<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body ><div>Thanks. Arbitrary is a loaded term for me in the sense that in law it seems to mean a decision that is not based on reason or justification. </div><div><br></div><div>-------- Original message --------</div><div>From: "Glen Marshall [SRS]" &lt;gfm@securityrs.com&gt; </div><div>Date: 09/26/2015 11:47 PM (GMT-05:00) </div><div>To: openid-specs-heart@lists.openid.net </div><div>Subject: Re: [Openid-specs-heart] Bloomberg article highlights pitfalls associated with patient matching </div><div><br></div>
Policy-based privacy objectives cannot be predicted, hence they are
arbitrary relative to the use cases. They may be individual,
institutional, governmental, cultural, etc. The technology should
be secure and enabling, not constraining, to the objectives. <br>
<br>
Our assumptions about the provenance of the policies and how they
operate need to be unconstrained as well. For example, not all
privacy preferences are restrictive, e.g., a patient may choose to
disclose more than a default privacy policy allows. Some policies
may conflict with each other, with a compromise resolution outside
of the use case. And so on. We just need to support them,
regardless.<br>
<br>
<div class="moz-signature">
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: (610) 644-2452<br>
Mobile: (610) 613-3084<br>
<a class="moz-txt-link-abbreviated" href="mailto:gfm@securityrs.com">gfm@securityrs.com</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.SecurityRiskSolutions.com">www.SecurityRiskSolutions.com</a></p>
</div>
<div class="moz-cite-prefix">On 9/26/15 20:03, Aaron Seib wrote:<br>
</div>
<blockquote cite="mid:011201d0f8b7$e23e6d30$a6bb4790$@nate-trust.org" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There
is no objecting to that reasoning. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
would add that the system operator is responsible for
disclosing to the potential user that these risks exist and
allow the user to exercise their right not to participate if
they do not feel the approach being proposed is sufficient.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Where
I am not following is the following phrase…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">“help
us define a secure means to support arbitrary policy-based
privacy objectives.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
wonder if when you say ‘support arbitrary policy based
privacy objectives’ does that mean the same thing as ‘support
the ability of an individual to define their own privacy
preferences’ as in “I am not ready to share with these
people the fact that I am being treated for pancreatitis”
and the authorization server prevents information related to
my treatments from being shared or do you mean something
else entirely? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Aaron
Seib, CEO<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">@CaptBlueButton
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> (o)
301-540-2311<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(m)
301-326-6843<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Openid-specs-heart
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-heart-bounces@lists.openid.net">mailto:openid-specs-heart-bounces@lists.openid.net</a>] <b>On
Behalf Of </b>Glen Marshall [SRS]<br>
<b>Sent:</b> Saturday, September 26, 2015 7:37 PM<br>
<b>Cc:</b> Catherine Schulten;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-heart@lists.openid.net">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] Bloomberg
article highlights pitfalls associated with patient
matching<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Let's assume an accurate patient-matching
"black box" exists. What are the use cases that would help us
define a secure means to support arbitrary policy-based
privacy objectives? <br>
<br>
Let's not seek 100% assurance of privacy, as that is an
NP-complete problem. What we need is a solution that can be
incrementally improved.<br>
<br>
Glen <o:p></o:p></p>
<div>
<p><b>Glen F. Marshall</b><br>
Consultant<br>
Security Risk Solutions, Inc.<br>
698 Fishermans Bend<br>
Mount Pleasant, SC 29464<br>
Tel: (610) 644-2452<br>
Mobile: (610) 613-3084<br>
<a moz-do-not-send="true" href="mailto:gfm@securityrs.com">gfm@securityrs.com</a><br>
<a moz-do-not-send="true" href="http://www.SecurityRiskSolutions.com">www.SecurityRiskSolutions.com</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">On 9/26/15 16:32, Adrian Gropper wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">If it
were under the cover of TPO, then why wouldn't all
health information exchanges do the same thing?<o:p></o:p></p>
</div>
<p class="MsoNormal">Adrian<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Sat, Sep 26, 2015 at 11:34 AM,
Aaron Seib &lt;<a moz-do-not-send="true" href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a moz-do-not-send="true" name="1500a4b04c0be91d__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
you figure out how SureScripts does it please
don’t share with anyone else. </span></a><span style="font-size:11.0pt;color:#1F497D">:)</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Isn’t
it just under the cover of TPO?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Aaron
Seib</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a moz-do-not-send="true" href="http://www.nate-trust.org/" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">NATE</span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">,
CEO</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">@CaptBlueButton</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(o)
<a moz-do-not-send="true" href="tel:301-540-2311" target="_blank">301-540-2311</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">(m)
<a moz-do-not-send="true" href="tel:301-326-6843" target="_blank">301-326-6843</a></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Openid-specs-heart [mailto:<a moz-do-not-send="true" href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank"></a><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-heart-bounces@lists.openid.net">openid-specs-heart-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Saturday, September 26, 2015 10:14 AM<br>
<b>To:</b> Maxwell, Jeremy (OS/OCPO)<br>
<b>Cc:</b> Catherine Schulten; <a moz-do-not-send="true" href="mailto:openid-specs-heart@lists.openid.net"></a><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-heart@lists.openid.net">openid-specs-heart@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-heart] Bloomberg
article highlights pitfalls associated with
patient matching</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
agree with Jeremy about transparency as the
solution but I also think that what Catherine
calls "anonymization" would have solved the
problem. <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Anonymization
or pairwise pseudonymity forces the patient to
be an explicit actor to the matching process.
It replaces an error-prone probabilistic and
hidden process with a clear informed consent
by the patient being matched. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Although
not mentioned in this Bloomberg article,
Surescripts is the de-facto national patient
surveillance system. Pretty much every
prescription we have ever had from any
Meaningful Use EHR and beyond is
identity matched, tracked, and stored forever
by Surescripts. I am currently trying to
figure out how Surescripts is able to do this
without any visible consent or transparency.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Adrian<br>
<br>
On Friday, September 25, 2015, Maxwell, Jeremy
(OS/OCPO) &lt;<a moz-do-not-send="true" href="mailto:Jeremy.Maxwell@hhs.gov" target="_blank">Jeremy.Maxwell@hhs.gov</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Probably not. It
sounds like it was either human error
(e.g., someone entered information into
a wrong chart) or a software error
(e.g., the EHR software mixed up its
database indices). Or it could be
simple fraud (e.g., doctor shopping).
In any event, I think the best de</span></p></div></div></div></div></div></div></div></div></div></blockquote></div></blockquote></body>