基于规则引擎的隐私数据访问控制系统

随着信息技术在医疗服务领域越来越广泛的应用,医疗机构和第三方医疗服务机构所使用的医疗系统也变得越来越复杂,如何灵活地控制不同系统中用户的数据访问权限,管理实施复杂多变的隐私保护规章制度来保护患者的隐私成为一个越来越重要的问题。介绍了一种基于规则引擎的隐私数据访问控制系统,通过引入规则引擎技术可以有效地增强系统隐私保护策略的灵活性,为系统管理人员设定和维护隐私策略提供更好的支持。     

Design of a management support system for hospital strategic planning

Recent changes in the health care industry that foster competition are drastically affecting hospital planning and marketing activities. Increased price competition, the development of less costly alternative health care delivery systems and providers, and the shift to prospective average-cost reimbursement for Medicare beneficiaries are major factors promoting a new emphasis on strategic hospital planning. Hospital information systems do not currently support the sophisticated data-collection and analysis requirements that will be needed to implement strategic planning activities. New data must be collected and old data must be analyzed and stored in new ways. New hospital information systems designs are needed to cope with the change in the economic structure of the health care industry and its effects on hospital information needs. This paper proposes a system design for a management support system that will assist hospital administrators and planners in analyzing internal organizational data and external industry data to develop strategic planning objectives, strategies, and business plans. Analysis of the structure and process of hospital strategic planning was performed to identify the information needs of hospital planners. A prototype system is currently being implemented at the University of Arizona. The system provides an integrating framework for data base management systems, executive information systems, model management systems, and dialogue management systems. Objective analytical models and subjective strategic planning models are available to assist with idea structuring and decision processing.     

Privacy and occupational health services

Privacy is a key ethical principle in occupational health services. Its importance is emphasised in several laws, in ethical codes of conduct as well as in the literature, yet there is only very limited empirical research on privacy in the occupational health context. Conceptual questions on privacy in the occupational health context are discussed. The baseline assumption is that, in this context, privacy cannot be approached and examined only from the employee's (an individual) vantage point but the employer's (a group) point of view must also be taken into account, and that the concept has several dimensions (physical, social, informational and psychological). Even though privacy is a basic human need, there is no universally accepted definition of the concept and no consensus on whether an organisation can have privacy in the same way as people do. Many of the challenges surrounding privacy in the context of occupational health seem to be associated with the dual loyalties of occupational health professionals towards the employee and employer and with their simultaneous duties of disseminating and protecting information (informational privacy). Privacy is thus not an absolute value, but more research is needed to understand its multidimensional nature in the context of occupational health.     

DigiSwitch: A Device to Allow Older Adults to Monitor and Direct the Collection and Transmission of Health Information Collected at Home

Home monitoring represents an appealing alternative for older adults considering out-of-home long term care and an avenue for informal caregivers and health care providers to gain decision-critical information about an older adults’ health and well-being. However, privacy concerns about having 24/7 monitoring, especially video monitoring, in the home environment have been cited as a major barrier in the design of home monitoring systems. In this paper we describe the design and evaluation of “DigiSwitch”, a medical system designed to allow older adults to view information as it is collected about them and temporarily cease transmission of data for privacy reasons. Results from a series of iterative user studies suggest that control over the transmission of monitoring data from the home is helpful for maintaining user privacy. The studies demonstrate that older adults are able to use the DigiSwitch system to monitor and direct the collection and transmission of health information in their homes, providing these participants with a way to simultaneously maintain privacy and benefit from home monitoring technology.     

Legal issues concerning electronic health information: privacy, quality, and liability.

Personally identifiable health information about individuals and general medical information is increasingly available in electronic form in health databases and through online networks. The proliferation of electronic data within the modern health information infrastructure presents significant benefits for medical providers and patients, including enhanced patient autonomy, improved clinical treatment, advances in health research and public health surveillance, and modern security techniques. However, it also presents new legal challenges in 3 interconnected areas: privacy of identifiable health information, reliability and quality of health data, and tortbased liability. Protecting health information privacy (by giving individuals control over health data without severely restricting warranted communal uses) directly improves the quality and reliability of health data (by encouraging individual uses of health services and communal uses of data), which diminishes tort-based liabilities (by reducing instances of medical malpractice or privacy invasions through improvements in the delivery of health care services resulting in part from better quality and reliability of clinical and research data). Following an analysis of the interconnectivity of these 3 areas and discussing existing and proposed health information privacy laws, recommendations for legal reform concerning health information privacy are presented. These include (1) recognizing identifiable health information as highly sensitive, (2) providing privacy safeguards based on fair information practices, (3) empowering patients with information and rights to consent to disclosure (4) limiting disclosures of health data absent consent, (5) incorporating industry-wide security protections, (6) establishing a national data protection authority, and (7) providing a national minimal level of privacy protections.     

移动健康应用程序的应用现况与展望

本文讨论了面向消费者的移动健康应用程序（mHealth APP）的现状、发展障碍以及发展方向。目前主要的应用商店中有超过16.5万个mHealth APP,居排名前2位的为健康管理、疾病管理APP,其他类别包括自我诊断、药物提醒、患者电子门户、康复管理APP。这些APP在全球范围内为终端用户提供了低成本、高质量、全天候访问的健康信息。然而,由于缺乏监管监督、相关循证资料不足以及对隐私和安全性的担忧,mHealth APP还有很多地方需要完善。未来的发展方向可能包括：将数据集成到卫生保健系统,可互操作的应用程序平台,允许访问电子健康档案并记录数据,基于云的个人健康记录,以及由医务人员提供APP处方。为了使mHealth APP充分发挥医疗保健和慢病管理的价值,从业的所有利益攸关方必须协作克服相关障碍。     

National health information privacy: regulations under the Health Insurance Portability and Accountability Act.

Health information privacy is important in US society, but existing federal and state law does not offer adequate protection. The Department of Health and Human Services, under powers granted by the Health Insurance Portability and Accountability Act of 1996, recently issued a final rule providing systematic, nationwide health information privacy protection. The rule is extensive in its scope, applying to health plans, health care clearinghouses, and health care providers (hospitals, clinics, and health departments) who conduct financial transactions electronically ("covered entities"). The rule applies to personally identifiable information in any form, whether communicated electronically, on paper, or orally. The rule does not preempt state law that affords more stringent privacy protection; thus, the health care industry will have to comply with multiple layers of federal and state law. The rule affords patients rights to education about privacy safeguards, access to their medical records, and a process for correction of records. It also requires the patient's permission for disclosures of personal information. While privacy is an important value, it may conflict with public responsibilities to use data for social goods. The rule has special provisions for disclosure of health information for research, public health, law enforcement, and commercial marketing. The privacy debate will continue in Congress and within the president's administration. The primary focus will be on the costs and burdens on health care providers, the ability of health care professionals to use and share full medical information when treating patients, the provision of patient care in a timely and efficient manner, and parents' access to information about the health of their children.     

AMIA Advocates National Health Information System in Fight Against National Health Threats

To protect public health and national safety, AMIA recommends that the federal government dedicate technologic resources and medical informatics expertise to create a national health information infrastructure (NHII). An NHII provides the underlying information utility that connects local health providers and health officials through high-speed networks to national data systems necessary to detect and track global threats to public health. AMIA strongly recommends the accelerated development and wide-scale deployment of electronic public health surveillance systems, computer-based patient records, and disaster-response information technologies. Such efforts hold the greatest potential to protect our citizens from disaster and to deliver the best health care if disaster strikes.To protect public health and national safety, AMIA recommends that the federal government dedicate technologic resources and medical informatics expertise to create a national health information infrastructure (NHII). An NHII provides the underlying information utility that connects local health providers and health officials through high-speed networks to national data systems (e.g., Centers for Disease Control and Prevention) necessary to detect and track global threats to public health.In the short term, this means adapting existing information systems to facilitate public health surveillance and emergency response. To establish a permanent infrastructure, AMIA strongly recommends the accelerated development and wide-scale deployment of electronic public health surveillance systems, computer-based patient records, and disaster-response information technologies. Such efforts hold the greatest potential to protect our citizens from disaster, and to deliver the best health care if disaster strikes.While meeting the acute needs of today, this initiative will begin laying the groundwork for a NHII that will continue to serve the health needs of the nation—a lasting endowment for future generations. Establishing an NHII requires thoughtful strategic planning and strong inter-agency leadership. Work on key components of the NHII must begin immediately. These key components include:

• Strategic planning and coordination. There must be a central coordinating entity that can quickly inventory existing public- and personal-health initiatives and develop a strategy to fashion a national system to protect Americans against health threats of various types, including biological, chemical, nuclear, and physical. The short-term strategy must be part of a framework for a permanent infrastructure that serves public health, patient care, and research.
• Connectivity and communications. Local, regional, and national coordination cannot exist without efficient, instantaneous communication. Public health services must be linked using secure connections to the Internet as an immediate top priority. AMIA recommends federal government funding to guarantee high-speed, dedicated access to the Internet for all public and private health care facilities and related organizations. Minimum-level workstations should be required, and adequate tools and training should be provided.
• Standards. Effective communication among local, community, state, and federal facilities require the use of standards. Health care messaging standards should be used for data interchange. A common vocabulary standard and required data elements for public health surveillance databases are required to enable effective sharing of data. Without a common vocabulary, data from local systems cannot be analyzed to detect emerging health threats. Government coordination and support for consensus standardization and low-cost distribution of common vocabularies for health event detection, prevention, and intervention are a fundamental aspect of an NHII.
• Resource databases. An up-to-date, central, Internet-based health resources directory containing information about available resources—knowledge, physical, and human—is vital to providing the timely information needed to manage any public health crisis. The national health resource directory would include information about physical resources, such as health care organizations, safety facilities, and environmental agencies; human resources, including physicians, nurses, and public health and support personnel; organizational resources, such as emergency medical services, county and city law enforcement agencies, and other emergency-response groups; and knowledge resources ranging from clinical guidelines to extensive clinical decision support algorithms related to threat vectors. Local health authorities must be trained in use of the directory to effectively derive maximal benefit when responding to national health threats.
• Public health surveillance systems. Effective public health practice and decision making depend on timely information, much of which is not readily available. Information about patients with clinical conditions of public health importance, symptoms compatible with prodromes of serious infection or exposure, health behaviors, and environmental risk factors must be collected, transmitted, aggregated, analyzed, and utilized for prompt decision making. Whether the health threat is biological, chemical, or nuclear, early detection and rapid response are essential. Existing public health systems in place and under development should be adapted to meet the current needs. Implementation of public health system initiatives such as the National Electronic Disease Surveillance System and Health Alert Network must be accelerated to meet the acute threat posed by bioterrorism.
• National identifiers. National identifiers for providers, insurers, businesses, and individuals are required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The privacy provision of HIPAA that protects confidential health information has been finalized. In the face of the acute crisis, the work on identifiers should be accelerated so that effective epidemiologic data can be gathered and analyzed and appropriate health care services delivered where needed.

AMIA is an organization of professionals who operate at the interface between health care and computer and information science. Our leadership and members are capable and willing to contribute to solving the acute situation while laying the foundation for a lasting infrastructure to manage health information for the benefit of patients and the public.TANG, National Health Information System Proposal     

Towards Secure and Privacy-Preserving Data Sharing in e-Health Systems via Consortium Blockchain

Electronic health record sharing can help to improve the accuracy of diagnosis, where security and privacy preservation are critical issues in the systems. In recent years, blockchain has been proposed to be a promising solution to achieve personal health information (PHI) sharing with security and privacy preservation due to its advantages of immutability. This work proposes a blockchain-based secure and privacy-preserving PHI sharing (BSPP) scheme for diagnosis improvements in e-Health systems. Firstly, two kinds of blockchains, private blockchain and consortium blockchain, are constructed by devising their data structures, and consensus mechanisms. The private blockchain is responsible for storing the PHI while the consortium blockchain keeps records of the secure indexes of the PHI. In order to achieve data security, access control, privacy preservation and secure search, all the data including the PHI, keywords and the patients’ identity are public key encrypted with keyword search. Furthermore, the block generators are required to provide proof of conformance for adding new blocks to the blockchains, which guarantees the system availability. Security analysis demonstrates that the proposed protocol can meet with the security goals. Furthermor, we implement the proposed scheme on JUICE to evaluate the performance.     

Codesigning a community-based participatory research project to assess tribal perspectives on privacy and health data sharing: A report from the Strong Heart Study

Broad health data sharing raises myriad ethical issues related to data protection and privacy. These issues are of particular relevance to Native Americans, who reserve distinct individual and collective rights to control data about their communities. We sought to gather input from tribal community leaders on how best to understand health data privacy and sharing preferences in this population. We conducted a workshop with 14 tribal leaders connected to the Strong Heart Study to codesign a research study to assess preferences concerning health data privacy for biomedical research. Workshop participants provided specific recommendations regarding who should be consulted, what questions should be posed, and what methods should be used, underscoring the importance of relationship-building between researchers and tribal communities. Biomedical researchers and informaticians who collect and analyze health information from Native communities have a unique responsibility to safeguard these data in ways that align to the preferences of specific communities.     

Whose Personal Control? Creating Private,Personally Controlled Health Records for Pediatric and Adolescent Patients

Personally controlled health records (PCHRs) enable patients to store, manage, and share their own health data, and promise unprecedented consumer access to medical information. To deploy a PCHR in the pediatric population requires crafting of access and security policies, tailored to a record that is not only under patient control, but one that may also be accessed by parents, guardians, and third-party entities. Such hybrid control of health information requires careful consideration of both the PCHR vendor''s access policies, as well as institutional policies regulating data feeds to the PCHR, to ensure that the privacy and confidentiality of each user is preserved. Such policies must ensure compliance with legal mandates to prevent unintended disclosures and must preserve the complex interactions of the patient-provider relationship. Informed by our own operational involvement in the implementation of the Indivo PCHR, we provide a framework for understanding and addressing the challenges posed by child, adolescent, and family access to PCHRs.     

Consent Mechanisms for Electronic Health Record Systems: A Simple Yet Unresolved Issue

Electronic health record (EHR) systems are now in widespread use in healthcare institutions worldwide. EHRs include sensitive health information and if they are integrated among healthcare providers, data can be accessible from many different sources. This leads to increased concern regarding invasion of privacy and confidentiality. Incorporating consent mechanisms into EHRs has the potential to enhance confidentiality. However there are both positive and negative effects from employing such mechanisms—they need to balance privacy, safety, consumer and public interest.     

Secure Dynamic Access Control Scheme of PHR in Cloud Computing

With the development of information technology and medical technology, medical information has been developed from traditional paper records into electronic medical records, which have now been widely applied. The new-style medical information exchange system "personal health records (PHR)" is gradually developed. PHR is a kind of health records maintained and recorded by individuals. An ideal personal health record could integrate personal medical information from different sources and provide complete and correct personal health and medical summary through the Internet or portable media under the requirements of security and privacy. A lot of personal health records are being utilized. The patient-centered PHR information exchange system allows the public autonomously maintain and manage personal health records. Such management is convenient for storing, accessing, and sharing personal medical records. With the emergence of Cloud computing, PHR service has been transferred to storing data into Cloud servers that the resources could be flexibly utilized and the operation cost can be reduced. Nevertheless, patients would face privacy problem when storing PHR data into Cloud. Besides, it requires a secure protection scheme to encrypt the medical records of each patient for storing PHR into Cloud server. In the encryption process, it would be a challenge to achieve accurately accessing to medical records and corresponding to flexibility and efficiency. A new PHR access control scheme under Cloud computing environments is proposed in this study. With Lagrange interpolation polynomial to establish a secure and effective PHR information access scheme, it allows to accurately access to PHR with security and is suitable for enormous multi-users. Moreover, this scheme also dynamically supports multi-users in Cloud computing environments with personal privacy and offers legal authorities to access to PHR. From security and effectiveness analyses, the proposed PHR access scheme in Cloud computing environments is proven flexible and secure and could effectively correspond to real-time appending and deleting user access authorization and appending and revising PHR records.     

A systematic literature review of Native American and Pacific Islanders’ perspectives on health data privacy in the United States

BackgroundPrivacy-related concerns can prevent equitable participation in health research by US Indigenous communities. However, studies focused on these communities'' views regarding health data privacy, including systematic reviews, are lacking.MethodsWe conducted a systematic literature review analyzing empirical, US-based studies involving American Indian/Alaska Native (AI/AN) and Native Hawaiian or other Pacific Islander (NHPI) perspectives on health data privacy, which we define as the practice of maintaining the security and confidentiality of an individual’s personal health records and/or biological samples (including data derived from biological specimens, such as personal genetic information), as well as the secure and approved use of those data.ResultsTwenty-one studies involving 3234 AI/AN and NHPI participants were eligible for review. The results of this review suggest that concerns about the privacy of health data are both prevalent and complex in AI/AN and NHPI communities. Many respondents raised concerns about the potential for misuse of their health data, including discrimination or stigma, confidentiality breaches, and undesirable or unknown uses of biological specimens.ConclusionsParticipants cited a variety of individual and community-level concerns about the privacy of their health data, and indicated that these deter their willingness to participate in health research. Future investigations should explore in more depth which health data privacy concerns are most salient to specific AI/AN and NHPI communities, and identify the practices that will make the collection and use of health data more trustworthy and transparent for participants.     

疫情应对中公共信息公开与个人信息保护的考量与辨析

疫情防控中公共信息公开是体现政府公信力的关键砝码，疫情监测信息的及时、准确、全面公开彰显政府的责任与担当，确诊病例个体活动轨迹的信息公布有利于实现疫情的精准防范。而疫情处置中个人隐私信息保护则属于个体基本权益要求，应秉持“以人为本”的伦理原则，既要保障个体的生命安全，也要维护个体的人格尊严。公共信息公开应建立在个人隐私保护的基础之上，政府部门在进行公共卫生监测信息及时公开的同时，应加强对信息安全的有效监管，对于涉及个体隐私的信息必须进行妥善保护。鉴于疫情防控的应急之需，专业技术机构如疾病预防控制中心及医疗机构在特殊时期拥有获取个人信息的合法性以及对于个人隐私信息保护的强制性。基于利益分配的角度而言，疫情防控中公众知情权和个体隐私权的冲突与协调，其实质是公共利益和个人利益的制约与权衡。在疫情应对的特殊时期，政府及有关部门更需要妥善协调好个体利益和公共利益二者之间的张力，既不能以一昧牺牲个体利益来实现公共利益的最大化，也不能仅囿于个体利益而忽略公共利益的集体维护。在疫情应对中，出于公共利益的考虑而必须限制或干预某些个人权利时，应尽量做到对公民权利的侵犯限定在最小范围内，对个体权益的适当限制要符合公共利益集体维护的合理要求，应是鉴于当时情境下所必须采取的权宜之策。      

Disease control in the information era

As a result of advances in information technology, there is now a new capacity to manage, interpret and apply data for the benefit not only of individual patients but of the population as a whole. Population health information systems are currently inadequate to meet the needs of disease control. In a rapidly changing world, effective public health action requires timely and efficient data about what is happening in the whole population. As the national effort to harness information technology to the needs of individual patient care begins, it is desirable that the electronic patient record also becomes the building block for public health research and monitoring. Individual healthcare and population healthcare should be two sides of the one coin. Ownership, privacy and access to the contents of the electronic health record should now be addressed in the context that disease control in the whole population will increasingly depend upon an efficient "real time" information system.     

Physicians in health care management: 6. Physician *bytes* computer.

Revolutionary advancements in information technology are improving access to medical information, operational efficiency and clinical effectiveness. Health care facilities and agencies are planning to acquire information systems that will affect clinical and administrative functions. Federal and provincial agencies are beginning to define and collect diverse health care data and integrate them in a national database. As the demand for and access to information grows physicians will be key providers and users. They will have increasing access to critical patient data through clinical information systems; however, their practice patterns, clinical outcomes and resource utilization will also be subject to increasing scrutiny. To ensure appropriate use of technology and information systems, careful planning, selection, implementation and management will be needed. Physicians will require training to use the information and systems effectively. They must also recognize the increasing importance of such systems in delivering and managing health care; they must play a pivotal role in resolving management, information and systems issues and in promoting sound information and management strategies; and they must encourage research and education in medical informatics.     

e-Consent: The Design and Implementation of Consumer Consent Mechanisms in an Electronic Environment

The effective coordination of health care relies on communication of confidential information about consumers between different health and community care services. However, consumers must be able to give or withhold “e-Consent” to those who wish to access their electronic health information. There are several possible forms for e-Consent. In the general consent model, a patient provides blanket consent for access to his or her information by an organization for all future information requests. Conversely, general denial explicitly denies consent for information to be used in future circumstances, and in each new episode of care, a new consent would be needed to obtain information. In the general consent with specific denial model, a patient attaches specific exclusion conditions to his or her general approval to future accesses. In contrast, in the general denial with explicit consent model, a patient issues a blanket block on all future accesses but allows the inclusion of future use under specified conditions. There also are several alternative functions for an e-Consent system. Consent could be captured as a matter of legal record. E-Consent systems could be more active by prompting clinicians to indicate that they have noted consent conditions before they access a record. Finally, the record of patient consent could be fully active and used as a gatekeeper in a distributed information environment. There probably will need to be some form of data object that is associated with patient information. This e-Consent object (or e-Co) will contain the specific conditions under which the data to which it is attached can be retrieved. Given the complexity of clinical work and the substantial variation we can expect in an individual''s desire to make his or her personal medical details available, it is unlikely a “one size fits all” approach to e-Consent will work. Consequently, with a well-chosen consent design, it should be possible to balance the specific need for privacy of some of the population against the desire by others to err on the side of clinical safety, and clinicians desire to minimize the burden that an electronic consent mechanism would impose.The effective coordination of health care relies on the communication of confidential information about consumers between different health and community care services. Electronic data exchange and Internet technologies increasingly play important roles in such communications. Consumers must, however, be able to give or withhold consent to those who wish to access their electronic health information.For example, electronic patient records are seen by many as an essential prerequisite for health care,¹ opening up patient data to the whole clinical team involved in patient care. So, by definition, the presence of an electronic environment means that more clinical workers will be able to access patient information more often and in a greater diversity of locations. With the broadening of access to patient information comes the risks that such information is used for purposes not originally consented to by the patient.While much is known about the ways in which security technology can protect information transactions from unwanted interception,² very little work exists to determine how a consumer''s consent to view their private information is safeguarded in a networked and online environment. This report will outline a framework for obtaining and determining electronic consent (e-Consent) within health care. It will examine a range of models for e-Consent and examine some of the technical issues associated with transforming those models into working systems. It is not the intention of this report to make a specific judgment about which consent models are more acceptable or to make specific recommendations about the detailed implementation of an e-Consent system. Such decisions would need to reflect the legal framework within which any e-Consent system operates, and the expressed wishes of consumers regarding the strength of protection they desire.Specifically, the report proposes a set of basic design principles that any consent framework might need to adhere to and focuses on some of the trade-offs in system performance that these principles imply. It then examines various possible forms of consent, explores the ways that these can be implemented in an online environment, and examines how well these models reflect the design principles. Next, the report explores the nature of information exchanges in health care and uses this to reflect on the acceptability of the different consent mechanisms in the clinical workplace, as well as to consumers. Finally, the report develops a health transaction model and uses this to sketch the set of behaviors or services an e-Consent system will need to perform its key functions. Appendices contain detailed examples of information transactions in health and an example set of computational rules for determining consent.     

Quality of care in family planning clinics in Jamaica. Do clients and providers agree?

This paper uses data from 199 providers and 20 simulated clients collected at 50 public sector and Non Governmental Organization (NGO) health facilities islandwide in 1995 to compare the two groups' views on quality of care of family planning services. Each of the five components of quality of care studied can be improved in Jamaica. Nearly two-thirds of the simulated clients felt able to freely choose a contraceptive method; however, more adequate and appropriate information needs to be imparted to clients through improved counselling, including promotion of dual method use (against STD/HIV/AIDS and conception). The requirement that a woman must be menstruating to receive services has inadvertently resulted in many clients going away empty-handed (without counselling or condoms) when they visit family planning clinics. While providers generally treat clients well, training and service delivery practices need to be revised to improve the technical competence of providers. All of the providers would recommend these clinics to others, compared to a little over half of the simulated clients. Both the providers and simulated clients said that privacy should be strengthened, particularly in small facilities in rural areas. Many of these aspects of quality of care are being improved in Jamaica's public sector health facilities. Managers can learn more about quality of care by seeking the knowledge, opinions and experiences of both providers and clients.