[Openid-specs-heart] FHIR OAuth2 - How is authorization provided to Sensor Devices and Clinicians?
Adrian Gropper
agropper at healthurl.com
Sun Mar 26 19:19:59 UTC 2017
Sanjay,
In the general case, the FHIR / OAuth API is under the control of an
Authorization Server. The AS controls access to patient-level resources
that would cover both 1. and 2. in your case.
Please consider joining the HEART workgroup http://openid.net/wg/heart/
where we're doing the profiling work for using FHIR / OAuth in this
automated, yet patient-centered way even when, as you say, the patient is
not interested in their own health records.
Adrian
On Sun, Mar 26, 2017 at 3:04 PM, Michele Mottini <mimo at careevolution.com>
wrote:
>
>> 1. How do smart medical devices get authorization to upload vitals to the
>> FHIR database i.e. how do they get the authority to upload vitals.
>>
>
> I'd say using back-end authorization -
> http://docs.smarthealthit.org/authorization/backend-services/, although
> this does not seem to be widely implemented
>
>
>> 2. How do the clinicians get authority to access the EHR for the
>> patients.
>>
>>
> Once the data is in the EHR as part of the patient data clinicians that
> have login credentials for the EHR and the necessary permissions can access
> it - it is no longer a matter for FHIR / SMART
>
> - Michele
> CareEvolution Inc
>
>
Safety Labs Inc <sanjaychadha79 at gmail.com> wrote:
> FHIR OAuth2 authorization seems to cover the scenario where the patient
> wants to access her EHR. In this case the user is prompted for her
> credentials and after credentials are confirmed the authorization is given
> to the application.
>
> The above scenario is for healthy and savvy users. Our clients are
> critically ill, on their beds or are not able to or interested in their own
> health records.
> Our smart medical devices measure their vitals and on their behalf would
> like to update in their EHR. It is to be assumed that one time permission
> is given at setup time to upload the vitals.
>
> Once these vitals are uploaded, the clinicians are interested in the vital
> data (and not the patient). How do the clinicians get authorization to
> access their patients' EHR data? Clinicians are authorized at one time at
> setup to access the EHR of a patient.
>
> The following two pieces of information seem to be missing:
> 1. How do smart medical devices get authorization to upload vitals to the
> FHIR database i.e. how do they get the authority to upload vitals.
> 2. How do the clinicians get authority to access the EHR for the
> patients.
>
> These two scenarios are different than when a patient would like to view
> her own EHR information.
>
> Thank you in advance.
>