openid.net>
Subject: Re: [Openid-specs-heart] Resources vs Resource sets
I don't understand why we would even ask the consumer what their preference is if they can't change a default used by a Covered Entity?
That is the entire point.
Aaron Seib
The trick to establishing trust is to avoid all tricks. Especially tricks on yourself.