<div dir="ltr">There's nothing US-centric or even healthcare-centric in profiling HEART
 to support a person's right of access. Done right, this approach 
minimizes governance issues and serves institutions subject to GDPR as 
much as those subject to HIPAA.<br><br>The issue boils down to a few simple requirements for a HEART API:<br><ul><li>Complete information is available as a participant-specific resource,</li><li>A participant can specify _any_ Authorization Server for any participant-specific resource,</li><li>A warning mechanism allows the Resource Server operator to warn the participant if the AS does not meet whatever criteria it chooses or is mandated to support,</li><li>The implementation ensures that compromise of a participant-specified AS does not affect any other participant's resources.</li></ul><p>None of these four requirements is US or healthcare-specific and all four together still allow for other kinds of resources and other kinds of authorization servers. These four requirements are a minimum of sorts. HEART profiles can support many advanced features and policies.</p><p>Conversely, is there a reason not to support a person's right of access to a HEART resource?</p><div>Adrian</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 11, 2016 at 6:11 PM, Glen Marshall [SRS] <span dir="ltr">&lt;<a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I would prefer we not tie HEART to a US regulatory guidance
    document.  Such things change based on the political winds and on
    whoever is interpreting the documents.  In addition, OCR's view
    represents a minimum, with stronger state regulations -- and there
    are many of those -- taking precedence.   And patients may opt for
    lesser privacy restrictions.  Additionally, it is not clear to me
    that HEART is US-domain only, at least in the longer term.  Other
    nations may want to use the profiles.  A much more stable basis is
    needed.<br>
    <br>
    What is needed, IMHO, is a clear way to populate the profiles with
    policies and patient preferences and to keep them up-to-date as
    things change.  We need to profile that dynamic environment.  <br>
    <div>
      <p><b>Glen F. Marshall</b><br>
        Consultant<br>
        Security Risk Solutions, Inc.<br>
        698 Fishermans Bend<br>
        Mount Pleasant, SC 29464<br>
        Tel: <a href="tel:%28610%29%20644-2452" value="+16106442452" target="_blank">(610) 644-2452</a><br>
        Mobile: <a href="tel:%28610%29%20613-3084" value="+16106133084" target="_blank">(610) 613-3084</a><br>
        <a href="mailto:gfm@securityrs.com" target="_blank">gfm@securityrs.com</a><br>
        <a href="http://www.SecurityRiskSolutions.com" target="_blank">www.SecurityRiskSolutions.com</a></p>
    </div><div><div class="h5">
    <div>On 1/8/16 22:49, Adrian Gropper wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <div dir="ltr">
        <div>
          <div>
            <div>
              <p style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><i>(Apologies
                  for cross-posting in the hope that the groups will
                  communicate via comments in the shared <a href="http://bit.ly/HEARTfromHIPAA" target="_blank">document</a>. If
                  you want edit access, please contact me directly)</i><br>
              </p>
              <p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><br>
              </p>
              <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:14.6667px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline">Can
                  we expedite a consensus on the HEART profiles directly
                  from HIPAA rather than just use-cases? The recent
                  release of detailed and up-to-date guidance from the
                  Office for Civil Rights (</span><a href="http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html" target="_blank">http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html</a><span style="font-size:14.6667px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline">) makes
                  this relatively easy. Although it doesn’t answer every
                  question, this approach, like HIPAA itself,
                  establishes a baseline of functionality for HEART and
                  can clarify the remaining technical and policy issues.
                  In addition, deriving the baseline of functionality
                  from HIPAA also helps to inform the HL7-FHIR standards
                  and their relationship to HEART.</span></p>
              <br>
              <p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:14.6667px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline">To
                  begin this process, I’ve copied out a few relevant
                  sections of the OCR guidance </span><a href="http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html" style="text-decoration:none" target="_blank"><span style="font-size:14.6667px;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline">document</span></a><span style="font-size:14.6667px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline">
                  below and have added initial comments that relate to
                  HEART. If we can reach consensus on interpretation of
                  these comments in HEART, then consensus on the scope
                  and content of the HEART profiles should be relatively
                  easy. Furthermore, this approach makes it much easier
                  to inform FHIR, Argonaut, and SMART to the extent that
                  optionality will be constrained by linking FHIR to the
                  HIPAA privacy rule.</span></p>
              <br>
              <span style="font-size:14.6667px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline">The
                initial comments in the Google doc are classified (1-9)
                according to what particular aspect of patient-directed
                interface is being addressed. I hope we can use the
                following weeks to resolve any objections to the
                interpretations of HIPAA in terms of FHIR and HEART. If
                we succeed, I believe the baseline HEART profiles will
                then become a straightforward technical exercise. Beyond
                this baseline, we can then revisit the use-cases to see
                what additional features or issues need to be addressed.</span><br>
            </div>
            <font size="2"><br>
            </font></div>
          <font size="2">Happy New Year and thank you OCR!</font></div>
        <div><font size="2"><br>
          </font></div>
        <font size="2">Adrian<br>
        </font>
        <div>
          <div><font size="2"><br>
              <br clear="all">
            </font>
            <div><br>
              -- <br>
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div><br>
                            <div dir="ltr">Adrian Gropper MD<br>
                              <br>
                              <span style="font-family:'Arial',sans-serif;color:rgb(31,73,125)">PROTECT
                                YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:'Arial',sans-serif;color:rgb(31,73,125)"><br>
                                HELP us fight for the right to control
                                personal health data.</span><span style="font-family:'Arial',sans-serif;color:rgb(31,73,125)"><br>
                                DONATE:
                                <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:rgb(5,99,193)">http://patientprivacyrights.org/donate-2/</span></a></span>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><pre>_______________________________________________
Openid-specs-heart mailing list
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<br><br><span style="font-family:'Arial',sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:'Arial',sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:'Arial',sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span>
</div></div></div></div></div></div></div></div>
</div></div>
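<p>The four minimum requirements listed in the reply at the top of this thread, modelled as an added example that is not from the thread or from the HEART profiles themselves: a toy resource server lets each participant designate any authorization server, returns a warning (rather than refusing) when that AS is not on the operator's vetted list, and verifies a token only against the AS designated by the owner of the requested resource, so a compromised AS cannot reach another participant's resources. Server names, keys and the HMAC token format are constructed stand-ins for the OAuth/UMA tokens a real HEART deployment would use.</p>

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AuthorizationServer:
    issuer: str
    key: bytes  # constructed per-AS signing key (stand-in for a real key pair)
    def mint(self, participant: str, resource: str) -> bytes:
        payload = f"{self.issuer}|{participant}|{resource}".encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + mac

@dataclass
class ResourceServer:
    vetted_issuers: set  # the operator's own criteria for an AS
    registry: dict = field(default_factory=dict)  # participant -> chosen AS
    def register_as(self, participant: str, as_: AuthorizationServer) -> Optional[str]:
        # Req. 2: any AS may be designated. Req. 3: unmet criteria warn, not block.
        self.registry[participant] = as_
        if as_.issuer not in self.vetted_issuers:
            return f"warning: {as_.issuer} does not meet this operator's criteria"
        return None

    def authorize(self, participant: str, resource: str, token: bytes) -> bool:
        # Req. 1 and 4: the resource is participant-specific, so the token is
        # verified only against the AS that *this* participant designated.
        as_ = self.registry.get(participant)
        if as_ is None:
            return False
        payload, _, mac = token.rpartition(b".")
        expected = hmac.new(as_.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):
            return False
        issuer, subject, res = payload.decode().split("|")
        return issuer == as_.issuer and subject == participant and res == resource

def demo() -> dict:
    rs = ResourceServer(vetted_issuers={"https://as.hospital.example"})
    as_a = AuthorizationServer("https://as.hospital.example", b"key-a")
    as_b = AuthorizationServer("https://as.bob-picked.example", b"key-b")
    warn_a, warn_b = rs.register_as("alice", as_a), rs.register_as("bob", as_b)
    forged = as_b.mint("alice", "/Patient/alice")  # bob's AS is compromised
    return {
        "alice_warned": warn_a is not None,
        "bob_warned": warn_b is not None,
        "bob_own": rs.authorize("bob", "/Patient/bob", as_b.mint("bob", "/Patient/bob")),
        "forged_for_alice": rs.authorize("alice", "/Patient/alice", forged),
    }
```

<p>Bob's unvetted AS still works for Bob's own record (the warning is informational), but the token it forges for Alice fails because Alice's resource is only ever checked against the AS she designated.</p>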