<div dir="ltr"><b style="font-size:12.8px">When:</b><span style="font-size:12.8px"> Monday </span><span class="gmail-m_-4720044195561465251gmail-m_-1022747092269647207gmail-m_-8610592917558303695gmail-m_-3689055787901943479gmail-m_-7055369794187335490gmail-m_-5953081755660991943gmail-aBn" style="font-size:12.8px">1PM PST</span><span style="font-size:12.8px"> - </span><span class="gmail-m_-4720044195561465251gmail-m_-1022747092269647207gmail-m_-8610592917558303695gmail-m_-3689055787901943479gmail-m_-7055369794187335490gmail-m_-5953081755660991943gmail-aBn" style="font-size:12.8px">4PM EST</span><span style="font-size:12.8px"> </span><span class="gmail-m_-4720044195561465251gmail-m_-1022747092269647207gmail-m_-8610592917558303695gmail-m_-3689055787901943479gmail-m_-7055369794187335490gmail-m_-5953081755660991943gmail-aBn" style="font-size:12.8px"><br></span><div style="font-size:12.8px"><b>Where:</b> GoToMeeting: <a href="https://global.gotomeeting.com/join/785234357" target="_blank">https://global.gotomeeting.com/join/785234357</a><br></div><div style="font-size:12.8px"><b>US phone number:</b> <a href="tel:(619)%20550-0003" value="+16195500003" target="_blank">+1 (619) 550-0003</a>. Access Code 785-234-357<br></div><div style="font-size:12.8px"><b>Agenda:</b></div><div style="font-size:12.8px"><ul><li><b>Continue FAPI/HEART discussion</b></li></ul><div><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">2018-12-03 NOTES</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><b>Attendees:</b></p><p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Debbie Bucci</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Justin Richer</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Timothy Adams</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Nancy Lush</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Adrian Gropper</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Eve Maler</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Thompson Boyd </p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Tom Sullivan</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Luis Maas</p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt;font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span><span style="font-size:11pt">Nat Sakimura</span></p><p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt"><br></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Does it make sense to align HEART profiles for security with
those that are broader than health?</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"></p><ul><li>FAPI, although started specifically for Financial
transactions, is getting traction to become non-sector-specific. <br></li><li>IoT is horizontal
- applicable to health use cases and many other sectors too.<br></li></ul><p></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Differences between FAPI and HEART (perhaps not that far apart)</p>
<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>HEART considers both read and write within
existing profiles. FAPI has separated
them out into different profiles, with stronger levels of security for write.
(Note: SMART is focused on read exchanges at
the moment.)</p>
<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>It would be
interesting to look at the draft IETF standards/specs that have been
generated by that work: JAR (<a href="https://tools.ietf.org/id/draft-ietf-oauth-jwsreq-17.html" style="color:rgb(5,99,193)">https://tools.ietf.org/id/draft-ietf-oauth-jwsreq-17.html</a>)
and JARM (<a href="https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-openid-financial-api-jarm-wd-01" style="color:rgb(5,99,193)">https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-openid-financial-api-jarm-wd-01</a>)
</p>
<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>In reference to token binding – mutual TLS
specifications – an early HEART version had looked at that approach.</p>
<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 8pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>A bit difficult to compare side by side: FAPI is
written using ISO standards text, while HEART defaults to IETF. FAPI does appear to be written in a way that
requirements could be tested and referenced by number.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Is it necessary to require OpenID Connect? Not always.
It would not be used for use cases where identity information may not be needed
or should not be exposed. Example – in transferring
money – you do not necessarily want to
have ID information included.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">In Health IT there is interest in supporting dynamic client registration. Can HEART do anything to promote dynamic client
registration? It’s already part of the
HEART specs.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"></p><ul><li>The SMART team is beginning to talk about Dynamic
registration and what may be needed.<span style="font-size:11pt"> </span></li></ul><p></p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">UMA</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"></p><ul><li>User
delegation – completely untouched by OAuth in SMART at the moment. There is <span style="font-size:11pt">interest in introducing UMA for use in consent and delegated
use cases.</span><span style="font-size:11pt"> </span><br></li><li>Health IT SMEs are aware of the
cross over between SMART and HEART.<span style="font-size:11pt">
</span><span style="font-size:11pt">There is interest in exploring further. </span><span style="font-size:11pt"> </span><span style="font-size:11pt">More conversations are needed, but it’s
not a priority – just not ready to address.</span><span style="font-size:11pt"> </span><br></li><li>There was an effort to introduce UMA at a <span style="font-size:11pt"> </span><span style="font-size:11pt">connectathon last year – but HL7 was not
ready.</span><span style="font-size:11pt"> </span><span style="font-size:11pt">Patient Mediated concerns - Consent/Delegation/Dynamic
registration - are becoming a recurrent theme for these types of events.</span><br></li><li>Some (developers - Health IT security SME?)<span style="font-size:11pt"> </span><span style="font-size:11pt">are concerned about the Sync for Science
model.</span><span style="font-size:11pt"> </span><span style="font-size:11pt">Supporting an authorization code
flow with resource token </span><span style="font-size:11pt"> </span><span style="font-size:11pt">lasting a year
or more is worrisome.</span><br></li></ul><p></p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:11pt"></span></p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Observation that the SMART profile may be falling short in
support of broader exchange – scopes are resource-based in a nonstandard way – at
the scope level. There is a need for granular
scopes and access control. Scopes that HEART profiled, in addition to those recognized by SMART, may be useful.</p>
<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Other topics</p>
<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Specs currently not rendering properly. Justin is looking into </p>
<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 8pt 0.5in;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">
</span></span>Possible meet-up/meeting in Orlando?</p></div></div></div>