<div dir="ltr"><div>Picking this back up again but removed the background leading to this and starting a different thread. Bill says keep it simple but it's complex! He has 2 scenarios but I focused on the most difficult -
I have posted the original text to Bill's question on the wiki:<br><br><a href="http://hg.openid.net/heart/wiki/PCP_First_Appointment">http://hg.openid.net/heart/wiki/PCP_First_Appointment</a> <br><br></div><div><div><br>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">Questions:</span><span style="font-size:10pt;font-family:Times"></span></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">Client one: If
Alice has chosen a cloud based PHR that already has an established trust: </span></p>
<p class="MsoNormal" style><b style><span style="font-size:10pt;color:rgb(95,73,122)">Please clarify what
you mean by established trust:</span></b></p>
<p class="" style="margin-left:40px"><b style><span style="font-size:10pt;color:rgb(95,73,122)"><span style>1.<span style="font:7pt 'Times New Roman'">
</span></span></span></b><b style><span style="font-size:10pt;color:rgb(95,73,122)">Trust between patient portal and cloud based
PHR:<span style> </span>the patient portal has established an
FHIR API server, is accepting client applications and the client PHR has
been registered with the Patient Portal?</span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b style><span style="font-size:10pt;font-family:Times;color:rgb(95,73,122)"><span style>2.<span style="font:7pt 'Times New Roman'"> </span></span></span></b><b style><span style="font-size:10pt;color:rgb(95,73,122)">The cloud PHR has
established a base identity proofing/authentication level of trust?<span style> </span></span></b><b style><span style="font-size:10pt;font-family:Times;color:rgb(95,73,122)"></span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b style><span style="font-size:10pt;font-family:Times;color:rgb(95,73,122)"><span style>3.<span style="font:7pt 'Times New Roman'"> </span></span></span></b><b style><span style="font-size:10pt;color:rgb(95,73,122)">Both</span></b><b style><span style="font-size:10pt;font-family:Times;color:rgb(95,73,122)"></span></b></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">What are the
credentialing requirements to create Alice's account?<span style> </span></span></p>
<p class="" style="margin-left:40px"><b style><span style="font-size:10pt;color:rgb(68,84,106)"><span style>1.<span style="font:7pt 'Times New Roman'"> </span></span></span></b><b style><span style="font-size:10pt;color:rgb(68,84,106)">Patient Portal</span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b style><span style="font-size:10pt;color:rgb(68,84,106)"><span style>2.<span style="font:7pt 'Times New Roman'"> </span></span></span></b><b style><span style="font-size:10pt;color:rgb(68,84,106)">Cloud PHR </span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b style><span style="font-size:10pt;color:rgb(68,84,106)"><span style>3.<span style="font:7pt 'Times New Roman'"> </span></span></span></b><b style><span style="font-size:10pt;color:rgb(68,84,106)">Both</span></b></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">Note that
ONC's Ten year interop roadmap refers to NIST SP 800-63-2 and OMB
M-040-04 and is implying level 2 or 3 levels of assurance (LOA). (see pp 59)</span></p><p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)"><br></span></p>
<p class="MsoNormal" style><b style><span style="font-size:10pt;color:rgb(68,84,106)">LOA2 is a single factor – that’s out.<span style> </span>The HITPC committee recommended more than
username and password for patient portals – that implies multifactor.<span style> </span>Transaction will be more secure but what is
the level of identity proofing needed – no real guidance issued for patients
that I am aware of.<span style> </span>There is the
notion that the patient is known to the practice – but at this point<span style> </span>- it’s an initial visit – not the case.</span></b></p><p class="MsoNormal" style><br><b style><span style="font-size:10pt;color:rgb(68,84,106)"></span></b></p><p class="MsoNormal" style><b style><span style="font-size:10pt;color:rgb(68,84,106)"><br></span></b></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">Are there two or
three consent profiles?</span></p><p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">One for Alice's
PHR defining what to share with the Practice? </span><span style="font-size:10pt;font-family:Times"></span></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)">One for the
Practice defining what is to be shared with Alice's PHR? </span><span style="font-size:10pt;font-family:Times"></span></p>
<span style="font-size:10pt;color:rgb(68,84,106)">One for Alice at
the Practice portal defining what the Portal (or Practice?) is to be shared? </span><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b><span style="font-size:10pt;color:rgb(68,84,106)"><span style>1.<span style="font:7pt 'Times New Roman'">
</span></span></span><span style="font-size:10pt;color:rgb(68,84,106)">Are there consent preferences stored/shared on the patient’s
trusted UMA service? </span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b><span style="font-size:10pt;color:rgb(68,84,106)"><span style>2.<span style="font:7pt 'Times New Roman'">
</span></span></span><span style="font-size:10pt;color:rgb(68,84,106)">Is there a Consent Directives Management Service trusted by the
UMA service?</span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b><span style="font-size:10pt;color:rgb(68,84,106)"><span style>3.<span style="font:7pt 'Times New Roman'">
</span></span></span><span style="font-size:10pt;color:rgb(68,84,106)">Is there a CDMS maintained by the provider?</span></b></p><div style="margin-left:40px">
</div><p class="" style="margin-left:40px"><b><span style="font-size:10pt;color:rgb(68,84,106)"><span style>4.<span style="font:7pt 'Times New Roman'">
</span></span></span><span style="font-size:10pt;color:rgb(68,84,106)">Does the PHR maintain its own CDMS?</span></b></p>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)"> </span></p><span style="font-size:10pt;color:rgb(68,84,106)"></span><span style="font-size:10pt;font-family:Times"></span>
<p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)"><span style></span>How is the initial implied consent for TPO
electronically presented, stored and accessed? </span></p>
<p class="MsoNormal" style><b><span style="font-size:10pt;color:rgb(68,84,106)">Generate a consent receipt reminding the patient they agreed </span></b></p><p class="MsoNormal" style><b><span style="font-size:10pt;color:rgb(68,84,106)"><br></span></b></p><p class="MsoNormal" style><b><span style="font-size:10pt;color:rgb(68,84,106)">I wonder if this is the ruckus I've heard re: check the box for consent ... <br></span></b></p><p class="MsoNormal" style><b><span style="font-size:10pt;color:rgb(68,84,106)"><br></span></b></p><p class="MsoNormal" style><span style="font-size:10pt;color:rgb(68,84,106)"> How is this
consent profile used by the practice's internal HIT systems? (if at all)</span></p>
<p class="MsoNormal" style><b style><span style="font-size:10pt;color:rgb(68,84,106)">Which profile?</span></b><b style><span style="font-size:10pt;font-family:Times"></span></b></p>
<br><br></div></div></div>