Authentication

  • Question

  • Hi,

    I am new to HealthVault and I have a few questions:

    1. I understand that HealthVault allows records to be created. Are these records accessible by others? And who are they accessible to?

    2. How is this access assigned if there is one?

    3. Using the API, is it possible for an application to receive notifications when one is accessing my records or trying to change them? Is it possible to grant access on a per-access basis?

    4. Is it possible to programmatically change the access restrictions of a record or profile?

    Thursday, July 8, 2010 5:13 PM

All replies

  • Hi,

    In HealthVault, the user is always the one who owns all access to his data. No other users or applications can use the data without the explicit permission of the user.

    1. Records created in HealthVault are by default only accessible to the owners of the record. Then the user can opt to give other users custodian permissions for the record as and when needed. Once the other users receive the permissions from the owner, they will also have the acquired permissions.

    2. The permission set is decided by the actual owner of the record.

    3. For any application to access any data from a record, the application will first have to be authorized by the record owner. Each application, during the authorization process, will specify the set of permissions and the set of data types the application wants access to. Users can choose to allow the application these permissions. In Online authentication based applications the user will always have to be signed in, so the user will be aware of the changes happening, but for Offline based applications the updates will be done automatically in the background without the user being present. Please note here that both of these will be possible only after the user authorizes the application to do it.

    4. Applications can revoke the permissions on the records but cannot add extra permissions by themselves without the consent of the user. Some applications use the optional authorization mechanism to request permissions to additional data types. This also has to be authorized by the user.

    Thanks and Regards,

    Aneesh D.

    Thursday, July 8, 2010 5:25 PM
  • Aneesh,

    Thank you very much for the prompt reply.

    I am interested in the authorization process. In your 4th point you mention that some applications use the optional authorization mechanism to request permission to additional data types. I was thinking of writing a mobile application in which whenever anyone wanted to access the user records the user receives a notification on their mobile device. The user's response to this notification will be the authorization of access or no access. Do you think that is a feasible application?

    Thanks,

    Bardia.

    Thursday, July 8, 2010 6:00 PM
  • Bardia,

    In the scenario that you have specified, you can surely use the optional authorization mechanism provided by HealthVault. Optional authorization is meant for those data types which do not come in the main workflow of the application, i.e., not having permission to those data types will not block the application's normal flow.

    Here, as you have mentioned you are developing a mobile application, I have to mention the following. We have previous experience from our partners suggesting that the existing HealthVault authentication steps are not very well suited for the mobile platform (we are currently working to improve this as soon as possible). Because of this, most of the mobile applications use Offline access to the records rather than Online access, to avoid the authorization process which would otherwise have to happen on the mobile device. So if you are also opting for Offline access, my suggestion is that, in the scenario you mentioned, you can verify the user's willingness to upload the specific data from the application itself (for example, pop up a dialogue box with a "Yes" or "No" option) rather than using the HealthVault mechanism for it.

    You can try using the optional authorization in the application and see if it suits all your requirements for user interface etc. If it is fine, go ahead and implement it that way. If not, you can do a verification at the application level.

    Thanks and Regards,

    Aneesh D.

    Thursday, July 8, 2010 6:22 PM
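
The authorization rules described in the two answers above, modelled as an added example that is not part of the original posts and is not HealthVault SDK code. The class, method, data type and permission names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AppGrant:
    """Toy model of one application's access to one record (names are hypothetical)."""
    required: dict                 # data type -> permissions needed for the main flow
    optional: dict                 # data type -> permissions asked via optional authorization
    offline: bool = False          # Offline apps may act while the user is not signed in
    granted: dict = field(default_factory=dict)

    def authorize(self, owner_consents, accepted_optional=()):
        """Only the record owner can create or widen a grant."""
        if not owner_consents:
            raise PermissionError("record owner declined; nothing is granted")
        self.granted = {t: set(p) for t, p in self.required.items()}
        for t in accepted_optional:
            self.granted.setdefault(t, set()).update(self.optional[t])

    def app_revoke(self, data_type, perm):
        """An application may give up its own permissions without the user."""
        self.granted.get(data_type, set()).discard(perm)

    def app_add(self, data_type, perm):
        """An application can never add permissions on its own."""
        raise PermissionError("extra permissions need the record owner's consent")

    def check(self, data_type, perm, user_signed_in):
        # Online apps act only while the user is signed in; Offline apps may
        # run in the background. Both stay inside what the owner granted.
        if not self.offline and not user_signed_in:
            return False
        return perm in self.granted.get(data_type, set())


def demo():
    """Run the constructed scenario and return each access decision."""
    app = AppGrant(required={"weight": {"read", "create"}},
                   optional={"medication": {"read"}}, offline=True)
    before = app.check("weight", "read", user_signed_in=False)
    app.authorize(owner_consents=True)          # optional request not accepted
    main_flow = app.check("weight", "create", user_signed_in=False)
    optional = app.check("medication", "read", user_signed_in=False)
    app.app_revoke("weight", "create")
    after_revoke = app.check("weight", "create", user_signed_in=False)
    return before, main_flow, optional, after_revoke
```
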
  • Aneesh,

    The aim of the application that I am writing is solely for authentication. The app would stand in between HealthVault and the person or app trying to access the data. So my application would be only a service for authentication and will not provide any medical data uploads or downloads. The idea is to allow owners to provide access more easily on the mobile phone rather than on the web.

    I will investigate more and will surely come up with more questions. Thank you very much for your help.

    Regards,

    Bardia.

    Thursday, July 8, 2010 6:49 PM