Target Outline


  1. Intro/Scope statement - what this report will cover
    1. overall objective of the document, what we will cover, what the reader should understand by the end
      1. Julie's use-case... how it is complex but typical. how to solve it in a way that's: technically feasible, respects Julie's rights to privacy and access to her information, respects the legal/regulatory policy requirements of the health system
      2. understanding UMA's unique value to aid this use-case (why can't it just be OAuth??)
        1. don't have to use all of UMA, parts can be used to address different challenges
        2. how to make hard problems easier through UMA
      3. how UMA interacts with other protocols (OIDC, FHIR/SMARTonFHIR/HEART, OAuth)
    2. What's not being covered
  2. Description of concrete use-case (Julie)
    1. actors, data, systems (Primary care EMR, Specialist EMR, Pharmacy system, Payer system), identities *needs a diagram
    2. capabilities and responsibilities of actors (Julie, HCP, Organization) eg link to Policy?
  3. Policy that impacts the use-case
    1. risk/liability vs patient agency (
    2. tension between policies (eg obligations to protect data vs obligation to enable sharing)
  4. Core UMA/HEART overview -
    1. why we're even talking about UMA in this context
  5. UMA application to use-case (steady state) *needs a diagram
  6. Delegation state changes,
    1. how the health journey affects state.
    2. concrete events that create changes
      1. Julie turns 17,
      2. Julie sees asthma specialist
      3. Father gets invoice from health provider, submits claim to insurance provider
      4. Julie gets medication to treat STI, Provider creates Rx, Pharmacist fills Rx and needs access to record (i.e. to see drug interactions)
  7. Discussion? Tough corners, future topics
  8. Conclusion
  9. References, learn more


Working Draft 


2. Description of concrete use-case (Julie)


Julie Adams is an adolescent girl, 16 years old. Her health journey is unique and complex; however, we would suggest that those attributes are typical of many journeys.



3. Policy that impacts the use-case

Some of the main challenges that limit sharing and control of information by the person are:
- risk-averse policy: to remain secure, it is easier not to give access
- the need to respect many levels of policy: one health organization must respect rules from many levels, e.g. federal, state and organizational. In many cases it's hard to respect them all without narrowing the sharing

"Policy" covers many different elements, from data privacy and security requirements to the legal landscape that defines how health systems must operate. For example, who is liable to protect health data.

Interestingly, on the provider side there is often much more open sharing by default. Access to this information is based on the provider's need for information to give effective care, and their professional ethics standards. In some health systems, this leads to many cases of inappropriate access (such as providers looking up celebrities' or public figures' information). Sometimes this can be caught through audit and the provider [sure we can find some good reference to this, e.g. Rob Ford in Ontario ~2017?]


In addition to the many levels of policy that must be interpreted, considered and respected by an organization, there are additional challenges around the appropriate implementation and communication with the person who is affected. For example, when a person gives their doctor access to an external health record or document, does that access extend to other providers in the clinic? If that default policy is no, can the doctor share access with another physician for a consultation, or when being covered by another doctor while going on an extended leave?



4. Core UMA/HEART overview


Parking Lot


Julie Story - NL will continue to edit

...

  1. Convert this to a user story
  2. Make it simpler
  3. Start with an overview of PP2PI and share that other groups are addressing policy issues
    1. Insert their diagram
  4. Add 2 paragraphs on the fact that there are tensions in the HC community around certain issues. Those need to be addressed and resolved by the Policy WGs.  We will make these assumptions.
  5. Discuss patient policy trumping organizational policy
  6. Outline simpler story for illustration
    1. Start with Julie as a child and her mother controls access to her record
      1. Demonstrate a simple use case of her mother sharing records with another physician on her behalf (straight UMA)
        1. Note to Eve: For the first section, when our use case describes basic UMA, I think this will be a good place to explain what UMA has over OAuth and highlight the increased security. If we can nail that part of the message it may help in all healthcare UMA implementations.
    2. Julie turns 13
      1. She is educated on how to use her portal and has exclusive right to manage who has access.
      2. (For now – skip the issue of multi-subject data in one record. We will assume this is not the case in our user story.)
    3. When Julie is 16, she begins to experiment with sex and also begins using alcohol socially. Julie knows her mother would not approve but does share it with her pediatrician in confidence. Her pediatrician discusses these details with her during her annual visit and makes notes in her record. Her pediatrician provides relevant educational information and discusses safe behavior, as part of her overall evaluation for multiple potential risks of adolescents in transition.
        1. Add the specifics per the PP2PI user story
      1. Add some policy to the stack, e.g. default policy: sexual status not shared with her mother. Julie decides either to stick with that or to override it and share with her mother
      2. Continue story with her sharing her data, removing sexual and behavioral health sensitive data
      3. Discuss how UMA/HEART manages the transition from the consent to the protocol
      4. Discuss what gets redacted
      5. Describe the FHIR scope call
      6. Describe what is exchanged.
    4. At the end – transition again to Julie as an adult


Temporary Appendix - Julie's use case full details for reference (Will omit from final paper)

Description of use case – Adolescent Use Case

...