UMA telecon 2021-04-01

UMA telecon 2021-04-01

Date and Time

Agenda

Minutes

Roll call

Quorum was NOT reached.

Approve minutes

Deferred

Pensions Dashboard

Things are looking good for proceeding.

ONC Annual Meeting Update (and other events)

The ONC event took place Monday/Tuesday this week. Booth content was great, will try to republish the content on the Kantara website. Not a lot of visitors though. 

Will there be UMA content at Identiverse? No presentations known at this time. There will be Kantara/mDL. Eve will ping Andi and Allan to get more concrete info.

IIW is later this month Apr 20-22. Registration is still open. Alec will be there and showing an IDENTOS Ontario trusted account demo. Eve is attending as well.

Profiles Discussion, relationship manager draft

Last week, we discussed if there's a need for Alice to be told/informed of resource locations. This wasn't identified as a need when designing UMA 2 as the URL was always "available" to Alice.

Provider Directories (a directory of Health Organizations not physicians) as a current approach to this within US Health care. Ex Apple Wallet you can see the links to your health resources (at the Provider). The patient uses the Apple Wallet to login to their provider, and pull the health resources. Apple maintains a provider directory of 'approved' providers (EHRs)

Apple Wallet(SMARTonFHIR client) ->EHR(OIDC/RS): login user

Patient(RO) ↔EHR: authenticate

EHR(RS) → Apple Wallet: URIs of Patient resources


RM → RS: negotiate some access token (RAM, RMT)

RM → RS: GET /my-resources (RMT)

RS → RM: list of available resources

RM → RS: protect resource A with AS1

If the Apple Wallet was a Relationship Manager, Alice could then direct the Provider to protect her resources at her AS, and then control sharing/delegation to the RqP outside the Provider. Does this mean that Alice's client has the resources in "machine-readable" form, which is better than just copying and pasting in some non-interoperable fashion? Nancy sees about ten different ways this is relevant, but maybe pulling the data from the endpoints is more viable with today's technology and tech appetite. The dashboard is a better idea/ideal since you get fresh data.

Eve notes: The PD model creates a dashboard that faces the "RO as an UMA RqP" as its step 1. Alice "shares with herself" to do resource discovery through a pension finder service (an UMA-protected PFS). It's UMA followed by UMA, pretty sophisticated. Nancy agrees. Paper-based still seems preferable to many. Immediate high value is needed.

AOB

Vaccine passports are in the news. Does UMA have relevance? Nancy comments: It's a problem waiting to happen. UMA is a great solution that could be applied. HIPAA is relevant (in the US). Some organizations are restricting themselves to "get a passport to the patient on the phone". But there are so many use cases where the credential has to be shared way in advance of the person arriving. Just sharing directly without the patient being involved is the challenge. UMA is very relevant here. Nancy's folks have developed a solution here.

UMA and the consent conversation: With UMA, it's a "totally computable consent". See also Kantara's stream consent receipt efforts, now with a new WG called ANCR ("advanced notice and consent receipt"). Auditability of consent, including UMA-based consent, is of high importance. How to integrate with legacy systems? It tends to be coarse-grained to meet the old systems' capabilities. E.g., consenting to treatment in a blanket fashion.

Attendees

As of October 26, 2020, quorum is 5 of 8. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve)

Voting:

  1. Eve
  2. Alec
  3. Domenico
  4. Sal

Non-voting participants:

  1. Scott
  2. Ian
  3. Nancy
  4. Colin
  5. Tim