<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Adrian<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Your points are certainly well taken too! Especially regarding C and E below. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Perhaps the point is that if we were to freeze the permitted value for Purpose of Use to patient access we’d actually limit the size of the problem we are trying to solve to a manageable size?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Nancy listed out several examples of POU where she writes <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-family:"Calibri","sans-serif"'>The custodian organization uses the claimed purpose of use to interpret policy. For instance, if the pou is ‘Treatment’ a complete record might be provided, but if the pou is ‘Coverage’ the policy may limit what is sent. 
If the pou is ‘Research’ then the custodian organization might need to de-identify the data on the way out.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Where what is shared is defined by the POU. Does it help us make progress to say – yes POU can have different values but for the purposes of this work group we are holding our work to the case where it is Individual Right of Access?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As you say – an UMA Auth server is not healthcare specific but I thought HEART was. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I recognize the arguments that POU would be valuable to include but given what the original charter was does it make sense to consider working on a subset of possible POUs?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton <o:p></o:p></span></p><p 
class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) 301-540-2311<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) 301-326-6843<o:p></o:p></span></p><p class=MsoNormal><a href="nate-trust.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=164 height=38 id="Picture_x0020_1" src="cid:image001.jpg@01D2CE5D.8EB1E7F0"></span></a><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> agropper@gmail.com [mailto:agropper@gmail.com] <b>On Behalf Of </b>Adrian Gropper<br><b>Sent:</b> Tuesday, May 16, 2017 2:29 PM<br><b>To:</b> John Moehrke<br><b>Cc:</b> Aaron Seib; HEART List<br><b>Subject:</b> Re: [Openid-specs-heart] Purpose of Use<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Aaron has stated his opinion on scalability quite clearly and I can give a privacy engineering perspective that attempts to explain the reason I come to the opposite conclusion from Aaron. HEART needs to be about 3rd party access.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>From a privacy engineering at scale perspective:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A - We need to minimize the number of copies of PII that are required in the normal course of business. 
This enhances both security (fewer places to secure and audit) and privacy (more opportunity to control and audit use<span style='color:#1F497D'>)</span>.<span style='color:#1F497D'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal>B - We can separate PII creators (lab, imaging facility, genome) from PII aggregators because the aggregators (institutional health records, relationship registries, outcomes registries, biobanks, hidden data brokers) combine PII over time and across various institutions. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>C - Some kinds of "lab" data are not conveniently copied to a patient-controlled location even if provenance is solved. For example, an MRI, CT, or genome can be 10's of GB and is more usefully streamed (like Netflix) or processed in-place (ask about a specific SNP in a genome). 3rd party access control allows for streaming direct from the source for scalability.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>D - Even when a patient chooses to own a copy of her data as an aggregated health record, <span style='background:lime;mso-highlight:lime'>she still needs to provide for discovery of this record by appropriate third-parties</span>. Typically, this means registering some metadata in a directory (e.g.: an HIE relationship locator service) and controlling access to that directory somehow. The AS can control 3rd party access to a directory.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>E - Some healthcare registries are, by definition, coercive. For example, a Prescription Drug Monitoring Program. 
This kind of aggregated PII cannot be replaced by a copy under patient control and needs to be handled as 3rd party access.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>F - A patient-owned aggregated health record, like the ones promoted by Aaron's organization, can be designed with compatibility for a HEART AS and will gain utility and marketability if they are. The reason is that an UMA Authorization Server is not healthcare-specific. Patients may want to provide access to location, environmental, social or banking relationships compatible with UMA that have nothing to do with FHIR and may not be compatible with software designed for healthcare. The assumption that a HEART AS is specific to healthcare reduces both patient empowerment and scalability.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Adrian<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, May 16, 2017 at 1:42 PM, John Moehrke <<a href="mailto:johnmoehrke@gmail.com" target="_blank">johnmoehrke@gmail.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>well... if not third party access, then normal OAuth will work just fine... 
<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>See the fine work done leveraging this patient right of access, Sync for Science<o:p></o:p></p><div><p class=MsoNormal><a href="https://www.healthit.gov/buzz-blog/health-innovation/nih-and-onc-launch-the-sync-for-science-pilot/" target="_blank">https://www.healthit.gov/buzz-blog/health-innovation/nih-and-onc-launch-the-sync-for-science-pilot/</a> <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>And if you are finding that normal OAuth or even lesser technology (username/password) is not working, then adding another layer of OAuth/UMA is not likely to fix the problem...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>again, I am not arguing that Patient Right of Access is universally accepted and implemented... Just that adding more technology will not fix a fundamental misunderstanding. A misunderstanding that HHS has tried over and over to fix.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>Of course, I live in Wisconsin where there is no such data blocking... :-)<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div></div></div></div></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal>John Moehrke<br>Principal Engineering Architect: Standards - Interoperability, Privacy, and Security<br>CyberPrivacy – Enabling authorized communications while respecting Privacy<br>M <a href="tel:(920)%20564-2067" target="_blank">+1 920-564-2067</a><br><a href="mailto:JohnMoehrke@gmail.com" target="_blank">JohnMoehrke@gmail.com</a><br><a href="https://www.linkedin.com/in/johnmoehrke" target="_blank">https://www.linkedin.com/in/johnmoehrke</a><br><a href="https://healthcaresecprivacy.blogspot.com" target="_blank">https://healthcaresecprivacy.blogspot.com</a><br>"Quis custodiet ipsos custodes?" 
("Who watches the watchers?")<o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal>On Tue, May 16, 2017 at 12:19 PM, Aaron Seib <<a href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>John</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Your point is certainly well taken.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>UMA is more powerful when it enables the user to manage third party access rights. I am just not sure I subscribe to the notion that we should be building toward a world where there are still 3<sup>rd</sup> party access rights. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I may be alone in seeing it this way but I had thought that UMA was a candidate for the consumer to convey to its app what the individual’s sharing preferences would be. 
In the future the holder of a 3<sup>rd</sup> Party Auth would be going to their Consumer Controlled app to collect data for a given purpose of use. I see how it could work both ways.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I may be speaking heretically here but do we really believe that a Provider Organization should be accountable for handling 3<sup>rd</sup> party auths?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I am speaking really practically here. Do Provider Organizations have the bandwidth to handle 3<sup>rd</sup> party auths at scale? I am not talking about the volume of these kinds of Auths today. I am envisioning in the future when more consumers are authorizing sharing with researchers or for other purposes of use.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It seems to me that the Consumer Apps would be the place that would have the value add from building the computing capacity to manage those transactions. Not the Data Source. 
The benefit of the Data Source doing it is that you don’t have to solve the Provenance Problem but if I am following along the FHIR Resources are being defined to account for that.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>At the end of the day it may be a policy question but I would argue from a policy perspective that in the best of all possible worlds the data should flow from the consumer to the researcher. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>There is probably more to it that others can point out that I am missing but from an SDO perspective what you say makes sense.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) <a 
href="tel:(301)%20540-2311" target="_blank">301-540-2311</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) <a href="tel:(301)%20326-6843" target="_blank">301-326-6843</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://nate-trust.org" target="_blank"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=164 height=38 id="m_5930665722844559720m_274681756077527283Picture_x0020_1" src="cid:image002.jpg@01D2CE5D.8EB1E7F0"></span></a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> John Moehrke [mailto:<a href="mailto:johnmoehrke@gmail.com" target="_blank">johnmoehrke@gmail.com</a>] <br><b>Sent:</b> Tuesday, May 16, 2017 12:24 PM<br><b>To:</b> Aaron Seib<br><b>Cc:</b> Justin Richer; HEART List</span><o:p></o:p></p><div><div><p class=MsoNormal><br><b>Subject:</b> Re: [Openid-specs-heart] Purpose of Use<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Aaron,<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks for illuminating. I have not been able to keep up with all of the current intent of HEART. 
It seems that you are saying that the current goal of HEART is always patient access. As you point out PurposeOfUse = “Patient Access”... If this is indeed the case, then it would be best to state that as a fixed PurposeOfUse. When stated that way, it is more clear. <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This means however that other PurposeOfUse are not accepted. I seem to recall use-cases that were being discussed where the HEART AS was intermediating Treatment use-cases. Where the patient would be authorizing specific Providers to access their data through HEART (UMA). This would be a PurposeOfUse of TPO. It would be important to be specific that "Dr Bob" has TPO access, but not research or other access.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Or uses where the Patient is authorizing access by a Research project... or where they are authorizing access for other uses.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am not trying to say that PurposeOfUse is essential, but rather to point out that it enables an 'intent' vector.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I think limiting HEART to only the patient accessing their own data is too limiting. This is indeed an important use-case, isn't that a much more simple two party use-case? 
UMA is more powerful when it enables the "User" (aka Patient) to manage third parties access rights. Thus it seems way too limiting to just focus on patient access.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>John<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>John Moehrke<br>Principal Engineering Architect: Standards - Interoperability, Privacy, and Security<br>CyberPrivacy – Enabling authorized communications while respecting Privacy<br>M <a href="tel:(920)%20564-2067" target="_blank">+1 920-564-2067</a><br><a href="mailto:JohnMoehrke@gmail.com" target="_blank">JohnMoehrke@gmail.com</a><br><a href="https://www.linkedin.com/in/johnmoehrke" target="_blank">https://www.linkedin.com/in/johnmoehrke</a><br><a href="https://healthcaresecprivacy.blogspot.com" target="_blank">https://healthcaresecprivacy.blogspot.com</a><br>"Quis custodiet ipsos custodes?" 
("Who watches the watchers?")<o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Fri, May 12, 2017 at 8:19 AM, Aaron Seib <<a href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Perhaps a very important qualification to add to this discussion is that the PurposeOfUse = “Patient Access” is the essential trump card in the entire paradigm as far as I am concerned.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is what I mean. If a consumer wants their data the data holders (specifically the Covered Entities of HIPAA) have absolutely no right asking what the consumer’s intended “pou” is and they are obligated by law to send their data to the designated endpoint indicated by the consumer. 
</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I am sure no one on this thread needs to hear that reminder but I am not exaggerating when I tell you <u>every single time</u> I am trying to help someone get - their data out in the real world - that I have to “educate” the data holders about this fact. Every time I make a call the first question out of the org’s mouth is “What do you want it for.”</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>PurposeOfUse comes into play when the Institution Data Holder is pushing the data to a 3<sup>rd</sup> party independent of the consumer. 
Perhaps it also has a role to play when the consumer directs the data holder to share the PHI with another third party <u>on their behalf</u>, such as when they direct a Provider to share their data with a research repository – a workflow that I have seen proposed by a couple of programs in the country.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In a perfect world I argue that this is not the best practice – the consumer should request the data to a consumer app that they control and then subsequently share that data with the destination(<b>s</b>) of their choice. The programs that are building “middle-ware” that takes the consumer’s approval to share with their research end-point and presents that to the Institution whereupon the data is transferred to the Program’s destination are inadvertently leaving a lot of value on the table as I believe the consumer should have access to this data in an app that they can use for other purposes. Including making donations of their data to other research activities.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Of course the catch 22 for the research community is that not enough consumers have their own apps that can support that today <i>but they will. </i>If it were in fact a perfect world the Programs would be able to provide the consumers with a way to pick a consumer app of their choice to populate. 
The consumer apps would have the enabling infrastructure to make the donation of their data to one or more research destinations of their choice and everyone would benefit significantly more.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But that is only a dream today and probably not relevant to this work group, right?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Aaron Seib, CEO</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@CaptBlueButton </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> (o) <a href="tel:(301)%20540-2311" target="_blank">301-540-2311</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(m) <a href="tel:(301)%20326-6843" target="_blank">301-326-6843</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://nate-trust.org" target="_blank"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;text-decoration:none'><img border=0 width=164 height=38 
id="m_5930665722844559720m_274681756077527283m_-1431242408440403331Picture_x0020_1" src="cid:image002.jpg@01D2CE5D.8EB1E7F0"></span></a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-bounces@lists.openid.net</a>] <b>On Behalf Of </b>John Moehrke<br><b>Sent:</b> Friday, May 12, 2017 4:20 AM<br><b>To:</b> Justin Richer<br><b>Cc:</b> duane decouteau; <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.openid.net</a><br><b>Subject:</b> Re: [Openid-specs-heart] Purpose of Use</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>PurposeOfUse is indeed a critical aspect in healthcare. It is the highest differentiation, higher than user-role. It indicates the broader context that the data is to be used within. For example, a request for data in healthcare often is on behalf of a broader use: Treatment, Coverage, Research, etc. It is not an attribute of the user, it is an attribute of the request for information. It is not uncommon for identity and context attributes to be conflated or simply communicated in one token; however, that does not mean they really are the same, it just means that the environment has made a simplifying assumption to combine for ease of technology. It is most closely aligned with the broadest part of an OAuth scope. 
So it should be included in the request for authorization decision, and authorization token.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br clear=all><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>John Moehrke<br>Principal Engineering Architect: Standards - Interoperability, Privacy, and Security<br>CyberPrivacy – Enabling authorized communications while respecting Privacy<br>M <a href="tel:(920)%20564-2067" target="_blank">+1 920-564-2067</a><br><a href="mailto:JohnMoehrke@gmail.com" target="_blank">JohnMoehrke@gmail.com</a><br><a href="https://www.linkedin.com/in/johnmoehrke" target="_blank">https://www.linkedin.com/in/johnmoehrke</a><br><a href="https://healthcaresecprivacy.blogspot.com" target="_blank">https://healthcaresecprivacy.blogspot.com</a><br>"Quis custodiet ipsos custodes?" ("Who watches the watchers?")<o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, May 11, 2017 at 3:29 PM, Justin Richer <<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The “pou” claim as it was specified in HEART does not fit this use case, then, and it’s appropriate that we removed it. This was a claim presented by the requesting party’s identity provider, and had nothing to do with the request being made by the client itself. That’s why I argued it wasn’t a good fit where it was. 
If we were to add it back in, it should go elsewhere in the protocol.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> — Justin<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On May 11, 2017, at 2:01 PM, Nancy Lush <<a href="mailto:nlush@lgisoftware.com" target="_blank">nlush@lgisoftware.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Hello all,<span class="m5930665722844559720m274681756077527283m-1431242408440403331m7046718250433411500apple-converted-space"> </span></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Per our last meeting, I agreed to provide more information on the need for the pou claim.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>The claim pou was recently removed from the HEART specs and needs to be restored.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span 
style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>I spoke with Duane Decouteau from the VA team and provide the following details:</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Purpose of use drives policy in many electronic exchanges today. The custodian organization uses the claimed purpose of use to interpret policy. For instance, if the pou is ‘Treatment’, a complete record might be provided, but if the pou is ‘Coverage’, the policy may limit what is sent. If the pou is ‘Research’, then the custodian organization might need to de-identify the data on the way out.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>The pou is passed as a claim within the request. It is a determining factor in evaluating which policies apply to a request. Pou is implemented in ehealth exchange as an underlying principle. Duane feels that pou should be a cornerstone for patient consent. 
It is fully implemented now in ehealth exchange at the VA, Kaiser and others.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>The list of pou values can be found at this link: <span class="m5930665722844559720m274681756077527283m-1431242408440403331m7046718250433411500apple-converted-space"> </span><span style='color:#044444'><a href="https://www.hl7.org/fhir/v3/PurposeOfUse/vs.html" target="_blank"><span style='color:#954F72'>https://www.hl7.org/fhir/v3/PurposeOfUse/vs.html</span></a></span></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif";color:#044444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif";color:#044444'>Respectively,</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif";color:#044444'>Nancy</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr style='height:1.0pt'><td width=342 colspan=2 valign=top style='width:256.7pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 
0in'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.65pt'><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:8.0pt;font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div></td></tr><tr style='height:1.0pt'><td width=139 valign=top style='width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#222A35'>Nancy Lush </span></b><o:p></o:p></p></div></td><td width=203 valign=top style='width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'><a href="mailto:nancy.lush@lgisoftware.com" target="_blank"><span style='color:#954F72'>nancy.lush@lgisoftware.com</span></a></span><o:p></o:p></p></div></td></tr><tr style='height:1.0pt'><td width=139 valign=top style='width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#222A35'>Lush Group, Inc</span></b><o:p></o:p></p></div></td><td width=203 valign=top style='width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'>Office: <a href="tel:(401)%20423-9111" target="_blank">(401) 423-9111</a></span><o:p></o:p></p></div></td></tr><tr 
style='height:1.0pt'><td width=139 valign=top style='width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.65pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'>28 Narragansett Ave</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'>PO Box 651</span><o:p></o:p></p></div></td><td width=203 valign=top style='width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.65pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'><a href="http://www.lgisoftware.com/" target="_blank"><span style='color:#954F72'>www.lgisoftware.com</span></a></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'>Cell:<a href="tel:(401)%20965-9347" target="_blank">(401) 965-9347</a></span><o:p></o:p></p></div></td></tr><tr style='height:1.0pt'><td width=139 valign=top style='width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-line-height-alt:1.0pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'>Jamestown, RI 02835</span><o:p></o:p></p></div></td><td width=203 valign=top style='width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt'></td></tr><tr><td width=139 valign=top style='width:1.45in;padding:0in 5.75pt 0in 5.75pt'></td><td width=203 valign=top style='width:152.3pt;padding:0in 5.75pt 0in 5.75pt'><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.65pt'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div></td></tr></table><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F3864'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif"'>_______________________________________________<br>Openid-specs-heart mailing list<br></span><a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank"><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72'>Openid-specs-heart@lists.openid.net</span></a><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif"'><br></span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" target="_blank"><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72'>http://lists.openid.net/mailman/listinfo/openid-specs-heart</span></a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><div><div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Adrian Gropper MD<br><br><span style='font-family:"Arial","sans-serif";color:#1F497D'>PROTECT YOUR FUTURE - RESTORE Health Privacy!<br>HELP us fight for the right to control personal health data.</span><o:p></o:p></p></div></div></div></div></div></div></div></div></div></body></html>