CASCON 2009 - Talk on Interoperability

Slides from my 2009 CASCON presentation on semantic tools for interoperability (at the policy level).

Transcript
Page 1: CASCON 2009 - Talk on Interoperability

EHR Systems and Policy Management

James Williams – Ontario Telemedicine Network

Page 2

Objectives:
1. Review policy constraints for EHR systems.
2. Traditional approaches to policies in EHRs.
3. CHI consent management architecture.
4. Current research.

Page 3

Focus: Policies pertaining to personal health information. Policies may touch upon:

Consent directives.
Acceptable uses.
Permissible disclosure.
Appropriate safeguards.
Emergency overrides.
Retention.

Page 4

Sources of Policy:
1. Statutes and regulations
2. Case law
3. Codes of conduct
4. Corporate bylaws
5. Professional guidelines / best practices
6. First Nations Sovereignty

Page 5

Statutes: Privacy
The most important legislative instruments are the various privacy and health information statutes.

Privacy legislation in Canada is based on a set of fair information practices:
1) Accountability
2) Identifying purposes
3) Consent
4) Limiting collection
5) Limiting use, disclosure, retention
6) Accuracy
7) Safeguards
8) Openness
9) Individual access
10) Challenging compliance

Page 6

Statutes: Establish a basic rule, and then add exceptions.

For example, express consent is generally required in order to disclose information to a third party. But:
Emergency situations.
Law enforcement.
Public health.
Eligibility for benefits.
Risk to third party.

Page 7

Statutes: Private sector privacy laws

Page 8

Statutes: Health information laws

Page 9

Statutes: additional laws

Federal:
Statistics Act.
Quarantine Act.

Provincial:
Child Protection Act.
Communicable Disease Act.
Health Act.
Worker’s Compensation Act.
Mental Health Act.

Page 10

Other sources

Case Law:
Eg: Patient has right of access to their own health record. (McInerney v MacDonald).

Codes of Conduct:
Eg: Canadian Medical Association, Health Information Privacy Code (1998).

Corporate bylaws:
Hospital policies and procedures.
Municipal Information Acts.

Best Practices:
COACH Guidelines for the Protection of Health Information.

Page 11

Sources: OCAP

Ownership: information is owned collectively by the Nation.
Control: the Nation retains control over all aspects of information management.
Access: the Nation has a right to manage and make decisions regarding access to their collective information.
Possession: a mechanism to assert ownership.

Page 12

The inter-provincial view:

Page 13

Interoperability:

Page 14

Some Issues:
Custodians disclosing PHI are generally under a duty to ensure that the receiving jurisdiction has ‘comparable safeguards’.

Patients may issue consent directives. Ontario imposes a ‘duty to notify’ receiving custodians about these.

Patients should be able to avail themselves of additional protections in the new jurisdiction.

Who now has control of the information?

Consent directives are also sensitive.

Page 15

More issues:
Even if we have a way to solve these issues, one of the major problems is that laws (etc.) are dynamic.

Page 16

Challenge: How do we manage policies in a multi-EHR setting?

The traditional route has been either to purchase COTS products, or to develop systems for a particular jurisdiction (hard-coded business rules).

Page 17

CHI’s Consent Directives Management System
Applies constraints prior to providing access or transmitting PHI.
Allows consent directives at various levels of granularity.
Relies on a common privacy vocabulary to apply consent requirements.
Can store with EHRi data, or in consolidated form.

Page 18

Processing Consent Directives in a Jurisdiction

1. Transfer consent directives from clinical applications to the EHR.

2. Let either the EHR or (sending clinical application) process consent directives prior to disclosing a patient’s PHI.

3. Transfer consent directives from EHR to clinical applications whenever PHI is disclosed from the EHR.

Want to avoid having too many consent directives management systems.

Page 19

Interjurisdictional Transfer
Consent directives will be processed whether an access request is received from a POS system, a clinical portal, or an EHR in another jurisdiction.

Jurisdictions need to agree upon and set policies as to how consent directives made in one jurisdiction will be managed following disclosure to another.

A nationally adopted messaging schema is required for conveying consent directives between jurisdictions.
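The processing model sketched on slides 6 and 17 to 19 (a basic express-consent rule with statutory exceptions, directives at several levels of granularity, evaluation regardless of where the request comes from, and directives travelling with any disclosure), as an added Python example that is not part of the original slides or of CHI's system. The purpose vocabulary, the precedence rule for overlapping directives and the emergency handling are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the "common privacy vocabulary" on slide 17 (not CHI's).
PURPOSES = {"treatment", "research", "public_health", "law_enforcement",
            "benefits_eligibility"}
# Purposes for which the statutory exceptions on slide 6 waive express consent.
STATUTORY_EXCEPTIONS = {"public_health", "law_enforcement", "benefits_eligibility"}

@dataclass(frozen=True)
class Directive:
    """scope=None covers the whole record, recipient=None any requester; narrower wins."""
    patient_id: str
    allow: bool
    scope: Optional[str] = None      # record category, e.g. "mental_health"
    recipient: Optional[str] = None  # e.g. "clinic-a" or "ehr:BC"
@dataclass(frozen=True)
class Request:
    patient_id: str
    requester: str        # POS system, clinical portal or another jurisdiction's EHR
    purpose: str
    category: str         # record category being requested
    emergency: bool = False
@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    forward: Tuple[Directive, ...] = ()  # directives that must accompany the PHI

def applicable(directives: List[Directive], req: Request) -> Optional[Directive]:
    """Most specific directive matching the request, or None."""
    hits = [d for d in directives if d.patient_id == req.patient_id
            and d.scope in (None, req.category)
            and d.recipient in (None, req.requester)]
    return max(hits, default=None,
               key=lambda d: (d.scope is not None) + (d.recipient is not None))

def evaluate(directives: List[Directive], req: Request) -> Decision:
    """Basic rule (express consent) first, exceptions after. Assumed here: an emergency
    overrides an explicit denial; every permit forwards the directives (slide 18 step 3)."""
    if req.purpose not in PURPOSES:
        return Decision(False, "purpose not in shared vocabulary")
    mine = tuple(d for d in directives if d.patient_id == req.patient_id)
    if req.emergency:
        return Decision(True, "emergency override", mine)
    d = applicable(directives, req)
    if d is not None:
        return Decision(d.allow, "matching consent directive", mine if d.allow else ())
    if req.purpose in STATUTORY_EXCEPTIONS:
        return Decision(True, f"statutory exception: {req.purpose}", mine)
    return Decision(False, "express consent required; none recorded")
```

A denied request forwards nothing, so a requester learns neither the content of the lockbox nor its existence, which is the point of slide 14's remark that consent directives are themselves sensitive.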

Page 20

Interjurisdictional Transfer (2)
Several goals must be achieved before policy enforcement can be automated by a policy management service:
Jurisdictional policies must be harmonized.
Rules must be captured and codified.
Special support for changes to rules.
Common vocabulary.

Data containing consent directives may flow from one jurisdiction to another, but policy related data does not.

Page 21

Can we do better?
The inter-jurisdictional data transfer problem is complex. Can we bring some technical tools to bear on the problem?
Representing policy rules.
Operationalizing the representations.
Storing and securing the representations.
Managing the representations through their lifecycle.
Verification and validation.

Page 22

Current work:
There has been quite a bit of work on representing policies and regulations.

L. Cranor, M. Langheinrich, M. Marchiori, J. Reagle, The Platform for Privacy Preferences (P3P 1.0) Specification.

R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, An XPath-based preference language for P3P.

N. Li, T. Yu, A.I. Anton, A semantics-based approach to privacy languages (2006).

Page 23

Current Work
P. Ashley, S. Hada, G. Karjoth, C. Powers, M. Schunter, Enterprise Privacy Authorization Language (EPAL 1.1).

A. Barth, J.C. Mitchell, J. Rosenstein, Conflict and combination in privacy policy languages (2004). (DPAL)

eXtensible Access Control Markup Language (XACML).

Page 24

Current Work
The above frameworks provide a formalism to specify data protection policy. They provide methods for evaluating and enforcing policies.

Drawback: they are built to manage policies within single organizations. (Guarda, Zannone, Toward the Development of Privacy Aware Systems, 2008)

Page 25

Current Work
Recent efforts:

Extend XACML with algorithms addressing the issue of policy similarities and integration across organizations. (Mazzoleni et al., XACML policy integration algorithms, 2008).

Distributed temporal logic. (Hilty et al., On obligations, 2005).

Privacy in Peer to Peer Networks. Automated policy enforcement. (Weber, Obry).