HEART / 2015-05-18
Attendees 5/18:
Deb Bucci, Thompson Boyd, Sarah Squire,
Greg Groves, Adrian Gropper, Jin Wen,
Tom Sullivan, Edmund Jay, Dustin Gage,
Justin Richer, Eric Friedman, Jeremy Maxwell,
Catherin Shulten, Sal D’Agostino, James Kraugh
Regrets:
Bill Kinsley, Eve Maler
Stats - 99 list serv - 31 IPR
NO MEETING NEXT Monday
Two take-aways from the meeting today:
How to avoid conflation
Delegation is in scope for the HEART WG
How to avoid conflation?
Identity Proofing
Identity Lookup
Authentication
Authorization (consent?)
Privacy
Security
Policy
Validation (ID proofing) / verification (during authentication transaction – presentation of valid credential – verification of driver's license/bill for identity proofing)
Notes and discussion may highlight issues that are out of scope for the working group, but it is good to acknowledge that the issues are there. There is a fine art between acknowledgement and getting deep in the weeds.
Focus on the standard, with a mind toward what today’s policies are, to inform how to catch up to what it may enable.
Keep these things in mind while we discuss. Multiple perspectives are sometimes at odds with each other.
All have contextual definitions
Example = public key? What is it – is it attached to something a user controls? How are we doing that?
We did not get much further in the use case today. Alice is still standing at the front desk.
Alice is given and acknowledges receipt of the Practice’s HIPAA privacy statement.
Office/practice privacy statement – how I protect your data – OCR enforced - generic agreeing to business with patient
Consent not always gathered at this point
In non-health does acknowledge = consent??
Practice handles differently – often different doc – we are going to share your PHI with …
Do you want to opt in/opt-out to share your information with the local exchange ACO?
Clinical/administrative/financial consents may be gathered at this time
Alice is given the initial patient web portal information to activate her account.
Service discovery step – Alice is given info to find service on her phone (go to this url …) Discovery stuff (UI and API components)
Possible to introduce Alice discovery too …
While in the waiting room, Alice (using her smart phone) completes the patient portal account activation. (Is Alice setting authorizations at this point?)
Discovery to site
Alice logs in with an account (hers (Facebook/Google) or the portal's)
Complete registration
RFI scancode ?
Personal authorization service?
Delegation (person to person)?
Parent to child (under 13)
Child to parent (89 yr old)
Healthcare proxy
Would delegate have to be digitally bound to account?
Who is the owner?
The owner is the physician’s office – so these authorizations are used to help the practice
Owner is the person that has the right to delete the account (right to be forgotten)
Perhaps shared ownership
JASON report perspective evolved from patient owned to patient controlled/mediated (?) changed from legal perspective
Based on office Data retention requirement