In the last month two very important regulatory guidance documents have been released by the EU and US governments respectively: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm and http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.htm... By adding to these regulations a single constraint - that an individual can own and specify the UMA Authorization Server if they choose to - I think we can derive a complete UMA Legal profile and associated clauses. I've started analysis of the US reg at http://bit.ly/HEARTfromHIPAA I think a similar analysis could be interesting for the EU regs. Adrian -- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/