<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>
<div>I have no idea what you are saying. Are you saying that a patent isn't smart enough to decide if they are comfortabe sharing something that was deemed sensitive 30 years ago by a legislatI've process?</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><div style="font-size:85%;color:#575757">Aaron Seib</div><div style="font-size:85%;color:#575757"><br></div><div style="font-size:85%;color:#575757">The trick to establishing trust is to avoid all tricks. Especially tricks on yourself.</div></div><br><br>-------- Original message --------<br>From: "Glen Marshall [SRS]" <gfm@securityrs.com> <br>Date: 7/27/16 4:03 PM (GMT-05:00) <br>To: HEART List <openid-specs-heart@lists.openid.net> <br>Subject: Re: [Openid-specs-heart] Resources vs Resource sets <br><br>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">The boundary of existing regulatory mandates for privacy and security is a bright line. It defines the minimum we in health IT must achieve. Anything beyond that either anticipates regulatory
change or states an objective or some sort.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">In the case of covered entities’ objectives, we can assume they have performed HIPAA-required risk analysis and set risk management policies accordingly. I believe that OAuth and UMA operate
most effectively in a such a businesslike risk-mitigation environment, where the semantics of the security and privacy metadata are unambiguous.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">When we honor patient-specific privacy choices, we ignore covered entity risk assessment and in-common semantics. Patients are under no obligation to perform a formal business risk analysis
or articulate it in a commonly-understood way. Their choices may be realistic or not, articulate or not. We have no simple objective basis to assess, let alone enforce, them.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif">It is a philosophic ethical question as to how we honor patient privacy choices. It is not clear to me that the health IT marketplace is ready to answer it.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Glen F. Marshall<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Consultant<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Security Risk Solutions, Inc.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">698 Fishermans Bend<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Mount Pleasant, SC 29464<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Tel: (610) 644-2452
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Mobile: (610) 613-3084<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">gfm@securityrs.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif"><a href="http://www.securityrisksolutions.com/"><span style="color:#0563C1">www.SecurityRiskSolutions.com</span></a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-heart [mailto:openid-specs-heart-bounces@lists.openid.net]
<b>On Behalf Of </b>Aaron Seib<br>
<b>Sent:</b> Wednesday, July 27, 2016 14:25<br>
<b>To:</b> Adrian Gropper <agropper@healthurl.com>; Salyards, Kenneth (SAMHSA/OPPI) <Kenneth.Salyards@samhsa.hhs.gov><br>
<b>Cc:</b> HEART List <openid-specs-heart@lists.openid.net><br>
<b>Subject:</b> Re: [Openid-specs-heart] Resources vs Resource sets<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I don't understand why we would even ask the consumer what their preference is if they can't change a default used by a Covered Entity?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That is the entire point.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="composer_signature">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757">Aaron Seib<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#575757">The trick to establishing trust is to avoid all tricks. Especially tricks on yourself.<o:p></o:p></span></p>
</div>
</div>
</div>
</body></html>