HEART Working Group – Specifications

HEART Working Group - Specifications

The HEART working group intends to harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs, and to facilitate interoperable implementations of these specifications by others.

HEART Working Group
OVERVIEW

HEART Working Group
CHARTER

HEART Working Group
SPECIFICATIONS

HEART Working Group
REPOSITORY

The working group has been developing the following specifications:

Specifications

A complete list of HEART specifications produced (including previous Implementer’s Drafts) can be found in the group’s BitBucket repository. There are two types of HEART specifications:

Mechanical profiles: These specify and tighten security parameters for using OAuth 2.0, OpenID Connect, and UMA, respectively, in the context of patient-controlled health data exchange.
Semantic profiles: These prescribe usage of OAuth and UMA (for example, defining scopes and flows) in combination with health industry-specific APIs. The first set of APIs to have received this treatment is FHIR.

Implementer's Drafts

Health Relationship Trust Profile for OAuth 2.0 – This specification profiles the OAuth 2.0 protocol framework to increase baseline security, provide greater interoperability, and structure deployments in a manner specifically applicable to (but not limited to) the healthcare domain.
– Most recent Implementer’s Draft
Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes – This specification profiles the OAuth 2.0 protocol scopes to be used with the FHIR protocol to increase baseline security, provide greater interoperability, and structure deployments in a manner specifically applicable to (but not limited to) the healthcare domain.
– Most recent Implementer’s Draft
Health Relationship Trust Profile for User-Managed Access 2.0 – This specification profiles the UMA protocol to increase baseline security, provide greater interoperability, and structure deployments in a manner specifically applicable to (but not limited to) the healthcare domain.
– Most recent Implementer’s Draft
Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) UMA 2 Resources – This specification profiles the resource types and claim types to be used with the FHIR protocol to increase baseline security, provide greater interoperability, and structure deployments in a manner specifically applicable to (but not limited to) the healthcare domain.
– Most recent Implementer’s Draft

Resources

General Resources

What Is HEART?
Emerging Identity Standards in Healthcare presentation by the HEART co-chairs from Identiverse, June 2018 (slides, video)
Introduction to OAuth and OpenID Connect by Justin Richer
Introduction to UMA (UMA V2, with some HEART context) by Eve Maler
UMA Business Model background
MITRE RHEx and Blue Button Plus profile efforts
GTRI-Trustmark Presentation April 2015 (downloads a PowerPoint file about the GTRI “trustmark marketplace”)

Use Cases

Use cases from 2018 Work Group effort:

Original use cases (obsolete):

Use case template (GDoc)
Alice Selectively Shares Health-Related Data with Physicians and Others [UMA, FHIR] (GDoc)
Alice Registers with PCP and Sets Up Two-Way Exchange of Personal Data Between EHR and PHR [OAuth Only] (GDoc)
Elderly Mom with Family Caregiver (GDoc)
Multiple Portals (wiki)
Post-MI Implant and Rehab (wiki)
VA Secure RESTful Profiles use case (wiki)
Patient Data for Clinical and Research Purposes (wiki)
PCP First Appointment (wiki) – see also PHR to EHR swimlane

Terminology

IdP = identity provider
RP = relying party
SSO = single sign-on
user = human end-user
RO = resource owner (typically a user) trying to achieve controlled sharing – could be same as SSO user
AS = authorization server – could be the same as IdP
RS = resource server – could be the same as AS
C = client – an application
RqP = requesting party (typically but not always a user) – could be same as RO