PD+Phases+1a+and+1b+User+Stories

**Top Level User Story**:
An emergency room wants to send a summary of care to a patient’s provider as part of the visit or in response to a request from the provider. The system used by the emergency department has the information regarding the electronic address of the recipient of the message and lacks the required security credentials. The emergency department system performs a query to the certificate store to obtain this security information. In the event the emergency department system does not have the electronic address of the recipient, the system or user queries the provider directory to obtain the electronic address and potentially the digital certificate.

This story assumes that the summary of care data will be sent through a push messaging framework (e.g. an email message such as Direct via SMTP or using a SOAP based message standard such as Direct or Exchange via XDR/XCA). This use case is restricted to a push use case and scopes out any use case which falls into an electronic query/retrieve model as adopted by Exchange. Any request for the care data will be assumed to be delivered as a separate push transaction or out-of-band.


 * Electronic Address:** A string which identifies the transport protocol and end point address for communicating electronically with a recipient. A recipient may be a person, organization or other entity that has designated the electronic address as the point at which it will receive electronic messages. Examples of an electronic address are an email address (Direct via SMTP) or URL (SOAP / XDR). Communication with an electronic address may require a digital certificate and for each electronic address there is at most one digital certificate necessary for communication.

Provider (sending or receiving) can be an individual, an organization, or a department depending on the specifics of the use case (e.g. any of these may have an electronic address).

**User Story 1: Push**
The sending provider or provider’s system has a known electronic address for the intended recipient. The sending provider’s system does not have the digital certificate for the intended recipient to enable the health information exchange. The provider system sends a query to the certificate store without user intervention. The certificate store returns the digital certificate associated with the intended recipient. The sending system verifies that the certificate of the recipient has been issued by the trusted authority. The provider system is able to use this information to send the patient information to the intended recipient. The recipient uses the sender’s electronic address to access the certificate store to confirm the identity of the sending provider and confirms that the public certificate of the sender is signed by a trusted authority and to retrieve the certificate.

In the instance where the certificate is not available, the certificate store returns an error message.

**User Story 2**: Pull
The sending provider does not have the electronic address of the intended recipient of the summary of care. The provider initiates a provider directory query (either through their provider system or in a separate application) to locate the electronic address for the individual provider who is the intended recipient of the request or patient information. The provider enters basic identifying information about the intended recipient and sends the inquiry to the provider directory. The provider directory returns a list of providers that match the criteria along with demographic information to allow the sending provider to unambiguously determine the correct provider (individual and/or entity) and the correct electronic address for the appropriate recipient provider’s system. The provider selects the intended recipient of the message.
 * 1) If the query is initiated in a separate application, the provider directory returns the electronic address for the correct endpoint and the user enters this address manually in their provider system. The remainder of the user story is the same as in User Story 1.
 * 2) If the query is initiated through the provider system, the provider directory returns the electronic address for the correct endpoint and may return any required security information.
 * 3) If the provider directory does not return the required security information, the balance of the user story is the same as User Story 1.
 * 4) If the provider directory does return the security information (at a minimum the digital certificate for the recipient), the provider system verifies that the certificate of the recipient has been issued by the trusted authority.

The provider system is able to use this information to send the patient information to the intended recipient. The recipient uses the sender’s electronic address to access the certificate store to confirm the identity of the sending provider and confirms that the public certificate of the sender is signed by a trusted authority and to retrieve the certificate.

In the instance where the certificate is not available, the certificate store returns an error message.