UMA Legal Subgroup Discussion

Fri Aug 28 8-9am PT/11-12 ET

Bridge: (605) 475-4700 / passcode: 176720#

(due to difficulty using the usual conference line, participants used or switched to this telephone bridge )

UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar

Attending: Thomas Hardjono (first half), Scott David, Jon Neiditz, Adrian Groper, Mark Lizar, Jeff Stollman and Dazza Greenwood (who took notes and facilitated in Eve's absence).

Announced agenda:

* Select goal and use case(s)

* Proposal: RS liability —> Alice visits PCP and introduces its EHR system (RS) to her AS.  AS variations?

* Data rights ownership impact?

* Work through role perspective(s):

* Principal/Agent/Third Party

* Identify next steps

Dazza took the roll, provided a quick overview of the agenda and where the group has left off the previous week, and confirmed everybody wanted to keep to the announced agenda.

Dazza provided a quick overview of Adrian's contribution of scenarios in a use case table and described the intention to use these scenarios (very basic use cases) as a starting point to overlay legal roles in hopes of shedding light on what recommendations may be needed or helpful from the legal subgroup.

Dazza thanked Adrian and handed him the active speaker to present a Google doc based Use Case Table of Different Healthcare related scenarios demonstrating different combinations of actors and flows.

See: https://docs.google.com/document/d/1wygXX8FvHif07KA0P4IocBL-tsUGoXEFDpEwxNLrRh8/edit  Dazza also added a link to this Google doc to the top of "UMA Legal Group 'Use Cases, Roles and Obligations/ wiki page" See:

Adrian's presentation revolved around seven scenarios organized in his use case table, each featuring variations of UMA roles.  Some confusion about who was doing what in the scenarios and how the scenarios related to familiar situations.

Adrian provided further context by reference to one of the links in the use case table, linking to a standard looking patient consent form for the "Release of Information" under HIPAA.  See:

Dazza requested at this point that Adrian step the group through each HIPAA named role (already highlighted on the consent form) and identify the corresponding roles and data in the use case table scenarios.  Based on Adrian's cross-walk of HIPAA and every day business names of each party, Dazza confirmed everybody understood the same use case, thanked Adrian for providing the anchoring document and presentation and re-commenced facilitation.

Given the relatively short time remaining and the priority of engaging all participants, Dazza used the remaining time soliciting feedback from each participant on 1. their broad and general estimate of the situation and 2. ideas or suggestions about more specific directions the group should consider, especially directions likely to result with timely recommendations.

Scott David, among other incisive comments, incidated he agreed that it is a good idea for the subgroup to start with HIPAA because it is a good match for UMA legal evaluation.  Also, the statutory duties are the right ones.  Also, HIPAA use cases relate directly to contractual practices, which Scott indicated would be fundamental tools for addressing the legal issues.  Scott also cautioned UMA won't be bound to healtchare or any single given scenario or field of law and legal results will vary as any particular contractual terms or specific legal measures are applies in other or more generic scenarios of use.

John Neiditz indicated UMA offers an approach that starts with the patient and this is a good fit.  John noted this may well change the relationship between the operator of the Resource Server and the operator of the Authorization Server.  This needs to be managed carefully and well but overall offers an opportunity to improve The current state of affairs.

John indicated he felt agency law analysis is a great thing to do as part of the groups work.

Jeff Stolman also agrees (w/ Scott and Adrian specifically) on the direction and indicated a need to do a much deeper dive into the process diagrams in order to surface enough relevant detail for more substantive work on the issues.

Jeff indicated the issues of "shared party log-in" (is that what he said? like among spouses?) will need to be dealt with either by this group or by others, soon.

Jeff also indicated he agreed that it is a great idea to use agency law as part of the work of the group.

Dazza raised the question: to what extent does agency law apply the same beyond the US?  Scott answered that by use of contracts one can deliberately introduce agency and other relationships and that is also distorted by local law (like a situation he had with Indian law for a large ecommerce company).

Mark Lizar indicated he thought we were on the right track here and looks forward to continuing to participate going forward.

Adrian Groper indicated the group should watch three way relationship between individual (personal data "owner"/subject) and direct service providers and third parties. Adrian suggest it is ok not to worry so much about business associates, etc. and other flavors of resource owner in a HIPAA context.  Rather, it is important to understand and work with the basic triangle use case. (presumably the basic OAuth 2 triangle of 1) the individual resource owner and provider/witholder/revoker of consent, 2) the resource/auth service provider and 3) the third-party client/app).

Adrian brought up the Apple's Healthkit as an example of an alternative model of relationships and healthcare personal data and transaction flow.  This example sparked a lively and creative round of discussion among several members who informally stayed on the line to continue the dialog after the call was adjournd.  As with other contexts, some ambiguity arose between use of the words "Consent" and "Authorization" as well as "User Control" and "User Management".  It was noteworthy that the iPhone device is at once apparently "owned" by the user while at the same time housing components and processes that are proprietary to and  controlled by others parties. Presumably, further development of nomenclature for legal lawyers of UMA use cases will more quickly and clearly reflect which people, devices and processes in operate at the behest or in the interests of the individual who holds and generate personal data through systems like the Heathkit and which operate as "agent" for and in the interests of other parties.  It was also noted that Apple's open source and modular componentization of an "informed consent" function was interesting and should be explored to understand how it would or could relate to OAuth 2 and UMA authorization flows.   Dazza added an 8th use case to the use case table as a rough sketch / placeholder to further explore Apple Healthkit/Researchkit.

Meeting Results Keyed to Agenda:

> Select goal and use case(s):

* Yes, start with identified health data related use cases described in use case table provided by Adrian and augmented by the group during the meeting.

> Proposal: RS liability —> Alice visits PCP and introduces its EHR system (RS) to her AS.  AS variations?

* This was not directly addressed.

> Data rights ownership impact?

* This was touched upon a few times and was an explicit basis for the need to further explore how ownership, control, contractual and agency relationships play out with Apple's Healthkit/Researchkit.

> Work through role perspective(s):

* One level of legal roles was briefly but completely worked through by use of the HIPAA consent form for Release of Information in the context of Adrian's UMA use case table (ascribing the roles of "covered entity, patient, etc to each actor or other entity in the UMA use cases").  The group also indicated a desire to do that again more comprehensively to use cases in the table and with other use cases.

> Principal/Agent/Third Party

* A majority of participants voiced a strong interest to apply agency law oriented role based analysis for all UMA legal use cases.  The basic formula was felt to be strong fit with the roles, relationships and rules generally intended for UMA. However, some caution was stated about limits of how far agency law may apply in the same way (especially beyond the boarders of the US) and also the potential wild-card effect of unpredictable but over-riding roles, rights and responsibilities agreed by contract.  The general sense was that Princiap/Agent/Third Party triangluar analysis will be a valuable reference point to evaluate and describe intended legal context and outcomes.  The idea was to use agency analysis as a benchmark to evaluate conformance or need for additional contractual or other structuring  of the rules defining rights and responsibilities for roles and the networks of relationships, interactions/transactions that ensure predictable, expected legal results.

> Identify next steps:

The following next steps were identified:

* It was confirmed that the group should continue working through the HIPAA use cases

* It was evident participants want to further discuss the Apple Healthkit/Researchkit and so it will be included as a variation of the initial health information scenarios.

* Dazza will work with Adrian (and anyone else so inclided) to refactor the use case table scenarios into more detailed cross-functional process diagrams (aka swim lane diagrams) including agency law overlay (and possibly a first guess as to where contracts are formed, already exist or could be monkeyed with).  When ready, a link to the diagrams in the wiki will be emailed to the list for everybody to hammer at or at least view them.

* Other?