[Openid-specs-heart] Draft minutes of HEART meeting 2018-03-26
Adrian Gropper
agropper at healthurl.com
Mon Mar 26 23:00:53 UTC 2018
Apologies for missing today's call (I was in the air) and thank you for the
wonderful notes.

Scoping HEART work for the coming year is an interesting opportunity as we
see growing interest in patient-whatever health IT and discussions around
TEFCA and the Trump administration's tilt on interoperability via HHS and
VA programs.

Here are some thoughts on where HEART is likely to be most effective:

I see at least three separate projects: Authentication, Scope of
Authorization, and Authorization. Not all of them belong in HEART:

A - I believe Authentication is completely separable from the other two and
has almost nothing to do with HEART. The patient logs into the hospital
portal with or without federated authentication. Federated authentication
is very useful when a clinician or other requesting party needs to
authenticate to the Authorization Server (AS) because we can’t expect
clinicians to have separate passwords for their thousands of patients. That
said, we do expect clinicians to have separate credentials for however many
health information exchanges they deal with. Allowing the patient to
specify their HIE works just as well for a limited choice among QHINs or
local exchanges as it would for HIE of One. As far as the FHIR resource
endpoint is concerned, the availability of federated ID for clinicians
should be irrelevant.

B - Scope of Authorization is a problem but it is not related to the
ability for a patient to choose an HIE as Authorization Server. Whatever
scopes are available for the default AS can be offered to a
patient-specified AS. No more, no less.

Patient Privacy Rights does advocate for making EHR segmentation and the
scope of consent clearer and more effective for all patients whether this
applies internally to a large hospital system or in HIE. This issue has
nothing to do with how the AS is specified. From my perspective, discussion
of segmentation of the record does not belong in HEART. It should be moved
to a forum with much broader specialty reach and focus on the EHR rather
than just HIE. Doing so will help the hospitals and EHR vendors as they
consolidate into ever larger institutions.

C - Authorization - Allowing the patient to specify the AS is a big help
because it collects all of the FHIR endpoints into one login. It also helps
patients by creating competition among HIEs on the basis of their privacy
policies and other customer-facing services. This, I believe, is where
HEART is poised to make a real difference.

Adrian
On Mon, Mar 26, 2018 at 4:54 PM, Eve Maler <eve.maler at forgerock.com> wrote:
> *HEART meeting 2018-03-26*
>
>
> Attending:
>
> Debbie Bucci
>
> Thompson Boyd
>
> Catherine Schulten
>
> Justin Richer
>
> Alan Byers
>
> Luis Maas
>
> Nancy Lush
>
> Eve Maler
>
>
> *Profiles status*
>
>
> Justin reports that the text has been revised. He hasn’t received any
> comments. Setting up a vote deadline will likely force the situation.
> Justin moves, Eve seconds. Justin recommends a WG review period of 1-2
> weeks and then start an Implementer’s Draft period after that.
>
>
> *CARIN Alliance F2F meeting*
>
>
> Alan reports that there was a payer meeting at the end. He can send notes
> from that. Debbie asks: Are they doing anything with ID proofing? Is there
> anything the HEART group can help with? They may require some
> investigation. They are just trying to bring people together, and come up
> with a standard to vet people to IAL2. There has been discussion on doing
> KBA, all around proofing. Justin: If that’s the focus, then this seems not
> directly HEART-related, unless VoT gets involved. Alan: VoT has been
> acknowledged, as has FIDO and social logon, as potentially helpful.
>
>
> *Vectors of Trust update*
>
>
> Justin: The shepherd review has been submitted. It will go through AD
> review, then IESG review, then to RFC.
>
>
> *Adrian’s email thread on “What’s the best way to coordinate FHIR and
> HEART?”*
>
>
> Debbie summarized for those not on the thread: Adrian started a thread to
> see where HEART could be relevant. Graham opined that HEART isn’t modular
> enough, and laid out four use cases. One was sort of about record locator
> service. Justin added: It was more like “I have a record; what are other
> related records?” This touches on other privacy discussions we’ve had about
> a protected discovery endpoint. The pre-FHIR notion of an hData document
> that comes back with pointers rather than documents would be something like
> the idea. Nancy: She saw the thread as their listing livewire issues, and
> quite a few of them do seem relevant to HEART.
>
>
> Alan: There’s been a discussion about this being the time to create a
> national patient identity, like other countries have. Debbie: That’s been a
> nonstarter. Catherine: CARIN is not advocating for this; it’s just still on
> people’s minds. Organizations can do two forms of queries: “give me
> everything you have” and more directed. Justin: Here’s how the discussion
> is coming up:
> https://catalyst.nejm.org/time-unique-patient-identifiers-us/
>
>
> *HEART “marketing” and use cases*
>
>
> Nancy: Since there is so much confusion about what HEART does and doesn’t
> do, proposes that we put together use cases, maybe 3 patient-facing and 3
> provider-facing. Catherine: Supports this. Debbie: This could be useful
> for, e.g., the HL7 Connectathons. Nancy: Would like to see this connected
> to the Argonaut work so that it can be moved into the mainstream.
>
>
> Catherine: Has written some use cases in English. She’ll share them and
> work with Nancy. Luis: Has HEART-enabled servers and clients, and they were
> there in the consumer-mediated exchange track. There were ~9 different
> scenarios there, and they made sure HEART — including UMA (then 1.0) — was
> included. Subjectively, the feedback he got was that they were looking for
> less complex solutions and less involved specs, e.g. Sync 4 Science with
> long-lived tokens. However, they then need to enroll at each service. He’ll
> present in Cologne again.
>
>
> Eve: This feedback is great. To date we’ve provided no auxiliary material
> whatsoever about the operational and topological elements, just the bare
> bones of specs that mostly point to other specs. Suspects that would likely
> help. Debbie: The notion of a patient’s own AS is the new piece, and
> discussing that is something we need to do. Nancy: We need to discuss the
> notion of trusted IdP and a provider directory. If Alice wants to share
> with a provider, how does that happen? Justin: We’ve discussed that, and
> there are places in the specs to deal with it, but we don’t deal with the
> policy elements. Nancy: If we make some assumptions, that would make it
> realistic for readers. Could be non-normative.
>
>
> Catherine: Some examples she runs into all the time: How would that work
> with a child? Or how would that work if I were unconscious? Nancy: Agreed
> that delegation is really important; we also don’t want to get bogged down
> by edge cases. Let’s keep the main cases simple and to the point. Debbie:
> Willing to join ad hoc groups to work on all of this. Luis: Also willing.
> Debbie: It would be good also to have discussions with the broader FHIR
> community.
>
>
> Who will be at IIW next week? Eve, Justin, Adrian probably, Alan maybe,
> Debbie maybe. That *might* work.
>
>
> Nancy thinks use cases and, secondarily, messaging, are the first task.
> Debbie thinks the use cases need to be easily implementable.
>
>
> *Meeting logistics*
>
>
> - Thu Mar 29 8am PT/11am ET: Ad hoc meeting to discuss use cases and
> marketing (Nancy will send out invitation and connection info)
> - No meeting Mon Apr 2 due to IIW
> - Mon Apr 9 1pm PT/4pm ET: Next regular HEART meeting
> - No meeting Mon Apr 16 due to RSA
>
>
>
> *Eve Maler*
> VP Innovation & Emerging Technology | ForgeRock
> *t* (425) 345-6756 | *e* eve.maler at forgerock.com
> *twitter* xmlgrrl | *web* www.forgerock.com
>
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: https://patientprivacyrights.org/donate-3/