For this call, let us take the following “negative use case”, growing out of the agency and “RS risk” discussion we’ve been having:
“I, a US hospital, have an online service that exposed a FHIR API for electronic medical records. Alice set up policies at her consumer-grade AS, and I accepted outsourcing authorization there. The token from the AS told me that it was okay to give client MobileApp and requesting party Bob access, so I did. But then Alice sued me/complained/reported me/(something else bad)”. (Adrian can comment on real-life examples somewhat analogous to this, with breaches and such.)
Dazza has offered to facilitate a discussion of the following points:
- What are the key legal issues presented by this scenario?
- What legal role(s) and corresponding rules apply to the actions and data of the parties in this scenario?
- What are the potential or probable outcomes if things go wrong (e.g., result of enforcement actions, allocation of loss or other dispute resolutions)?
- What advice or other resources for parties seeking to adopt UMA could help them manage legal risks and/or structure legal affairs to expand or create new value?
And I will scribe. :-)
Talk to you soon!
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com