BB+ Direct PULL: Difference between revisions
Jump to navigation
Jump to search
m (36 revisions imported: Initial Upload of old pages from IDESG Wiki) |
(No difference)
|
Latest revision as of 03:00, 28 June 2018
Blue Button + Pull:
Use Case Description: A patient directs an electronic health data holder to allow a designated third party to access to his/her personal health information using an existing trusted credential held by the patient (mobile, email acct etc) via the internet.
Use Case Category: Authentication, Authorization, Consent
Contributor: IDESG Health Care Committee
Use Case Details
Actors:
- Data Provider (EHR Portal)
- Identity Provider
- Relying Party (3rd Party application and/or Delegated Patient Proxy)
- Patient
Goals: Permit patients to delegate access to their own personal health information.
Assumptions:
'3rd Party application has registered Blue Button Root CA with Blue Button Plus NEEDS MORE WORK
Requirements:
- There is a existing record or data in a data holder store
- The patient has an existing trusted credential
- The data holder has a legal, defined agreement to share data under HIPAA, its extensions or other formal agreements.
Process Flow:
- Patient authenticates to an EHR or other data holder and request that EHR send patient information to a 3rd Party Application (3PA) by providing a unique URI - Direct address
- EHR/data holder uses address to locate 3PA public certificate and reconcile that certificate with the legal defined agreement
*EHR wraps up CCDA using the Direct Message protocol to transport for delivery *3PA unwraps Direct Message and notifies the patient to confirm delivered information *3PA registers with EHR Authorization server and generates a shared secret *Patient authenticates to 3PA application, verifies information. *3PA prompts user to confirm if they would like set up periodic updates *If yes -3PA redirects patient to authenticate EHR to generate token necessary for future access behind. LINES IN ITALICS ABOVE NEED MORE WORK''
Success Scenario:
Error Conditions:
Relationships
- Extended by:
- Extension of:
- Remote electronic identity proofing
- Authenticate Person Use case
- Delegated Authentication of User Managed access
References and Citations
- NIST SP 800-63
- HIPAA
- Meaningful Use Stage 2 45 CFR 170.314(b)(2) Federal Register /Vol. 77, No.171 September 4, 2012 54163 at 54288