[Openid-specs-heart] No Meeting today - started draft charter

Adrian Gropper agropper at healthurl.com
Tue Jun 23 02:11:37 UTC 2020


Hi Debbie,

Thank you so much for taking the initiative to put up this draft.

I would suggest narrowing the scope and making it clearer based on an
analysis of the current gaps in health interoperability:

   - FHIR APIs do not readily support patient-directed exchange.
   Interoperability is fragmented into two application silos:
      1. HIPAA-based exchange where patient consent is not required and
      typically not sought.
      2. Patient-mediated exchange where a non-HIPAA proxy such as a
      personal health record (PHR) gets a copy of the data.
   - Access to social determinants of health is hampered by both (1) and
   (2) because patients may be reluctant to put sensitive data under the lack
   of control in HIPAA while also worried about the loss of privacy when
   less-regulated PHR intermediaries are introduced.

I propose that HEART be scoped to close this interoperability gap by
scoping us to Patient-Directed Exchange:

   - Equally accessible to both HIPAA and non-HIPAA RESTful APIs that
   follow the FHIR data model specification including Subscriptions,
   Notifications, and CDS Hooks.
   - Patients do NOT need to see the data itself. This allows for research,
   behavioral health, and other data types where patients do not have a right
   of access but do have a right to CONSENT.
   - Enabling the patient to specify to a HIPAA Covered Entity another
   HIPAA CE where specific components of their longitudinal health record are
   being curated. For example, a patient at hospitals A and B can tell hospital
   A that their current medication list is at Hospital B. This enables a
   longitudinal health record that doctors might actually curate as a service
   and use when curated by other doctors.
   - Enabling the patient to choose their preferred consent / authorization
   service and specifying that to all of their FHIR resource servers (HIPAA,
   PHR, wearables, monitors, mobile or desktop). This improves the patient
   experience by presenting consent requests in a format that is uniform
   across all of a patient's providers.
   - Making support for a patient-specified authorization service (AS)
   *mandatory* for HEART designation. This could be satisfied through UMA 2
   or OAuth 3 / Transactional Authorization standards. Systems that only
   support SMART on FHIR or OAuth would not be compliant with HEART.
   - Explicitly discuss the gaps in current access control profiles
   including SMART and BlueButton and how HEART fills those gaps.

In addition, we should be careful if and how we introduce self-sovereign or
federated identity into our charter. It might be reasonable to leave both
DID and OIDC standards out of scope or maybe just produce an informational
document separate from the HEART profile. The relationship between
credentials, roles, audit logs, and accountability for both licensed
practitioners and their clients is complex. For example, a physician could
be using an SSI standard wallet to authorize a controlled substance
prescription in a non-repudiable way at the same time they are using an
enterprise EHR as the client to communicate with the pharmacy that is
chosen by the patient (the way we used to be able to choose with paper
prescriptions). This is an example of patient-directed interoperability
where the doctor's SSI "wallet" and her EHR "client" would both be
considered "user agents". HEART should be clear about whether SSI and/or
federated (OIDC) identity is in scope. It probably should be in scope, but maybe
it should be a separate workgroup or a later phase of HEART.

- Adrian



On Mon, Jun 22, 2020 at 9:51 AM Debbie Bucci <debbucci at gmail.com> wrote:

> Hello Everyone,
>
> My apologies for the late response. My calendar has gotten away from me.
> In lieu of a meeting, I started a rough draft charter based on notes
> from previous meetings and hope those interested would add comments/edit.
> Additionally, I would suggest we make use of this listserv to continue the
> conversation.
>
>
> https://docs.google.com/document/d/1N3CPhWQFX5hmhGO0nzsJBG6XeXnJRqzj18J85cLvQ9E/edit?usp=sharing
>
> Next available Monday tentatively scheduled for July 13th.
> Hope many of you will be able to attend.
>
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
>