Similar literature: 20 results found
1.
OBJECTIVE: We present an integrated set of technologies, known as the Hippocratic Database, that enable healthcare enterprises to comply with privacy and security laws without impeding the legitimate management, sharing, and analysis of personal health information. APPROACH: The Hippocratic Database approach to securing electronic health records involves (1) active enforcement of fine-grained data disclosure policies using query modification techniques, (2) efficient auditing of past database access to verify compliance with policies and track security breaches, (3) data mining algorithms that preserve privacy by randomizing information at the individual level, (4) de-identification of personal health data using an optimal method of k-anonymization, and (5) information sharing across autonomous data sources using cryptographic protocols. CONCLUSIONS: Our research confirms that policies concerning the disclosure of electronic health records can be reliably and efficiently enforced and audited at the database level. We further demonstrate that advanced data mining and anonymization techniques can be employed to analyze aggregate health records without revealing individual patient identities. Finally, we show that web services and commutative encryption can be used to share sensitive information selectively among autonomous entities without compromising security or privacy.
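The "commutative encryption" sharing step in point (5) above, as an added worked example (this is not code from the Hippocratic Database project). Two hospitals each hold a patient list and want to learn which patients they have in common without either handing its list to the other. The construction assumed here is the Pohlig-Hellman style cipher E_k(x) = x^k mod P, where exponents coprime to P-1 commute; the modulus (a Mersenne prime), the hash-to-group mapping and the sample identifiers are all assumptions chosen so the demo runs offline, and a deployment would use a standard large safe-prime group instead.

```python
import hashlib
import secrets
from math import gcd

# Added example, not code from the Hippocratic Database project.
# Assumption: P is a prime large enough for the demo; a real deployment would use
# a standard safe-prime group so that no element has small order.
P = 2**521 - 1


def hash_to_group(identifier: str) -> int:
    """Map a patient identifier to an element of Z_P* (SHA-256 treated as a random mapping)."""
    x = int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % P
    return x if x > 1 else 2  # avoid the trivial elements 0 and 1


def keygen() -> int:
    """Choose an exponent coprime to P-1 so that x -> x^k mod P is a bijection on Z_P*."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if gcd(k, P - 1) == 1:
            return k


def encrypt(x: int, key: int) -> int:
    """Commutative encryption: encrypt(encrypt(x, a), b) == encrypt(encrypt(x, b), a)."""
    return pow(x, key, P)


def private_intersection(a_patients: list, b_patients: list) -> list:
    """Three-message exchange after which party A knows which of its patients B also holds.

    A learns nothing about B's list beyond its size; B learns nothing about A's list.
    """
    a_key, b_key = keygen(), keygen()

    # Message 1 (A -> B): A's identifiers, hashed into the group and blinded under A's key.
    # A keeps this order so it can map the answers back to its own patients.
    a_once = [encrypt(hash_to_group(p), a_key) for p in a_patients]

    # Message 2 (B -> A): B re-encrypts A's blinded values under its key, preserving order,
    # and sends its own blinded identifiers shuffled so A cannot recover B's ordering.
    a_twice = [encrypt(c, b_key) for c in a_once]
    b_once = [encrypt(hash_to_group(p), b_key) for p in b_patients]
    secrets.SystemRandom().shuffle(b_once)

    # Step 3 (local to A): A applies its key to B's values. Because exponentiation commutes,
    # a doubly encrypted value matches exactly when the underlying identifier matches.
    b_twice = {encrypt(c, a_key) for c in b_once}
    return [p for p, c in zip(a_patients, a_twice) if c in b_twice]


if __name__ == "__main__":
    # Constructed sample: medical record numbers held by two hospitals.
    hospital_a = ["MRN-1001", "MRN-1002", "MRN-1003", "MRN-1004"]
    hospital_b = ["MRN-1003", "MRN-1004", "MRN-2001"]
    print(private_intersection(hospital_a, hospital_b))  # ['MRN-1003', 'MRN-1004']
```

The point a practitioner should take from this is the asymmetry: only A learns the intersection, and only because B returned A's values in their original order; B shuffles its own values precisely so that A cannot do the reverse. Hashing identifiers deterministically is safe here only because every value is also raised to a secret exponent before it leaves its owner.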

2.
Objectives: The aim of this study was to discover the public's attitude and views towards privacy in health care. This is a part of a larger project which aims to gain an insight into what kind of privacy is needed and develop technical measures to provide such privacy. Methods: The study was a two-stage process which combined qualitative and quantitative research. Stage One of the study comprised arranging and facilitating focus groups while in Stage Two we conducted a social survey. Measurements: We measured attitudes towards privacy, medical research and consent; privacy concern about sharing one's health information for research; privacy concern about the possibility that some specific information from medical records could be linked to the patient's name in a situation that was not related to medical treatment. Results: The results of the study revealed both great support for medical research (98%), and concern about privacy of health information (66%). Participants prefer to be asked for their permission before their health information is used for any purpose other than medical treatment (92%), and they would like to know the organisation and details of the research before allowing the use of their health records (83%). Age, level of education, place of birth and employment status are most strongly associated with privacy concerns. The study showed that there are some particularly sensitive issues and there is a concern (42–60%) about any possibility of linking these kinds of data to the patient's name in a situation that is not related to medical treatment. Such issues include sexually transmitted diseases, abortions and infertility, family medical history/genetic disorders, mental illness, drug/alcohol related incidents, lists of previous operations/procedures/dates and current medications. Conclusions: Participants believe they should be asked for permission before their health information is used for any purpose other than medical treatment. However, consent and privacy concerns are not necessarily related. Assuring individuals that their personal health information is de-identified reduces their concern about the necessity of consent for releasing health information for research purposes, but many people are not aware that removing their names and other direct identifiers from medical records does not guarantee full privacy protection for their health information. Privacy concerns decrease as extra security measures are introduced to protect privacy. Therefore, instead of "tailoring concern" as proposed by Willison [1] we suggest improving privacy protection of personal information by introducing additional security measures in data publishing.

3.
4.
There has been a recent trend to gather and record more comprehensive and more detailed personal medical information in computerized databases. Retrieval and access are much easier from electronic records than from hard copies stored in the archives of care-providing institutions. The Institute of Medicine voiced concern that these developments raised numerous problematic issues, the most disturbing of which is a much more widespread and systematic violation of privacy via what they called 'authorized abuse', i.e. authorized users abusing their access privileges. Other worries stemmed from the sharing of patient information among different entities. Multitudes of organizations receive information about patients' health records, often without their knowledge or consent. These include care providers, insurers, pharmacists, employers, life insurance companies and marketing firms. This article addresses the issues of medical data ownership and some health data-recording problems to which we propose co-ownership and co-documentation as part of the solution. We believe that a cooperative approach will help to maintain greater accuracy of personal medical data, written in language that can be shared and understood by the consumers and not one couched in terminology understandable only to professional personnel and to delegate the power to the patient to decide when and to whom to give authorization for its use by a third party and for research.

5.
Patients' medical data have been originally generated and maintained by health professionals in several independent electronic health records (EHRs). Centralized electronic health records accumulate medical data of patients to improve their availability and completeness; EHRs are not tied to a single medical institution anymore. Nowadays enterprises with the capacity and knowledge to maintain this kind of databases offer the services of maintaining EHRs and adding personal health data by the patients. These enterprises gain access to the patients' medical data and act as a main point for collecting and disclosing personal data to third parties, e.g. among others doctors, healthcare service providers and drug stores. Existing systems like Microsoft HealthVault and Google Health comply with data protection acts by letting the patients decide on the usage and disclosure of their data. But they fail in satisfying essential requirements to privacy. We propose a privacy-protecting information system for controlled disclosure of personal data to third parties. Firstly, patients should be able to express and enforce obligations regarding a disclosure of health data to third parties. Secondly, an organization providing EHRs should neither be able to gain access to these health data nor establish a profile about patients.

6.
Record linkage typically involves the use of dedicated linkage units who are supplied with personally identifying information to determine individuals from within and across datasets. The personally identifying information supplied to linkage units is separated from clinical information prior to release by data custodians. While this substantially reduces the risk of disclosure of sensitive information, some residual risks still exist and remain a concern for some custodians. In this paper we trial a method of record linkage which reduces privacy risk still further on large real world administrative data. The method uses encrypted personal identifying information (bloom filters) in a probability-based linkage framework. The privacy preserving linkage method was tested on ten years of New South Wales (NSW) and Western Australian (WA) hospital admissions data, comprising in total over 26 million records. No difference in linkage quality was found when the results were compared to traditional probabilistic methods using full unencrypted personal identifiers. This presents as a possible means of reducing privacy risks related to record linkage in population level research studies. It is hoped that through adaptations of this method or similar privacy preserving methods, risks related to information disclosure can be reduced so that the benefits of linked research taking place can be fully realised.

7.

Background  

The linkage of records which refer to the same entity in separate data collections is a common requirement in public health and biomedical research. Traditionally, record linkage techniques have required that all the identifying data in which links are sought be revealed to at least one party, often a third party. This necessarily invades personal privacy and requires complete trust in the intentions of that party and their ability to maintain security and confidentiality. Dusserre, Quantin, Bouzelat and colleagues have demonstrated that it is possible to use secure one-way hash transformations to carry out follow-up epidemiological studies without any party having to reveal identifying information about any of the subjects – a technique which we refer to as "blindfolded record linkage". A limitation of their method is that only exact comparisons of values are possible, although phonetic encoding of names and other strings can be used to allow for some types of typographical variation and data errors.
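Items 6 and 7 describe two generations of the same idea: exact "blindfolded" matching on one-way hashes (item 7), which breaks on any typo, and approximate matching on Bloom-filter encodings of name fragments (item 6), which tolerates it. The following is an added example that belongs to neither paper; it puts the two side by side on constructed records. Assumptions made here: the custodians share a secret key that the linkage unit never receives (so the unit cannot dictionary-attack the encodings), identifiers are split into character bigrams, the filter is 256 bits with 10 hash positions per bigram, fields are scored with the Dice coefficient, and the two small record sets (one with a typo in a given name) are made up for the demo.

```python
import hashlib
import hmac

# Added example, not code from either paper. Assumption: SECRET is shared by the
# data custodians and withheld from the linkage unit.
SECRET = b"custodian-shared-linkage-key"
M_BITS = 256   # Bloom filter length in bits
K_HASH = 10    # bit positions set per bigram


def normalise(value: str) -> str:
    return " ".join(value.lower().split())


def keyed_hash(value: str) -> str:
    """Exact-match token (item 7 style): HMAC of the normalised value; a typo yields an unrelated token."""
    return hmac.new(SECRET, normalise(value).encode(), hashlib.sha256).hexdigest()


def bigrams(value: str) -> list:
    padded = f" {normalise(value)} "
    return [padded[i:i + 2] for i in range(len(padded) - 1)]


def bloom_encode(value: str) -> int:
    """Bloom filter (item 6 style): K_HASH keyed positions per bigram via double hashing; returned as a bitmask."""
    bits = 0
    for g in bigrams(value):
        h1 = int.from_bytes(hmac.new(SECRET, g.encode(), hashlib.sha256).digest(), "big")
        h2 = int.from_bytes(hmac.new(SECRET, b"\x01" + g.encode(), hashlib.sha256).digest(), "big")
        for i in range(K_HASH):
            bits |= 1 << ((h1 + i * h2) % M_BITS)
    return bits


def dice(bf_a: int, bf_b: int) -> float:
    """Dice coefficient over set bits: 1.0 for identical encodings, near 0 for unrelated strings."""
    shared = bin(bf_a & bf_b).count("1")
    total = bin(bf_a).count("1") + bin(bf_b).count("1")
    return 2 * shared / total if total else 0.0


FIELDS = ("given", "surname", "dob")


# Custodian side: encode before anything leaves the custodian.
def exact_token(record: dict) -> str:
    return keyed_hash("|".join(record[f] for f in FIELDS))


def bloom_record(record: dict) -> dict:
    return {f: bloom_encode(record[f]) for f in FIELDS}


# Linkage-unit side: works only on tokens or filters, never on names.
def exact_link(tokens_a: list, tokens_b: list) -> list:
    return [(i, j) for i, ta in enumerate(tokens_a) for j, tb in enumerate(tokens_b) if ta == tb]


def bloom_link(encoded_a: list, encoded_b: list, threshold: float = 0.8) -> list:
    """Probabilistic linkage: mean per-field Dice score, pairs at or above the threshold are links."""
    matches = []
    for i, ra in enumerate(encoded_a):
        for j, rb in enumerate(encoded_b):
            score = sum(dice(ra[f], rb[f]) for f in FIELDS) / len(FIELDS)
            if score >= threshold:
                matches.append((i, j, round(score, 2)))
    return matches


# Constructed sample records from two custodians; the second set has a typo in one given name.
NSW = [{"given": "John", "surname": "Smith", "dob": "1970-03-12"},
       {"given": "Mary", "surname": "Jones", "dob": "1985-11-02"}]
WA = [{"given": "Jon", "surname": "Smith", "dob": "1970-03-12"},
      {"given": "Peter", "surname": "Brown", "dob": "1960-01-01"}]

if __name__ == "__main__":
    print(exact_link([exact_token(r) for r in NSW], [exact_token(r) for r in WA]))   # []
    print(bloom_link([bloom_record(r) for r in NSW], [bloom_record(r) for r in WA]))  # [(0, 0, ...)]
```

On this input the exact-token linkage finds nothing, because "John" and "Jon" hash to unrelated tokens, while the Bloom-filter linkage links the pair on the strength of the shared surname and date of birth. The caveat to keep in mind is the one item 6 itself hedges with ("reduces privacy risk still further", not eliminates): Bloom-filter encodings preserve similarity by design, so a linkage unit that sees many of them can mount frequency and pattern attacks on common names, which is why the key must stay with the custodians and why the filters should not be published beyond the linkage unit.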

8.
The healthcare industry is moving from paper-based documentation into the digital era. Electronic health records (EHR) are playing a major role in this development. Electronic health records will not only be shared among a growing number of healthcare providers but they have also to be archived over long periods of time. The required life cycle depends on national regulations, but typically the preservation time of patient data varies between 20 and 100 years. Availability, integrity, confidentiality and non-repudiation of stored data over these lengthy preservation periods needs to be fully proven, both to preclude loss and also ensure the ability to read and understand content is maintained. This document describes a co-operative trusted notary archive (TNA) which receives granular health data from different EHR-systems, stores data together with associated meta-information for long periods and distributes granular EHR-data objects. TNA communicates with EHR-systems and external users via archive request and distribution messages. TNA can store objects in XML-format and prove the non-repudiation and integrity of stored data with the help of event records, Time-stamps and archive e-signatures.

9.
OBJECTIVE: Health care organizations must preserve a patient's anonymity when disclosing personal data. Traditionally, patient identity has been protected by stripping identifiers from sensitive data such as DNA. However, simple automated methods can re-identify patient data using public information. In this paper, we present a solution to prevent a threat to patient anonymity that arises when multiple health care organizations disclose data. In this setting, a patient's location visit pattern, or "trail", can re-identify seemingly anonymous DNA to patient identity. This threat exists because health care organizations (1) cannot prevent the disclosure of certain types of patient information and (2) do not know how to systematically avoid trail re-identification. In this paper, we develop and evaluate computational methods that health care organizations can apply to disclose patient-specific DNA records that are impregnable to trail re-identification. METHODS AND MATERIALS: To prevent trail re-identification, we introduce a formal model called k-unlinkability, which enables health care administrators to specify different degrees of patient anonymity. Specifically, k-unlinkability is satisfied when the trail of each DNA record is linkable to no less than k identified records. We present several algorithms that enable health care organizations to coordinate their data disclosure, so that they can determine which DNA records can be shared without violating k-unlinkability. We evaluate the algorithms with the trails of patient populations derived from publicly available hospital discharge databases. Algorithm efficacy is evaluated using metrics based on real world applications, including the number of suppressed records and the number of organizations that disclose records. RESULTS: Our experiments indicate that it is unnecessary to suppress all patient records that initially violate k-unlinkability. Rather, only portions of the trails need to be suppressed. For example, if each hospital discloses 100% of its data on patients diagnosed with cystic fibrosis, then 48% of the DNA records are 5-unlinkable. A naïve solution would suppress the 52% of the DNA records that violate 5-unlinkability. However, by applying our protection algorithms, the hospitals can disclose 95% of the DNA records, all of which are 5-unlinkable. Similar findings hold for all populations studied. CONCLUSION: This research demonstrates that patient anonymity can be formally protected in shared databases. Our findings illustrate that significant quantities of patient-specific data can be disclosed with provable protection from trail re-identification. The configurability of our methods allows health care administrators to quantify the effects of different levels of privacy protection and formulate policy accordingly.
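The trail model and the "suppress only part of the trail" result above, as an added toy example; this is not the paper's code and the greedy heuristic is mine, not one of the paper's algorithms. The modelling assumptions are also mine: every hospital discloses its identified discharge records, so a patient's identified trail is their full visit pattern; each hospital may withhold a DNA record, so a DNA trail is a subset of the visit pattern; and a DNA trail is "linkable" to an identified trail when it is a subset of it. Under that model k-unlinkability holds when every disclosed DNA trail is a subset of at least k identified trails. The five-patient, three-hospital population is constructed for the demo.

```python
# Added example, not code from the paper. Assumptions: identified trails are the
# full visit pattern (cannot be suppressed); DNA trails can shrink (suppressed per
# hospital); a DNA trail is linkable to an identified trail when it is a subset of it.

# Constructed population: the hospitals each patient visited, and hence where their
# identified record is disclosed.
IDENTIFIED = {
    "Alice": {"H1", "H2"},
    "Bob":   {"H1", "H2"},
    "Carol": {"H1", "H3"},
    "Dave":  {"H1"},
    "Eve":   {"H2", "H3"},
}


def linkable_count(dna_trail: set, identified: dict) -> int:
    """Number of identified trails that could have produced this DNA trail."""
    return sum(1 for trail in identified.values() if dna_trail <= trail)


def violators(dna_trails: dict, identified: dict, k: int) -> list:
    """DNA records still disclosed somewhere whose trail is linkable to fewer than k identities."""
    return [d for d, trail in dna_trails.items()
            if trail and linkable_count(trail, identified) < k]


def naive_suppress(dna_trails: dict, identified: dict, k: int) -> dict:
    """Withhold every violating DNA record from every hospital."""
    return {d: (set() if linkable_count(trail, identified) < k else set(trail))
            for d, trail in dna_trails.items()}


def greedy_suppress(dna_trails: dict, identified: dict, k: int) -> dict:
    """Withhold a violating DNA record only at the hospitals needed to reach k-unlinkability.

    Each step drops the hospital whose removal makes the shrunken trail consistent with
    the most identified trails (a simple heuristic, not one of the paper's algorithms).
    """
    result = {d: set(trail) for d, trail in dna_trails.items()}
    for d in violators(result, identified, k):
        while result[d] and linkable_count(result[d], identified) < k:
            drop = max(sorted(result[d]),
                       key=lambda h: linkable_count(result[d] - {h}, identified))
            result[d].remove(drop)
    return result


def disclosed_cells(dna_trails: dict) -> int:
    """Number of (DNA record, hospital) disclosures that survive suppression."""
    return sum(len(trail) for trail in dna_trails.values())


if __name__ == "__main__":
    k = 2
    full = {d: set(t) for d, t in IDENTIFIED.items()}  # every hospital discloses all DNA
    print("violators at full disclosure:", violators(full, IDENTIFIED, k))  # ['Carol', 'Eve']
    naive = naive_suppress(full, IDENTIFIED, k)
    greedy = greedy_suppress(full, IDENTIFIED, k)
    print("cells disclosed: naive", disclosed_cells(naive), "greedy", disclosed_cells(greedy))  # 5 7
    print("remaining violators after greedy:", violators(greedy, IDENTIFIED, k))  # []
```

With full disclosure, Carol ({H1, H3}) and Eve ({H2, H3}) each have a unique trail, so their DNA records are 1-unlinkable and an adversary holding the public discharge data re-identifies them. The naive fix withholds both records everywhere (five of nine DNA disclosures survive); the partial fix withholds each only at H3, after which Carol's DNA trail {H1} is consistent with four patients and Eve's {H2} with three, so seven disclosures survive and every record is 2-unlinkable. That is the mechanism behind the paper's 95% versus 48% figures, in miniature.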

10.
The growth of managed care and integrated delivery systems has created a new commodity, health information and the technology that it requires. Surveys by Deloitte and Touche indicate that over half of the hospitals in the US are in the process of implementing electronic patient record (EPR) systems. The National Research Council has established that industry spends as much as $15 billion on information technology (IT), an amount that is expanding by 20% per year. The importance of collecting, electronically storing, and using the information is undisputed. This information is needed by consumers to make informed choices; by physicians to provide appropriate quality clinical care; and by health plans to assess outcomes, control costs and monitor quality. The collection, storage and communication of a large variety of personal patient data, however, present a major dilemma. How can we provide the data required by the new forms of health care delivery and at the same time protect the personal privacy of patients? Recent debates concerning medical privacy legislation, software regulation, and telemedicine suggest that this dilemma will not be easily resolved. The problem is systemic and arises out of the routine use and flow of information throughout the health industry. Health care information is primarily transferred among authorized users. Not only is the information used for patient care and financial reimbursement, secondary users of the information include medical, nursing, and allied health education, research, social services, public health, regulation, litigation, and commercial purposes such as the development of new medical technology and marketing. The main threats to privacy and confidentiality arise from within the institutions that provide patient care as well as institutions that have access to patient data for secondary purposes.

11.

Background

Ubiquitous computing technology, sensor networks, wireless communication and the latest developments of the Internet have enabled the rise of a new concept—pervasive health—which takes place in an open, insecure, and highly dynamic environment (i.e., in the information space). To be successful, pervasive health requires implementable principles for privacy and trustworthiness.

Objective

This research has two interconnected objectives. The first is to define pervasive health as a system and to understand its trust and privacy challenges. The second goal is to build a conceptual model for pervasive health and use it to develop principles and policies which can make pervasive health trustworthy.

Methods

In this study, a five-step system analysis method is used. Pervasive health is defined using a metaphor of digital bubbles. A conceptual framework model focused on trustworthiness and privacy is then developed for pervasive health. On that model, principles and rules for trusted information management in pervasive health are defined.

Results

In the first phase of this study, a new definition of pervasive health was created. Using this model, differences between pervasive health and health care are stated. Reviewed publications demonstrate that the widely used principles of predefined and static trust cannot guarantee trustworthiness and privacy in pervasive health. Instead, such an environment requires personal dynamic and context-aware policies, awareness, and transparency. A conceptual framework model focused on information processing in pervasive health is developed. Using features of pervasive health and relations from the framework model, new principles for trusted pervasive health have been developed. The principles propose that personal health data should be under control of the data subject. The person shall have the right to verify the level of trust of any system which collects or processes his or her health information. Principles require that any stakeholder or system collecting or processing health data must support transparency and shall publish its trust and privacy attributes and even its domain specific policies.

Conclusions

The developed principles enable trustworthiness and guarantee privacy in pervasive health. The implementation of principles requires new infrastructural services such as trust verification and policy conflict resolution. After implementation, the accuracy and usability of principles should be analyzed.

12.
The increasing use of social networking sites (SNS) in health care has resulted in a growing number of individuals posting personal health information online. These sites may disclose users' health information to many different individuals and organizations and mine it for a variety of commercial and research purposes, yet the revelation of personal health information to unauthorized individuals or entities brings a concomitant concern of greater risk for loss of privacy among users. Many users join multiple social networks for different purposes and enter personal and other specific information covering social, professional, and health domains into other websites. Integration of multiple online and real social networks makes the users vulnerable to unintentional and intentional security threats and misuse. This paper analyzes the privacy and security characteristics of leading health-related SNS. It presents a threat model and identifies the most important threats to users and SNS providers. Building on threat analysis and modeling, this paper presents a privacy preservation model that incorporates individual self-protection and privacy-by-design approaches and uses the model to develop principles and countermeasures to protect user privacy. This study paves the way for analysis and design of privacy-preserving mechanisms on health-related SNS.

13.
Advances in health information technology and electronic medical records have the tremendous potential to accelerate translational and clinical research. However, privacy concerns threaten to be a rate-limiting factor. By recognizing and responding to patient privacy concerns, policy-makers, researchers, and information technology leaders have the opportunity to transform trial recruitment and make it safer to electronically locate and convey sensitive health information.

14.

Background  

Developments in information technology promise to revolutionise the delivery of health care by providing access to data in a timely and efficient way. Information technology also raises several important concerns about the confidentiality and privacy of health data. New and existing legislation in Europe and North America may make access to patient level data difficult with consequent impact on research and health surveillance. Although research is being conducted on technical solutions to protect the privacy of personal health information, there is very little research on ways to improve individuals' power over their health information. This paper proposes a health care information directive, analogous to an advance directive, to facilitate choices regarding health information disclosure.

15.
The erosion of personal liberty and privacy is discussed in terms of the computer and data bank and the sterilization of minors. In Sussex County, England a computerized school health service records the health and physique of school children. In 1970, 55 family physicians sent off personal details of their patients to be computerized without patient permission. Mr. Hugh Macpherson has conceded the medical and administrative advantages of a computer system but thinks it is the perfect tool for the police state. The mother of an 11-year-old epileptic, mentally retarded, and sexually precocious girl asked to have the girl sterilized. A pediatrician had advocated the operation, and a gynecologist had agreed to perform it. A psychologist at the girl's school challenged the decision, and the girl was made a ward of court. Judge Heilbron ruled that the operation should not be carried out because it involved the deprivation of a fundamental human right. The Central Ethical Committee of the British Medical Association is reviewing the situation, and the Dept. of Health will publish a discussion document.

16.
Purpose: Health information technology represents a promising avenue to improve health care delivery. How can we use lessons learnt from existing health information technologies in primary care to inform the optimal design of newer developments such as personal health records? Methods: The results of systematic literature reviews about the impact of different information systems on health outcomes in primary care are critically discussed in a narrative synthesis, with a focus on their implications for the development of personal health records. Results: Given the proliferation of systematic reviews and randomized controlled trials, high quality evidence for health information technology in primary care is accumulating with mixed results. The heterogeneity of systems being compared and the quality of research can no longer account for these findings. One potential explanation may be that systems originally designed for acute care settings are being implemented in primary care. Early studies evaluating personal health records suggest that targeting patient outcomes directly and adapting systems to patients' needs may be part of the solution. Conclusion: In order to develop personal health records for primary care, studies are needed that involve the users, namely patients and primary care health professionals, in the design and evaluation of these systems from their inception. Participatory research is a recommended methodological approach.

17.
Purpose: To describe nursing assessment documentation practices in aged care organizations and to evaluate the quality of electronic versus paper-based documentation of nursing assessment. Methods: This was a retrospective nursing documentation audit study. Study samples were 2299 paper-based and 6997 electronic resident assessment forms contained in 159 paper-based and 249 electronic resident nursing records, respectively, from three aged care organizations. The practice of nursing assessment documentation in participating aged care homes was described. Three attributes of quality of nursing assessment documentation were evaluated: format and structure, process, and content by seven measures: quantity, completeness, timeliness, comprehensiveness, frequencies of documentation specific to care domains and data items, and whether assessment forms were signed and dated. Results: Varying practice in documentation of nursing assessment was found among different aged care organizations and homes. Electronic resident records contained higher numbers and more comprehensive resident assessment forms than paper-based records. The frequency of documentation was higher in electronic than in paper-based records in relation to most care domains. There was no difference between the two types of documentation systems on other aspects of nursing assessment documentation (overall completeness and timeliness, variation of frequencies among different care domains, and item completion in personal hygiene assessment forms). Conclusions: Electronic nursing documentation systems could improve the quality of documentation structure and format, process and content in the aspects of quantity, comprehensiveness and signing and dating of assessment forms. Further studies are needed to understand the factors leading to the variations of practice and the limitations of nursing assessment documentation and to evaluate documentation quality from a clinical perspective.

18.
Background: The last few years have witnessed an increasing number of clinical research networks (CRNs) focused on building large collections of data from electronic health records (EHRs), claims, and patient-reported outcomes (PROs). Many of these CRNs provide a service for the discovery of research cohorts with various health conditions, which is especially useful for rare diseases. Supporting patient privacy can enhance the scalability and efficiency of such processes; however, current practice mainly relies on policy, such as guidelines defined in the Health Insurance Portability and Accountability Act (HIPAA), which are insufficient for CRNs (e.g., HIPAA does not require encryption of data – which can mitigate insider threats). By combining policy with privacy enhancing technologies we can enhance the trustworthiness of CRNs. The goal of this research is to determine if searchable encryption can instill privacy in CRNs without sacrificing their usability. Methods: We developed a technique, implemented in working software to enable privacy-preserving cohort discovery (PPCD) services in large distributed CRNs based on elliptic curve cryptography (ECC). This technique also incorporates a block indexing strategy to improve the performance (in terms of computational running time) of PPCD. We evaluated the PPCD service with three real cohort definitions: (1) elderly cervical cancer patients who underwent radical hysterectomy, (2) oropharyngeal and tongue cancer patients who underwent robotic transoral surgery, and (3) female breast cancer patients who underwent mastectomy, with varied query complexity. These definitions were tested in an encrypted database of 7.1 million records derived from the publicly available Healthcare Cost and Utilization Project (HCUP) Nationwide Inpatient Sample (NIS). We assessed the performance of the PPCD service in terms of (1) accuracy in cohort discovery, (2) computational running time, and (3) privacy afforded to the underlying records during PPCD. Results: The empirical results indicate that the proposed PPCD can execute cohort discovery queries in a reasonable amount of time, with query runtime in the range of 165–262 s for the 3 use cases, with zero compromise in accuracy. We further show that the search performance is practical because it supports a highly parallelized design for secure evaluation over encrypted records. Additionally, our security analysis shows that the proposed construction is resilient to standard adversaries. Conclusions: PPCD services can be designed for clinical research networks. The security construction presented in this work specifically achieves high privacy guarantees by preventing both threats originating from within and beyond the network.

19.
The digital health landscape in the United States is evolving and electronic health record data hold great promise for improving health and health equity. Like many scientific and technological advances in health and medicine, there exists an exciting narrative about what we can do with the new technology, as well as reflection about what we should do with it based on what we value. Ethical reflections about the use of EHR data for research and quality improvement have considered the important issues of privacy and informed consent for subsequent use of data. Additional ethical aspects are important in the conversation, including data validity, patient obligation to participate in the learning health system, and ethics integration into training for all personnel who interact with personal health data. Attention to these ethical issues is paramount to our realizing the benefits of electronic health data.

20.
Purpose: To describe the paper-based and electronic formats of resident admission forms used in several aged care facilities in Australia and to compare the extent to which resident admission information was documented in paper-based and the electronic health records. Methods: Retrospective auditing and comparison of the documentation quality of paper-based and electronic resident admission forms were conducted. A checklist of admission data was qualitatively derived from different formats of the admission forms collected. Three measures were used to assess the quality of documentation of the admission forms, including completeness rate, comprehensiveness rate and frequency of documented data element. The associations between the number of items and their completeness and comprehensiveness rates were estimated at a general level and at each information category level. Results: Various paper-based and electronic formats of admission forms were collected, reflecting varying practice among the participant facilities. The overall completeness and comprehensiveness rates of the admission forms were poor, but were higher in the electronic health records than in the paper-based records (60% versus 56% and 40% versus 29% respectively, p < 0.01). There were differences in the overall completeness and comprehensiveness rates between the different formats of admission forms (p < 0.01). At each information category level, varying degrees of difference in the completeness and comprehensiveness rates were found between different form formats and between the paper-based and the electronic records. A negative association between the completeness rate and the number of items in a form was found at each information category level (p < 0.01), i.e., more data items designed in a form, the less likely that the items would be completely filled. However, the associations between the comprehensiveness rates and the number of items were highly positive at both overall and individual information category levels (p < 0.01), suggesting more items designed in a form, more information would be captured. Conclusion: Better quality of documentation in resident admission forms was identified in the electronic documentation systems than in previous paper-based systems, but still needs to be further improved in practice. The quality of documentation of resident admission data should be further analysed in relation to its specific content.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号