[Openid-specs-heart] Alice's health resource set

Danny van Leeuwen danny at health-hats.com
Wed Aug 3 11:26:38 UTC 2016


Is TPO Treatment, payment, operations?

On Tuesday, August 2, 2016, Adrian Gropper <agropper at healthurl.com> wrote:

> Jeremy,
>
> Sorry, I should have said HIPAA TPO "consent".
>
> If access to the FHIR resources does not require Alice's authorization and
> the RS wants to keep Alice in the dark because HIPAA's accounting of
> disclosures is seldom implemented as well, then HEART is not involved. I
> would not call the TPO loophole consent except sarcastically.
>
> Adrian
>
> On Tue, Aug 2, 2016 at 2:22 PM, Maxwell, Jeremy (OS/OCPO) <Jeremy.Maxwell at hhs.gov> wrote:
>
>> Also, want to clarify what “typical of HIPAA TPO consent” means?  TPO is
>> a permitted use under HIPAA that does not require consent.
>>
>> *From:* Openid-specs-heart [mailto:openid-specs-heart-bounces at lists.openid.net]
>> *On Behalf Of* Debbie Bucci
>> *Sent:* Tuesday, August 02, 2016 2:17 PM
>> *To:* Adrian Gropper
>> *Cc:* openid-specs-heart at lists.openid.net
>> *Subject:* Re: [Openid-specs-heart] Alice's health resource set
>>
>> Lost me again Adrian -
>>
>> We should also not ignore the Client-to-AS first flow. This is the
>> preferred flow from a privacy engineering perspective. (see other thread
>> with Justin). In the majority of cases of HIE, the Client has a
>> relationship with Alice already (this is typical of HIPAA TPO consent)
>> or the Client has found Alice via a "Relationship Locator Service" which is
>> a directory operated by the state or some private entity like CommonWell.
>> When the Client matches with Alice in the RLS, does the RLS return a list
>> of RSs or a pointer to Alice's AS?
>>
>> The most privacy-preserving thing would be for RLSs to return pointers to
>> Alice's AS and in the future this is what Alice might insist on if she is
>> still given a choice to opt-in or opt-out of HIE. Alice does have that
>> choice today in the US. In other countries, not-so-much.
>>
>> Are you suggesting the AS is some sort of proxy for all data - I don't
>> think you were saying that. At some point the Client would need a
>> relationship with the RS as well - correct? Is the Client to AS flow a
>> separate spec? Would you please provide the link? Looking at UMA 1.01 -
>> client needs a permission ticket first - that is generated from AS - to RS
>> to client (?)
>
> --
>
> Adrian Gropper MD
>
> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: http://patientprivacyrights.org/donate-2/
>


-- 
Danny van Leeuwen
617-304-4681
Blog: www.health-hats.com Twitter: @healthhats