Subject: Comments for XSPA 2.0 SAML profile


1. The NwHIN Authorization guide specifies the use of a pseudo-xspa
subject id attribute of "urn:oasis:names:tc:xspa:1.0:subject:subject-id"
instead of using the XACML subject-id as called out in the XSPA 1.0 and
2.0 draft. Should we care?

2. The NwHIN Authorization guide specifies the use of a structured HL7 type
as the attribute value for the purpose of use and role attributes. We
decided to reference other sources for the value of these attributes, but
should we copy the concept of a coded type or just leave the value lacking
the notion of a code system? The commonly accepted health care IT practice
when it comes to standards seems to prefer using coded or strongly typed
values, so I advocate a similar approach for consistency's sake.

3. We have "urn:oasis:names:tc:xspa:2.0:resource:type" and
"urn:gov:hhs:fha:nhinc:service-type". The XACML action-id is still unused
and I suggest eliminating both of these attributes in favor of the XACML
action-id.

4. The patient id is represented by the XACML resource-id attribute, and
the provider is represented by the NPI. However, the NPI can represent
both a provider and a clinic. We should break this attribute into
provider and clinic NPI attributes to avoid any mixup and allow for the
reliable identification of a physical location in a privacy policy.

5. The subject-id is reserved for the requestor's free-text name. Names are
not unique identifiers and are not suggested for access control decisions.
I suggest changing the XACML profile to make the subject-id optional and
the NPI mandatory.

6. An alternate suggestion for the handling of unique identifiers is to
replace the NPI attributes with equivalent attributes for a subject unique
identifier, provider unique identifier, and clinic unique identifier.


Regards,


Michael Dufel
Jericho Systems Corporation
Toll Free:  877.231.2200
Local:  972.231.2000
Fax:  972.234.1100
EnterSpace Technology:  Tools that Rule®
All rights reserved. Product names are trademarked by their respective
companies.  EnterSpace Technology is covered under United States Patents
7,779,247, 7,792,828, and 8,060,504.
The information contained in this e-mail and all attachments transmitted
with it is the Confidential and Proprietary information of Jericho Systems
Corporation.  If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the
intended recipient, you are hereby notified that any dissemination,
distribution, copying, or other use of this message or its attachments is
strictly prohibited. If you have received this message in error, please
notify the sender immediately by replying to this message and please
delete it from your computer.
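The checks argued for in points 1, 2 and 5 above (accept the XACML subject-id name, require coded values for role and purpose of use, and base the access-control identity on the NPI rather than the free-text subject-id) can be expressed as a small validator over a SAML AttributeStatement. The following is an added example, not code from the message author, Jericho Systems, or the XSPA TC. The two subject-id URNs are the ones quoted in the message and the XACML action/resource names are standard; the URNs assumed for the NPI, role and purpose-of-use attributes, the code-system OIDs, the NPI value and both sample statements are constructed for this example. The NPI check digit is computed with the Luhn algorithm over the digits prefixed by 80840, which is how NPI check digits are defined.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names quoted in the message.
XSPA_SUBJECT_ID = "urn:oasis:names:tc:xspa:1.0:subject:subject-id"
XACML_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
# Assumed attribute names for NPI, role and purpose of use (not given on the page).
NPI_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:npi"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
PURPOSE_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
CODED_ATTRS = (ROLE_ATTR, PURPOSE_ATTR)

# Constructed sample: coded role/purpose, valid NPI, XACML subject-id name.
GOOD_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML}" xmlns:hl7="urn:hl7-org:v3"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="{XACML_SUBJECT_ID}">
    <saml:AttributeValue>Example Provider</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{NPI_ATTR}">
    <saml:AttributeValue>1234567893</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{PURPOSE_ATTR}">
    <saml:AttributeValue><hl7:PurposeOfUse xsi:type="hl7:CE" code="TREATMENT"
        codeSystem="9.9.9.example" displayName="Treatment"/></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ROLE_ATTR}">
    <saml:AttributeValue><hl7:Role xsi:type="hl7:CE" code="PHYS"
        codeSystem="9.9.9.example" displayName="Physician"/></saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: XSPA-named subject-id only, no NPI, free-text purpose.
BAD_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="{XSPA_SUBJECT_ID}">
    <saml:AttributeValue>Example Provider</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{PURPOSE_ATTR}">
    <saml:AttributeValue>Treatment</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attribute_statement(xml_text):
    """Return {attribute Name: [AttributeValue elements]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        out.setdefault(attr.get("Name"), []).extend(attr.findall(f"{{{SAML}}}AttributeValue"))
    return out


def coded_value(value_elem):
    """Return (code, codeSystem) when the value carries a coded child element, else None."""
    for child in value_elem:
        if child.get("code") and child.get("codeSystem"):
            return child.get("code"), child.get("codeSystem")
    return None


def npi_is_valid(npi):
    """NPI: exactly 10 digits; Luhn check digit computed over '80840' + NPI."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def review_subject(attrs):
    """Findings against the three points; an empty list means the statement passes."""
    findings = []
    # Point 1: report the XSPA 1.0 subject-id name when the XACML name is absent.
    if attrs.get(XSPA_SUBJECT_ID) and not attrs.get(XACML_SUBJECT_ID):
        findings.append("subject-id sent under the XSPA 1.0 name, not the XACML name")
    # Point 5: the free-text name is not an identifier; the NPI must be present and valid.
    npis = [(v.text or "").strip() for v in attrs.get(NPI_ATTR, [])]
    if not npis:
        findings.append("NPI missing: no unique identifier for the requestor")
    elif not all(npi_is_valid(n) for n in npis):
        findings.append("NPI fails format or check-digit validation")
    # Point 2: role and purpose of use must be coded (code + codeSystem), not bare text.
    for name in CODED_ATTRS:
        for v in attrs.get(name, []):
            if coded_value(v) is None:
                findings.append(f"{name.rsplit(':', 1)[1]} is not a coded value: {(v.text or '').strip()!r}")
    return findings


def access_control_identity(attrs):
    """Identity a PDP should key decisions on: a valid NPI, never the subject-id name."""
    npis = [(v.text or "").strip() for v in attrs.get(NPI_ATTR, [])]
    return npis[0] if npis and npi_is_valid(npis[0]) else None


if __name__ == "__main__":
    for label, stmt in (("good", GOOD_STATEMENT), ("bad", BAD_STATEMENT)):
        attrs = parse_attribute_statement(stmt)
        print(label, "identity:", access_control_identity(attrs), "findings:", review_subject(attrs))
```

The validator deliberately never returns the subject-id as the identity: if the NPI is absent or malformed the result is `None`, so a policy decision point built on it cannot silently fall back to matching on a name.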