The API documentation suggests a very static trust model, i.e. an application developer who wants to interact with a user's health data stored in HealthVault registers the application's information and the public key corresponding to the private key they'll use to authenticate to HealthVault (similar to OAuth's model).
Similarly, at registration time, the application developer is expected to supply:
End-user-facing text that describes the reasons for needing access to the data types that the application is requesting access to; and
the type of access that the application requires (read, update, create, delete).
What happens if the application's needs and/or purposes change?
It's not clear how the user's identity is expressed within the messages to and from HealthVault. Is it a WS-* mechanism?
I assume the SDK documentation would explain but I'm not willing to have my Vista certified as genuine just so as to perform the SDK download.
Unrelated, is there any company more diversified than Fabrikam? They are now making medical devices!