[Openid-specs-heart] Alice's health resource set
Adrian Gropper
agropper at healthurl.com
Wed Aug 3 21:03:29 UTC 2016
Debbie, I think we might agree. Please keep in mind that I'm not describing
scopes - just resources.
a) I call ...patient/abc123/ or anything with ?patient=abc123 as a
patient-lever resource. I think we are saying the same thing
b) I did not say "ensure", I said "allow". I think we're saying the same
thing.
c) What's the difference between Any and A? I'm happy to accept your
alternative.
The rest of your message is about scopes. If we have a consensus on a, b, c
then we can tart to talk about scopes. Immunization might be a perfectly
good place to start.
Adrian
On Wed, Aug 3, 2016 at 4:51 PM, Debbie Bucci <debbucci at gmail.com> wrote:
> Don't agree Adrian
>
> a) ALL patient-level resources available as FHIR resources MUST also be
> provided for registration with a HEART resource server even if the RS
> decides to bypass the AS or override the AS authorization.
>
> wouldn't - patient/*.read technically give you all patient resources
> available by the FHIR server?
>
>
> b) HEART MUST support data minimization in cases where ALL patient-level
> FHIR resources are registered with an AS.
>
> It's not HEART's responsibility to ensure data minimization as part of the
> profile- that sentiment could be covered by the pre-conditions stating
> that RS should; leverage the good work of the privacy principles standards.
>
>
> c) Any resource server MAY choose to register sets of resources in order
> to improve the user experience at the AS. These resources may or may not
> all be specified by FHIR. These bundling and definition of these resource
> sets may be done by HEART or by standards organizations like the HL7 DAF.
>
> Perhaps agree with -- slight revision - A resource server MAY choose to
> register sets of resources in order to improve the user experience at the
> AS. (perhaps include example(s) her
>
>
>
> Looking at the Immunization resource, it references location,
> organization, patient, practitioner and observation.
> If you authorize only
>
> patient / Immunization .read
> on a GET /Immunizations?patient=abc123 If I understand correctly ...
> you get there reference to the resource If you want more than the reference
> of the resource - such as patient demographic information, would we need
> to include the referenced resources scopes?
> patient / Patient .read
> patient / Practitioner .read
> patient /organization.read
> patient / observation .read
> Are their conditional statements we can add to ensure additional info is
> only on an _include or separate GETS/queries are related to the
> immunization only?
>
>
>
>
>
>
>
>
>
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-heart/attachments/20160803/54a689ce/attachment.html>
More information about the Openid-specs-heart
mailing list