BB+ Direct PULL

From IDESG Wiki

Blue Button + Pull:


Use Case Description: A patient directs an electronic health data holder to allow a designated third party to access his/her personal health information using an existing trusted credential held by the patient (mobile, email account, etc.) via the internet.



Use Case Category: Authentication, Authorization, Consent


Contributor: IDESG Health Care Committee


Use Case Details

Actors:

  • Data Provider (EHR Portal)
  • Identity Provider
  • Relying Party (3rd Party application and/or Delegated Patient Proxy)
  • Patient


Goals: Permit patients to delegate access to their own personal health information.


Assumptions: 3rd Party application has registered Blue Button Root CA with Blue Button Plus. NEEDS MORE WORK


Requirements:

  • There is an existing record or data in a data holder store
  • The patient has an existing trusted credential
  • The data holder has a legal, defined agreement to share data under HIPAA, its extensions or other formal agreements.



Process Flow:

  • Patient authenticates to an EHR or other data holder and requests that the EHR send patient information to a 3rd Party Application (3PA) by providing a unique URI - Direct address
  • EHR/data holder uses the address to locate the 3PA public certificate and reconcile that certificate with the legal defined agreement
  • EHR wraps up the CCDA using the Direct Message protocol as transport for delivery
  • 3PA unwraps the Direct Message and notifies the patient to confirm the delivered information
  • 3PA registers with the EHR Authorization server and generates a shared secret
  • Patient authenticates to the 3PA application and verifies the information.
  • 3PA prompts the user to confirm whether they would like to set up periodic updates
  • If yes, 3PA redirects the patient to authenticate to the EHR to generate the token necessary for future access behind.

LINES IN ITALICS ABOVE NEED MORE WORK



Success Scenario:


Error Conditions:


Relationships

  • Extended by:
  • Extension of:
  • Remote electronic identity proofing
  • Authenticate Person Use case
  • Delegated Authentication of User Managed access

References and Citations

  • NIST SP 800-63
  • HIPAA
  • Meaningful Use Stage 2, 45 CFR 170.314(b)(2), Federal Register / Vol. 77, No. 171, September 4, 2012, 54163 at 54288