[WG-HealthIDAssurance] Draft agenda for tomorrow (special meeting)

[Tom (Thomas) Sullivan]

Jim Kragh and I spoke yesterday.  He suggested we call a meeting tomorrow to discuss the issues raised by Tom Jones and others addressing the Vaccine mobile IDs since it is such a timely topic and mobile IDs are "in our wheelhouse".

We typically hold our calls on the first and third Thursdays of the month, so this is temporarily out of the usual order.

However, it does seem very topical and there are some discussions around the implementation of this, in the fog and controversy that is associated with these new vaccines along with the needs of Public Health balanced against individual autonomy and privacy.

I am hoping that our staff support  (Bella and staff) will be able to accommodate this temporary change in the schedule.

HIAWG members,

Here is the draft agenda for Thursday (tomorrow) - a special meeting.   Please contact me ASAP if you want to suggest edits or additions.

Healthcare - HIAWG and IDEF sub WG Created by: kantarai...@gmail.com

Time     2pm‎ - ‎3pm‎‎ (Eastern Time - New York)

Date      Thursday, September 30, 2021

Where   GoToMeeting (GTM2)

Description: USUALLY Occurs every first and third Thursday of the month at 2:00 PM US Eastern Time --- zone converter: www.thetimenow.com/timezone-converter.php 

Please join our meeting from your computer, tablet or smartphone.

 https://global.gotomeeting.com/join/975495917
Access Code: 975-495-917

1.  Roll Call: Start recording!! Tom Sullivan 

Here are some of the emails to set up this call led by Tom Jones:

From Tom Jones today:

The example of a sporting event is a great one. And it might well fit into an expanded view of a mobile credential in this way.

In general a smart health cred cannot authorize entry to any venue, there will (almost) always be another cred to be bound to the health cred. The binding between the various creds at each use case does need an explanation which i have not myself seen anywhere

1. airplane => mdl + SHC + boarding pass

2. sports => ticket-to-event + SHC

3. physician or lab or pharmacy => known-to-practice + SHC

I believe that any privacy profile needs to look at the entire package to be presented by the user. Not just one cred.

I believe the binding among the creds needs to be addressed from a security perspective, so I don't know if that fits into the existing PPMC effort. It would clearly fit into the HIAWG scope.

++++++++++++++++++++++++++++++++++++++++++++++++

From Tom Jones yesterday:

 Here's the problem that I think is in-scope essentially immediately. Several states are not issuing mobile driver's licenses, rather they are calling them mobile ID from the git go.

So why does this matter to a privacy profile for getting onto an airplane? or to Healthcare, or to getting into a ball park?

The mDL will be in a wallet with multiple creds. Whether they are in a single cred, or multiple creds is not the issue. What needs to happen, essentially from day one, is that the mDL will be paired with authorization. If you look at the DHS request access to nuclear facilities was included from the git go.

Here are some links to the Smart Health Card. TL;DR, the point is that the shc (and most medical authz as well) ask for the legal name and birthdate. If that cred is in a wallet with an mDL the verifier needs both. We need to understand that binding created by the wallet as one of the use cases for mDL.

Another use case is the TSA agent wants the mdl AND the e-ticket. The wallet is likely to have both.

from apple: https://support.apple.com/en-us/HT212752

from SHC: https://spec.smarthealth.cards

++++++++++++++++++++++++++++++++++++++++++++++++++

From Tom Jpnes:

https://github.com/18013-5/micov/blob/main/20210914%20-%20White_Paper_ISO_compliant_mdoc_for_eHealth_RC2.pdf

Is there any reason we should respond to this?  (responses due soon)

+++++++++++++++++++++++++++++++++++++++++

From TJ:

So. ---   Jim StClair -- is this the group you'r are involved with?

Can you explain how Identification works for these vax creds at our next meeting?

https://smarthealth.cards

+++++++++++++++++++++++++++

Here is a thread from Sal and John that ties some of this discussion in chronloggic order:

Thanks John, 100, valid for authorization.

 

What is useful is a discussion perhaps of how the credential has the ability to be used, even by DHS, in a decentralized manner that doesn’t require secure connections to databases. Decentralized authrorization.

Reply

Reply all

Forward

From: John Wunderlich <jo...@wunderlich.ca>
Sent: Wednesday, September 29, 2021 8:29 AM
To: Tom Jones <thomascli...@gmail.com>
Cc: jim kragh <kra...@gmail.com>; Salvatore DAgostino <s...@idmachines.com>; Christopher Williams <willia...@gmail.com>; Thomas Sullivan <tsul...@drfirst.com>; Catherine Schulten <catherin...@yahoo.com>
Subject: Re: interesting proposal to add a cert of vax to the mDL

 

Tom;

I agree with you that this is a use case for the PEMC WG, and should probably make it into the interim PEMC report. I’ll also note that a number of members of the PImDL DG are authors of this report. TL:DR my view is that verifiers too often ask for both identification and authorization when all that is necessary for the context is authorization. So while a TSA boarding agent may require both identity (mDL) and e-ticket at a boarding gate, the person at the gate for a sports event only needs a valid e-ticket and a green check mark for vaccination status, not identification. 

Each of us can obviously respond individually. What are you proposing beyond that?

 

Have a better than expected day,

John Wunderlich

 

LinkedIn: https://www.linkedin.com/in/privacycdn/

Twitter: https://twitter.com/PrivacyCDN

On Sep 28, 2021, 5:26 PM -0400, Tom Jones <thomascli...@gmail.com>, wrote:

Here's the problem that I think is in-scope essentially immediately. Several states are not issuing mobile driver's licenses, rather they are calling them mobile ID from the git go.

So why does this matter to a privacy profile for getting onto an airplane? or to Healthcare, or to getting into a ball park?

The mDL will be in a wallet with multiple creds. Whether they are in a single cred, or multiple creds is not the issue. What needs to happen, essentially from day one, is that the mDL will be paired with authorization. If you look at the DHS request access to nuclear facilities was included from the git go.

Here are some links to the Smart Health Card. TL;DR, the point is that the shc (and most medical authz as well) ask for the legal name and birthdate. If that cred is in a wallet with an mDL the verifier needs both. We need to understand that binding created by the wallet as one of the use cases for mDL.

Another use case is the TSA agent wants the mdl AND the e-ticket. The wallet is likely to have both.

from apple: https://support.apple.com/en-us/HT212752from SHC: https://spec.smarthealth.cards

Be the change you want to see in the world ..tom

On Tue, Sep 28, 2021 at 1:39 PM John Wunderlich <jo...@wunderlich.ca> wrote:

I don’t think so from the perspective of the new privacy enhancing mobile credentials work group. I think that server retrieval of a vaccine status has real risks to privacy so this highlights the utility of a PEMC the extends this document. Trying to address these issues in this work effort would be problematic or out of scope I’m thinking. 


Have a better than expected day,
John Wunderlich

Thomas E Sullivan, MD

 DrFirst.com, Inc.

(978) 729-5075 (M)

tsul...@drfirst.com

 

Notice of Confidentiality: The information included and/or attached in this electronic mail transmission may contain confidential or privileged information and is intended for the addressee. Any unauthorized disclosure, reproduction, distribution or the taking of action in reliance on the contents of the information is prohibited. If you believe that you have received the message in error, please notify the sender by reply transmission and delete the message without copying or disclosing it.

[Kay Chopard]

Hello Tom,

This week Kantara moved away from GoToMeeting and started using Zoom for work group meetings. The GTM renewal expired this week and at the request of several work groups we made the change to Zoom. Here is the invitation for your group's Zoom meeting with the links and the information required.

I don't know that Bella or others are supporting your work group but I will talk with them about that to see. 

Please make sure your group members have this new meeting invitation. It has also been changed on the Kantara calendar. Please delete the old information using GTM. It will no longer work. Please let me know if you have any questions.

Kay

Kay Chopard

Executive Director 

Kantara Initiative Inc. 

Kantara Initiative is inviting you to a scheduled Zoom meeting.

Topic: Health Identity Assurance WG
Time: This is a recurring meeting Meet anytime

Join Zoom Meeting
https://zoom.us/j/98326576116?pwd=QnlrYW9wb2lGM3JMY2tmd2dlSTJrQT09

Meeting ID: 983 2657 6116
Passcode: 192209
One tap mobile
+13017158592,,98326576116#,,,,*192209# US (Washington DC)
+13126266799,,98326576116#,,,,*192209# US (Chicago)

Dial by your location
        +1 301 715 8592 US (Washington DC)
        +1 312 626 6799 US (Chicago)
        +1 646 558 8656 US (New York)
        +1 253 215 8782 US (Tacoma)
        +1 346 248 7799 US (Houston)
        +1 669 900 9128 US (San Jose)
Meeting ID: 983 2657 6116
Passcode: 192209
Find your local number: https://zoom.us/u/abCvb8Pf7d

[Jim St.Clair]

Yay for Zoom! Thanks Kay!

Best regards,

Jim

_______________ 

 

Jim St.Clair 

Chief Trust Officer 

jim.s...@lumedic.io | 228-273-4893 

Let’s meet to discuss patient identity exchange: https://calendly.com/jim-stclair-1

---

From: Kay Chopard <k...@kantarainitiative.org>
Sent: Wednesday, September 29, 2021 9:19:28 AM
To: Tom (Thomas) Sullivan <tsul...@drfirst.com>
Cc: Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>; Jim St.Clair <jim.s...@lumedic.io>
Subject: Re: Draft agenda for tomorrow (special meeting)

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

[Kay Chopard]

Thanks Jim! So far everyone has been cheering just like you. I'm glad it's helpful.

Best,

Kay

Kay Chopard

Executive Director 

Kantara Initiative Inc. 

[Tom (Thomas) Sullivan]

Thanks for the update, Kay,

Although you sent this to our group, I will resend with 1-2 additions since a few for tomorrow only are not in the HIAWG traditional list.

Thanks again.

Tom

Thomas E Sullivan, MD

Chief Medical Strategic Officer

 DrFirst.com, Inc.

(978) 729-5075 (M)

tsul...@drfirst.com

 

---

From: Kay Chopard <k...@kantarainitiative.org>
Sent: Wednesday, September 29, 2021 12:19 PM

To: Tom (Thomas) Sullivan <tsul...@drfirst.com>
Cc: Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>; Jim St. Clair <jim.s...@lumedic.io>

Subject: [EXTERNAL] Re: Draft agenda for tomorrow (special meeting)

 

[Kay Chopard]

Great. Thank you for making sure everyone gets the info.

Best,

Kay

Kay Chopard

Executive Director 

Kantara Initiative Inc. 

[Tom (Thomas) Sullivan]

HIAWG participants,

This call to the meeting for tomorrow at 2 PM ET may be redundant as Kay has just let us know that Kantara has switched to Zoom for the future.

Here is the new link once again for tomorrow at 2 PM ET:

Kantara Initiative is inviting you to a scheduled Zoom meeting.

Topic: Health Identity Assurance WG
Time: This is a recurring meeting Meet anytime

Join Zoom Meeting
https://zoom.us/j/98326576116?pwd=QnlrYW9wb2lGM3JMY2tmd2dlSTJrQT09

Meeting ID: 983 2657 6116
Passcode: 192209
One tap mobile
+13017158592,,98326576116#,,,,*192209# US (Washington DC)
+13126266799,,98326576116#,,,,*192209# US (Chicago)

Dial by your location
        +1 301 715 8592 US (Washington DC)
        +1 312 626 6799 US (Chicago)
        +1 646 558 8656 US (New York)
        +1 253 215 8782 US (Tacoma)
        +1 346 248 7799 US (Houston)
        +1 669 900 9128 US (San Jose)
Meeting ID: 983 2657 6116
Passcode: 192209
Find your local number: https://zoom.us/u/abCvb8Pf7d

Thomas E Sullivan, MD

Chief Medical Strategic Officer

 DrFirst.com, Inc.

(978) 729-5075 (M)

tsul...@drfirst.com

 

---

From: Tom (Thomas) Sullivan
Sent: Wednesday, September 29, 2021 11:14 AM
To: Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Kay Chopard Cohen <k...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>; Jim St. Clair <jim.s...@lumedic.io>
Subject: Draft agenda for tomorrow (special meeting)

 

[Tom Jones]

Here is a draft of the possible use cases are a starting place for the interesting discussion - how patient identity fits into all this other data.

Health Equity requires that any patient that wants to access their health data can provide given their capabilities and resources (or lack of resources). A variety of capabilities will be enabled with the trust registry to assure that vulnerable populations can be served when and where they chose. While this Patient Experience document focuses on the smart-phone case, other media, like paper based QR codes need to be provided in complete solutions.

Immunization Status Use Case[edit]

As a place holder this is the current status of the Smart Health Card use case

• The Patient goes to a pharmacy (lab, whatever) for a vaccination.
• The patient taps their phone at the pharmacy desk.
• After receiving the Presentation Request from the pharmacy, and acceptance by the user, the data (and any co-pay) is transferred from the phone to the pharmacy.
• After the shot, and a wait for seizures, the patient is again asked to tap the phone at the desk.
• A Smart Health Card is added to the patient's phone wallet.
• There may be a "not before" date on the card. Typically this is two weeks for COVID. After that data the patient is able to access venues for "fully vaccinated" people.

Link to Smart Health Cards https://tcwiki.azurewebsites.net/index.php?title=Smart_Health_Card

A Complex Use Case[edit]

• A child is visiting their grandparents out-of-state. The child has a chronic thyroid condition and needs a prescription renewal filled locally. This requires a blood test and prescription refill at providers that have never seen the child previously.
• The user case will focus on a fully automated wallet in the possession of the child.
• The following documentation is required.

1. Portions of the patient's health history and diagnosis with doctors scripts and medical allergies or other conditions.
2. State issued ID.
3. Payor approval.
4. PCP data (phone number, etc.)
5. Co-pay funds
6. Parental consent

• The patient lists the urgent care center closest to the grandparents' home.
• The patient taps their phone on the card center's in-take desk.
• The care center sends a "Presentation Request' to the patient's phone.
• The patient is told by their phone what information is requested, including co-pay.
• The patient accepts, the information and money is passed from the patient to the care center.
• The lab later reports results which are forwarded by the care center to the local pharmacy selected by the patient.
• The smartphone interchange at the pharmacy exactly maps the experiment at the care center.
• Success - everyone is pleased with the result.

link to this https://tcwiki.azurewebsites.net/index.php?title=Patient_Experience

..tom

Notice of Confidentiality: The information included and/or attached in this electronic mail transmission may contain confidential or privileged information and is intended for the addressee. Any unauthorized disclosure, reproduction, distribution or the taking of action in reliance on the contents of the information is prohibited. If you believe that you have received the message in error, please notify the sender by reply transmission and delete the message without copying or disclosing it. _______________________________________________
WG-HealthIDAssurance mailing list
WG-HealthI...@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-healthidassurance

[Jim St.Clair]

I look forward to the use case discussion but caution that at first blush it appears duplicative of the work in CCI and TOIP/GHPC to outline a lot of these process steps. Of note, I don't personally advocate for Smart Health Cards over providing a "proper" VC that serves as the basis for the verifiable claim for vaccination, and hopefuly also supports Zero-Knowledge Proofs and selective disclosure (which SHC explicitly does not). 

i'm happy to provide links to the GHPC blueprint for reference if that's useful.

I also added comments in-line in the "complex use case"

Best regards,

Jim

_______________ 

 

Jim St.Clair 

Chief Trust Officer 

jim.stclair@lumedic.io | 228-273-4893 

---

From: Tom Jones <thomascli...@gmail.com>
Sent: Wednesday, September 29, 2021 1:27 PM

To: Tom (Thomas) Sullivan <tsul...@drfirst.com>

Cc: Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Kay Chopard Cohen <k...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>; Jim St.Clair <jim.s...@lumedic.io>
Subject: Re: [WG-HealthIDAssurance] Draft agenda for tomorrow (special meeting)

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Here is a draft of the possible use cases are a starting place for the interesting discussion - how patient identity fits into all this other data.

Health Equity requires that any patient that wants to access their health data can provide given their capabilities and resources (or lack of resources). A variety of capabilities will be enabled with the trust registry to assure that vulnerable populations can be served when and where they chose. While this Patient Experience document focuses on the smart-phone case, other media, like paper based QR codes need to be provided in complete solutions.

Immunization Status Use Case[edit]

As a place holder this is the current status of the Smart Health Card use case

• The Patient goes to a pharmacy (lab, whatever) for a vaccination.
• The patient taps their phone at the pharmacy desk.
• After receiving the Presentation Request from the pharmacy, and acceptance by the user, the data (and any co-pay) is transferred from the phone to the pharmacy.
• After the shot, and a wait for seizures, the patient is again asked to tap the phone at the desk.
• A Smart Health Card is added to the patient's phone wallet.
• There may be a "not before" date on the card. Typically this is two weeks for COVID. After that data the patient is able to access venues for "fully vaccinated" people.

Link to Smart Health Cards https://tcwiki.azurewebsites.net/index.php?title=Smart_Health_Card

A Complex Use Case[edit]

• A child is visiting their grandparents out-of-state. The child has a chronic thyroid condition and needs a prescription renewal filled locally. This requires a blood test and prescription refill at providers that have never seen the child previously. (So...this is presuming the script is not at a national chain where I just walk in and they locate my script to refill it)
• The user case will focus on a fully automated wallet in the possession of the child. (so the child has a mobile wallet? What's in it?)

• The following documentation is required.

1. Portions of the patient's health history and diagnosis with doctors scripts and medical allergies or other conditions. (So the pharmacy needs to initiate a records exchange via HIE to match the patient and request the data. Depending on the state, there's also the parental consent mechanism to consider)
2. State issued ID. (Parent's ID? Child's ID? This is a hard copy presentation of a state DL or ID?)
3. Payor approval. ("Approval" or a benefits claim, meaning the pharmacy initiates the round-trip 27X process to confirm status and presumably the accumulator to confirm status of out-of-pocket max?)
4. PCP data (phone number, etc.) (PCP data from home or the the urgent care center?)
5. Co-pay funds
6. Parental consent

• The patient lists the urgent care center closest to the grandparents' home. (The patient - in this case the child - lists the urgent care center? for a script?)
• The patient taps their phone on the card center's in-take desk. (taps what?)
• The care center sends a "Presentation Request' to the patient's phone. (A "presentation request" of what?)
• The patient is told by their phone what information is requested, including co-pay. (Is this a consent function?)
• The patient accepts, the information and money is passed from the patient to the care center. (Where does the money come in the process flow? Credit card, ACH?)
• The lab later reports results which are forwarded by the care center to the local pharmacy selected by the patient. (How does the lab know to send the results to pharmacy?)
• The smartphone interchange at the pharmacy exactly maps the experiment (experience?) at the care center. (I'm not sure what the "interchange maps" implies. 

..tom

[Tom Jones]

I am working with 

Savita Farooqui

 and others on LFPH to be sure the GCCN is properly included. We need to be inclusive of SSI and other sources as well. My (limited) understanding of the SHC is that it is designed to be VC compliant.  I am not able to evaluate that claim yet, but I am working on it.

..tom

[Tom (Thomas) Sullivan]

Kay or staff,

How do I become the Zoom organizer for the call tomorrow at 2 PM ET?

Do I just try to join at 2 PM and it opens automatically?  This call tomorrow is not on our usual schedule. It's a special meeting.

I just tried to join a few moments ago since I did not see a time specified, but It says I have to wait for the Zoom organizer to let me in.

Tom

Thomas E Sullivan, MD

Chief Medical Strategic Officer

 DrFirst.com, Inc.

(978) 729-5075 (M)

tsul...@drfirst.com

 

---

From: Kay Chopard <k...@kantarainitiative.org>
Sent: Wednesday, September 29, 2021 12:23 PM
To: Jim St.Clair <jim.s...@lumedic.io>
Cc: Tom (Thomas) Sullivan <tsul...@drfirst.com>; Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>
Subject: [EXTERNAL] Re: Draft agenda for tomorrow (special meeting)

 

[Jim St.Clair]

If you dig into the SHC GitHub, there are previous issues that Manu, Orie, and I commented on that the structure was non-compliant with W3C. Josh's arguments were that their chosen approach was expedient, and essentially other orgs could choose to implement their own verifiable presentation/SSI if they chose (which I believe to be true, but the SHC schema may need additional changes). 

Best regards,

Jim

_______________ 

 

Jim St.Clair 

Chief Trust Officer 

jim.stclair@lumedic.io | 228-273-4893 

---

From: Tom Jones <thomascli...@gmail.com>
Sent: Wednesday, September 29, 2021 1:59 PM
To: Jim St.Clair <jim.s...@lumedic.io>
Cc: Tom (Thomas) Sullivan <tsul...@drfirst.com>; Kantara WG HealthIDassurance <wg-healthi...@kantarainitiative.org>; st...@kantarainitiative.org staff Kantara <st...@kantarainitiative.org>; Bella Staff <be...@kantarainitiative.org>; Kay Chopard Cohen <k...@kantarainitiative.org>; Salvatore D'Agostino <s...@idmachines.com>; jo...@wunderlich.ca <jo...@wunderlich.ca>; Catherine Schulten <catherin...@yahoo.com>