Too often networks today are single purpose. That is that the HIE is designed for ONE purpose. For example a Health Information Exchange (HIE) that is designed for supporting Treatment. When a network is single purpose, then this simplifies the access control decision. However this does not scale to Purposes beyond Treatment. Thus one needs to carefully design the security tokens in ALL requests so that they declare what Purpose is driving the request for data. This has been built into the IHE security token profiles from the beginning:
- Cross-Enterprise User Assertion (XUA) – a profile on SAML for use with SOAP and other network infrastructures like XDS and XCA
- Internet User Authorization (IUA) – a profile on OAuth for use with http REST network infrastructures like #FHIR and MHD
Why is PurposeOfUse so important?
How is PurposeOfUse used?
difference between an EHR and a PHR with regards to authorization is that a PHR is accessing a patient record onbehalf of that patient, with the data accessible on that PHR only by that patient. Yes the patient can then provide access to others, but it is a assignment action by that patient. YES one must know that the PHR is trustworthy to be upholding the desires of the Patient. The Patient must be the one responsible for holding the PHR accoutable for upholding their desires. Thus when the Patient wants only themselves to have access, it is the PHR that holds access to only that Patient.
PurposeOfUse is more important than data-link authentication?
GDPR requires PurposeOfUse declaration
PurposeOfUse is core principle of Privacy
I base these on the Privacy Principles