ABBI Pull Strawman Option 3


Courtesy of Keith Boone
This option is largely consistent with option 2, filling in some critical details. It also takes into account the capability of patient portals to support download, as in option 1. It defers the discussion of how patient credentials are created (see prerequisites), but supports OpenID as a mechanism by which patient credentials can be verified. It uses OAuth as the mechanism by which applications and/or services are granted authorization to access patient information. It supports patient/application directed content negotiation to enable access to the content deemed most valuable (e.g., plain text, structured XML, HTML, et cetera).


Prerequisites:
 * 1) Patient or their authorized representative and provider have mutually established a link between a patient identity (which the patient will use to access those records) and the patient's record.

Access:
Use case:
 * 1) Patient accesses URL containing patient data through provider portal or other information system.
 * 2) The portal authenticates the patient using the credentials previously established. If these credentials are not in the provider's control, the portal authenticates the patient via OpenID.
 * 3) Upon authentication, the patient is given the opportunity to grant the application access to information, and by authorizing the application, agrees to the policy framework established for use of the content.

Download:
 * 1) The authorized and authenticated application requests content to be retrieved.
 * 2) Such requests can specify the "mime type" of the content to be returned, the dates of service to select for, and the type of information to be received (e.g., H&P, Consult, CCD, et cetera), enabling the patient or application to use the content types that are most useful to them. They may also request to receive both metadata and content, or just metadata with links to content.
 * 3) The portal returns a response containing metadata about the available information requested, instructions for how to download the detailed information, and optionally, a complete copy of that information (depending on what the patient requested).
 * 4) The portal will return a metadata description of the content, and the content that matches the mime type requested.
 * 5) When a mime type is requested for which there is a transform of available information in other mime types, the portal will apply that transformation if the transformed content is not already available in the requested mime type.
 * 6) If the requested mime type is not available (stored or by transformation), the portal will return only the metadata for the available content, the full content (if requested), and pointers to available transformations of the available content.

Audit:
 * 1) The portal will audit all downloads.
 * 2) Audit records will also be available to patients and authorized representatives, and may be transmitted to applications.
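The Download and Audit steps above, as an added illustration that is not part of the strawman or any ABBI implementation: a toy portal in Python that checks an OAuth-style bearer grant (including revocation, per Provider/Portal items 1 and 5), selects records by document type and dates of service, serves the requested mime type directly or via a transform (steps 5 and 6), returns JSON-shaped metadata with a link per record rather than Atom, and writes an audit record for every download that the patient can read back. The tokens, records, transforms and paths are all constructed sample data.

```python
"""Added example (not the strawman's own code): a toy ABBI-style portal
covering authorization, content negotiation and audit. Every token, record,
transform and link below is constructed sample data, not a real interface."""
from datetime import datetime, timezone

# Constructed sample: OAuth access tokens the patient has authorized (Access step 3).
# A revoked grant models Provider/Portal item 5.
GRANTS = {
    "tok-app-A": {"patient": "pat-001", "revoked": False},
    "tok-app-B": {"patient": "pat-001", "revoked": True},
}

# Constructed sample record store: each document is stored in exactly one mime type.
# Dates are ISO-8601 strings so they compare correctly as plain strings.
RECORDS = [
    {"id": "doc-1", "patient": "pat-001", "type": "CCD", "date": "2012-03-04",
     "mime": "text/xml", "body": "<ClinicalDocument/>"},
    {"id": "doc-2", "patient": "pat-001", "type": "H&P", "date": "2012-06-01",
     "mime": "text/plain", "body": "History and physical ..."},
]

# Hypothetical transforms the portal can apply (Download step 5): (from, to) -> function.
TRANSFORMS = {
    ("text/xml", "text/html"): lambda body: "<html><body><pre>" + body + "</pre></body></html>",
    ("text/xml", "text/plain"): lambda body: body,  # placeholder; a real portal would render the CDA
}

AUDIT_LOG = []  # Audit step 1: every download appends a record here


class AccessDenied(Exception):
    """Raised when the bearer token is unknown or has been revoked."""


def authorize(token):
    """Provider/Portal items 1 and 5: only a live, patient-authorized grant may pull data."""
    grant = GRANTS.get(token)
    if grant is None or grant["revoked"]:
        raise AccessDenied("token unknown or revoked")
    return grant["patient"]


def select(patient, doc_type=None, start=None, end=None):
    """Download step 2: filter by document type and (inclusive) dates of service."""
    return [r for r in RECORDS if r["patient"] == patient
            and (doc_type is None or r["type"] == doc_type)
            and (start is None or r["date"] >= start)
            and (end is None or r["date"] <= end)]


def available_mimes(record):
    """Mime types the portal can serve for a record: its stored type plus transforms from it."""
    return [record["mime"]] + [dst for (src, dst) in TRANSFORMS if src == record["mime"]]


def render(record, mime):
    """Return the body in the requested mime type, transforming if needed, else None (step 6)."""
    if mime == record["mime"]:
        return record["body"]
    transform = TRANSFORMS.get((record["mime"], mime))
    return transform(record["body"]) if transform else None


def download(token, accept, doc_type=None, start=None, end=None, metadata_only=False):
    """Download steps 1-6: one entry per matching record with metadata and a link;
    content is included only when it can be served in the requested mime type."""
    patient = authorize(token)
    entries = []
    for r in select(patient, doc_type, start, end):
        entry = {"id": r["id"], "type": r["type"], "date": r["date"],
                 "link": "/records/" + r["id"],          # hypothetical download URL
                 "available": available_mimes(r)}        # pointers to transformations (step 6)
        content = None if metadata_only else render(r, accept)
        if content is not None:
            entry["content_type"] = accept
            entry["content"] = content
        entries.append(entry)
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "token": token,
                      "patient": patient, "accept": accept,
                      "records": [e["id"] for e in entries]})
    return entries


def audit_for_patient(token):
    """Audit step 2 / Provider/Portal item 4: an authorized app can read the patient's own trail."""
    patient = authorize(token)
    return [a for a in AUDIT_LOG if a["patient"] == patient]
```

Note that the audit record is written before the response is returned, so a download that succeeds is always logged, and that `audit_for_patient` goes through the same `authorize` check as a download, so a revoked application loses access to the audit trail as well as to the records.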

Patient:
Policy Framework:
 * 1) The patient or authorized representative agrees that the application downloading content is doing so on his/her behalf, and by so authorizing it to receive information that contains personally identifiable information, he/she consents to the transmission of that information to that application.
 * 2) The patient or authorized representative agrees that the portal, by providing this service and transmitting this information to a third party on the patient's behalf, is not creating any business relationship between the provider organizations providing the patient data, the organization providing the service, or any of their associates, and the organization providing the application or service which receives this transmission.

Provider/Portal:
 * 1) Agrees to only transmit data to parties that have been authorized by the patient using the identity credentials that are linked to the patient account.
 * 2) Agrees to secure the exchange by encrypting the information and ensuring its integrity through the use of standards allowed under regulation for certified EHR systems (cf. 45 CFR 170.210).
 * 3) Agrees to maintain an audit log of all transmissions containing the required information, and to make that log available to patients, through the use of standards allowed under regulation for certified EHR systems (cf. 45 CFR 170.210).
 * 4) Agrees to make that audit log accessible to patients through this service.
 * 5) Agrees to revoke access when notified by the patient, either through this service, by written notification, or verbally or electronically at addresses specified by the provider.

Standards:
 * 1) Authentication: OpenID [optional]
 * 2) Authorization: OAuth [required]
 * 3) Metadata: Atom [required] and/or JSON [optional]
 * 4) Content: text/xml, text/html, text/plain [all required], application/pdf [optional], application/json [optional]
 * 5) Transport Encryption and Integrity: TLS
