<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:915626520;
mso-list-type:hybrid;
mso-list-template-ids:-1586438554 42729800 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1388340819;
mso-list-template-ids:-1471890656;}
@list l2
{mso-list-id:1925340702;
mso-list-template-ids:-845006020;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Here is an example consent in human-readable PDF and FHIR Consent form. I answered your questions inline below. Ken<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> agropper@gmail.com [mailto:agropper@gmail.com]
<b>On Behalf Of </b>Adrian Gropper<br>
<b>Sent:</b> Wednesday, August 10, 2016 2:57 PM<br>
<b>To:</b> Salyards, Kenneth (SAMHSA/OPPI)<br>
<b>Cc:</b> Vivek Biswas; openid-specs-heart@lists.openid.net; Josh Mandel; Grahame Grieve<br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART Scope Design Proposal #1<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">What is a consent directive?<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-bottom:12.0pt;text-indent:-.25in;mso-list:l0 level1 lfo3">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">See attachments<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">What is the relationship of whatever it is to FHIR or any other standard data model?<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-bottom:12.0pt;text-indent:-.25in;mso-list:l0 level1 lfo3">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Attached FHIR DSTU2 consent<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">How does a consent directive interact with OAuth, UMA or OpenID Connect?<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-bottom:12.0pt;text-indent:-.25in;mso-list:l0 level1 lfo3">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Currently we use OAuth and OpenID Connect for patient authentication. For UMA, I would envision an RS with the responsibility to enforce patient consent
directives.<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Do you have an example of how a consent directive maps into, replaces, or changes the NYP ROI authorization form?<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> - I don’t know what the NYP ROI authorization form is. You can compare to the attached consent or send it to me
and I can compare.<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks,<o:p></o:p></p>
</div>
<p class="MsoNormal">Adrian<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Aug 10, 2016 at 2:49 PM, Salyards, Kenneth (SAMHSA/OPPI) <<a href="mailto:Kenneth.Salyards@samhsa.hhs.gov" target="_blank">Kenneth.Salyards@samhsa.hhs.gov</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Fine-grained authorization should be dealt with using a patient’s consent directive. FHIR DSTU2 supports
the consent directive as part of the Contract resource. In DSTU3, as I understand it, the consent directive will not be part of Contract. This can work seamlessly within the UMA resource server construct. Ken</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Vivek Biswas<br>
<b>Sent:</b> Wednesday, August 10, 2016 1:50 PM<br>
<b>To:</b> Adrian Gropper; <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">
openid-specs-heart@lists.openid.net</a><br>
<b>Cc:</b> Josh Mandel; Grahame Grieve</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART Scope Design Proposal #1<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">Hi Adrian,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">The scopes are meant to do coarse-grained authorization and not fine grained authorization.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">And hence, this is one of the reasons why scopes are static strings.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">If one wants to perform fine-grained authorization, then it is based on a lot of contextual information like you mention: date range, geo-location, etc.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">The contextual information can reside in the request payload, in a database, within the access token (if it is a JWT), etc. All of this contextual information associated with the request can be trusted only if
the access token has been validated (i.e., the resource server has verified the token — by checking its signature, issuer, audience and expiry for a JWT, or via token introspection — before relying on any claims it carries). </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">There can be a policy associated with the context which helps decide whether the request should be authorized.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">So, scopes can help you do a first level of coarse-grained authorization, which will yield an access token. Once the access token has been validated, grab the contextual information from the payload, header,
access token, etc. Find the policy associated with the contextual object and then perform fine-grained authorization based on the policy.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">Regards</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">Vivek Biswas, CISSP</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black">Consulting Member @Oracle</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Verdana","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">
<hr size="1" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"> Adrian Gropper <<a href="mailto:agropper@healthurl.com" target="_blank">agropper@healthurl.com</a>><br>
<b>To:</b> "<a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a>" <<a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a>>
<br>
<b>Cc:</b> Justin Richer <<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>>; Vivek Biswas <<a href="mailto:vivek_biswas@yahoo.com" target="_blank">vivek_biswas@yahoo.com</a>>; Josh Mandel <<a href="mailto:jmandel@gmail.com" target="_blank">jmandel@gmail.com</a>>;
Grahame Grieve <<a href="mailto:grahame@healthintersections.com.au" target="_blank">grahame@healthintersections.com.au</a>><br>
<b>Sent:</b> Tuesday, August 9, 2016 12:57 PM<br>
<b>Subject:</b> Re: [Openid-specs-heart] HEART Scope Design Proposal #1</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">There are many reasons why we need to find a way:</span><o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1;background:white">
<span style="font-family:"Helvetica","sans-serif"">I have never seen a release of information form that did not have a date range. Has anyone? If we say HEART can't do that, we're calling into question the legitimacy of HEART.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1;background:white">
<span style="font-family:"Helvetica","sans-serif"">We have a lot of experience with 75-page CCDAs with the current standards. Many patients have huge health records and it is resource-intensive to get 74-pages of information you already had in order to find
the change from the last encounter. The cost is not just on the sender but on the recipient as well. This is probably the top complaint of the current interop methods in my medical society.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1;background:white">
<span style="font-family:"Helvetica","sans-serif"">I don't think the HEART charter set a particular limit on how much of FHIR we would manage. It's not in our charter to treat effective provider-to-provider exchange as out-of-scope. Once we say that HEART will
not support the full patient-level feature set of FHIR, where do we draw the line?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1;background:white">
<span style="font-family:"Helvetica","sans-serif"">UMA is not OAuth. The goals of the two standards are very different. UMA and HEART are patient-centered. If we restrict HEART to a small fraction of the longitudinal health records or patient-centered health
records transactions (because most of the traffic stays in the batch or institution-to-institution domain) then where do we host the discussion on a future for patient-centered records?</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1;background:white">
<span style="font-family:"Helvetica","sans-serif"">There is no logical reason for HEART to not support date ranges once FHIR has that capability. In some jurisdictions, this would be seen as reducing patient's right of access and subject to legal challenge.
</span><o:p></o:p></li></ol>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">I've added Josh and Grahame to this thread. Let's try and find the solution to this problem even if it involves changing UMA, FHIR or both.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Adrian</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">On Tue, Aug 9, 2016 at 12:31 PM, Vivek Biswas <<a href="mailto:vivek_biswas@yahoo.com" target="_blank">vivek_biswas@yahoo.com</a>> wrote:</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">I agree with Justin that scopes should be static strings rather than parameterized scope strings. Most OAuth servers support static strings. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">It will be challenging to implement a profile that requires dynamic strings, which in turn will hamper the adoption of HEART.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">We are trying to add contextual information into the scope, which is not what scopes are intended for.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"><br>
Regards</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Vivek Biswas, CISSP</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Consulting member @Oracle </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"><br>
On Aug 9, 2016, at 9:17 AM, Justin Richer <<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>> wrote:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">A problem I can see with this is that the “date” field in particular moves this from something that’s expressible as a table of known strings (like in the appendix of the current spec) to something
that’s dynamically parameterized with a potentially infinite set of values. This is a problem in practice as many OAuth implementations treat all scopes as static strings, and will do things like limit the set of scopes a client is allowed to ask for based
on a set of registered strings. That’s not possible with a field like “date” anymore, since the value is filled in at runtime. We tried to have parameterized scopes in BB+ (and even implemented it) but it was generally thought to be too complicated, and required
special tooling at the authorization server.</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">If at all possible, I’d like HEART scopes to not require such special processing and support at the AS.</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> — Justin</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">On Aug 8, 2016, at 9:08 PM, Adrian Gropper <<a href="mailto:agropper@healthurl.com" target="_blank">agropper@healthurl.com</a>> wrote:</span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Scope Design Proposal #1 aims to support
<a href="https://dl.dropboxusercontent.com/u/8909568/NYP%20authorization.pdf" target="_blank">
a typical ROI authorization</a>.</span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">The structure of SDP1 is: patient/<a href="http://hl7.org/fhir/search.html#date" target="_blank">date</a>/<a href="http://hl7-fhir.github.io/v3/ConfidentialityClassification/vs.html" target="_blank">confidentialitycl
ass</a>/<a href="http://hl7.org/fhir/resourcelist.html" target="_blank">resource</a>/edit</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"><br>
The logic is as follows:</span><o:p></o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span style="font-family:"Helvetica","sans-serif"">/patient because this applies to only one patient at a time. The patient ID is local to the resource server.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span style="font-family:"Helvetica","sans-serif"">/<a href="http://hl7.org/fhir/search.html#date" target="_blank">date</a> is defined by FHIR and can be a range. Putting it at the highest level in the hierarchy (if a scope hierarchy is useful) allows for efficiency
in clients requesting updates and reduces the cost to the resource server</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span style="font-family:"Helvetica","sans-serif"">/<a href="http://hl7-fhir.github.io/v3/ConfidentialityClassification/vs.html" target="_blank">confidentialityclass</a> filters for resources at or below the specified value. Resources that do not have a confidentiality
class are considered N - Normal. It is up to the resource server to provide jurisdictionally appropriate policies and user interfaces for setting a confidentiality class other than N on particular resources.</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span style="font-family:"Helvetica","sans-serif"">/<a href="http://hl7.org/fhir/resourcelist.html" target="_blank">resource</a> is any resource listed in the particular version of the FHIR specification</span><o:p></o:p></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span style="font-family:"Helvetica","sans-serif"">/edit is "read", "write", "any" operation by the client on the resource</span><o:p></o:p></li></ul>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">A client might request a scope for immunizations for patient 23 as:</span><o:p></o:p></p>
</div>
<pre style="background:white"><span style="color:black">[ "date=le2016-8-8","conclass=N" , "resource=Immunization", "edit=read" ]<br></span><span style="font-family:"Arial","sans-serif";color:black"><br>on a resource registered as:</span><span style="color:black"> [base]/Patient/23/</span><span style="font-family:"Arial","sans-serif";color:black"> with a reference to HEART scopes SDP1 <br>that would tell both the AS and anyone else that dereferenced HEART/SDP1 that the RS would<br>process specific scope strings for date, confidentialityclass, resource, and edit as described above.<br><br>The AS would be free to present SDP1 to the RO any way that it chose.<br><br>A resource server like NYP that wanted to offer registration for sensitive data like Mental Health Treatment<br>would register another resource: [base]/Patient/23/ MentalHealthTx with whatever scopes it offered. <br>These additional resources would not be specified by HEART.<br><br>Any particular RS could choose to support Confidentiality Class, additional resources, neither, or both. <br><br>It would be up to the AS to combine HEART SDP1 resources and additional resources and scopes offered by the RS into whatever policy setting experience it wanted.</span><o:p></o:p></pre>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">With this scheme, an AS might offer Alice a policy setting for Observation = R - Restricted even on a resource server that did not support confidentiality class. This would cause all client requests
for Observations to fail because the RS would be forced to treat unlabeled resources as N and the authorization tokens for observations were R. The RS could:<br>
(a) ignore this problem and treat it as an AS bug, <br>
(b) implement confidentiality classification, or <br>
(c) offer additional resources and scopes so that the AS could tell Alice that Observations did not include those related to mental health in the hope that Alice would set Observation = N and deal with mental health as a separate part of her policy.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">I believe that, to a first approximation, SDP1 would capture the functionality of most sharing use-cases without forcing the RS to do anything more than it is jurisdictionally already required to
do. </span><o:p></o:p></p>
</div>
<div>
<pre style="background:white"><span style="font-family:"Arial","sans-serif";color:black">Adrian</span><o:p></o:p></pre>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Arial","sans-serif";color:black"><br>
</span><span style="font-family:"Helvetica","sans-serif";color:black"><br clear="all">
</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"><br>
-- </span><o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Adrian Gropper MD<br>
<br>
PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>
HELP us fight for the right to control personal health data.<br>
DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563C1">http://patientprivacyrights.org/donate-2/</span></a>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"><br>
<br clear="all">
<br>
-- </span><o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">Adrian Gropper MD<br>
<br>
PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>
HELP us fight for the right to control personal health data.<br>
DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563C1">http://patientprivacyrights.org/donate-2/</span></a>
</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black"> </span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Adrian Gropper MD<br>
<br>
<span style="font-family:"Arial","sans-serif";color:#1F497D">PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>
HELP us fight for the right to control personal health data.<br>
DONATE: <a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563C1">http://patientprivacyrights.org/donate-2/</span></a></span>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>