HIMSIG20081212

Liberty Alliance Project
SIG Health Identity Management
December 12, 2008
11:00am-12:05pm EDT
Conference Call
Meeting Notes
Author: Kurt Kolok


Attendance:

Pete Palmer, Wells Fargo (Co-chair)
John Fraser, MedNet World (Co-chair)
Dave Weitzel, Mitre
Rick Moore, eHealth Ohio
Gail Reynolds, Aetna
Mike Kirkwood, ID Commons
Matt Madison, CORHIO
Vernon Williams, SAIC
Heather Patrick, CDC
Bob Pinheiro, Individual Contributor
Cal ?, NASH Solutions (Smyrna, GA)
Trent Adams, DataPortability Project

Brett McDowell, Liberty Staff
Kurt Kolok, Liberty Staff

Note: The Identity Crisis document from the RAND group is on the wiki at the following link:

http://www.rand.org/pubs/monographs/2008/RAND_MG753.pdf

Guest Speaker: Mike Kirkwood

Mike will discuss the group http://www.idcommons.net/, Health 2.0 Accelerator and their interests/intersections with healthcare identity management.

User centric vs. User useful is core to what ID Commons is about. During the formation of ID Commons and other groups, the use cases were not clear.
--Started putting together an example stack showing how it could be done with Identity Plus Health specifications. Objects that exist in ID Commons include OAuth, OpenID, Liberty, etc.
--Participated in the Health 2.0 conference and accelerator to understand what the competition is about and understand the interoperability that exists.
--Looked at the concept re: how a small group of companies gets hooked up to the identity stack.

What does the work plan look like? Is it technical, tutorials, etc…?
The Drug Profile Interoperability group has outlined 2-3 months per milestone. Beginning in January this group will identify user actions (what the user should be able to do) based on the records of a group of users. This will show the mechanics working in a real environment. There would be a set of implementation guidelines and suggestions that would require individual software companies to participate.

ID Commons/Health 2.0 and all players: There is currently not a formal function of joining the groups together because they all have different timelines/agendas, etc… The group is looking at how we take the stack forward while combining issues. There is an open idea that ID Commons would allow each group to participate freely if they would like and focus on the same objectives as they choose. There is no overhead in terms of payment and it would help the reference implementation (it would be going on in one place). Introduce the groups so they know enough about each other to determine whether or not they should work together toward a similar goal.

Please describe the relationship of this effort to what is happening in health information systems.
HITSPA and OASIS are dealing with emergency, diagnosis, pharmacy and ID Commons’ role could be acknowledgement/joining (shared components with different implementations or different components). We do not want to duplicate any other efforts.

We are looking at co-existence with federated scenarios. Self-assurance needs to get to a higher level of federation. Providers in the industry are going to move at different paces. There seems to be room for out of bounds types of processes re: assurance.

There are four scenarios related to the idea of making assertions from an operational world, including how a person asserts themselves and passes it on to the next party (self assert). Another scenario is when two parties verify themselves (private record has private comments from one provider to the next). The idea related to the use cases so far is that in going through the process there are two big roles that need definitions to work correctly.


Use cases were written with a high level of functionality initially. What is the exchange mechanism for expressing the role in the IDP? What is the role of the IDP? Is it the steward of the information about the patient?

This has not necessarily been resolved in the industry. Every time another member is added to the stack there is another licensee and an enterprise user license kicks in. The IDP sees the issue of updates. It would be ideal if it was more economically set up for exchange of information. There is no real solution to this. They would rather give away an upside in order to participate.

What companies do you see in this space? HealthVault (OpenID that allows log-in), Verisign, etc… When you use OpenID you are authenticating the user vs. the provider, correct? Wouldn’t you want some kind of high assurance?
OpenID providers do not identify identity. An enterprise license is just what the IDPs have chosen.

John: LAP is working on the idea of having a certified organization that can certify identities for health services, etc… Procedurally it needs to be a carefully thought out process. For example, Wells Fargo customers could plug into a certification process through Wells Fargo.

Mike: Wells Fargo might be an IDP in that case. We would defer to LAP if there are tools the group is going to deliver that we would like to adopt. Facebook is trying to push out people’s information to other companies and they’re facing challenges as to who owns the data.

It seems you are moving from an infrastructure-centric model to a data security-centric model. How does an organization articulate their policy to the community and how do they manage or share the information based on their role? When people start doing things themselves organizations realize they need to control policy compliance.

Liberty is trying to create a summary of what the two organizations have discussed and where Liberty and ID Commons might work together. The ID Commons and Liberty trust relationship is very fertile. Work at LAP is very focused and implementable (useful); a user-centric health group could present a project.

Mike: The ID Commons Google documents are public.

Action: All; Please send proposed agenda topics for future calls.

Meeting Adjourned
