The increasing momentum for adoption of electronic health records following passage of the American Recovery and Reinvestment Act (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf, in particular, Title XIII: Health Information Technology) has fostered continued discussion about the privacy of electronic health care information, a discussion that preceded President Obama’s inauguration (http://www.nytimes.com/2009/01/18/us/politics/18health.html?_r=1).
The debate has engaged representatives from a variety of special interest groups ranging from patient advocacy groups to health care information technology vendors. Within the broader debate, one key issue is that of patient control over the sharing of personal health care information across provider organizations and from provider organizations to other organizations that are not directly involved with care delivery.
Although a coherent case for Personal Health Records (PHRs) was made by the NCVHS (National Committee on Vital and Health Statistics) in a white paper that included broad recommendations for assuring privacy ((http://www.ncvhs.hhs.gov/0602nhiirpt.pdf), there has been little attention paid to using PHRs to assert patient control of the flow of personal health care information within the National Healthcare Information Network. In particular, the Office of the National Coordinator (ONC) has yet to articulate technical requirements that would assure patient control of exchange of health care information (http://healthit.hhs.gov/portal/server.pt?open=512&objID=1200&mode=2),
Technical empowerment of principles of patient privacy is not only feasible and practical, it is taking place today. In this presentation, we shall demonstrate how open source software that includes “security by design” has facilitated implementation of a model for patient privacy in the Netherlands that has been synchronized with patient privacy recommendations from the Health Record Banking Alliance (HRBA) in the United States; the project offers a way for patients in the United States to regain confidence in the privacy of their health care information.
Security by Design: Articulating Principles
The HRBA (www.healthbanking.org) has declared that health information privacy refers to an individual’s right to control the acquisition, use, or disclosure of his or her identifiable health data. Their statement is derived from material prepared by the NCVHS (http://www.ncvhs.hhs.gov/060622lt.htm). The HRBA believes that patient privacy and protection of healthcare information is essential for widespread adoption of a nationwide network of health information creation and exchange and that any distribution of healthcare information outside of the organization that created it must be under the control of the patient unless such distribution is mandated by government regulation (such as for public health reporting for critical exercises in epidemiology).
The HRBA has published a set of principles that include the following recommendations for protecting the privacy of personal health care information.
• Health record banks protect the individual consumer’s right to health information privacy and confidentiality by acting as trusted legal custodians of consumers’ health records.
• Health record banks are repositories for trustworthy copies of health information selected or submitted by the consumer from various sources.
• Health information in a health record bank is owned by the consumer and is not an asset of the health record bank.
• Consumers may authorize someone else to manage their health record bank account.
• Health record banks provide consumers and others they authorize with immediate electronic access to their health information.
• Consumers control all disclosures of their health information by a health record bank unless otherwise required by law.
• With consumer consent based on advance disclosure appropriate to the circumstances, health record banks enable secondary use of health information, such as for public health and research purposes.
• All access and updates to information in health record banks are recorded as they occur in an appropriately detailed audit trail database, and each health record bank shall maintain those unaltered audit records at least during the time that a consumer’s health record is kept at the bank, and will make those audit records immediately accessible to consumers.
Security by Design: Complying with Privacy Regulations in the Netherlands
A project in the Netherlands (http://www.rijnmondnet.nl/) closely adheres to the principles outlined by the Health Record Banking Alliance. In this project, in keeping with Dutch law, the patient controls the distribution of his/her personal healthcare information outside of the organization that has created it.
RijnmondNet is implementing a patient-centered system for exchange of health information between hospitals, patients and physician offices in the region around Rotterdam. In this implementation, patient consent is required for any exchange of information across stakeholder boundaries. The functional outline of the system follows.
Clinical information is packaged in conformity with the HL7 CDA (Health Level Seven Clinical Document Architecture) standard before it is sent from a medical center to a “holding area” repository, which we can call the Medical Center electronic Clinical Health Record (MC eCHR). Neither patients nor clinicians are able to view information in the MC eCHR. Patients are only able to view their own clinical information when copies of that information have been sent to the patient’s ePHR from the MC eCHR. A clinician is only able to view copies of information that have been sent by a patient from a patient ePHR to either a Clinician eCHR or a Specialty eCHR.
Any participating patient has the opportunity to create an ePHR account. A secure exchange between the patient and the system results in the set up of the ePHR account. Any ePHR patient user can browse the list of clinical organizations that participate in the project. The patient user can select the appropriate medical center in order to receive copies of his/her information from the MC eCHR account.
Upon receipt (and approval) of the request by the MC eCHR, all CDA documents for that patient from that time forward will be automatically copied from the MC eCHR and sent to that patient’s ePHR. At any time, the patient may cease participation in the health information exchange.
The ePHR user can also browse the list of participating clinical organizations, which includes the individual clinicians participating in the pilot as well as the specialty groups participating in the pilot and can select which Clinician eCHR or which Specialty eCHR account can receive copies from this ePHR. The ePHR user can select any or all categories of information to be copied to the selected “provider”
Each participating clinician has his/her own Clinician eCHR account and each participating clinician can also be a member of a specialty account which has its own Specialty eCHR. Each member of a Specialty eCHR account is able to view information that has been copied to that Specialty eCHR
A participating clinician has a Clinician eCHR account created for him by an authorized administrator. Each participating clinician creates himself as a “provider” by using the appropriate application screens. Submitting this information places this clinician’s name on the “Public” provider list, allowing for viewing by patients in the system.
A participating Specialty Group has a Specialty eCHR created for it by an authorized administrator. This action places this specialty group’s name on the “Public” provider list for viewing by patients in the system. A patient can send copies of any documents held in his/her ePHR account to any Clinician eCHR whose clinician name appears on the “public” provider list and to any Specialty eCHR whose group name appears on the “public” Provider list.
Security by Design: an Open Source Technical Infrastructure from Tolven
The Tolven open source platform and application development environment is being used by a number of electronic healthcare information projects being implemented by Tolven and its partners (http://www.tolvenhealth.com/TolvenClients.html), among them the RijnmondNet project described above. Tolven systems are web-based, allowing for broad participation by authorized users. The following comments regarding security and privacy are derived from documents available on the Tolven web site (http://www.tolven.org/architecture/briefs/index.html)
The Tolven platform and applications approach the issue of “consent” by including provisions for the following; consumers have the right to opt out of participating at any time; once consumers have elected to “opt in”, they can also explicitly grant consent to authorized users to view only specified sections of their personal healthcare information; consent to view/not view can be limited to selected logically meaningful categories of information in their medical records; and consent may be granted (or denied) to individuals or groups. The pairing of the Tolven eCHR (electronic clinician health record) and the Tolven ePHR empowers consumers and their families/agents to participate in managing their healthcare to an extent not yet seen because each can easily exchange information with the other, upon registration of consent.
It would be as unusual for a physician to have access to someone’s personal account as it would for a patient to have access to data in the physician’s account. Therefore, the process of sharing data between accounts in Tolven is explicit. Simply granting users in one account access to see data in another account is not allowed and if it were, it wouldn’t be useful because of the “absolute” encryption described above. Instead, sharing data between accounts requires a user in the outgoing account to initiate an action that internally makes a COPY of the source document that has been encrypted so that only members of the receiving account can read the COPY. In this way, privacy is enhanced at the cost of extra disk space. This explicit action provides a very reliable audit trail because the act of sharing data is recorded in space and time with the medium being the document itself
If a citizen OPTS IN to a research program, cancer registry, public health, shares an intake questionnaire (clip board) with his or her family doctor, or a physician releases a lab result to the patient, each such “sharing” is explicitly recorded in the form of a new document only visible to members of the receiving account.
Sharing data among users within a single account is not subject to such strict control. When needed, access can be controlled by “traditional” authorization and role-based access. However, Tolven expects accounts to be small enough (a family or a single clinic for example) so that cumbersome user-level permission schemes can be reduced or avoided completely.
Document encryption provides an “absolute” level of protection between Tolven accounts. For example, a document created in a person’s personal health record is only visible to users of that personal health record account (typically that one person or members of that person’s family) and to no one else. This absolute partition cannot be violated, even by a system administrator with root passwords and a complete copy of the (encrypted) data, log files, etc.
Tolven is concerned with protecting data in transit (e.g., SSL) and protecting data at rest (e.g., in the database).Tolven requires proper authentication of users, accounts (e.g., family, clinic, lab, etc.), and system components (App server, LDAP server, Database server). End users (via their browser) verify authenticity of web/application server using digital certificates. SSL then protects the communication between browser and application server from “man in the middle” attack. The application server, with the aide of the LDAP server, usually authenticates the user via username and password entry
Although typically behind a firewall, Tolven further requires mutual authentication (digital certificates) and secure communication (SSL/TLS) between backend system components. For example, the application server must authenticate the database server that it connects to and likewise the database server must authenticate the application server. The same approach is used for communication between the application server and the LDAP server
While SSL is designed to guard against “man in the middle” attacks, it does nothing to protect data once it arrives at its destination where the SSL encryption is removed. In Tolven, new “document data” is immediately encrypted in the application server, before being transported to the database. Thus, as a new document travels from the application server to the database server, it is essentially double encrypted because of SSL. Upon arrival, the SSL encryption is removed. Yet, when the document comes to rest, it is still encrypted because of the document-level encryption
Open source software developed by Tolven has incorporated principles for assuring privacy from the Health Record Banking Alliance in order to fulfill national requirements for privacy protection of health care information in the Netherlands. The RijnmondNet project is projected to encompass health record information for several million patients in the Netherlands and provides a valuable model for securing exchange of personal health care information in the United States
Dr Jones received his MD from Stanford in 1969. He spent the next 26 years at the University of Chicago where he and his colleagues developed the Centennial Patient Care Workstation, a model for allowing clinicians to enjoy the benefits of new information technology.
In 1995, Dr. Jones joined Oacis Healthcare Systems, where he focused more deeply on the clinical functionality of applied informatics. At Oacis, he had the opportunity to work closely with some of the founding members of the HL7 organization. Understanding how clinicians communicate with one another led to an appreciation of how the standardization of clinical information fosters more rapid and accurate communication.
In 2000, Dr. Jones joined Oracle where, as Chief Medical Officer, he provided the clinical leadership for Oracle’s Healthcare Strategy group. Dr. Jones worked with provider organizations, payor organizations, academic institutions, healthcare informatics standards organizations, government representatives and pharmaceutical firms in 34 countries. He participated in the creation of white papers for the European Commission and chaired the Technical Committee for the Interoperability Consortium.
In 2006, Dr. Jones co-founded Tolven Inc., which was formed to bring to market a consumer-centric, open source, integrated electronic platform for medical information that promotes clinician-consumer collaboration.
For information on exhibition and sponsorship opportunities at the conference, contact Sharon Cordesse at firstname.lastname@example.org
Download the OSCON Sponsor/Exhibitor Prospectus
For media-related inquiries, contact Maureen Jennings at email@example.com
To stay abreast of conference news and to receive email notification when registration opens, please sign up for the OSCON Newsletter (login required)
Have an idea for OSCON to share? firstname.lastname@example.org
View a complete list of OSCON contacts