https://wiki.idesg.org/index.php?action=history&feed=atom&title=BB%2B_Direct_PULLBB+ Direct PULL - Revision history2026-05-09T07:15:15ZRevision history for this page on the wikiMediaWiki 1.38.4https://wiki.idesg.org/index.php?title=BB%2B_Direct_PULL&diff=565&oldid=prevOmaerz: 36 revisions imported: Initial Upload of old pages from IDESG Wiki2018-06-28T03:00:51Z<p>36 revisions imported: Initial Upload of old pages from IDESG Wiki</p>
<p><b>New page</b></p><div>'''Blue Button + Pull''': <br />
<br />
<br /><br />
'''Use Case Description''': A patient directs an electronic health data holder to allow a designated third party to access to his/her personal health information using an existing trusted credential held by the patient (mobile, email acct etc) via the internet.<br />
<br />
<br />
<br /><br />
'''Use Case Category''': Authentication, Authorization, Consent<br />
<br />
<br /><br />
'''Contributor''': IDESG Health Care Committee<br />
<br />
<br /><br />
<br />
=== Use Case Details ===<br />
'''Actors''': <br />
* Data Provider (EHR Portal) <br />
* Identity Provider<br />
* Relying Party (3rd Party application and/or Delegated Patient Proxy)<br />
* Patient<br />
<br /><br />
'''Goals''': Permit patients to delegate access to their own personal health information.<br />
<br />
<br /><br />
'''Assumptions''': <br />
''''''3rd Party application has registered Blue Button Root CA with Blue Button Plus''' NEEDS MORE WORK<br />
'''<br />
<br />
<br /><br />
'''Requirements''': <br />
* There is a existing record or data in a data holder store<br />
* The patient has an existing trusted credential<br />
* The data holder has a legal, defined agreement to share data under HIPAA, its extensions or other formal agreements.<br />
<br />
<br />
<br /><br />
'''Process Flow''': <br />
*Patient authenticates to an EHR or other data holder and request that EHR send patient information to a 3rd Party Application (3PA) by providing a unique URI - Direct address<br />
*EHR/data holder uses address to locate 3PA public certificate and reconcile that certificate with the legal defined agreement <br />
''*EHR wraps up CCDA using the Direct Message protocol to transport for delivery <br />
''*3PA unwraps Direct Message and notifies the patient to confirm delivered information<br />
''*3PA registers with EHR Authorization server and generates a shared secret<br />
''*Patient authenticates to 3PA application, verifies information.<br />
''*3PA prompts user to confirm if they would like set up periodic updates<br />
''*If yes -3PA redirects patient to authenticate EHR to generate token necessary for future access behind.''<br />
''LINES IN ITALICS ABOVE NEED MORE WORK''''<br />
'''<br />
<br />
<br />
<br /><br />
'''Success Scenario''': <br />
<br />
<br /><br />
'''Error Conditions''': <br />
<br />
<br /><br />
<br />
=== Relationships ===<br />
* Extended by:<br />
** <br />
**<br />
* Extension of: <br />
* Remote electronic identity proofing<br />
* Authenticate Person Use case<br />
* Delegated Authentication of User Managed access<br />
<br />
=== References and Citations ===<br />
* NIST SP 800-63<br />
* HIPAA<br />
* Meaningful Use Stage 2 45 CFR 170.314(b)(2) Federal Register /Vol. 77, No.171 September 4, 2012 54163 at 54288 <br />
<br /><br />
<br />
[[Category:Authentication Use Cases]]<br />
[[Category:Use Cases]]</div>Omaerz