[Openid-specs-heart] Alice's health resource set

[Maxwell, Jeremy (OS/OCPO)]

Also, want to clarify what “typical of HIPAA TPO consent” means?  TPO is a permitted use under HIPAA that does not require consent.



From: Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net] On Behalf Of Debbie Bucci
Sent: Tuesday, August 02, 2016 2:17 PM
To: Adrian Gropper
Cc: openid-specs-heart at lists.openid.net
Subject: Re: [Openid-specs-heart] Alice's health resource set

Lost me again Adrian -

We should also not ignore the Client-to-AS first flow. This is the preferred flow from a privacy engineering perspective. (see other thread with Justin). In the majority of cases of HIE, the Client has a relationship with Alice already (this is typical of HIPAA TPO consent) or the Client has found Alice via a "Relationship Locator Service" which is a directory operated by the state or some private entity like CommonWell. When the Client matches with Alice in the RLS, does the RLS return a list of RSs or a pointer to Alice's AS?

The most privacy-preserving thing would be for RLSs to return pointers to Alice's AS and in the future this is what Alice might insist on if she is still given a choice to opt-in or opt-out of HIE. Alice does have that choice today in the US. In other countries, not-so-much.

 Are you suggesting the AS is some sort of proxy for all data - I don't think you were saying that.  At some point the Client would need a relationship with the RS as well - correct?   Is the Client to AS flow a separate spec?  Would you please provide the link?   Looking at UMA 1.01 - client needs a permission ticket first - that is generated from AS - to RS to client (?)




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20160802/2b125309/attachment.html>