As healthcare providers open up patient access to their digital health records, it presents scenarios where patients use mobile apps to “pull” their health records from different providers in one place, or direct a provider to send their data to another provider. However, before such pulling or sharing can begin, a provider may need an explicit patient consent or authorization form (often paper-based) signed by the patient. Today, a patient would typically do this by signing a paper form and the provider would hand over a DVD containing scanned PDF copies of the patient’s health records. Now, imagine using a consumer health app on your phone, and every time you request your provider to share your records, the app asks you to first download a consent form that you then need to print, sign and fax to your provider. That would be a cumbersome and undesirable patient experience. Instead, digitally embedding patient consent during the electronic pulling or sharing of patient records itself can make this experience much smoother. Interestingly, one can implement this workflow with OAuth2, an industry-standard protocol for authorization. This session presents different implementation approaches for this based on my observations from the Consumer-Centered Data Exchange (CCDE) track of the last two FHIR Connectathons (September 2017 and February 2018).
Basic understanding of OAuth2 and FHIR is desirable.
https://oauth.net/2/
https://www.cubrid.org/blog/dancing-with-oauth-understanding-how-authorization-works
https://www.hl7.org/fhir/summary.html