Alice to Bob – Self Sovereign Interoperability Without Censorship – U.S. Federal Regulations
Wednesday 6G
Convener: Adrian Gropper
Notes-taker(s): Adrian Gropper & Ben Gregori
Tags for the session - technology discussed/ideas considered:
->21st century cures -> NPRM Regulations (June 3rd) -> Patient Directed Sharing -> Open Competition
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
1. Notes received from Adrian Gropper:
Platforms can be designed to promote competition or to hinder it. Using health information networks as an example, we discussed the ways technology regulation might be used to promote competition. The role of self-sovereign credentials and signed software statements was discussed.
Link to “Patient-Directed Access for Competition to Bend the Cost Curve” – The Health Care Blog: https://thehealthcareblog.com/blog/2019/04/18/patient-directed-access-for-competition-to-bend-the-cost-curve/
******************* ******************* ********************** ******************
2. Notes received from Ben Gregori:
21st Century Cures: End of Obama admin, bipartisan law aimed to fix consolidation and anticompetitive behavior (21st Century Cures Act) – after 2 years, Health and Human Services under Trump issues regulations that are pro-competitive to fix the HITECH Act (Gov’t spent $40bn in computerizing health records)
- - “Without special effort” – important phrase. 99% of the time, the patients who want to take records out of a network have to go through hoops (in-person verification, fees, provide other documents). Doctors have to do the same thing.
NPRM Regulation is “good” – it would be a major step forward into the self-sovereign patient exchange
- - Open banking initiative in Europe: it’s the same type of thing, saying that if you have an account and you want to pick a different credit card or other services, you should be able to take it away from that institution (bank) to another one. Banks should allow interoperability with credit cards
- -Same idea, just applied to health sector.
The term of art in the law is “Patient Directed Sharing” – meaning that there are two ways to transfer data re: HIPAA
- - Federation based: data requests from another HIPAA covered entity can be moved to another HIPAA compliant entity without patient consent.
- - The sending or receiving institution wants to control how it moves for business reasons, so the
- - If the gov’t does it right, instead of silos of networks where patients can only use services within a network, the patient can easily move data between networks.
Why is this interesting from an identity POV?
- - Alice uses a patient portal, with a credential that attaches her to the IT system of the institutions using the portal.
- - Bob uses a patient portal at a second hospital, with a credential that attaches HIM to another IT system (in another network, another country, etc).
- - When Bob is only partially in control of the IT system, how can Alice express consent? You want software that enables Bob to MOVE credentials between networks without barriers, because they are HIS records.
- - Protocols:
- - (HL-7) FHIR – when Alice directs sharing with Bob, she needs to restrict access to certain types of information (some medical history, not all). When HER system interoperates, they must adhere to a standard that, in healthcare, is baked into an API (called FHIR) for the apps to be fungible. Then, the regulation gets to dictate whether or not the EHR has to use FHIR…so they can enforce standardization rather than the EHR provider wanting to.
- - (IETF) OAuth2
- - (OpenID Foundation) OpenID Connect/DID+SSI
- - Dynamic Client Registration -
- - Refresh tokens
NOTE: GDPR separates people into
Data controllers – those who collect data
Data processors – those who process data (this is outsourced most of the time)
- - In this model, the hospital that holds the records would be the data controller
- - Alice is the data subject of the records
From a standards perspective, the problems are:
1. To create a comment – by June 3rd (spend an hour looking through summaries of the law and which parts look okay)
2. What is the best practice, and who in this community,
3. When we realize this real-world situation, and we understand what these standards are, we need agency in this process (UMA)
- what is the responsibility of the developer, who signs the software statement that enables a client to be registered dynamically? Is it signed by the patient? Is it signed by the receiving IT admin in the receiving system?
- - HIE of One:
- - Auth Server
- - Health Record
- Directing – shouldn’t be government because there’s an incentive to keep a closed garden approach and to be conservative.