<div dir="ltr"><div><div><div>I've attached a very typical Release of Information authorization. I've annotated the 5 elements common to all such documents that I have ever seen. The stuff outside of the rectangles is more or less optional. <br><br></div>This form covers one direction of the EHR-PHR Use Case. It is presented to the Custodian (the patient or their designate) and approved by them by the Resource Server and pre-filled with information supplied by the Client, if available. <br><br>In some cases, the Client information is not available at the time the Authorization form is signed. In that case, it will be up to the Authorization Server to consider the Client and User information and provide the authorization to the Resource Server.<br><br></div>The Resource Server has the final say in all cases and could decide to ignore the authorization based on local or jurisdictional policy. This is outside the control of the Resource Owner and likely to be out of scope for HEART in all use-cases.<br><br></div><div>This ROI Authorization Form is the only "consent" that I'm aware of in clinical IT. Patients are asked to sign other documents, including:<br></div><div>Registration Form, Notice of Privacy Practices, and Treatment Consent but none of these has anything to do with sharing of health data (except for HIPAA TPO which we will not get into here.)<br></div><div><br></div>Adrian<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 5, 2015 at 8:27 PM, jim kragh <span dir="ltr">&lt;<a href="mailto:kragh65@gmail.com" target="_blank">kragh65@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for sharing,... 
informative and constructive in reaching the patient end point.<div><br></div><div>May all have a nice evening!</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Aug 5, 2015 at 3:26 PM, Debbie Bucci <span dir="ltr">&lt;<a href="mailto:debbucci@gmail.com" target="_blank">debbucci@gmail.com</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>Attendees:</div><div>Eve Maler</div><div>Justin Richer</div><div>Josh Mandel</div><div>Adrian Gropper</div><div>Thomas Sullivan </div><div>Debbie Bucci</div><div><br></div><div>We have decided to delineate between mechanical and semantic scope docs.</div><div><br></div><div>For the PCP &lt;-&gt; PHR use case:</div><div><br></div><div>The predetermined choice token confidential token choice and exactly what information needs (example: PHR's authorization endpoint) to be shared in advance between the PCP's EHR and Alice's PCP was left out of the discussion for now.</div><div><br></div><div>There is one basic mechanical OAuth generic flow that occurs twice in the use case.</div><div><br></div><div>Given the group has generally agreed that the SMART specifications are a good place to <em><strong>start </strong>... </em>for this particular use case the only semantic FHIR scope that is necessary is the patient/*.read scope that grants permission to read any resource for the current patient.</div><div><br></div><div>During the registration process Alice should be able to select at a fine-grained level which resources she is willing to share with the PHR. This mimics a specific process - Adrian please provide. This information will be used to generate the access token.</div><div><br></div><div>The one thing left at the end of the discussion is whether the patient record is implicitly or explicitly stated. 
This is a design decision that may make a difference as we move towards our next use case in which delegation is a factor.</div><div><br></div><div>Corrections/updates appreciated. </div><div><br></div><div><br></div></div>
<br></div></div><span class="">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></span></blockquote></div><br></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<br>
</div></div></div></div></div></div>
</div>