Auth+PurposeOfUse+Research

=Error in the Implementation of Purpose Of Use=

**Background:**
During conformance testing for VLER, the Nationwide Health Information Network Testing team and CONNECT uncovered a disparity between the specified value specified for the  element and the value implemented by CONNECT and Kaiser.

Nationwide Health Information Network has adopted the Cross Enterprise Security and Privacy Authorization (XSPA) SAML profile, which specifies the purposeofuse  element. The Auth Framework further specifies the use of a SAML  element, PurposeOfUse, as a child to the  element. The normative text from section 3.3.2.6 of Auth Framework 2.0 is contained below:

> **"3.3.2.6 Purpose of Use Attribute** > This  element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse” . The value of the  element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification." > The example syntax for the PurposeOfUse  element contains a typo and mistakenly reads PurposeForUse >  >  > For Use xmlns="urn:hl7-org:v3" xsi:type="CE" code="OPERATIONS" > codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" > displayName="Healthcare Operations"/> > <span style="background-color: #c0c0c0; display: block; font-family: 'Courier New',Courier,monospace;"></saml:AttributeValue> > <span style="background-color: #c0c0c0; display: block; font-family: 'Courier New',Courier,monospace;"></saml:Attribute>

CONNECT, Kaiser, and Medicity followed the example syntax and implemented Purpose**For**Use. [We are checking with Med Plus] As such, they were unable to pass conformance testing for the VLER pilot. ONC granted a waiver as a short term solution to allow the VLER timeline to proceed.

Issue/Question:
Short term solution needed: > The error contained in the example of the currently published specification is obviously causing confusion among implementers. We need an immediate solution which will prevent variable interpretation and lead to interoperability issues and re-work.

Long term solution needed: > This is the first, but it will certainly not be the last substantive change to specifications that Nationwide Health Information Network Exchange will face. We need to develop a recommended solution for this particular issue as well as a specifications versioning and transition plan.

Proposed Short Term Solution:
> Our objective is to ensure interoperability among Nationwide Health Information Network Gateways. All known Nationwide Health Information Network Gateway developers (CONNECT, Kaiser, Medicity, MedPlus, and InterSystems) have implemented Purpose**For**Use. **The Spec Factory proposes to alter the Auth Framework to include the following non-normative implementation note.** > . > Non-normative implementation note: CAUTION: As of September, 2010, the Nationwide Health Information Network Exchange has become aware of a potentially breaking change related to the SAML PurposeOfUse AttributeValue. As can be observed in the immediately prior non-normative example, the example text is incorrect and inconsistent with the remaining text in this document. Specifically, the example text “PurposeForUse” should have been “PurposeOfUse”. The PurposeForUse attribute has unfortunately been widely implemented by Nationwide Health Information Network Exchange members. When, and if, the Nationwide Health Information Network Exchange elects to correct this error, the Nationwide Health Information Network Exchange change management process will be employed. This will provide a transparent decision making and upgrade process with a suitable transition period. The Nationwide Health Information Network Exchange’s Security and Privacy Workgroup has elected to temporarily leave the errant text as is, and to call implementer’s attention to this discrepancy, via this implementation note, so they can plan accordingly. For more detailed and more recent information on this topic, please see the Nationwide Health Information Network Exchange’s Wiki page at: http://standards-and-interoperabilty-specifications.wikispaces.com/Auth+PurposeOfUse+Research or the main Security and Privacy Workgroup page at: http://standards-and-interoperabilty-specifications.wikispaces.com/Security+and+Privacy+Team.

Discussion of Long Term Solution
Auth Framework (along with Messaging Platform) is a Foundational Nationwide Health Information Network spec which applies to all Nationwide Health Information Network Web Services. As such, changes will impact all Nationwide Health Information Network Web Services. We need to determine the specific changes to make to the defintion of the <Attribute> and <AttributeValue> and to develop a general versioning plan. The work-in-progress Nationwide Health Information Network specifcation versioning plan can be found here.

Discussion Topics
 * 1) XSPA specifies the use of a to contain strings for purposes, as opposed to an <AttributeValue> and the coded elements Nationwide Health Information Network has specified. Spec Factory strongly favors the use of coded elements to maximize interoperabilty.
 * Should Nationwide Health Information Network define a its own namespace for this <AttributeValue>?
 * Do we need to specify XMI type?

2011-04-29 updates based on the Sec and Priv WG call today:
We've agreed to the following changes (in principal, but the details need to be confirmed, such as the exact new text).

> Non-normative implementation note: CAUTION: As of September, 2010, the Nationwide Health Information Network Exchange has become aware of a potentially breaking change related to the SAML PurposeOfUse AttributeValue. As can be observed in the immediately prior non-normative example, the example text is incorrect and inconsistent with the remaining text in this document. Specifically, the example text “PurposeForUse” should have been “PurposeOfUse”. The PurposeForUse attribute has unfortunately been widely implemented by Nationwide Health Information Network Exchange members. When, and if, the Nationwide Health Information Network Exchange elects to correct this error, the Nationwide Health Information Network Exchange change management process will be employed. This will provide a transparent decision making and upgrade process with a suitable transition period. The Nationwide Health Information Network Exchange’s Security and Privacy Workgroup has elected to temporarily leave the errant text as is, and to call implementer’s attention to this discrepancy, via this implementation note, so they can plan accordingly. For more detailed and more recent information on this topic, please see the Nationwide Health Information Network Exchange’s Wiki page at: http://standards-and-interoperabilty-specifications.wikispaces.com/Auth+PurposeOfUse+Research or the main Security and Privacy Workgroup page at: http://standards-and-interoperabilty-specifications.wikispaces.com/Security+and+Privacy+Team.
 * The following text is current in the currently approved, but not published, NwHIN Authorization Framework specification, version 2.01.**


 * Corrections to the text, and the current 2010 Authorization Framework Production 2.00 spec text may be found below:**

**From the current 2010 AF spec:**
3.3.2.6 Purpose of Use Attribute This <Attribute> element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”

The value of the <AttributeValue> element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the Purpose for Use that is in effect for the request. An example of the syntax of this element is as follows: <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"> <saml:AttributeValue> < PurposeForUse xmlns="urn:hl7-org:v3" xsi:type="CE" code="OPERATIONS" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Healthcare Operations"/> </saml:AttributeValue> </saml:Attribute>

3.3.2.6 Purpose of Use Attribute This <Attribute> element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”
 * Proposed new spec text:**

The value of the <AttributeValue> element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the Purpose for Use that is in effect for the request. An example of the syntax of this element is as follows: <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"> <saml:AttributeValue> < PurposeOfUse xmlns="urn:hl7-org:v3" xsi:type="CE" code="OPERATIONS" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Healthcare Operations"/> </saml:AttributeValue> </saml:Attribute>

From the current 2010 AF spec:
The value set for Purpose of Use is defined in Table 4, below. The NHIN Trial Implementation “PurposeForUse” attribute has been replaced by the PurposeOfUse attribute defined in this section.

<no proposed change, text is correct>
 * Proposed new spec text:**

From the current 2010 AF spec:
3.3.2.9 Attribute Statement Example <saml:AttributeStatement> <saml:Attribute Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id"> <saml:AttributeValue>Dr Joe Smith</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization"> <saml:AttributeValue>Best Clinic</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"> <saml:AttributeValue>urn:oid: 2.16.840.1.113883.3.18.101</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:nhin:names:saml:homeCommunityId"> <saml:AttributeValue>urn:oid:2.16.840.1.113883.3.190</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role"> <saml:AttributeValue> <Role xmlns="urn:hl7-org:v3" xsi:type="CE" code="112247003" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED CT" displayName="Medical doctor"/> </saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"> <saml:AttributeValue> < PurposeForUse xmlns="urn:hl7-org:v3" xsi:type="CE" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Treatment"/> </saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id"> <saml:AttributeValue>543797436^^^&amp;1.2.840.113619.6.197&amp;ISO</saml:AttributeValue> </saml:Attribute>

</saml:AttributeStatement>

3.3.2.9 Attribute Statement Example <saml:AttributeStatement> <saml:Attribute Name="urn:oasis:names:tc:xacml:1.0:subject:subject-id"> <saml:AttributeValue>Dr Joe Smith</saml:AttributeValue> </saml:Attribute>
 * Proposed new spec text:**

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization"> <saml:AttributeValue>Best Clinic</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id"> <saml:AttributeValue>urn:oid: 2.16.840.1.113883.3.18.101</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:nhin:names:saml:homeCommunityId"> <saml:AttributeValue>urn:oid:2.16.840.1.113883.3.190</saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role"> <saml:AttributeValue> <Role xmlns="urn:hl7-org:v3" xsi:type="CE" code="112247003" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED CT" displayName="Medical doctor"/> </saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"> <saml:AttributeValue> < PurposeOfUse xmlns="urn:hl7-org:v3" xsi:type="CE" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Treatment"/> </saml:AttributeValue> </saml:Attribute>

<saml:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id"> <saml:AttributeValue>543797436^^^&amp;1.2.840.113619.6.197&amp;ISO</saml:AttributeValue> </saml:Attribute>

</saml:AttributeStatement>

Non-normative: As of this version of the Authorization Framework Specification, the examples for the PurposeOfUse element have been changed from the former incorrect "PurposeForUse" to the correct "PurposeOfUse" syntax. Implementers should be aware that this may not be backward compatible with all existing implementations and should plan accordingly in terms of their business needs and technical implementation.
 * Proposed new text implementation guidance:**

We've agreed to put the above new text in the AF spec immediately after both corrected examples. Specifically, in sections 3.3.2.9, and 3.3.2.6.

Corrected PurposeOfUse in examples.
 * Change history entry:**

Eric Heflin note: 2011-04-18 CLOSED. This issue is being tracked as issue #2 in the Google docs spreadsheet issue #2. Please see that issue for the latest information on this issue. Note that the current fix for this issue was to update the Authorization Framework with a non-normative caution to implementers. The "correct" fix is, I propose, to fix the example so it states "PurposeOfUse" instead of "PurposeForUse". This has been incorporated into the Summer 2011 Specification Package.