HEART (Health Relationship Trust) is a set of profiles that enables patients to control how, when, and with whom their clinical data is shared. The HEART model builds on existing state-of-the-art security and adds additional components to ensure that patient clinical data is securely exchanged. In addition to giving patients control over how their own data is shared, HEART defines the interoperable process for systems to exchange patient-authorized healthcare data consistent with open standards, specifically FHIR (Fast Healthcare Interoperability Resources), OAuth, OpenID Connect, and UMA (User-Managed Access).
Today, attempts to enable patients to electronically manage authorizations for sharing their data have only worked within narrow ecosystems, such as a single healthcare system. This is problematic for patients because it is difficult to share healthcare data with an external physician or with a healthcare system in a different region. It is problematic for organizations and providers because there are no processes, rules, or standards for ensuring that the clinical data being shared has been authorized by patients. This lack is likely to limit adoption and use of data-sharing APIs because it will be far more difficult to ensure that apps seeking to use APIs actually have the approval to obtain access to individual patients’ data.
The goal in developing the HEART profiles was to address these issues by creating best practices that accomplish the following practical tasks:
- Enables organizations and other entities to electronically determine whether requests for data are valid (i.e., have been authorized by the patient) and what data the requesting entity is authorized to obtain.
- Creates a protocol for managing both sharing of permissions and data that adheres to the highest levels of security and privacy. In the process, both patients and providers increase trust that the data is authorized and accurate.
- Supports, and integrates with, systems that allow patients to set up permissions and authorizations for sharing their clinical data to ensure that their data is only shared with individuals, institutions, and apps that they choose.
HEART provides a standard to enable patient-mediated interoperability implementation through the FHIR APIs. To obtain the full benefit of open APIs, we need to enable the HEART standard and attain widespread adoption.
(You can find this overview as a standalone document.)
The Vote to Approve Implementer’s Drafts of Four HEART Specifications has closed and the specifications have been approved as of March 12, 2019. You can read about the vote here. The four specifications that were approved are:
- Health Relationship Trust Profile for OAuth 2.0
- Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes
- Health Relationship Trust Profile for User-Managed Access 2.0
- Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) UMA 2 Resources
A complete list of HEART specifications produced (including previous Implementer’s Drafts) can be found in the group’s BitBucket repository.
There are two types of HEART specifications:
- Mechanical profiles: These specify and tighten security parameters for using OAuth 2.0, OpenID Connect, and UMA, respectively, in the context of patient-controlled health data exchange.
- Semantic profiles: These prescribe usage of OAuth and UMA (for example, defining scopes and flows) in combination with health industry-specific APIs. The first set of APIs to have received this treatment is FHIR.
The group has written the following use cases to crystalize key needs in patient-directed health data exchange and how HEART can contribute to the solution:
- Alice Shares Clinical Records With Her Spouse
- Alice Shares Health Data With Her Spouse
- Alice Electronically Shares Data From Her PHR
- Patient Shares Data From Her Health IoT Device to Her Clinician
Additional information can be found on our Resources page.
The easiest way to monitor progress on the HEART Specification is to join the mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-heart.
Please note that while anyone can join the mailing list as a read-only recipient and listen to the calls, posting to the mailing list or actively contributing to development of the specification itself (all spoken comments are considered contributions) requires the submission of an IPR Agreement. More information is available at http://openid.net/intellectual-property. Make sure to specify the working group as “OpenID HEART”.
- Meetings on some Mondays
- When: 1 PM PST/4 PM EST
- Where: Gotomeeting – https://global.gotomeeting.com/join/785234357
- When: 1 PM PST/4 PM EST
- GoToMeeting software is available on Mac, PC, iPhone, and Android Phone.
- Using VoIP option of GoToMeeting is preferred. If you must use a plain old telephone for some reason, here is the US phone number: +1 (619) 550-0003. Access Code 785-234-357
- Please Note: Participation in the call is limited to the 20 most active members at the discretion of the chairs due to the number of lines available.