The Dog’s OAuth

Adrian Gropper

A simple technology for linking EHRs will have a major impact on health care.

We’ve all heard the one about what the barking dog does when it finally catches the car.

The dogs of health IT seem to have caught their car when the Interim Final Rule for standards for meaningful use accepted certification of “EHR Modules” and left it up to the marketplace to decide how the modules would communicate with each other. I think ONC deserves much praise for a very fair and innovation-friendly approach.

OAuth is a relatively simple Web standard for authorizing a limited link between one server and another. Some describe it as a valet key: you, the owner, give the valet a key that doesn’t open the trunk or let the car go faster than 30 mph. When two EHR servers or two EHR modules are linked via OAuth, they can be anywhere on the Web and can be operated by completely different enterprises. The authority to establish and limit the link can come from the patient directly or from a provider under the HIPAA laws.
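As an added illustration (not code from this post or from MedCommons), here is the HMAC-SHA1 request signing that OAuth 1.0, the version current when this was written, uses to make the delegated link between two EHR modules concrete: the records server recomputes the signature with its consumer secret and the secret of the token the patient or provider approved, so a request whose parameters were altered, or which presents a token that was never granted, is rejected. The module names, URL and credentials below are constructed for the example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(value), safe="")

def signature_base_string(method, base_url, params):
    # Encode every key and value, sort the pairs, join them as a query string,
    # then concatenate method, base URL and that string with '&' (each encoded again).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret):
    # The key binds the request to both the linking module (consumer) and the
    # delegated token, so neither secret alone is enough to forge a request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, base_url, query, consumer_key, consumer_secret, token, token_secret):
    # Client side (say, an imaging module calling a records server): add oauth_* parameters and sign.
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    return params

def verify_request(method, base_url, params, consumer_secret, token_secret):
    # Server side: recompute over every parameter except oauth_signature; compare in constant time.
    supplied = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(supplied, expected)

# Constructed sample credentials and endpoint (not from any real system).
CONSUMER_KEY, CONSUMER_SECRET = "imaging-module", "cs-constructed"
TOKEN, TOKEN_SECRET = "patient-grant-42", "ts-constructed"
RECORDS_URL = "https://records.example/ccr"

if __name__ == "__main__":
    req = sign_request("GET", RECORDS_URL, {"patient": "p-1001"}, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    print(verify_request("GET", RECORDS_URL, req, CONSUMER_SECRET, TOKEN_SECRET))                      # True
    print(verify_request("GET", RECORDS_URL, dict(req, patient="p-2002"), CONSUMER_SECRET, TOKEN_SECRET))  # False
```

A production server would also reject reused nonces and stale timestamps, which this block leaves out.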

The impact on health care comes from the power of OAuth to catalyze modular EHRs by providing the same free interface inside and outside an institution. Current institution-centered EHRs, favored by the cats, don’t need OAuth interfaces or CCRs to achieve meaningful use certification because one vendor controls one database for one institution.

Under the IFR rules, a new generation of EHR will now be possible where multiple vendors can benefit from free and efficient interfaces even within a single institution. In radiology, the DICOM standard allows CT scanners from vendor A and MR scanners from vendor B to work seamlessly with workstations from a vendor that knows nothing about either CT or MR, and with long-term off-site storage at a service that works with all CT, MR and workstation vendors. Vendors seldom charge for DICOM interfaces, and many have adopted or adapted open source software for the DICOM stack as a way to reduce costs and improve quality.

Compared to DICOM, OAuth will be revolutionary. This is because DICOM is some 25 years old and was never intended to cross firewalls or to support the strict HITECH Act “accounting for disclosures” privacy mandates. OAuth, by working seamlessly across the Internet, enables cloud-based and patient-centered EHR architectures that will drive decision support for clinicians, informed consent for patients and rapid innovation for institutions as health records portability becomes the norm.

Elizabeth Cohen’s wonderful article on CNN [ http://www.cnn.com/2010/HEALTH/01/14/medical.records/index.html ] and Dave deBronkart’s rallying cry just might ignite a revolution catalyzed by the simplicity and transparency of OAuth and redefine the physician-patient contract in 21st-century terms.

Adrian Gropper, MD is a founder of MedCommons, with roots in patient-controlled and patient-centered health records that go back to MIT’s Guardian Angel project. AMICAS, a more recent radiology-focused venture, pioneered the clinical use of Web browsers and protocols. Adrian is driven by the vision of doctors and patients collaborating around shared health records on the Web.


10 replies »

  1. Thanks for another excellent post. Where else may anybody get that kind of information in such a
    perfect means of writing? I have a presentation next week, and I am at the look for such

  2. Thanks for one’s marvelous posting! I actually enjoyed reading it, you happen to be a great author.

    I will remember to bookmark your blog and may come back from now on. I
    want to encourage one to continue your great job,
    have a nice evening!

  3. Hello Jabbett, I was wondering that too. It appears that adoption has been slow, but there are some positive signs. The HL7 standards are working with OAuth. Indivo uses OAuth (Indivo was used in a recent MIT hackathon). The SMART Platform uses OAuth (the SMART Platform is funded by the feds; the ONC). I couldn’t find any examples of actual doctors or hospitals using OAuth.

  4. Three years later, have you seen any adoption of oAuth?

    Nevermind EHR interoperability, there’s a whole universe of web and mobile health apps that are craving Twitter- or Google-like connectivity with hospital systems.

  5. Medical records and the transfer of information need to be live, not something that takes these doctors 1 or 2 days to get. This also includes getting health insurance quotes or health insurance plans.
    For example, we live in Utah, and if you want to get a Utah health plan, there is a local company that just asks for your age and zip code and then, bingo, you have over 50 plans to choose from and can apply online. Saving money and time for everyone.
    Now why don’t they do this with health care records and transfer of info? They need to find companies that see ahead to the future of health care and invest in these types of firms.

  6. Unless it is quick, user friendly, with historical images available for evaluation by the immediate health care team, it will fall into the category of we can make it but it is not meaningfully useful to the users, thus, so what.

  7. We are talking about the same thing. oAuth = http://oauth.net. Similar to OpenID but with a narrower focus. Twitter is a pure oAuth implementation but Facebook Connect is slightly different. We set up both in recent weeks.
    Alan Viars

  8. Alan,
    Are we talking about the same thing? OATH [ http://www.openauthentication.org/ ] is about authentication of a user, biometrics and such.
    OAuth [ http://oauth.net/ ] is about authorization and is independent of whether the user signs in with a password or biometrics or OpenID. As Wikipedia puts it: “OAuth is a complementary but distinct service to OpenId.”
    That said, I agree with you that web standards tend to be more open than HL7 and other industry-specific standards and should be preferred whenever possible.

  9. We have embraced and implemented oAuth in the Videntity platform as one of many options for authentication. I find it simpler than OpenID, although we plan to implement OpenID too.
    If I have a weak password on one site, say Twitter, then if I use oAuth to access another health site, then access to the health care site also has in essence a weak password.
    Do you think there is room for biometrics in health care? Many people think so and many other people are scared of the idea. Biometrics, implemented properly could do a lot to solve the master patient index (MPI) federation problem.
    Still the larger problem is the closed nature of many health informatics standards such as HL7. We need true open standards if we want things to really work.
    An equally large problem is the fact that many doctors simply do not want to provide patients access to their records. Exposure to litigation is one of many reasons this is so.
    Alan Viars, CEO