HEART / 2015-02-02

Roll call stats

8/14 on the call were members

25 have submitted IPR. Reminder: http://openid.net/intellectual-property; specify the working group as “OpenID HEART”.

Listserv count up to 78 (thanks for interest!)

Meeting notes:

Kathleen Connor presented the Privacy on FHIR use case.

· She works for Mike Davis at the VA.

· This use case is complicated, but if we can solve it for healthcare, we can solve it for everything.

· The idea was to do a pilot with ONC and VA, and there are other partners, including vendors such as Jericho Systems. This involved, for example, putting security labels on information.

· JASON is based on a presidential memorandum on big data. The Learning Health System is an ecosystem of symbiotic health entities. It’s a “health Internet of things”.

· Alice is a veteran nurse (RN). She has a complex health history. She’s IT-savvy. She needs control in a variety of sharing situations.

· Consent directives are agreements under law that she can make with an organization that authorize the use of her information. Kathleen wants to get to understand how UMA can enable patient control of how health information is accessed and used. UMA interactions are dependent on a lot of factors.

· MU = Meaningful Use.

· The use case refers to several special regulations, such as 42 CFR Part 2 (Substance Abuse Information).

· Tricare = the DoD health system.

· JASON = a group of scientists advising the US government on health IT interoperability.

· Handling caveats = obligations or restrictions on the purpose of use.

· Refrains = prohibited actions.

· The storyboard imagines a single UMA authorization server. The resource servers register information. Alice can hopefully specify whether these are registered at a more or less granular level. She could register her PHR at a granular level while her provider’s EHR may register her entire record as a resource bundle. Opaque identifiers are required to prevent leakage.

· The Apps on FHIR use case is about HIoT.

· QSO = Qualified Service Organization.

· (Kathleen's slides have an acronym list at the back.)

· Discussion:

· Could this be made more generic, for non-US veterans and for non-veterans? Yes. The health history timeline and the HIE on FHIR data-sharing slide (#14) in particular are applicable. However, a complication arises if the patient were to try to restrict data sharing and not authorize a particular provider where the custodian is another HIPAA provider, because the PCP has the right under law to disclose information except under special circumstances. There’s a push for providers to disclose even more information, as well. Also, the size and “openness” of the app ecosystem would differ, at least in the case of the VA vs. the US healthcare market. HL7 has international reach, so there is input from other countries.

· It was noted that it’s desirable to move past an assumption of a closed ecosystem to account for unregistered apps. So this would be a case of a complication that’s actually more complex than the VA use case.

· Next steps on these use cases:

· We recommended boiling them down to “ACE” format for HIPAA-governed and non-HIPAA-governed versions, eliding the technical portions so we can reserve that for our actual profiling work.

· We’ll meet on Feb 16 even though it’s a holiday for some.

· Technical catch-up by Justin: The group voted for an in-depth presentation. He managed to cover OAuth in the remaining time.

Action Items

· OIDF Wiki for use cases - Deb Bucci

· Updated presentation pdf for wiki - Kathleen Connor

· Kathleen: Revise and boil down the VA use cases.

· Adrian (if desired): Map the currently submitted use cases to the Venn diagram.

Tentative next week

· 20-minute review of the VA use case in ACE format

· OpenID Connect - hopefully Justin will pick up where he left off

· UMA - Eve Maler
