MedMid Conference Call
11-July-2002

*Attendees*
Jack Buchanan - U.T. Memphis (Chair)
Steve Olshansky, Internet2
Jere Retzer, Oregon Health & Science University (OHSU)
June Moody, AAMC
Michael Gettes, Georgetown
Mary Kratz, Internet2
Bill Gordon, U. Cincinnati
Jeanette Fielden, Internet2

*Discussion*

The call focused on the work plan scenarios of the Internet2 Medical Middleware (MedMid) Working Group.

Scenario 2.1: It was agreed that if a visiting doctor is given access to specific patient records at another health care facility, he could either be going physically to the facility or virtually accessing the information from another location. An example of the visiting scenario: a doctor works for a clinic, a patient is admitted to a hospital, and the doctor is granted privileges at that hospital to treat the patient. The doctor goes to see the patient, accesses records relating to care while there, initiates orders, etc. A remote scenario would consist of remote access to that same information from an office or clinic. Two ways were identified to grant access: 1) a local ID is issued at hospital B, or 2) the physician authenticates through his original office or clinic and is granted access through that credential. The emphasis is on authentication, where it occurs, and how it is trusted, not on the actual logging in.

A key recurring theme of the discussion was: Should relationships be institutional, personal, or both? Is the relationship between the individual and the institution being visited, or between the institution where the person is authenticated and the institution where additional access is being requested? That is, is this really a visiting physician scenario, or is it a matter of trusted authentication elsewhere and then gaining access at a particular facility? Do you trust the identity from another institution? How do we define a trust relationship between institutions? If a physician loses his privileges at his home institution, how do you track this to revoke privileges elsewhere? This implies business relationships between institutions and a designated institution that is authenticated against. There could be different levels/roles depending on affiliations (medical, administrative, teaching, etc.). So a doctor could lose his medical privileges but still have administration privileges spread across different institutions.

It was acknowledged that a common vocabulary and definition of roles is going to be essential to creating uniform processes for handling these types of scenarios. It will also be complicated, since applications may perform operations in a particular way. The consensus was that, while defining roles is beyond the scope of the current effort, it should be designed so that roles can be incorporated at a later point.

After extensive discussion it was concluded that consulting someone with a legal perspective might offer some insight into how institutions structure agreements that would enhance the feasibility of the scenarios.

1. [AI] 11-July-2002 (Mary Kratz) Will consult a legal contact at University of Michigan about standardized legal contracts regarding inter-institutional relationships for resource access.

2. [AI] 11-July-2002 (All) Review the scenarios attached to the July 11 conference call announcement. Forward comments and observations to the list and mail document modifications to Steve Olshansky.