Hi Andrew,
Your question is very important. It's not clear to me what aspects of UMA
need to be specified in order for it to add a huge amount of value. The
less needs to be specified, the more universal the authorization server
will be.
I see the ROI Form as entirely designed, administered, and archived by the
RS. This is the practice today and it would be a huge adoption barrier to
try and change that. If we can keep the ROI form in the RS domain the
issues of region or vertical domain specificity that you raise will be moot.
*How little of the ROI form needs to be standardized in order for Alice to
be able to specify her UMA Authorization Server?* As long as the AS needs
to be contacted at least once for every client-RqP transaction at the
protected resource, the RO gains the value of centralized accounting for
disclosures and centralized revocation and the RS gains security and more
of a safe harbor from privacy risks.
Adrian
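The design point in the message above (the RS consults Alice's AS on every client/RqP transaction, so the RO gets centralized accounting of disclosures and centralized revocation while the RS keeps the ROI form in its own domain) can be sketched as a toy model. This is an added example, not code from the thread or from any UMA implementation; the class names, the `introspect` call shape, the "dr-bob" requesting party and the "alice-chart" record are all constructed for illustration.

```python
# Added example, not from the WG-UMA thread: a toy model of an RS that asks
# the AS once per transaction, and an AS that keeps the disclosure ledger
# and can revoke. All names and sample values here are constructed.
from dataclasses import dataclass, field
import secrets


@dataclass
class AuthorizationServer:
    """Alice's UMA AS: issues RPTs, records every introspection, revokes."""
    grants: dict = field(default_factory=dict)   # rpt -> (requesting party, resource, scopes)
    revoked: set = field(default_factory=set)
    ledger: list = field(default_factory=list)   # one entry per RS introspection

    def issue_rpt(self, requesting_party, resource_id, scopes):
        rpt = secrets.token_urlsafe(16)
        self.grants[rpt] = (requesting_party, resource_id, frozenset(scopes))
        return rpt

    def introspect(self, rpt, resource_id, scope):
        """Called by the RS once per transaction; the outcome is always logged,
        which is what gives the RO centralized accounting of disclosures."""
        grant = self.grants.get(rpt)
        active = (grant is not None and rpt not in self.revoked
                  and grant[1] == resource_id and scope in grant[2])
        self.ledger.append({
            "requesting_party": grant[0] if grant else None,
            "resource": resource_id,
            "scope": scope,
            "allowed": active,
        })
        return active

    def revoke(self, rpt):
        """Centralized revocation: the RS needs no change of its own."""
        self.revoked.add(rpt)


class ResourceServer:
    """Provider's RS: holds the records (and, in practice, the ROI form),
    but never decides access on its own; it defers to the AS every time."""

    def __init__(self, authz):
        self.authz = authz
        self.records = {"alice-chart": "constructed sample record"}

    def get(self, resource_id, scope, rpt):
        if not self.authz.introspect(rpt, resource_id, scope):
            return None   # a real RS would answer 403 here
        return self.records[resource_id]


def run_scenario():
    """Grant, read, attempt an out-of-scope write, revoke, read again."""
    authz = AuthorizationServer()
    rs = ResourceServer(authz)
    rpt = authz.issue_rpt("dr-bob", "alice-chart", {"read"})
    first = rs.get("alice-chart", "read", rpt)        # allowed
    wrong_scope = rs.get("alice-chart", "write", rpt)  # denied, not in grant
    authz.revoke(rpt)
    after_revoke = rs.get("alice-chart", "read", rpt)  # denied, revoked
    return first, wrong_scope, after_revoke, authz.ledger


if __name__ == "__main__":
    first, wrong_scope, after_revoke, ledger = run_scenario()
    for entry in ledger:
        print(entry)
```

The ledger ends up with one entry per attempted disclosure, allowed or not, held by the AS rather than scattered across resource servers; revocation takes effect on the next transaction because the RS is required to ask each time rather than caching a decision.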
On Mon, Aug 17, 2015 at 11:32 AM, Andrew Hindle wrote:

Hi Adrian: thanks for sending through the example. How region-specific is
this? For example: assuming such forms exist in other countries (UK or
Japan, for example), are we likely to find the same essential elements? Or
are there features that are properly specific to given jurisdictions? In
which case, anything that's designed from these from a specifications
standpoint probably needs to account for that....

--&e

On Fri, Aug 14, 2015 at 3:50 PM, Adrian Gropper wrote:

The ROI form is one of the three common legal documents in healthcare.
(The other two are the Notice of Privacy Practices that's a meaningless and
often unsigned notification about HIPAA and informed consent notices for
specific procedures.)

The ROI form (attached) is quite typical and demonstrates all of the
common elements. I've annotated it with the UMA terms. Jim Hazard and I
have some experience translating the ROI form into the Common Accord format.

I see the ROI form as the institutional complement to the 4 use-cases I
shared last week. The use-cases were presented entirely from Alice's
perspective. The ROI form is presented entirely from the service provider
perspective. There is, of course, a third dimension: the third parties and
intermediaries in the real world that have contractual relationships with
Alice and her service provider. These are sometimes called Business
Associates in healthcare and sometimes overlap with federations. Alice's
third parties often look like software clients and apps.

Adrian

--
Adrian Gropper MD
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

--
Andrew Hindle
Hindle Consulting Limited
+44 7966 136543

--
Adrian Gropper MD
RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/