1. Automate Blue Button Initiative Pull Workgroup Meeting December 13, 2012

2. Meeting Etiquette Remember: If you are not speaking, please keep your phone on mute Do not put your phone on hold. If you need to take a call, hang up and dial in again when finished with your other call o Hold = Elevator Music = frustrated speakers and participants This meeting is being recorded o Another reason to keep your phone on mute when not speaking Use the “Chat” feature for questions, comments and items you would like the moderator or other participants to know. o Send comments to All Panelists so they can be addressed publically in the chat, or discussed in the meeting (as appropriate). From S&I Framework to Participants: Hi everyone: remember to keep your phone on mute All Panelists 2

3. Announcements and Reminders 3 Meeting Reminders and Announcements – Next Pull Workgroup Meeting is Tuesday, December 18 th, 2012 from 3:00 – 4:00 pm Eastern. – Pull Workgroup Meetings for December 25, 2012 and January 1, 2013 are CANCELLED due to the holidays.

4. Agenda TopicTime Allotted Welcome and Announcements5 minutes Boot strap Slide Overview (Adrian G.)15 minutes Implementation Guide Outline20 minutes APIs Discussion - Defined10 minutes Open Questions (discussion cont’d from 11/27/2012 meeting)10 minutes Next Steps / Reminders 4

5. Pre- Discovery Discovery Reference Implementations  Agreed and voted on charter, including  Scope  Timeline  Deliverables  Open call for straw man proposals for PULL scenarios  Review background information from other S&I groups like RHex Project  Discuss advantages and disadvantages of proposed straw men  Identify proposal(s) to invest in  Write draft implementation guide  Identify 1-2 partners that can build proof of concepts for PULL  Have 1-2 partners demonstrate the technical feasibility of the implementations Implementation Guidance Implementations  Refine use cases based on reference implementations  Refine implementation guide based on reference implementations  2-4 full implementations that reflect implementation guidance PULL Current Status Pull Workgroup1 5

11. See “Normal” PPT view for all meeting notes (in Notes section below)

15. Implementation Guide – Time to Start Drafting Suggested Outline Giving a patient a web address to PULL from Authentication Authorization API guidelines Trusting third parties with PULL access

16. Implementation Guide – Time to Start Drafting Suggested Content Giving a patient a web address to PULL from – Unique URL for pull functionality Authentication – Existing login credentials, using OAuth Authorization – OAuth – How long do authorizations last / ability to cancel – Synchronization of request / granting access – What does a sample patient consent to PULL look like API guidelines – Generalize across APIs presented to the group – Date ranges (Send me everything, send me info for last 3 years, send me only the latest, etc.) – Frequencies and triggers Comment: potentially confusing? Our original scope statement was on-demand (~n times) – Document types Trusting third parties with PULL access – Trust framework necessary for a dataholder to implement PULL. What are criteria for being included in trust group? How is it governed and managed? Audit Capability (based on BB logging?)

17. Open Questions / Discussion Areas (cont’d from 11/27/2012 Meeting) How is app registration handled? – There is a draft spec (out of OpenID Connect) that allows dynamic user registration; Rhex profiled; OAuth 2.0 dynamic client registration protocol. – Scenario: how can we revoke application registration? When you want to authorize, you have to authenticate using the client credentials to the token endpoint; at that point the token endpoint can make a decision about whether or not to accept those credentials. How do you promulgate status (good, bad or otherwise) across a system? App could be responsible for it. But if the app is the rogue entity, then you do need something like a centralized registry. Other option is an ABBI provider dealing with the authorization endpoints; OAuth 2.0 has the ability to support both the resource endpoint and the authorization endpoint and those can be separate. – To Answer: Are there technical solutions to this or are they more policy? How do data holders restrict “abusive” apps? How do developers discover how to interact with third parties? How can we ensure/validate end-points?

18. Next Steps / Meeting Reminders 18 Next Steps – Homework Meeting Reminders – Next PULL Workgroup Meeting is Tuesday, December 18, 2012 @ 3:00 pm Eastern. – Pull Workgroup Meetings for December 25, 2012 and January 1, 2013 are CANCELLED due to the holidays. – The next Community Meeting will be announced. Useful Links – http://wiki.siframework.org/Automate+Blue+Button+Initiative http://wiki.siframework.org/Automate+Blue+Button+Initiative Contact Information – Initiative Coordinator: Pierce Graham-Jones (pierce.graham-jones@hhs.gov)pierce.graham-jones@hhs.gov – Presidential Innovation Fellow: Ryan Panchadsaram (ryan.panchadsaram@hhs.gov)ryan.panchadsaram@hhs.gov – Project Manager: Jennifer Brush (jennifer.brush@esacinc.com)jennifer.brush@esacinc.com – S&I Admin: Apurva Dharia (apurva.dharia@esacinc.com)apurva.dharia@esacinc.com