HEART / 2015-05-18

Attendees 5/18:

Deb Bucci         Thompson Boyd        Sarah Squire
Greg Groves      Adrian Gropper        Jin Wen
Tom Sullivan      Edmund Jay             Dustin Gage
Justin Richer      Eric Friedman        Jeremy Maxwell
Catherin Shulten   Sal D’Agostino    James Kraugh

Regrets

Bill Kinsley    Eve Maler

Stats - 99 list serv - 31 IPR

NO MEETING NEXT Monday

Two take-aways from the meeting today:

How to avoid conflation
Delegation is in scope for the HEART WG

How to avoid conflation?

Identity Proofing
Identity Lookup
Authentication
Authorization (consent?)
Privacy
Security
Policy
Validation (ID proofing) / verification (during authentication transaction - presentation of valid credential - verification of driver's license/bill for identity proofing)




Notes and discussion may highlight issues that are out of scope for the working group, but it is good to acknowledge the issues are there. There is a fine art between acknowledgement and getting deep in the weeds.
Focus on the standard with a mind toward what today's policies are, to inform how to catch up to what it may enable.
Keep these things in mind while we discuss. Multiple perspectives are sometimes at odds with each other.
All have contextual definitions.
Example = public key? What is it - is it attached to something a user controls? How are we doing that?

We did not get much further in the use case today. Alice is still standing at the front desk.

Alice is given and acknowledges receipt of the practice's HIPAA privacy statement.

    Office/practice privacy statement - how I protect your data - OCR enforced - generic agreeing to business with patient

    Consent not always gathered at this point

    In non-health, does acknowledge = consent?

    Practice handles differently - often different doc - we are going to share your PHI with

    Do you want to opt in/opt out to share your information with the local exchange ACO?

    Clinical/administrative/financial consents may be gathered at this time



Alice is given the initial patient web portal information to activate her account.

    Service discovery step - Alice is given info to find service on her phone (go to this URL) - Discovery stuff (UI and API components)

    Possible to introduce Alice discovery too 
  1. While in the waiting room, Alice (using her smart phone) completes the patient portal account activation. (Is Alice setting authorizations at this point?)

    Discovery to site

    Alice logs in with account (hers (Facebook/Google) or portal)

    Complete registration

    RFI scancode ?

    Personal authorization service?

    Delegation (person to person)?

    Parent to child (under 13)
    
    Child to parent (89 yr old)
    
    Healthcare proxy
    
    Would delegate have to be digitally bound to account?
    

    Who is the owner?

    The owner is the physician's office - so these authorizations are used to help the practice
    
    Owner is the person that has the right to delete the account (right to be forgotten)
    
    Perhaps shared ownership
    
    JASON report perspective evolved from patient owned to patient controlled/mediated (?) changed from legal perspective
    
    Based on office data retention requirement
    
