Child pages
  • UMA telecon 2021-12-09

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Working Session on BLT Use-Case Report

Please find the new working document here: Julie Use-case Report 


Things are not fine-grained enough to enable sharing in safe ways, resulting in NO access. This is what info-blocking rules are starting to address, orgniaztions organizations have to do better to give control of the data to the subject 9patient)


  • Julie is a adolescent woman, age 16
  • She has a GP, and also see's an asthma specialist at a health organization
  • The health organization provide a patient portal, including proxy access features
  • The health organization provides a provider portal, with greater access to the data
  • The health organization provides a provider HCProvider identity provider/directory services, includes roles and patient roster
  • Julie has given her mother proxy access to this health portal
  • Julies' mother tells the provider about her history with abuse, this is noted in the record, but should be hidden from Julie be default
  • Julie wants to hide reproductive health data from her mother (eg STI test history) in the portal, and her asthma specialist who can also access the record
  • Her fathers insurance covers most of her medical care
  • The insurance invoices should redact specific health information about Julie from her father, while he has a want(need?) to know what he's paying for (was the service even performed?!)


  • big ad-tech and unintentional disclosure of information (eg Alice searches for X, and my parent starts seeing ads for dX)
  • multiple data subjects involved (parent, child) eg parent information sharing policy towards the child (history of domestic violence)
  • non-techinical data flows, eg phone calls etc where the human needs to make a fuzzy policy decision
  • (future) in the bow tie today, the AS 'licenses perm granting to' the RS, however isn't it the RS that is delegation the PDP to the AS? The RS is the responsible custodian of the data

Design Pattern of state changes:

  • specific to the resource, the RS is responsible to track resources, the resource subject(s) and other tagging

Outline of proposed document

  1. Intro/Scope statement - what this report will cover
    1. overall objective of the document, what we will cover, what the reader should understand by the end
      1. Julie's use-case... how it is complex but typical. how to solve it in a way that's: technically feasible, respects Julie's rights to privacy and access to her information, respects the legal/regulatory policy requirements of the health system
      2. understanding UMA's unique value to aid this use-case (why can't it just be OAuth??)
        1. don't have to use all  of UMA, parts can be used to address different challenges
        2. how to make hard problems easier though UMA
      3. how UMA's interacts with other protocols (OIDC, FHIR/SMARTonFHIR/HEART, OAuth)
    2. What's not being covered
  2. Description of concrete use-case (Julie)
    1. actors, data, systems (Primary care EMR, Specialist EMR, Pharmacy system, Payer system), identities *needs a diagram
    2. capabilities and responsibilities of actors (Julie, HCP, Organization) eg link to Policy?
  3. Policy that impacts the use-case
    1. risk/liability vs patient agency 
    2. tension between policies (eg obligations to protect data vs obligation to enable sharing)
  4. Core UMA/HEART overview - why were even talking about UMA in this context
  5. UMA application to use-case (steady state) *needs a diagram
  6. Delegation state changes,
    1. how the health journey affects state.
    2. concrete events that create changes
      1. Julie turns 17,
      2. Julie sees asthma specialist
      3. Father get's invoice from health provider, submits claim to insurance provider
      4. Julie get's medication to treat STI, Provide create Rx, Pharmacist fills Rx and needs access to record (ie to see drug interactions)
  7. Discussion? Tough corners, future topics
  8. Conclusion
  9. References, learn more

Who will take the responsibility to create a draft?

  • Nancy to take a run at section 2/3
  • Eve will work on the 16th ahead of the meeting

When can we meet next?

  • we want a draft for next session (Dec 16) and use it as a working session
    • start an hour earlier and have a 2hour call

How much can we use graphics vs paragraphs?

Do we want a page budget to limit scope?

  • yes 3-5 pages, try to not explain completely, just enough for the reader to understand

How specific do we want to be around policy (eg HIPPA, CCPA)?

  • can we refer to other docs, and pull the most relevant observations out

Future ideas:

  • exact same outline applied to financial services


  • Should we cancel some of the meeting at the end of the month, eg Dec 23 and Dec 30? 
    • Who would attend those sessions?
    • Alec to send a proposed meeting schedule for the rest of the year