<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think this conversation is anent to one that I just pinged Debbie about yesterday.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We all recognize that under HIPAA a CE isn’t required to get an authorization to share a patient’s PHI for TPO.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That is a historical norm, right? Just because we have been there doesn’t mean we have to continue to live in the past.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I have felt like there has been this tension and fence riding about whether or not a Consumer’s Privacy Preferences can or should trump what a CE is permitted to do in relation to a permitted purpose.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think what it comes down to is what the Provider puts into their Notice of Privacy Practices. 
If in the NPP the provider says I will follow the directions of your AS for sharing purposes except for purposes of payment – let’s say – then I would argue that the patient has an expectation that their data from that provider not be shared with another provider – even though it is a permitted purpose under HIPAA.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Of course if the NPP says something like – regardless of what your AS indicates I am going to share with other providers who assert a treatment relationship because I can under HIPAA (sorry – sarcasm intended).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Just because I am allowed to carry a concealed weapon in Texas doesn’t mean I have to if I don’t think it is the right policy for me.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As a doc, if I believe the trust of my patients is as important as my ability to diagnose them accurately I might make it my policy to commit to following their AS directions.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Does anyone disagree with that? 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:14.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) 301-540-2311<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) 301-326-6843<o:p></o:p></span></p><p class=MsoNormal><a href="nate-trust.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=205 height=48 id="Picture_x0020_1" src="cid:image001.jpg@01D1ED58.91FD0C00" alt="cid:image001.jpg@01D10761.5BE2FE00"></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Openid-specs-heart [mailto:openid-specs-heart-bounces@lists.openid.net] <b>On Behalf Of </b>Maxwell, Jeremy (OS/OCPO)<br><b>Sent:</b> Tuesday, August 2, 2016 
5:13 PM<br><b>To:</b> Adrian Gropper<br><b>Cc:</b> openid-specs-heart@lists.openid.net<br><b>Subject:</b> Re: [Openid-specs-heart] Alice's health resource set<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Not sure I follow. HIPAA does not require consent for TPO—it is a permitted use. An organization may still choose to collect consent for TPO, either because of their own organizational policy or because another law requires it. But this is not “HIPAA TPO consent.” In ONC parlance, we call this “basic choice for TPO” in both our Interoperability Roadmap as well as our Patient Choice Technical Project. Of course others may call this by a different term, but calling it a “HIPAA TPO consent” is imprecise and can perpetuate existing misunderstandings about what HIPAA actually requires.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:agropper@gmail.com">agropper@gmail.com</a> [<a href="mailto:agropper@gmail.com">mailto:agropper@gmail.com</a>] <b>On Behalf Of </b>Adrian Gropper<br><b>Sent:</b> Tuesday, August 02, 2016 5:01 PM<br><b>To:</b> Maxwell, Jeremy (OS/OCPO)<br><b>Cc:</b> Debbie Bucci; <a href="mailto:openid-specs-heart@lists.openid.net">openid-specs-heart@lists.openid.net</a><br><b>Subject:</b> Re: [Openid-specs-heart] Alice's health resource set<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><div><p 
class=MsoNormal style='margin-bottom:12.0pt'>Jeremy, <br><br>Sorry, I should have said HIPAA TPO "consent".<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>If access to the FHIR resources does not require Alice's authorization and the RS wants to keep Alice in the dark because HIPAA's accounting of disclosures is seldom implemented as well, then HEART is not involved. I would not call the TPO loophole consent except sarcastically.<o:p></o:p></p></div><p class=MsoNormal>Adrian<o:p></o:p></p><div><div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Aug 2, 2016 at 2:22 PM, Maxwell, Jeremy (OS/OCPO) <<a href="mailto:Jeremy.Maxwell@hhs.gov" target="_blank">Jeremy.Maxwell@hhs.gov</a>> wrote:<o:p></o:p></p><div><div><p class=gmail-msonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Also, want to clarify what “typical of HIPAA TPO consent” means? TPO is a permitted use under HIPAA that does not require consent.</span><o:p></o:p></p><p class=gmail-msonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=gmail-msonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=gmail-msonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=gmail-msonormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-bounces@lists.openid.net</a>] <b>On Behalf Of </b>Debbie Bucci<br><b>Sent:</b> Tuesday, August 02, 2016 2:17 PM<br><b>To:</b> Adrian Gropper<br><span class=gmail-><b>Cc:</b> <a href="mailto:openid-specs-heart@lists.openid.net" 
target="_blank">openid-specs-heart@lists.openid.net</a></span><br><span class=gmail-><b>Subject:</b> Re: [Openid-specs-heart] Alice's health resource set</span></span><o:p></o:p></p><p class=gmail-msonormal> <o:p></o:p></p><div><div><p class=gmail-msonormal>Lost me again Adrian - <o:p></o:p></p></div><div><div><div><div><p class=gmail-msonormal> <o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=gmail-msonormal>We should also not ignore the Client-to-AS first flow. This is the preferred flow from a privacy engineering perspective. (see other thread with Justin). In the majority of cases of HIE, the Client has a relationship with Alice already (<span style='background:yellow'>this is typical of HIPAA TPO consent</span>) or the Client has found Alice via a "Relationship Locator Service" which is a directory operated by the state or some private entity like CommonWell. When the Client matches with Alice in the RLS, does the RLS return a list of RSs or a pointer to Alice's AS?<o:p></o:p></p></div><div><div><p class=gmail-msonormal> <o:p></o:p></p></div></div><div><p class=gmail-msonormal>The most privacy-preserving thing would be for RLSs to return pointers to Alice's AS and in the future this is what Alice might insist on if she is still given a choice to opt-in or opt-out of HIE. Alice does have that choice today in the US. In other countries, not-so-much.<o:p></o:p></p></div></blockquote><div><p class=gmail-msonormal> <o:p></o:p></p></div><div><p class=gmail-msonormal> Are you suggesting the AS is some sort of proxy for all data - I don't think you were saying that. At some point the Client would need a relationship with the RS as well - correct? Is the Client to AS flow a separate spec? Would you please provide the link? 
Looking at UMA 1.01 - client needs a permission ticket first - that is generated from AS - to RS to client (?)<o:p></o:p></p></div><div><p class=gmail-msonormal> <o:p></o:p></p></div><div><div><p class=gmail-msonormal> <o:p></o:p></p></div></div><div><p class=gmail-msonormal> <o:p></o:p></p></div><div><div><p class=gmail-msonormal> <o:p></o:p></p></div></div></div></div></div></div></div></div><p class=MsoNormal><br><br clear=all><br>-- <o:p></o:p></p><div><div><div><div><div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Adrian Gropper MD<br><br><span style='font-family:"Arial","sans-serif";color:#1F497D'>PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health data.<br>DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style='color:#0563C1'>http://patientprivacyrights.org/donate-2/</span></a></span> <o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></body></html>