
The Dog’s OAuth

Adrian Gropper

A simple technology for linking EHRs will have a major impact on health care.

We’ve all heard the one about what the barking dog does when it catches the car.

The dogs of health IT seem to have caught their car when the Interim Final Rule for standards for meaningful use accepted certification of “EHR Modules” and left it up to the marketplace to decide how the modules would communicate with each other. I think ONC deserves much praise for a very fair and innovation-friendly approach.

OAuth is a relatively simple Web standard for authorizing a limited link between one server and another. Some describe it as a valet key to your car that allows you, the owner, to give the valet a key that doesn’t open the trunk or let the car go more than 30 mph. When two EHR servers or two EHR modules are linked via OAuth they can be anywhere on the Web and they can be operated by completely different enterprises. The authority to establish and limit the link can come from the patient directly or from a provider under the HIPAA laws.

The impact on health care comes from the power of OAuth to catalyze modular EHRs by providing the same free interface inside and outside an institution. Current institution-centered EHRs, favored by the cats, don’t need OAuth interfaces or CCRs to achieve meaningful use certification because one vendor controls one database for one institution.

Under the IFR rules, a new generation of EHRs will now be possible in which multiple vendors can benefit from free and efficient interfaces even within a single institution. In radiology, the DICOM standard allows CT scanners from vendor A and MR from vendor B to work seamlessly with workstations from a vendor that knows nothing about either CT or MR, and with long-term off-site storage at a service that works with all CT, MR and workstation vendors. Vendors seldom charge for DICOM interfaces, and many have adopted or adapted open source software for the DICOM stack as a way to reduce costs and improve quality.

Compared to DICOM, OAuth will be revolutionary. This is because DICOM is some 25 years old and was never intended to cross firewalls or to support the strict HITECH Act “accounting for disclosures” privacy mandates. OAuth, by working seamlessly across the Internet, enables cloud-based and patient-centered EHR architectures that will drive decision support for clinicians, informed consent for patients and rapid innovation for institutions as health records portability becomes the norm.
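The valet-key idea and the disclosure accounting described above, as an added sketch that is not part of the original post: a record-holding server issues a grant limited to one patient, one client module, named scopes and an expiry, then checks and logs every request made with it. The HMAC-signed token is a simplified stand-in for the OAuth wire protocol, and every name, scope string and key below is a constructed assumption.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # constructed value; never hard-code a real key
DISCLOSURES = []                      # accounting-of-disclosures log (in memory here)

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_grant(patient, client, scopes, ttl, now=None):
    """The patient (or a provider) authorizes `client` for `scopes` for `ttl` seconds."""
    now = time.time() if now is None else now
    claims = {"pat": patient, "cli": client, "scp": sorted(scopes), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(SERVER_KEY, body, hashlib.sha256).digest())

def _check(token, patient, scope, now):
    """Return (claims or None, reason). The signature is verified before claims are parsed."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None, "malformed token"
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return claims, "expired"
    if claims["pat"] != patient:
        return claims, "wrong patient"
    if scope not in claims["scp"]:
        return claims, "scope not granted"
    return claims, "ok"

def access(token, patient, scope, now=None):
    """Resource-server gate: decide, and record the decision whether allowed or denied."""
    now = time.time() if now is None else now
    claims, reason = _check(token, patient, scope, now)
    DISCLOSURES.append({"at": now, "client": claims["cli"] if claims else None,
                        "patient": patient, "scope": scope, "result": reason})
    return reason == "ok"
```

Denied requests are logged alongside granted ones, so the same record serves both the patient's accounting of disclosures and detection of a module probing beyond its grant.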

Elizabeth Cohen’s wonderful article on CNN [ http://www.cnn.com/2010/HEALTH/01/14/medical.records/index.html ] and Dave deBronkart’s rallying cry just might ignite a revolution catalyzed by the simplicity and transparency of OAuth and redefine the physician-patient contract in 21st-century terms.

Adrian Gropper, MD is a founder of MedCommons, with roots in patient-controlled and patient-centered health records that go back to MIT’s Guardian Angel project. AMICAS, a more recent radiology-focused venture, pioneered the clinical use of Web browsers and protocols. Adrian is driven by the vision of doctors and patients collaborating around shared health records on the Web.

southend taxi firms
Guest

Thanks for another excellent post. Where else may anybody get that kind of information in such a perfect means of writing? I have a presentation next week, and I am at the look for such information.

woman
Guest

Thanks for one’s marvelous posting! I actually enjoyed reading it, you happen to be a great author.

I will remember to bookmark your blog and may come back from now on. I want to encourage one to continue your great job, have a nice evening!

David
Guest

Hello Jabbett, I was wondering that too. It appears that adoption has been slow, but there are some positive signs. The HL7 standards are working with OAuth. Indivo uses OAuth (Indivo was used in a recent MIT hackathon). The SMART Platform uses OAuth (the SMART Platform is funded by the feds; the ONC). I couldn’t find any examples of actual doctors or hospitals using OAuth.

jabbett
Guest

Three years later, have you seen any adoption of oAuth?

Never mind EHR interoperability, there’s a whole universe of web and mobile health apps that are craving Twitter- or Google-like connectivity with hospital systems.

dog training nyc
Guest

Your way of telling all in this article is actually fastidious, every one be able to without difficulty be aware of it, Thanks a lot.

Mark
Guest

Medical records, and transfer of information needs to be live and not taking these doctors 1 or 2 days to get. This also includes getting health insurance quotes or health insurance plans. For example we live in Utah and if you want to get a Utah health plan, there is a local company that just asks for your age and zip code and then bingo you have over 50 plans to choose from and can apply online. Saving money and time for everyone. Now why don’t they do this with health care records and transformation of info. They need to…

propensity
Guest

Unless it is quick, user friendly, with historical images available for evaluation by the immediate health care team, it will fall into the category of we can make it but it is not meaningfully useful to the users, thus, so what.

Alan Viars
Guest

We are talking about the same thing. oAuth = http://oauth.net. Similar to OpenID but with a narrower focus. Twitter is a pure oAuth implementation but Facebook Connect is slightly different. We set up both in recent weeks.
Alan Viars
@aviars

Adrian Gropper
Guest

Alan,
Are we talking about the same thing? OATH [ http://www.openauthentication.org/ ] is about authentication of a user biometrics and such.
OAuth [ http://oauth.net/ ] is about authorization and is independent of whether the user signs in with password or biometrics or OpenID. As Wikipedia puts it: “OAuth is a complementary but distinct service to OpenId.”
That said, I agree with you that web standards tend to be more open than HL7 and other industry-specific standards and should be preferred whenever possible.
Adrian

Alan Viars
Guest

We have embraced and implemented oAuth in the Videntity platform as one of many options for authentication. I find it simpler than OpenID, although we plan to implement OpenID too. If I have a weak password on one site, say Twitter, then if I use oAuth to access another health site, then access to the health care site also has in essence a weak password. Do you think there is room for biometrics in health care? Many people think so and many other people are scared of the idea. Biometrics, implemented properly, could do a lot to solve the master…