- Intro/Scope statement - what this report will cover
- overall objective of the document, what we will cover, what the reader should understand by the end
- Julie's use-case... how it is complex but typical. how to solve it in a way that's: technically feasible, respects Julie's rights to privacy and access to her information, respects the legal/regulatory policy requirements of the health system
- understanding UMA's unique value to aid this use-case (why can't it just be OAuth??)
- don't have to use all of UMA, parts can be used to address different challenges
- how to make hard problems easier though UMA
- how UMA's interacts with other protocols (OIDC, FHIR/SMARTonFHIR/HEART, OAuth)
- What's not being covered
- overall objective of the document, what we will cover, what the reader should understand by the end
- Description of concrete use-case (Julie)
- actors, data, systems (Primary care EMR, Specialist EMR, Pharmacy system, Payer system), identities *needs a diagram
- capabilities and responsibilities of actors (Julie, HCP, Organization) eg link to Policy?
- Policy that impacts the use-case
- risk/liability vs patient agency (
- tension between policies (eg obligations to protect data vs obligation to enable sharing)
- Core UMA/HEART overview - why were even talking about UMA in this context
- UMA application to use-case (steady state) *needs a diagram
- Delegation state changes,
- how the health journey affects state.
- concrete events that create changes
- Julie turns 17,
- Julie sees asthma specialist
- Father get's invoice from health provider, submits claim to insurance provider
- Julie get's medication to treat STI, Provide create Rx, Pharmacist fills Rx and needs access to record (ie to see drug interactions)
- Discussion? Tough corners, future topics
- Conclusion
- References, learn more
Julie Story - NL will continue to edit
Suggestion
- Convert this to a user story
- Make it simpler
- Start with an overview of PP2PI and share that other groups are addressing policy issues
- Insert their diagram
- Add 2 paragraphs on the fact that there are tensions in the HC community around certain issues. Those need to be addressed and resolved by the Policy WGs. We will make these assumptions.
- Discuss patient policy trumping organizational policy
- Outline simpler story for illustration
- Start with Julie as a child and her mother controls access to her record
- Demonstrate a simple use case of her mother sharing records with another physician on her behalf (straight UMA)
- Julie turns 13
- She is educated on how to use her portal and has exclusive right to manage who has access.
- (For now – skip the issue of multi-subject data in one record. We will assume this is not the case in our user story.)
- When Julie is 16, she begins to experience with Sex and also begins using alcohol socially. Julie knows her mother would not approve but does share it with her pediatrician in confidence. Her pediatrician discusses these details with her during annual visit and makes notes in her record. Her pediatrician provides relevant educational information, discusses safe behavior, as part of her overall evaluation for multiple potential risks of adolescents in transition.
- Add the specifics per the PP2PI user story
- Add some policy to the stack - ex default policy sexual status not shared with her mother. Julies decides either sticking with that or overriding and sharing with her mother
- Continue story with her sharing her data, removing sexually and behave health sensitive data
- Discuss how UMA/HEART manages the transition from the consent to the protocol
- Discuss what gets redacted
- Describe the FHIR scope call
- Describe what is exchanged.
- At the end – transition again to Julie as an adult
- Start with Julie as a child and her mother controls access to her record