[WG-UMA] UMA legal subgroup notes for telecon 2015-08-28

Dazza Greenwood dazza at civics.com
Fri Aug 28 14:32:31 CDT 2015

UMA Legal Subgroup Discussion
Fri Aug 28 8-9am PT/11-12 ET

Bridge: (605) 475-4700 / passcode: 176720#
(due to difficulty using the usual conference line, participants used or
switched to this telephone bridge )

UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar

Attending: Thomas Hardjono (first half), Scott David, Jon Neiditz, Adrian
Groper, Mark Lizar, Jeff Stollman and Dazza Greenwood (who took notes and
facilitated in Eve's absence).

Announced agenda:

* Select goal and use case(s)
* Proposal: RS liability —> Alice visits PCP and introduces its EHR system
(RS) to her AS.  AS variations?
* Data rights ownership impact?
* Work through role perspective(s):
* Principal/Agent/Third Party
* Identify next steps

Dazza took the roll, provided a quick overview of the agenda and where the
group has left off the previous week, and confirmed everybody wanted to
keep to the announced agenda.

Dazza provided a quick overview of Adrian's contribution of scenarios in a
use case table and described the intention to use these scenarios (very
basic use cases) as a starting point to overlay legal roles in hopes of
shedding light on what recommendations may be needed or helpful from the
legal subgroup.

Dazza thanked Adrian and handed him the active speaker to present a Google
doc based Use Case Table of Different Healthcare related scenarios
demonstrating different combinations of actors and flows.

 Dazza also added a link to this Google doc to the top of "UMA Legal Group
'Use Cases, Roles and Obligations/ wiki page" See:

Adrian's presentation revolved around seven scenarios organized in his use
case table, each featuring variations of UMA roles.  Some confusion about
who was doing what in the scenarios and how the scenarios related to
familiar situations.

Adrian provided further context by reference to one of the links in the use
case table, linking to a standard looking patient consent form for the
"Release of Information" under HIPAA.  See:

Dazza requested at this point that Adrian step the group through each HIPAA
named role (already highlighted on the consent form) and identify the
corresponding roles and data in the use case table scenarios.  Based on
Adrian's cross-walk of HIPAA and every day business names of each party,
Dazza confirmed everybody understood the same use case, thanked Adrian for
providing the anchoring document and presentation and re-commenced

Given the relatively short time remaining and the priority of engaging all
participants, Dazza used the remaining time soliciting feedback from each
participant on 1. their broad and general estimate of the situation and 2.
ideas or suggestions about more specific directions the group should
consider, especially directions likely to result with timely

Scott David, among other incisive comments, incidated he agreed that it is
a good idea for the subgroup to start with HIPAA because it is a good match
for UMA legal evaluation.  Also, the statutory duties are the right ones.
Also, HIPAA use cases relate directly to contractual practices, which Scott
indicated would be fundamental tools for addressing the legal issues.
Scott also cautioned UMA won't be bound to healtchare or any single given
scenario or field of law and legal results will vary as any particular
contractual terms or specific legal measures are applies in other or more
generic scenarios of use.

John Neiditz indicated UMA offers an approach that starts with the patient
and this is a good fit.  John noted this may well change the relationship
between the operator of the Resource Server and the operator of the
Authorization Server.  This needs to be managed carefully and well but
overall offers an opportunity to improve The current state of affairs.

John indicated he felt agency law analysis is a great thing to do as part
of the groups work.

Jeff Stolman also agrees (w/ Scott and Adrian specifically) on the
direction and indicated a need to do a much deeper dive into the process
diagrams in order to surface enough relevant detail for more substantive
work on the issues.

Jeff indicated the issues of "shared party log-in" (is that what he said?
like among spouses?) will need to be dealt with either by this group or by
others, soon.

Jeff also indicated he agreed that it is a great idea to use agency law as
part of the work of the group.

Dazza raised the question: to what extent does agency law apply the same
beyond the US?  Scott answered that by use of contracts one can
deliberately introduce agency and other relationships and that is also
distorted by local law (like a situation he had with Indian law for a large
ecommerce company).

Mark Lizar indicated he thought we were on the right track here and looks
forward to continuing to participate going forward.

Adrian Groper indicated the group should watch three way relationship
between individual (personal data "owner"/subject) and direct service
providers and third parties. Adrian suggest it is ok not to worry so much
about business associates, etc. and other flavors of resource owner in a
HIPAA context.  Rather, it is important to understand and work with the
basic triangle use case. (presumably the basic OAuth 2 triangle of 1) the
individual resource owner and provider/witholder/revoker of consent, 2) the
resource/auth service provider and 3) the third-party client/app).

Adrian brought up the Apple's Healthkit as an example of an alternative
model of relationships and healthcare personal data and transaction flow.
This example sparked a lively and creative round of discussion among
several members who informally stayed on the line to continue the dialog
after the call was adjournd.  As with other contexts, some ambiguity arose
between use of the words "Consent" and "Authorization" as well as "User
Control" and "User Management".  It was noteworthy that the iPhone device
is at once apparently "owned" by the user while at the same time housing
components and processes that are proprietary to and  controlled by others
parties. Presumably, further development of nomenclature for legal lawyers
of UMA use cases will more quickly and clearly reflect which people,
devices and processes in operate at the behest or in the interests of the
individual who holds and generate personal data through systems like the
Heathkit and which operate as "agent" for and in the interests of other
parties.  It was also noted that Apple's open source and modular
componentization of an "informed consent" function was interesting and
should be explored to understand how it would or could relate to OAuth 2
and UMA authorization flows.   Dazza added an 8th use case to the use case
table as a rough sketch / placeholder to further explore Apple

Meeting Results Keyed to Agenda:

> Select goal and use case(s):

* Yes, start with identified health data related use cases described in use
case table provided by Adrian and augmented by the group during the meeting.

> Proposal: RS liability —> Alice visits PCP and introduces its EHR system
(RS) to her AS.  AS variations?

* This was not directly addressed.

> Data rights ownership impact?

* This was touched upon a few times and was an explicit basis for the need
to further explore how ownership, control, contractual and agency
relationships play out with Apple's Healthkit/Researchkit.

> Work through role perspective(s):

* One level of legal roles was briefly but completely worked through by use
of the HIPAA consent form for Release of Information in the context of
Adrian's UMA use case table (ascribing the roles of "covered entity,
patient, etc to each actor or other entity in the UMA use cases").  The
group also indicated a desire to do that again more comprehensively to use
cases in the table and with other use cases.

> Principal/Agent/Third Party

* A majority of participants voiced a strong interest to apply agency law
oriented role based analysis for all UMA legal use cases.  The basic
formula was felt to be strong fit with the roles, relationships and rules
generally intended for UMA. However, some caution was stated about limits
of how far agency law may apply in the same way (especially beyond the
boarders of the US) and also the potential wild-card effect of
unpredictable but over-riding roles, rights and responsibilities agreed by
contract.  The general sense was that Princiap/Agent/Third Party triangluar
analysis will be a valuable reference point to evaluate and describe
intended legal context and outcomes.  The idea was to use agency analysis
as a benchmark to evaluate conformance or need for additional contractual
or other structuring  of the rules defining rights and responsibilities for
roles and the networks of relationships, interactions/transactions that
ensure predictable, expected legal results.

> Identify next steps:

The following next steps were identified:
* It was confirmed that the group should continue working through the HIPAA
use cases
* It was evident participants want to further discuss the Apple
Healthkit/Researchkit and so it will be included as a variation of the
initial health information scenarios.
* Dazza will work with Adrian (and anyone else so inclided) to refactor the
use case table scenarios into more detailed cross-functional process
diagrams (aka swim lane diagrams) including agency law overlay (and
possibly a first guess as to where contracts are formed, already exist or
could be monkeyed with).  When ready, a link to the diagrams in the wiki
will be emailed to the list for everybody to hammer at or at least view
* Other?

 - Dazza

Note: Due to technical difficulty, the meeting did not get rolling until
nearly 30 minutes after the start time, but covered a lot of ground
nonetheless prior to adjournment at slightly after 12pm Eastern Time.
Several participants also chose to continue a lively and topical discussion
for 15-20 minutes after the meeting was formally adjourned.

   _ _ _ _ _ _ _ _ _ _ _ _ _ _
   |   Dazza Greenwood, JD
   |   CIVICS.com, Founder & Principal
   |   MIT Media Lab, Visiting Scientist
   |     Vmail: 617.500.3644
   |     Email: dazza at CIVICS.com
   |     Biz: http://CIVICS.com
   |     MIT: https://law.MIT.edu
   |     Me: DazzaGreenwood.com
   |     Twitter: @DazzaGreenwood
   |     Google+: google.com/+DazzaGreenwood
   |     LinkedIn: linkedin.com/in/DazzaGreenwood
   |     GitHub: github.com/DazzaGreenwood/Interface
   |     Postal: P.O. Box 425845 Cambridge, MA  02142
   | _ _ _ _ _ _ _ _ _ _ _ _ _ _
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-uma/attachments/20150828/26a5d2b4/attachment.html>

More information about the WG-UMA mailing list