1 of 12

Separation of Concerns

IETF/transactional authorizations/SSI Standards

HEART

2 of 12

Three clinical use-cases

  • Mandated PDMP Access in EHR
  • Curated Current Medication List
  • Homeless Health Record

3 of 12

All three use-cases are really the same

  • Each has a single, patient-centered source of truth (RS)
  • The source of truth is authoritative, not patient edited (not CARIN)
  • Each is accessible by a credentialed provider (RqP) in their institutional EHR (Client)
  • The patient directly or indirectly decides the source of truth (Points the Client to the AS or RS)
  • The patient explicitly or implicitly and provides consent for access (Scopes are based on FHIR and CDS Hooks data model)

4 of 12

Gaps in the Cures Reg’s, TEFCA, and CARIN

  • SMART on FHIR Apps don’t write from one EHR to another
  • The introduction of a CARIN-style data broker app breaks authenticity
  • Direct Messages are underspecified compared to FHIR
  • Patient has no standard way to specify the source of truth
  • Patient has no standard way to specify consent for access

5 of 12

HEART on FHIR Profiles to Fill the Gaps

  • SMART on FHIR Apps don’t write from one EHR to another
    • HEART Apps are UMA-Aware
  • The introduction of a CARIN-style data broker app breaks authenticity
    • Patient-directed sharing does not introduce any intermediary
  • Direct Messages are underspecified compared to FHIR
    • Build on top of FHIR and CDS Hooks data models
  • Patient has no standard way to specify the source of truth
    • Patient specifies the Authorization Server to EHR Client
  • Patient has no standard way to specify consent for access
    • AS manages access authorization to Resource Server

6 of 12

Separation of Concerns

  • Neither the data holder (Source of truth, RS) nor the Client is a data controller
  • The Authorization Server does not see the data
  • The Authorization Server assumes a subset of FHIR for scoping
  • The Requesting Party credentials are separate and distinct from the Client credentials (can be federated or SSI, per AS policy)
  • Authorization is based on RqP and / or Client credentials
  • The RS can issue a warning to the Patient (RO) but cannot block Client registration
  • Patient identity proofing or matching is unnecessary and out of scope. RS and Client access credentials are sufficient.

7 of 12

References

8 of 12

HIE of One Trustee

Needs HEART!

9 of 12

Trustee

  • Implements (Emory) Homeless Health Record
  • Demonstrates Separation of Concerns
  • Highlights gaps in the standards
  • Implements both federated and SSI authentication and professional credentials
  • Demonstrates Decentralized Governance

10 of 12

Trustee Components

  • Personal Authorization Server (Trustee)
  • Community Support Server (Trustee Directory)
  • Direct Primary Care EHR for One Patient (NOSH)

All three are Free / Open Source Software

11 of 12

Trustee Demonstrates

  • A patient-owned UMA Authorization Server
  • A Directory operator separate from the AS
    • Policy bundle initializes the AS policies
    • Supports patients with hosting / tech support
    • Responsible party for CMS (BB2) or Open Epic client registration
  • An UMA-aware FHIR EHR as Resource Server (NOSH)

12 of 12

Trustee needs HEART

  • To be a voice for patients and patient communities as Directory operators
  • A patient-focused alternative or supplement to SMART
  • An open alternative to CARIN Alliance
  • An interoperability demonstration
  • A showcase for SSI alongside federated identity
  • HEART to support community open source software