The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2017-01-31

Dan Burnett is scribing.

Topic: Agenda Review and Introductions

Dan Burnett: Want to give heads up about starting requirements at some point on the call
Dan Burnett: Will start a process to move from use cases to requirements [scribe assist by Matt Stone]
Dan Burnett: Look for email this week. [scribe assist by Matt Stone]
Dan Burnett: Purpose it to focus on the work on datamodel and syntax document [scribe assist by Matt Stone]

Topic: Status of Verifiable Claims WG creation

Manu Sporny: No update. Chairs should reach out and take over getting updates from them.
... Wendy Seltzer, Phil Archer, and Dave Raggett. Will put you in touch with them.

Topic: Possible VCWG F2F week of March 21st 2017

Manu Sporny: Considering March 21st because of other groups meeting in Chicago that week (payments, etc.). Proposal is to tack onto the beginning of their week. VCWG, then Web Payments IG (incl. digital offers), then Web Payments WG
... would be Tue/Wed for most of us, then payments for others. if we want to do this, we need to announce and get a venue. Does group want to commit to meeting then?
Shane McCarron: There might be another venue option too - dezell had some ideas.
Nate Otto: Is w3c membership required for this proposed meeting?
Joe Kaplan: Is meeting open to the public?
Manu Sporny: No, member only.
Matt Stone: Chairs can make exceptions for guests/visitors
Manu Sporny: The policy for Invited Experts has changed recently. Verify with W3C. IPR concerns are always an issue.
... can ask, but may be difficult.
Dan Burnett: This is one of the reasons for future meetings like this, we may want to do this, future decision, we need to start planning process earlier. If we're always going to be meeting w/ WPIG, we need to work with them for determination of dates. [scribe assist by Manu Sporny]
Dan Burnett: For future meetings, we need to start planning sooner. And coordinate w/ the Payments group if we're going to generally align dates [scribe assist by Matt Stone]
Manu Sporny: This is as soon as we could do begin in this case. payments just announced [scribe assist by Matt Stone]
Dan Burnett: Don't want this to be a surprise in the future, we need to have a meeting when the VCWG forms, we need to know about this stuff as early as possible. [scribe assist by Manu Sporny]
Dan Burnett: Thought our group was going to be a "public" group. [scribe assist by Matt Stone]
Nate Otto: Alternative: Digital Badges & Credentials Summit in Orlando, Feb 28, open to the public, but part of IMS Digital Badges & Credentials initiative, to be followed by other meetings that are limited to IMS members..
Nate Otto: We could probably get free space Wednesday March 1 during the Open Badges Community meeting, which is looking sparsely attended. Good chance this group would be welcome if we move quickly.
Gregg Kellogg: What about policiies around the mailing list(s)? Have they changed?
Manu Sporny: Not that I know of. The are member-only lists for IPR-related discussions, but not for the general list.
Gregg Kellogg: If we encourage the use of email then that gives us an opportunity to be fairly open.
Shane McCarron: It is not just the monetary value of members. There are also IPR commitments that are needed.
... W3C is concerned about this.
Dan Burnett: Yes, the chairs will be monitoring visitors to ensure that comments from them do not cause potential IPR risks for others. Contributions will have to satisfy W3C IPR disclosure requirements.
Shane McCarron: +1 For a meeting on 21 March in Chicago.
Shane McCarron: Is it okay with Staff Contact for us to have such a meeting? Can they attend?
Matt Stone: Todo: (chair) confirm/coordinate w/ staff contact can participate
ACTION: Chairs to verify with Staff contacts that meeting is okay and they can attend.
Gregg Kellogg: +1
John Tibbetts: Unsure of attendance at this time
Shane McCarron: +1
Manu Sporny: +1 For Chicago meeting VCWG
Matt Stone: +1 For Chicago
Matt Stone: Who thinsk we shoudl have this meeting?
Adam Lake: +1
Adrian Gropper: Busy
Matt Stone: Any objections?
Adrian Gropper: -1
Jonathan Holt: Abstain, not a member yet.
John Tibbetts: +1 For having a meeting; ? if I can attend
Shane McCarron: (I note that I am happy meeting another time - this was just convenient and it was my idea)
Dan Burnett: We will also verify on the list for those who are not on today's call.
Matt Stone: There is sufficient interest for us to contact Staff Contacts about this.
Jonathan Holt: I'm still trying to convince the ABMS to become a member. If unsuccessful, I will consider joining myself.

Topic: Use Cases Framework Discussion

Joe Kaplan: Last week we focused on the prescription use case. questions came up about privacy.
Joe Kaplan: We will discuss privacy engineering around this use case today.
... anyone familiar with this approach?
Adam Migus: Me
Adam Migus: Yes, I am
... reading Gropper's use case, what are the domains in this use case and what is available for correlation across those domains.
... there are phyiscian, patient, pharmacist, deliverer, state monitoring service,
... adam, are these the entities?
John Tibbetts: Sometimes it would be service and sometimes a person who would reviewer. The PVMP is a registry, the physician is a person.
Joe Kaplan: (Missed)
Jonathan Holt: Rx monitoring is a service, but Dr. needs to review the Rx history for the patient.
Adam Migus: Insurance not needed in the simplest possible case, but for completeness yes.
... patient is allowed to pay cash by law
Joe Kaplan: What info does the insurance system need in this transaction.
Adam Migus: Insurance introduces formulary that physician may want to consult. so adds two layers.
Joe Kaplan: Formulary is what insurance will pay for (and how much)
Jonathan Holt: Also consider the person picking up the Rx, could be a family member of care giver.
... two external domains: pharma and marketing firms (not inside trust boundary). anything else?
Jonathan Holt: Learning systems in medicine that monitor for adverse reactions (eventually). ongoing monitoring methods, but we can leave off for now.
Adam Migus: A complete list would include adverse drug reports to FDA, for devices would need their identifiers to be tracked as well . both extetrnal registries
Joe Kaplan: They are similar actors in that they prescribe these.
Jonathan Holt: Also, labs in the future world of Pharmacogenomics, genome-informed medicine. Future work.
Adam Migus: Devices are required to have serial numbers by law
Joe Kaplan: Prescription, delivery address, and patient id. any other data we need to track?
Jonathan Holt: Person picking up prescription (caregiver, etc.).
Joe Kaplan: Different from deliverer?
Jonathan Holt: Deliverer is pharmacy.
Joe Kaplan: Delivery services are because pharmacy may give to someone to deliver
Richard Varn: What about generic category of agent? Could be patient, caregiver, etc. who takes care of picking up, ordering, etc.
... we may not know every possible function in advance.
Adrian Gropper: The pharmacy can deliver to the physician so only the physician knows the patient - as in giving out samples
Joe Kaplan: Sounds good. historically delegation is complex. delivery service/caregiver do fit under agent.
Matt Stone: Regarding adverse drug reactions, this seems like a new use case that would require deeper access
... let's not get too far away from delivering prescription
... don't go into what an adverse reaction is. don't guess about what we need to deliver to them.
Joe Kaplan: Data set: prescrition, delivery address, patient info. anything else?
Nate Otto: Does PII include previous prescriptions?
Joe Kaplan: Not in my definition. is there a link in this prescription to prior ones?
Adam Migus: No. in practice dr might consult a registry but that doesn't need to be part of the use case.
Matt Stone: Correlation?
Joe Kaplan: Part of what we don't want correlation around is between this and other prescriptions.
Adam Migus: We want to control but not prevent.
... in the opioid case we want to control for this even though no registry is implied.
Joe Kaplan: So maybe we need to monitor this as a data item.
... delivery address and patient identity also
Adam Migus: Use agent and take delegation out of it. context and data actions are important and need to be dealt with separately.
... if data actions are different with two prescriptions separate them.
Manu Sporny: +1 To what Adam Migus just said
Joe Kaplan: Let's make agency out of scope for this use case.
Matt Stone: +1
Adrian Gropper: Fine by me. have to deal with phys giving out samples. there is no pharmacy here.
Joe Kaplan: Will include items that are out of scope for certain use cases but included in general
... in each domain, need to identiy actions that occur in those domains.
Adam Migus: Context and domain are different.
... if we have either/or situations, deal with them using separate data actions.
Joe Kaplan: Re privacy, are there different contexts or a single one?
Adam Migus: Each use case has a context associated with it.
Joe Kaplan: UC should have a single context.
Adam Migus: The UC then would have data that traverses from domain to domain. context is relationship between dr and prescribee, for example
Nate Otto: +1 To selecting a specific use case from the cluster of options (i.e. explicitly deciding whether this case is controlled substance vs not, who the delivery agent works for, etc.)
... Sean (sp?) Brooks has spreadsheets that walk through the entire privacy process. Should I get those for us to use? I don't know if they're public. If we can use them they will really help this kind of discussion. I'll try.
Manu Sporny: +1 To following the worksheets.
Joe Kaplan: Great!
Adam Migus: Will get back to you.
Joe Kaplan: There are references to registries here and assumptions around credentials. How do we know Dr is authorized to prescribe
Adrian Gropper: Yep, very important. for controlled substances, ability to e-sign is dealt with by the Dr's employer. For others it is entirely at ?? discretion
... In typical case, checking credentials is at the option of the pharmacy.
Joe Kaplan: Can we pick one? (controlled or not, for this UC)
Adam Migus: Yes, that was my point. pick one.
Adrian Gropper: We have to do both.
Adam Migus: Start with non-controlled, then build a second UC on top for controlled.
Jonathan Holt: Agree, do both.
... assuming controlled is more complex.
Manu Sporny: So what's next? joe needs to write up a summary of the discussion and point people to it.
... will we have a google doc summarizing this or the worksheets adam mentioned?
Joe Kaplan: Will put my notes in the github issue. should it be somewhere else?
Manu Sporny: Use cases
... (use case issue)
Jonathan Holt: For non-controlled it's often still done via fax. Controlled is more interesting.
ACTION: Joe Andrieu will update issues in github use cases repo.
... Need to do both, non-controlled first.
Adam Migus: Ok