Trustee gives people control over how their health records and information are used. The Trustee Directory™ enables patient communities, institutions, researchers, and other organizations to aggregate and analyze participant data if a patient has granted authorization or access. This unique feature benefits the wider health ecosystem while protecting individual patient privacy.
The development of contact tracing and other symptom reporting apps has exploded under the pandemic. In order to leverage this groundswell of support, Trustee aims to make every single one of those apps a part of a useful whole. Trustee is a standards-based solution which allows the data you collect to extend beyond your app into a global view of the pandemic, while assuring that each of your users has visibility and control over their own personal information (PI). Trustee is focused on leveraging the whole emerging community of symptom and health reporting toward the global need, creating value for its users beyond that of any individual piece of software.
The intention of this sprint is to help developers who are working on symptom reporting and contact tracing (SRCT) apps to learn how Trustee and the Trustee Directory can enable their products to be part of a larger ecosystem, and also to serve group policies to enable the distribution of patient data. Together, SRCT apps and Trustee universal health record infrastructure promote solutions to allow people to “go back to work and school again” during the next stage of the current pandemic.
Standards are crucial to support the network effect that is essential to SRCT apps. If we expect patients to share their health data broadly in order to understand and address the problems in a pandemic, we must be working within a common set of agreements as developers and clinicians to keep trust levels high and explanations as simple as possible. It is easy to see where problems could arise inside of an ecosystem which is not standards based. As such, using commonly held standards to promote patient trust and opt-in is a must have.
NOSH is an open source patient record which is currently being used to serve the clinician forms in the current Trustee workflow. In the context of this sprint, it is a passive component that absorbs data, and completes the clinician portion of the Immunity Passport interaction.
In the Trustee model, the patient chooses from a set of available policies how their personal information will be shared. In addition to choosing policies, the patient can give a transactional authorization for a specific request, which covers cases where the chosen policies do not allow automated opt-in. The available policies are designed and published by public health experts and are displayed consistently by Trustee, in the same way that single sign-on (SSO) systems such as Google's provide a consistent display of information sharing requests. Trustee uses OAuth and other standards established for SSO to enable large scale data usage and promote the network effect essential to pandemic mitigation. By using Trustee (at the individual level) in combination with Trustee Directory policies (at the community level), developers can offload the problem of authorization for dissemination of the data which their SRCT apps collect. This can both streamline the development process and multiply the value of the data each individual app collects.
The patient-level Trustee uses a standard OAuth flow and optional UMA extensions to OAuth along with familiar OpenID Connect and emerging self-sovereign (blockchain) identifier methods. Applications make calls to display the uniformly defined policies to patients and receive data use authorization through each patient’s individual Trustee account. The default policies for an individual Trustee are suggested by the Trustee Directory operator. The independence of the Trustee Directory operators builds trust and promotes individual participation, effectively driving the network effect as more people opt-in to more uses of their personal data.
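The two authorization paths described above (automated opt-in under a Directory-published policy, and a one-off transactional authorization when no chosen policy covers the request) can be modelled as a small decision function. The following is an added illustration, not Trustee's, NOSH's or HIE of One's code, and the policy shapes, request fields and names (`Policy`, `DataUseRequest`, `PatientTrustee`, the sample policy ids) are assumptions constructed for the example. It also records every decision in an audit list, since the patient is promised tracking of how their information is shared.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    GRANT = "grant"              # a chosen policy (or a one-off grant) covers the use
    ASK_PATIENT = "ask_patient"  # no automated opt-in; needs transactional authorization


@dataclass(frozen=True)
class Policy:
    """A uniformly defined policy, as a Directory operator would publish it (hypothetical shape)."""
    policy_id: str
    purpose: str
    data_types: frozenset   # data the policy allows to leave the record
    recipients: frozenset   # audience classes allowed to receive it
    default_opt_in: bool    # the Directory-suggested default for a new Trustee


@dataclass(frozen=True)
class DataUseRequest:
    """What an app asks for through the patient's Trustee (hypothetical shape)."""
    app_id: str
    purpose: str
    data_types: frozenset
    recipient: str


@dataclass
class PatientTrustee:
    """One patient's consent state plus an audit trail the patient can review."""
    policies: dict                                     # policy_id -> Policy, from the Directory
    opt_in: dict = field(default_factory=dict)         # policy_id -> bool, patient's choice
    one_off_grants: set = field(default_factory=set)   # exact DataUseRequest values approved once
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Start from the Directory's suggested defaults; the patient may override any of them.
        for pid, pol in self.policies.items():
            self.opt_in.setdefault(pid, pol.default_opt_in)

    def set_opt_in(self, policy_id: str, value: bool) -> None:
        if policy_id not in self.policies:
            raise KeyError(f"unknown policy {policy_id}")
        self.opt_in[policy_id] = value

    def grant_once(self, req: DataUseRequest) -> None:
        """Transactional authorization: the patient approves this exact request only."""
        self.one_off_grants.add(req)

    def covering_policies(self, req: DataUseRequest) -> list:
        """Policies whose purpose, data types and recipient class all include the request.
        The subset test keeps the grant to least privilege: an app cannot pull data types
        the policy never mentioned by bundling them with permitted ones."""
        return [
            pol for pol in self.policies.values()
            if pol.purpose == req.purpose
            and req.data_types <= pol.data_types
            and req.recipient in pol.recipients
        ]

    def evaluate(self, req: DataUseRequest) -> tuple:
        """Decide an app's request and record the decision for the patient."""
        covering = self.covering_policies(req)
        for pol in covering:
            if self.opt_in[pol.policy_id]:
                return self._log(req, Decision.GRANT, f"policy {pol.policy_id}")
        if req in self.one_off_grants:
            return self._log(req, Decision.GRANT, "transactional authorization")
        reason = (
            "patient opted out of " + ", ".join(p.policy_id for p in covering)
            if covering else "no published policy covers this use"
        )
        return self._log(req, Decision.ASK_PATIENT, reason)

    def _log(self, req, decision, reason):
        self.audit.append((req.app_id, req.purpose, sorted(req.data_types),
                           req.recipient, decision.value, reason))
        return decision, reason


# Constructed sample policies standing in for what a Directory operator would publish.
DIRECTORY_POLICIES = {
    "ph-symptoms": Policy("ph-symptoms", "pandemic_surveillance",
                          frozenset({"symptoms", "zip3"}), frozenset({"public_health"}), True),
    "research-contacts": Policy("research-contacts", "research",
                                frozenset({"symptoms", "zip3", "contacts"}),
                                frozenset({"researcher"}), False),
}


def demo() -> list:
    """Run three constructed requests through one patient's Trustee and return the decisions."""
    t = PatientTrustee(dict(DIRECTORY_POLICIES))
    r1 = DataUseRequest("symptom-app", "pandemic_surveillance", frozenset({"symptoms"}), "public_health")
    r2 = DataUseRequest("symptom-app", "pandemic_surveillance", frozenset({"symptoms", "contacts"}), "public_health")
    r3 = DataUseRequest("study-app", "research", frozenset({"symptoms"}), "researcher")
    out = [t.evaluate(r1)[0], t.evaluate(r2)[0], t.evaluate(r3)[0]]
    t.grant_once(r3)          # the patient approves r3 once, without changing the policy choice
    out.append(t.evaluate(r3)[0])
    return out
```

`demo()` returns `[GRANT, ASK_PATIENT, ASK_PATIENT, GRANT]`: the first request falls under the default-on public health policy, the second asks for a data type no policy mentions, the third matches a policy the patient has (by default) not opted into, and the last succeeds only because of the explicit one-off authorization. A real deployment would carry this decision into the OAuth/UMA token issuance the text describes, but the decision itself is what the consent manager owns.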
Patients get their Trustee in one of three ways:
- (A) In a group “call to action” scenario, such as through a community or company website that might also offer its constituents a choice of compatible apps.
- (B) In a “white label” presentation linked to an SRCT app.
- (C) As an à la carte service paid for by the individual, independent of any particular app.
In each of these three scenarios, the patient is assured personal control and tracking of how their information is stored and shared. In all three, the patient is presented with a set of commonly held policies and default settings, as suggested in the Trustee Directory, to opt in and out of, much like a GDPR-compliant cookie notice appears to end users during a visit to a corporate website.
As an SRCT app developer, you can focus on Trustee (the consent manager and privacy agent) and make use of NOSH (the electronic health record and industry standard data model) with little or no modification. SRCT developers can often use the Trustee Directory operated by HIE of One.
Developers focused on a particular community of patients, as opposed to a particular app, start from a baseline Trustee Directory installation and modify or implement features according to the levels in the table below.
| Trustee Community | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Description | Least responsibility | Enhanced privacy | Sponsorship and transparency | Revenue and “White label” |
| Member pays (monthly) | Credit card to HIE of One | Credit card to HIE of One | Community decides | Community decides |
| Hosting Costs | None | Proxy hosting | Directory and Trustee hosting | Directory and Trustee hosting |
| Software Costs | Free | Free | Free | Free |
| Setup Costs | Website design | Proxy setup | Trustee setup | Trustee setup |
| Physician Credentials | Proxied through HIE of One | Proxied through Community | Proxied through Community | Direct from Issuer |
| Website Modifications | Get Trustee Button | Get uPort credentials and | Directory is for administrative support only | Issue credentials for Directory access |
| Patient App Registration | Proxied through HIE of One | Proxied through HIE of One | Proxied through Community | Proxied through Community |
| Signature Timestamps | Merkelized by HIE of One | Merkelized by Community | Merkelized by Community | Merkelized by Community |
| Signed Document Display | Displayed by HIE of One (no record kept) | Displayed by Community (no record kept) | Displayed by Community (no record kept) | Verifier installs display app |
| Legal Records Retention | Secure email to issuer physician | Secure email or IPFS | Secure email or IPFS | Secure email or IPFS |
| Privacy Policy | Community has no data access | Proxy responsibility | Support access | Value added access |
| Support Policy | Forward all to HIE of One | Forward all to HIE of One | First call | First call |
| Revenue to Community | None | None | Support only | Data use sales |
| Revenue to HIE of One | Monthly Trustee hosting payment | Monthly Trustee hosting payment | Licensing and Support | Licensing and Support |
| Monitoring | Monthly report (aggregate only) | Monthly report (aggregate only) | Live analytics | Live analytics |