Rfid Healthcare

8/2/2019 Rfid Healthcare

1/37

RFID and Privac y

Guidanc e for Hea lth-Ca re Providers

January 2008


2/37

The autho rs gra tefully ac know ledg e the wo rk of Fred Ca rter, Senior Policy & Tec hnology Advisor,

Offic e of the Informa tion and Privacy Co mm issioner of Onta rio, a nd the HP Ca nada Eme rging

Tec hnologies Tea m in the p rep aration of this paper.

Cover ima ge c reate d by Fred Carter


3/37


4/37


5/37

Foreword

Health care providers around the world are recognizing the benefits of adopting RadioFreq uenc y Identific at ion (RFID) tec hnology into the ir op erations, in orde r to e nhanc e health c a reservic e de livery. The ava ilability a nd use of innova tive new RFID-ena bled information tec hnologyapplications are helping providers to track medical equipment and supplies more efficiently,verify the authentic ity and adm inistration of d rugs, and improve p at ient safe ty and sec urity, suchas by using RFID-enabled identification bracelets for newborns and patients. However, as the

benefits of RFID uses and applications are realized, concerns are also being raised about thepo tent ial privac y imp lic at ions assoc iated with use of this tec hnology, espe c ially when RFID tagsare linked to ide ntifiab le p eop le.

In the a utumn o f 2006, I wa s ap proa c hed by Victor Garc ia , Chief Tec hnology Office r forHew lett-Pac kard (HP) Ca nad a , seeking the e xpertise o f my o ffic e in how po tent ia l priva cy issuescould be identified and safeguards developed and implemented into the usage of RFIDtechnology. I was more than willing to contribute my insight and expertise because, asCommissioner, part of my mandate includes reaching out to external organizations. In additionto being one of my most important duties, I have also found it beneficial to assist both publicand private organizations working on emerging technologies, and to always be proactivewheneve r po ssible to d evelop e ffective guidelines and c od es of c ond uct be fore a ny problemsarise. Further, I was also interested in working with HP given that it is an organization that takes

the protection of privacy very seriously, having a history of working alongside legislative andstandards bodies, partners, customers, and NGOs to help drive the adoption of privacyprinc iples to p rotec t c onsumer privac y rights. Spec ific a lly rega rding HPs wo rk with RFID, I wa sencouraged by its corporate values in that individuals should always be given notice about thepresenc e o f RFID tag s, and whe re p ossible, have the c hoice to remove or de ac tivate RFID tag s.HP p rod uc ts with an RFID tag on the b ox are alwa ys ac c ompa nied b y an EPCg loba l log o, whichalerts the consumer to the presence of the tag. Lastly, I was also impressed by the fact that mycolleagues at HP and I share the same belief that being visible about RFID use will breedconfidence in the technology, while being secretive will heighten the misconceptions and fears.

My work with RFID began in 2003 when I released Tag, You re It: Priva c y Imp lica tions of RadioFreq uency Ident ifica tion (RFID) Tec hnology, and I first identified the potential privacy concernsra ised by RFID tec hnology. Since then, I have g one on to wo rk with a num be r of organizat ions

such as EPCglobal Canada, with whom I consulted when I wrote Priva c y Guidelines for RFIDInforma tion Systems (RFID Guidelines). My office ha s also helpe d to shap e p olic y and idea s, fromRFID tags in Ontarios public libraries to lectures on how to implement privacy protections in RFIDsystems. This pub lic ation is a cont inuat ion o f my ongoing wo rk with RFID. For many m onths, IPCand HP sta ff wo rked ha rd to examine questions rega rding RFID privac y p rotec tions. The result isthis c o-authored d oc ument.

The e ssent ial purpose o f this pub lic ation is to assist the health-ca re sec to r in und ersta nd ing thecurrent and potential applications of RFID technology, its potential benefits, its privacyimp lic ations, and step s that can b e ta ken to m itiga te p otential threa ts to p rivac y. I, and my c o-author, Victor Garcia at Hewlett-Packard, sincerely believe that this document will serve as abenchmark for considerations relevant to the application of, and the privacy issues associatedwith, RFID tec hnology in hea lth c a re.

During the time I was working toward making the Personal Health Information Protection Act(PHIPA) a rea lity, I rep ea ted ly sta ted tha t, I be lieve in the nec essity of PHIPA not only bec ause Iam the Commissioner, but also because I am a patient. I believe that the same sentiment alsoap plies to this do c ume nt. While I, as a p at ient, wo uld we lcome the p rospe c t of RFID tec hnologyimproving my health-care services, I, as Commissioner, also believe that we must ensure thede ployment o f this tec hnolog y d oes not infringe upo n our privac y.

Ann Ca voukian, Ph.D.Informat ion and Priva cy Commissioner of Onta rio

- 3 -


6/37


7/37

Introduction

Informat ion and c ommunicat ions tec hnolog ies (ICTs) a re transforming the wo rld we live inthrough revolutionary developments in bandwidth, storage, processing, mobility, wireless, andnetworking technologies.

The hea lth-ca re sec tor has rec og nized the va lue of new tec hnology in the de livery of healthcare. For example, globally, billions of dollars are now spent annually on advanced diagnostic

and treatm ent e quipm ent. Until rec ently, howe ver, ICTs we re limited to ad ministrative a ndfinancial applications and played only a small role in direct care for patients. But we arebeginning to see an evolutionary perhaps even revolutionary change in how health care isdelivered.

Health-care providers around the world are undergoing a digital transformation, harnessingc utting-edg e IT to inc rea se op erationa l effic ienc ies and save lives. For exam ple, they arereplacing expensive, hard-to-share and easily lost x-ray films with digital images that can beeffortlessly and sec urely shared , stored , transmitted and ac cessed . They are a lso mo ving a wa yfrom an environme nt d ominated by hand -written note s and physic ian orders to one where staffuse ICTs to doc ument patient rec ords and enter and process orders. Thanks to ICTs, the v ision o fc omprehensive a nd instantly available elec tronic hea lth rec ords is now within reac h.

But the digital transformation is about much more than just software applications. It involves

taking a dva ntag e o f ad vanc ed tec hnolog y such as RFID to imag inatively me et a host of nee ds.Invente d o ver 60 years ago , RFID is funda me nta lly a te c hnology fo r autom at ic ident ific a tion thatc an be d ep loyed in a nearly unlimited numb er of ways. The te c hnology is sta rting to hit its stride ,finding a wealth of new uses and applications related to automated identification, safety andbusiness process improvem ent .

Patient sa fety is one of the m ost c ritica l issues in the he alth-ca re sec tor tod ay. There is amounting concern about medical errors, such as from the administration of incorrectmedications or dosages, or from patients being misidentified. A 1999 study of 1,116 hospitals bythe United Sta tes Institute o f Me dic ine sugg ests that mo re t han 44,000 de aths oc cur eac h yea r inthe United Sta tes as a result of in-hosp ital med ica tion e rrors.1 Canadian estimates put the figureat 700 deaths per year due to medication errors.2 A 2002 study of m ed ica tion errors at 14 ac utec are hosp ita ls in Onta rio counte d ove r 4,000 errors, only 800 of w hich w ere c ounte d as adverse

drug effects.3 A similar stud y c ond uc ted at the Children s Hospita l of Eastern Onta rio publishedin 2003 counted over 800 medication errors during a six-year period. 4 RFID technologies mayoffer remed ies for these p at ient safe ty p rob lem s.

Operational inefficiencies, in some cases due to the inability to rapidly find and track medicaleq uipm ent, are also a conc ern for the health-care sec tor. It has be en estima ted that the theft ofeq uipme nt a nd supp lies c osts hospita ls $4,000 per be d ea ch year a nd with over 975,000 sta ffedbeds in the U.S., this represents a potential loss of $3.9 billion annually. 5 Conside rab le time andeffort is spent searching for valuable mobile medical assets, and in maintaining an accurateand up-to-date inventory huma n resources that m ight o therwise b e b etter ded ic ate d to moreprod uc tive end s. Once a ga in, RFID tec hnolog ies c an he lp p rovide cost-effec tive solutions.

1 Institute of Me dic ine, To Err is Huma n: Building a Safer Hea lth Syste m, Washington, D.C.: National Academy Press, 1999.

2 David U, BSc Phm, M Sc Phm., (President and CEO, Institute fo r Safe Med ica tion Prac tices Ca nad a ), Med ica tion Error and Patient Safe ty,Longwoods Publishing, Vol 2, No. 1, at: www.longwoods.com/product.php?productid=16442.

3 Joa n A Ma rshma n, David K U, Rob ert WK Lam , and Sylvia Hyland , Medication Error Events in Ontario Acute Care Hospitals, Ca n J HospPharm 2006;59:243-50, at: www .ismp -c ana da .org/ dow nload / Med ica tion_Error_Events_in_Ontario_Acute_Care_Hospitals.pdf.

4 W. James King, MSc, M D*,, Naomi Paice , MD*, Jag ad ish Rangrej, MMa th,, Grego ry J. Forestell, MHA| | and Ron Swa rtz, BScPharm, TheEffec t of C om put erized Physician O rder Entry on Me dic at ion Errors and Ad verse Drug Event s in Ped iatric Inpa tients, in PEDIATRICS Vol. 112No. 3 Sep t 2003, pp . 506-509, at: http://pediatrics.aappublications.org/cgi/content/abstract/112/3/506 .

See also: Health Ca nad a, Look-alike Sound -alike Health Prod uc t Nam es, at: www.hc-sc.gc.ca/dhp-mps/alt_formats/hpfb-dgp sa/ pdf/ brgtherap/ lasa-pspc s_factsheet-faitsaillant_e.pdf, and Institute for Safe M ed ica tion Prac tices Cana da (ISMP Ca nad a),Ca nada Saf ety Bulletin, Vol 6, Issue 4 (July 2006), Eliminate Use o f Da nge rous Ab breviat ions, Symb ols, and Dose Designa tions, at:www .ismp -c ana da .org/ dow nload / ISMPCSB2006-04Abbr.pd f.

5RFID: Coming to a Hospita l nea r You, Sun Mic rosystems pre ss, Ap ril 2004

- 5 -


8/37


9/37

Wha t is Priva c y?

Informa tiona l p rivac y defined

Informational privacy is the right of an individual to exercise control over the collection, use,disclosure and retention of his or her personal information, including his or her personal healthinformation. Persona l informa tion (a lso know n as persona lly ident ifiab le informa tion or PII ) isany information, recorded or otherwise, relating to an identifiable individual. Almost any

information, if linked to an identifiable individual, can become personal in nature, be itbiographical, biological, genealogical, historical, transactional, locational, relational,c omputat ional, voc at ional, or rep uta tional. The d efinition of p ersona l informat ion is quite b roa din sc op e. The c hallenge s for privac y and da ta protec tion a re eq ually broad .

How p rivac y is reg ula ted in the hea lth-c are sec tor in Onta rio

On November 1, 2004, the Persona l Hea lth Information Prote c tion Ac t(PHIPA)6 c ame into effec tin the province of Onta rio. PHIPA provides individuals with control over the collection, use anddisclosure of their personal health information by requiring persons and organizations in thehealth sector, defined as health information custodians, to collect, use and disclose personalhealth information only with the consent of the individual to whom the information relates,subject to limited exceptions. It also provides individuals with the right to access and requirec orrec tion of the ir persona l health rec ords, subjec t to spe c ific excep tions.

PHIPA defines personal health information as identifying information about an individual that,among other things, relates to the physical or mental health of the individual, relates to theprovision of health care to the individual, identifies a provider of health care to the individual,identifies the substitute decision-maker of the individual, or is the individuals health number.

It defines a health information custodian as a person or organization listed in PHIPA that hascustody or control of personal health information. Examples of health information custodiansinclude health-care practitioners, hospitals, psychiatric facilities, long-term care homes,pharma c ies, lab orato ries, and a mb ulance servic es.

PHIPA reflects worldwide privacy criteria, such as the principles of fair information practices setforth in the Ca nad ian Standards Assoc ia tion Mod el Cod e fo r the Prote c tion of Persona lInformation7 and the Glob al Privac y Sta nd ard, an effort of the international privacy and dataprote c tion commissioners, led by the IPC, to ha rmo nize the va rious p rivac y c od es and p rac tice sc urrently in use a round the wo rld.8

Ob liga tions of the hea lth-c are sec tor in rela tion to persona l hea lthinformation

Health information custodians are required, under PHIPA, to collect, use and disclose personalhealth information only with the consent of the individual to whom the personal healthinformation relates, subjec t to limited excep tions. They a re a lso req uired to c omply with thewishes of a n individua l who withho lds or withd raws c onsent, or who g ives express instruc tions tha t

the information must not be used or disc losed for hea lth-care p urpo ses in ce rta in circumsta nces.PHIPA also prohibits health information custodians from collecting, using or disclosing personalhealth information if other information will serve the purpose and requires that only theinformation that is reasonably necessary be collected, used, or disclosed. Custodians arerequired to take reasonable steps to ensure that personal health information is protected

6 PHIPA text availab le at: www .e-law s.gov .on.ca / html/ statutes/ english/ elaw s_statutes_04p03_e.htm and A Guide to the Personal HealthInformation Protec tion Ac tavailable at: www.ipc.on.ca/images/Resources/hguide-e.pdf .

7 Availab le at: www.csa.ca/standards/privacy/code/.

8 Availab le at: www.ipc .on.ca/ image s/ Resources/ up-gp s.pdf.

- 7 -


10/37

ag a inst theft, loss and unauthorized use or d isc losure, ensure tha t rec ords a re prote c ted ag a instunauthorized copying, modification and disposal, and retain, transfer, and dispose of healthinformation in a sec ure m anne r.

In addition, PHIPA req uires hea lth informat ion custod ians to provide ind ividua ls with the right toac c ess their rec ords and have them correc ted subjec t to spe c ific excep tions.

Ob liga tions of elec tronic servic es p roviders in rela tion to persona l

hea lth informationSupp liers of e lect ronic services (who are no t a ge nts) tha t ena ble the hea lth informa tioncustodian to collect, use, modify, disclose, retain or dispose of personal health information arebound by certain obligations in PHIPA. These inc lude not using persona l hea lth informa tionexcept as necessary in the course of providing services, not disclosing personal healthinformation, and not permitting employees or others acting on the suppliers behalf to haveacc ess to persona l health informa tion unless they a gree to be bo und by these restric tions.

Further, if the supp lier is a hea lth information netwo rk provide r, providing servic es to two ormore health information custodians primarily to enable them to disclose personal healthinforma tion to one another elec tronica lly, reg ardless of whe ther or not it is an a ge nt, the hea lthinforma tion netwo rk provide r is sub ject to further ob liga tions p resc ribed in reg ulation.

- 8 -


11/37

What is Rad io Frequenc y Identific a tion (RFID)?

RFID tec hnology fund ame nta ls

RFID is a c onta c tless tec hnolog y tha t uses rad io freq uenc y signals to transmit a nd rec eive d atawirelessly, from a d ista nc e, from RFID ta gs or transponders to RFID rea ders. RFID tec hno log y isgenerally used for automatic identification and to trigger processes that result in data collectionor autom at ion of manua l proc esses.

Key advantages of RFID-based systems for health-care delivery include:

Ac curate ide ntific ation without the nee d to t ouc h (or even see) the RFID tag ; Sensors c an be inc orpora ted into RFID ta gs to record tem pe rature o r identify po sitioning; Data stored inside RFID tag s can be enc rypted , mod ified and rewritten o n d ema nd; Tag s are rec yclab le a nd c an b e mad e d iffic ult to c ounterfeit; Spec ial d evices are required to rea d RFID ta gs, inc reasing priva c y in some c ases

(e.g. in c omp arison t o huma n-rea da ble informa tion).

The most c omm on a pp lication type s, group ed ac c ording to the p urpo se o f ide ntific ation, arepresented be low :

Purpose of Identific ation Application Typ e

Determine the presenc e of, and identify, an item Asset ma nag eme nt, safety

Determine the locat ion of an item Trac king, em ergenc y response

Determine the source of an item Authenticity verifica tion

Ensure affiliated items are not sep arate d Ma tc hing

Correlate informa tion with the item for de c ision-making Proce ss control, pa tient safe ty

Authentica te a pe rson holding a tag ged item Ac c ess c ontrol, ID verifica tion

Ma ny RFID ap plica tions will often span multip le purposes.

An RFID system is typ ica lly c om posed of:

1. RFID ta gs, which c an b e Passive, Ac tive o r Semi-Ac tive, typic ally c onta ining a uniqueide ntifying d ata string a nd po tentially ad ditional d ata ;

2. RFID rea de rs and writers, which c an be wireless hand held or fixed rea de r/a ntennadevices;

3. An infrastructure, including middleware, that permits RFID readers and writers to processda ta to and from the RFID tag s, ma nag e communicat ions, ac cess c ontrol and sec urity,c onnec t to b ac k-office a pp lic ations, and ta ke ac tions on the ba sis of that d ata .

- 9 -


12/37

Figure 1 - Typ ica l Passive RFID system

It is imp ortant to note that the RFID ta g and rea de r are only the up-front, visib le pa rt o f a n RFIDsystem, which often connects through a wired or wireless network to a back-office applicationand one or more d ataba ses or hospita l information system s.

There a re som e imp orta nt typ es and va riet ies of RFID tags and assoc iate d RFID informa tiontec hnolog ies and systems. These a re outlined b riefly be low.

1. Passive vs. Ac tive RFID tags

RFID tags can be Passive (non-ba ttery p owered), Ac tive (ba ttery-powered), or Bat tery-AssistedPassive (dua l mod e). Passive ta gs, which are b y far the mo st c ommo n, are the simp lest a nd leastexpensive to ma nufac ture a nd use. They c onta in a chip and antenna on a substrate , typic allyat tac hed to a labe l or brac elet, are typ ica lly c lassified within Low-Freq uenc y, High-Frequenc y orUltra-High Freq uenc y group ings and c om ply with sta nd ards suc h as ISO o r Elec tronic Produc tCo de (EPC). To t ransmit their data payloa d, pa ssive ta gs use rad io ene rgy supp lied by RFIDinterrog ators or rea ders. Passive tag s typ ica lly conta in sma ll data pa yloa ds, ca n be read-only orread-write, and must be physically close to the reader to communicate effectively (Hi-Frequency tag read-ranges can vary from 3 to 30, Ultra-High-Frequency tags can be read upto 15 to 20 from the read er-antenna ). The new ge neration o f Bat tery-Assisted Passive ta gs ca n

c onta in la rge r am ounts of data, and transmit over long er dista nces.Active RFID tags, or transponders, contain a battery and can be configured to transmit theirinformation at g iven time interva ls or rea c t to a n aw akening signal or event. The ta g s ba tterylife typically ranges from one year to over five years, depending on the frequency that theytransmit da ta . These ta gs are muc h mo re expensive than p assive ta gs, but p rovide ad ditionalfunc tionality. The ta gs can be rea d a t longe r distanc es (e.g. 100 to 500 feet ), c an hold largeramounts of data and can contain integrated sensors (e.g. temperature, motion, tamper-de tec tion, etc .). Some ac tive ta gs c an p rovide tw o-way communic ations using c ustomizab lebutto ns, LED lights or buzzers integ rated into the ta g, simila r to a pager. This technology is

- 10 -


13/37

typically used in high-value asset management solutions or real-time medical equipmenttrac king solutions, inc luding de tec tion of presenc e, zone c overage or rea l-time loc at ion services(RTLS). RTLS syste ms func tion in a manner similar to GPS loc ation syste ms, me asuring the signa lstrength from the tag received by three or more readers and graphically displaying the currentor histo rica l loc a tion o f the ta g on a ma p. Som e RTLS systems use p roprieta ry ante nna s andreaders and others can leverage an existing WiFi infrastructure to communicate with the tags.The system s c an be c onfigured to provide custom ized mo nitoring a nd a lerting o f events, suc h asba ttery pow er status, a ta g entering a restric ted area, a tag falling to the floor, or a ta g be ingremo ved from an o bjec t without authorization.

All of the d esc ribed types of ta gs have imp ortant imp lic at ions for privac y and sec urity.

2. Referentia l vs. non-re ferential RFID system s

The te rm referent ial is used for RFID systems using ta gs tha t typ ica lly conta in a unique key orsemi-random data string, which allows retrieval of relevant information from an application ordata base. Refe rential RFID systems are the d om inant t ype in use to day. As suggested b y Figure 1above, the data on the tags serves as a pointer or reference to a centralized storage andproc essing system s located elsewhere on the ne two rk. The informat ion stored on the ta g allowsretrieval of information from the database, file, or document contained in the back-officesystem , or log ic e mb ed de d inside a loca l or remote information system or proc ess. For example,an RFID-enabled proximity card can contain a serial number that, when waved near an

antenna connected to a reader, triggers that reader to collect the data and send it to acomputer or server where the data is compared against stored values. If there is a positivematch, an action is then performed, such as unlocking the door to an office or opening apatients medical record. If the network is down, the system may not function as desired, as theinforma tion c onta ined in the ta g m ay no t b e suffic ient to trigg er the d esired ac tion.

By c ontrast, non-referential RFID system s are a ble t o store a ll or some o f the da ta neede d forsystems operation in the tags memory, and may contain logic running on mobile devices or theta g itself. This functionality a llows de c isions to be ma de ba sed on the information stored in thetag, without any need for linked networks and back-end databases to function, which canprove useful if the network is down, or the data can not be accessed online. Non-referentialsystems conta in func tionality to synchronize the informa tion b etwe en the tag and a ba ck-offic edata base or application and encryption is typically used to protect against unauthorized

ac c ess to the da ta.

Both typ es of RFID systems have implications for pe rsona l informa tion a nd priva cy.

3. Closed vs. Open Loop App lica tions

A closed-loop RFID application the most common type is any RFID system that is deployedentirely within a single organization, rather than across several organizations. Closed-loop RFIDinforma tion system s ma y involve the use o f either standards-based or prop rietary tags, enc od ingformats, transmission protocols, and processing middleware.

An open-loop RFID application, by contrast, is intended to function across organizationalboundaries, requiring adoption of common standards and information-sharing protocols. RFID

deployments for supply-chain management, in which an item is tracked across variousorga niza tions in a range of loc at ions, are a c lassic exam ple o f op en-loo p RFID ap plica tion.

Just as the authenticity of the RFID-enabled proximity card is verified against a back-enddatabase, the authenticity of a pharmaceutical product may be verified to ensure that theproduct is not counterfeit. A record of access can be kept for billing purposes or to record thetime tha t someone e ntered a pa rticular building o r room. The trave ls of a n RFID-tagg ed itemc an b e mo nitored a nd trac ked a c ross time a nd d istanc e through p eriod ic rea ds of the tag andc orrela tion of its unique identific a tion in a data base. This is what oc c urs when RFID-tag gedsupplies and inventory are shipped from a production facility to a distributor to a retailer,providing visibility and a c c ounta bility througho ut the entire supply cha in.

- 11 -


14/37

Sample RFID System

- 12 -

hnolog y vs bar c od es

ea lth-c are settings, but a re known to have tec hnical

epresents a next-generation improvement over traditional bar codes.

Barcoding RFID

RFID tec

Bar c od e system s are c om mo nly used in hlimitat ions such a s inac cessibility when a pa tient c ove rs the wrist b and with his or her bo dy or thebar code is curved around a wrist band. In such cases, manual entry of the patient ID isrequired, or the patient must be awaken or touched to facilitate reading of the bar code,potentially increasing the risk of nosocomial infections. Bar codes also have limited storagespa c e for informa tion a nd c an w ea r out after protrac ted use. They do not fa c ilitate mod ificationand upd at ing of informa tion (unless the ba r co de is rep rinted ). These limitat ions c onsumeresources that could otherwise be spent on other tasks, increase the risk of human error, andincrease op erating c osts.

Generally speaking, RFID rSome differences betwe en the two tec hnolog ies are identified be low.

Req uires line of sight of sight not required Line Sc an o ne item at a time Multiple items at a time Inexpensive More expe nsive Widely used Emerging a pp lication in health c are Standards-ba sed Standards de velop ing Read only Digital, rea d-write c ap ab le Depends on external data store cess to Ca n store da ta o r trigger ac

external da ta

Provides licenc e p late information o nly nt data (Serial # , loc ., Ca n store relevasta tus, etc .)


15/37


16/37

of the ind ividua l who m ay b e c arrying the ta g. This has po tent imp lica tions for informedconsent.

4. RFID information systems can also capture time and location data, upon which itemhistories and profiles can be constructed, making accountability for data use critical.When such systems are applied to people, it may be viewed as surveillance (or worse,de pe nding on what is do ne with the da ta).

To first und ersta nd priva c y and sec urity risks, and then to mitiga te t hese risks, we must a lways

follow the (personal) data as it flows throughout the entire information system: what data isc ollec ted , how and for wha t p urpo ses, where it is stored , how it is used , with who m it is shared orpotent ially disc losed , unde r wha t c ond itions, and so fo rth. This is referred to a s the informationlife-cyc le, and the d ispo sition and g ove rnanc e o f pe rsona l health informat ion throughout its life-c ycle lies at the hea rt o f mo st informa tion privac y c onc erns in the health c are environme nt.

RFID systems are, fundamentally, information systems put in place by organizations toautomatically capture, transmit and process identifiable information. Informational privacyinvolves the right of individuals to exercise control over the collection, use, retention anddisclosure of personally ide ntifiab le information b y o thers. There a re inherent tensions betw eenthe, at times, competing interests of organizations and individuals over the disposition of theinformation, espe c ia lly ove r the und isc losed or unautho rized reve lation of fa c ts ab out individua lsand the nega tive effec ts they may experienc e as a c onseq uenc e.

As was described in a recent European study on the many uses of RFID technology, RFIDinformation technologies can exacerbate a power imbalance between the individual and thecollecting organization.10

Genera l approa c h and framewo rk to b uild ing p rivac y in ea rly

Build ing p rivac y into informa tion system s and tec hnolog ies, whe ther RFID-enab led or not , be ginsat the to p of the organizational de c ision lad de r, and at the e arly stag es of p roject de sign a ndimplementa tion. A c omprehensive, m ultidisc iplinary a pp roa c h is req uired . The step s outlinedhere p rovide a high-level ap proac h a nd gene ral fram ework for building p rivac y into informa tiontechnologies and systems.

As a fram ework, it is useful for gene ral orienta tion and p lanning purpo ses, and ma y be used as astarting point for deeper analyses, according to the specific objectives, operationalc harac teristics, and othe r pa ram ete rs of the RFID prop osal o r projec t in question.

1. Clearly de fine, do cume nt and limit purpo ses for co llec ting and using pe rsona l data, inorder to m inimize the potential for priva cy invasion. The purpo ses ide ntified should me etthe tests of ne cessity, effe c tivene ss, prop ortiona lity, and no-less invasive a lternat ive.

2. Develop a c omprehensive a nd realistic projec t ma nag eme nt plan, with the p ivota linvolvem ent of a knowled ge able p rivac y offic er, with suffic ient autho rity and resource s.

3. Ide ntify all information sec urity a nd priva c y risks throughout the data life-cyc le, inc ludingrisks from inside the organization as well as external sources.

4. Conduc t a c om prehensive Privac y Imp ac t Assessme nt (PIA) of t he entire system at theconc eptua l, log ical and physic al stag es of its de velopment, with a c lea r plan a ndtimeta b le for addressing ide ntified risks.

5. Build p riva c y and sec urity in at the outset . This mea ns inco rporating the p rinc iples of fa irinformation p rac tice s into the de sign and op eration o f an RFID informat ion system , and thepo lic ies tha t gove rn its op eration.11

10 See RFID and Identity Manag eme nt in Everyday Life: Striking the ba lance bet wee n co nvenience, c hoice a nd c ontrol, study by t he (July2007) Europ ea n Parliame nt Scientific Tec hno logy Opt ions Assessme nt (STOA), IPOL/A / STOA/ 2006-22.

- 14 -


17/37


18/37

RFID Ap p lic a tions in the Hea lth Sec to r

Hea lth-ca re p rovide rs a round the wo rld ha ve be en using or testing RFID tec hnology in a va rietyof contexts for several years. For example, RFID technology has successfully been used to tagpharmaceutical products to reduce the risk of counterfeit medications use in the UnitedKingdom.

RFID is also proving to be very useful in identifying patients, increasing safety and reducing

incidents of mistaken identity during critical surgery. It is being successfully used to locatepa tients needing extra ca re, suc h a s the elde rly, or pa tients suffering from Alzheimer or me mo ryloss.

Medical equipment is being more rapidly located and tracked within health-care facilities,lea ding to mo re e ffective use o f resourc es. Waste m ana gem ent ha s be en improved through theuse of RFID.

From a privacy point of view, the single most relevant consideration is whether and to whatextent the RFID-related data collected or generated from the tags may be characterized aspe rsona lly identifiable (health) informa tion. To the extent tha t it is (or co uld be ) p ersona llyide ntifiab le da ta, t hen lega l and regulatory privac y requireme nts are invoked.

For this reason, we have o rga nized some of the known RFID tec hnology de ploym ents into three

broad c ate go ries of inc rea sing p rivac y relevanc e a nd c onc ern:1. Tagging things;2. Tag ging things linked to p eople; and3. Tag ging p eop le.

- 16 -


19/37

Tagging things

RFID technologies have proven to be ideal for identifying and locating thingsbecause theyincrease the reading accuracy and visibility of tagged items far beyond bar codes and otherlab els. The results c an inc lude g reater efficienc y for auto ma ting inventory proc esses, findingmisplaced items, and generally keeping better track of things as they move through their life-cycles.

Automatic identification remains the basis of all RFID information systems, but specific

applications may be variously described as asset management, tracking, authenticityverification, matching, and process or access control, depending on the context andcircumstances. Application types are not mutually exclusive: an implementation or deploymentcan combine elements of several application types. For example, RFID-based informationsystems that both identify and locate tagged items combine asset management with tracking(real-time or otherwise).

All of these application types are currently being used by health-care providers, many of whichare large institutions with c omplex asset m ana ge me nt a nd logistica l req uirements.

Sam p le RFID hea lth-c are d ep loyment scena rios tha t involve the ta gg ing o f thingsinclude:

Bulk pha rmac euticals; Invento ry and assets (e.g . trolleys, whe elcha irs, medica l supplies); Medical equipm ent and instruments (e.g. infusion pum ps, wheelcha irs); Elec tronic IT dev ices (e.g . co mpute rs, printers, PDAs); Surgica l pa rts (e.g . prosthe tics, spong es); Boo ks, do c uments, do ssiers and files; Waste a nd b io-hazards ma nag eme nt.

One of the key reasons for introducing RFID-based automatic identification technologies andsystems is often to improve operational efficiency. The integra tion o f RFID tec hnology withbusiness intelligenc e and analytics system s has proven t he be nefit of leveraging this tec hnologyfor business proc ess improvem ent .

RFID-tagging and tracking of items has also been shown to save valuable staff time and costsassociated with manual data collection and input (especially when it is routine and repetitive),and a lso with p hysica l sea rche s for misp lac ed or lost item s. Further, RFID-tag ge d assets and itemscan help reduce human errors and mistakes, as well as improving auditability andac counta bility, resulting in be tter q uality hea lth-ca re services.

Effic ienc y ga ins ma y also b e realized from more a cc urate and up-to-date inventory acc ounting,and from reduced shrinkage of valuable assets.

Many pharmaceutical RFID tracking and tracing initiatives are underway in the U.S., E.U., andAsia. Pharmaceutical drug e-Pedigrees have become the subject of considerable attentionby the hea lth ca re and RFID industries, as well as by gove rnme nt he alth regulatory and licensingag enc ies ac ross North Americ a.

A drug pedigree is a statement of origin that identifies each prior sale, purchase or trade of adrug product, including the date of these transactions and the name and addresses of allparties to them.

The U.S. Foo d and Drug Ad ministrat ion (FDA) e -Ped igree req uirem ents were o utlined in a 1988set of FDA regulations enacted following the passage of the Prescription Drug Marketing Act(PDMA) of 1987, created to address problems of drug counterfeiting in the pharmaceuticalsupply chain. Pharmaceuticals can travel through many different points in the distribution chainfrom the fac tory to a pharma cy or hospita l, c rea ting a significant c ounte rfeit d rugs issue. Toadd ress these issues and asc ertain prop er c hain o f c ustod y, the FDA ha s be en investiga ting

- 17 -


20/37

the use of RFID technology to increase supply chain security. At the time, the FDA anticipatedthat the e-Ped igree would be ac hieva ble b y 2007.

The b roa d intent is to p rovide a do c umente d c hain of custod y for high-value pha rma ceutica ls,from the production plant through to the dispensary, as well as the return and disposition ofpharmaceutical items. In addition to automating the identification, documentation andpharmaceutical supply-chain management processes, drug pedigrees are also expected tohelp minimize incide nc e of c ounte rfeiting a nd d iversion, and to fa c ilita te rec alls.

Drug pedigree requirements can be fulfilled through traditional paper methods, but RFID

technologies, combined with networked databases, offer a more automated, secure, andtrusted wa y to e stablish suc h a pe digree.

Privac y Considerations

Generally speaking, the business of identifying and tracking inventory and objects does notinvolve c ollec tion, use or retent ion of pe rsona lly ident ifiab le informa tion. The unique ly identifyingdata stored on the RFID tags, which are read by interrogators, transmitted across networks,processed by middleware, stored in logs, shared with third parties, and acted upon in thec ontext of releva nt business proc esses, refe rs exc lusively to things in a ma nner ana logous to aprod uc t seria l number. Acc ordingly, if there is no pe rsona lly-identifiab le hea lth informa tion, thenprivac y doe s not c ome into play.

In February 2004, the U.S. Food and Drug Administration recognized the potential of RFIDinforma tion tec hnolog ies to c omb at c ounterfeit pharmac euticals and to p rovide more effectivefulfillment of U.S.-ma nda ted d rug pe d igree req uirements.12 In November 2004, the FDA issued areport recommending that drug makers use RFID to track bottles of the most commonlycounterfeited drugs, with eventual extension to more drugs over time.13 The FDA a lso pub lisheda guida nce p olicy a round the use o f RFID in the p harma ceutica l industry, which sta tes, inter a liathat:

RFID tags are attached only to immediate containers, secondary packaging, shippingc onta iners and / or pa llets of drugs that a re b eing p lac ed into c omm erce;

Drugs involved will be limited to presc ription o r over-the-counter finished prod uc ts; RFID will be used only for inventory control, trac king and trac ing of p rod uc ts, verifica tion

of shipm ent a nd rec eipt o f such produc ts, or finished produc t a uthentication;

The ta gs will not c onta in or transmit informa tion for the hea lthca re p rac titioner or theconsumer;

The ta gs will not c onta in or transmit advertisem ents or information abo ut p rod uc tindica tions or off-lab el prod uc t uses.

The scop e o f the FDAs guida nc e m akes c lear that pe rsona lly-identifiab le information is notinvolved in the pharmaceutical supply chain management, and hence, privacy issues, do notc ome into play.

Examples of RFID Uses

The follow ing exam ples p rovide a glimp se into the b roa d range of uses for which RFIDtec hnolog ies ma y be d ep loyed by ta gg ing things:

12 CO MBATING C OUNTERFEITDRUGS: A Repo rt of the Foo d an d Drug Ad ministration (Feb ruary 18, 2004) a vailab le a t:www.fda.gov/ oc/ initiatives/ counterfeit/ report02_04.pdf.

13 Rad iofreque nc y Identifica tion Feasibility Studies and Pilot Program s for Drugs, Guida nc e fo r FDA Staff and Industry, Comp lianc e PolicyGuides, Sec.400.210, Rad iofreque nc y Identific atio n Fea sibility Stud ies and Pilot Program s for Drugs, November 2004, available at:www.fda.gov/ oc/ initiatives/ counterfeit/ rfid_cp g.html.

- 18 -


21/37


22/37

Guidance

Generally spea king, whe re the re is no p ersona lly identifiab le information c ollec ted or used by a nRFID-based information system, and little likelihood or risk of RFID-generated data becomingpersonally identifiable information, then there are no privacy issues and, in Ontario, theprovisions of PHIPA do not c ome into play.

In a similar manner, to the extent that pharmaceutical tagging and e-pedigree programsremain strictly a (bulk) supply-chain management issue, ending at the dispensary, the privacyimplica tions are m inimal, while the b ene fits ma y be c onside rab le. The a pp lic at ion o f c lear rulesand guidance by regulatory agencies, such as by the FDA 14, will help to provide additionalassuranc e a nd c onfide nce tha t p rivac y interests are not e nga ge d.

14 For more FDA info and guida nc e, see www.fda.gov/ oc/ initiatives/ counterfeit/.

- 20 -


23/37

Tagging things linked to p eop le

The next c lass of RFID tec hnology uses involve RFID ta gging of items that are (or ma y be) linkedto identifiable individuals and to personal information, usually on a more prolonged basis(ranging from one week in the case of tagged garments, to several years or longer in the caseof pa tient dossiers).

Some RFID d ep loyment sc ena rios tha t involve ta gg ing things linked to peopleinclude:

Medica l equipm ent b eing used by pa tients, visitors or sta ff; Rea ders, tab lets, mob ile a nd other IT dev ice s assigned to sta ff; Ac c ess c ards assigned to sta ff o r visitors; Sma rt cab inets; Devices, garments, or spaces (rooms) assigned to patients; Blood sam p les and o ther pa tient spe c ime ns; Patient files and dossiers; and Ind ividua l presc rip tion v ials.

In each usage scenario, the main purpose of the tagging is to identify and track objects, asbefore, but the relative p erma nence of the tag , the nature a nd a mount of the d ata co llec ted,and the strength of the datas linkage to identifiable individuals may invoke privacy issues andconcerns.

Privac y Considerations

Increasingly, RFID tags are being attached to items that are, or may be, linked to individuals.Privacy interests become progressively engaged with the strength and ease of this linkage,a long w ith the sensitivity of the linked data . The same basic p roperties tha t make RFIDinformation technologies and systems so useful for inventory control and supply managementpurposes can imp ac t individua l privac y whe n that trac king and c ontrol extends to individua ls,espe c ially whe n informed consent is lac king.

There a re a sset ide ntificat ion, trac king a nd m ana ge me nt sc ena rios tha t c ould involve a link with

personally identifiable information. For example: all touch-points or interactions with taggeditems (and the da ta g enerated ) by staff might be log ged for aud it a nd a c c ountab ility purposes,eng ag ing employee p rivac y interests. Tag ge d assets c ould a lso b e te mp orarily a ssigned toindividuals (beds, rooms, equipment) and, if they are mobile items, can become a proxy fortracking people through inference. Even if the data on an RFID tag is encrypted or otherwiseunintelligible, the tag can still be used as a basis for tracking and its history correlated withpe rsona lly ident ifiable informat ion from anothe r system . This c ould hap pen, for exam ple, whenuse of an RFID-enabled visitor access card is correlated with a video capture of the bearer, atac c ess po ints or othe r chokepoints.

Some RFID tags are re-writa b le and re-usable. If data ab out an individual, suc h a s a pa tientidentifier or drug presc rip tion, is written locally to the ta g, the n it is possible it m ay be rea d andused in an una uthorized ma nner if it is not prop erly sec ured or de stroyed .

If the RFID-tag ged item travelswith the individual, then extensive tracking and monitoring of theitem is tantamount to tracking and surveillance of that individual. In the case of access cards,the threats and risks extend to hacking and cloning of the embedded RFID tags, allowingunauthorized individua ls to e ffec tively ac c ess sec ure spa ces and to c ommit identity theft.

Unauthorized identification, tracking, surveillance, and profiling of individuals are very seriouspriva c y issues. In a dd ition, sec urity issues rela ted to RFID tag s, includ ing skimm ing e avesdropping,interception, interference, tampering, cloning and misuse, can also impact individual privacy(as well as the ope rat ions of he alth-ca re p rovide rs).

- 21 -


24/37

As noted e arlier (see referent ial vs non-refe rential systems), RFID tags do no t a lways c onta inpersonally identifiable information, such as a persons name. In most cases they encode somesemi-rand om unique a lphanum eric string tha t c an serve as a p ointer, or index key, to a pe rson slinked identifiable information, such as a medical or transaction record stored in a networkedda ta ba se (p erhap s eve n transmitted offsite a nd c ontrolled by third parties). RFID rea ders oftenmobile read tag data and use it to trigger an action, such as to display and record the tagc ontents, or to look up and retrieve (and use) d ata c orrespo nding to the tag ID.

Readers themselves, or any RFID-enabled portable computing and communications device,may be assigned to health-care personnel to help them collect and transmit data stored ontags elsewhere. Usually this is intended to help staff accomplish their tasks faster and moreefficiently, but the data collected can then be correlated with the personnel ID or role, andused to establish audit trails and to enhance accountability.

Generic (i.e., blank) RFID-embedded access cards many not serve as identity cards, yet theirassignment to sta ff and permissible uses are cont rolled c ent rally. Typ ica lly, there is som e linkagewith identified individuals (i.e., the bearer), and all uses and attempted uses of the cards areroutinely collec ted a nd reta ined in log s. This a llow s for the p ossibility of deta iled profiles to b econstructed.

Tagg ing p at ient spe c ime ns and o ther wa ste for prope r hand ling o r d isposal ma y ac tua llyenhance privacy if the alternative involves labeling the item with human-readable personally-identifiable information or bar codes. As usual, much depends upon the strength of the linkage

to the patient and the ease with which parties may make that connection (e.g. databaseaccess). In general, however, any tagged file or item that must be linkable to an individual, yetbe passed around to multiple parties in a privacy-preserving manner (e.g., admission slip, testresults, survey results/ fee dbac k, files, etc .), c ould p otent ially be nefit from the dep loyment o f RFIDtechnology.

While the concern here is with the privacy and security issues related to RFID technologies, therewill be very justifiable and defensible health care-related reasons for deploying suchtec hnolog ies eve n whe re the re a re informat iona l priva cy implicat ions. In these c irc umsta nces, itis important that the benefits be demonstrable, the privacy risks identified and properlymitigated, and the entire system developed and deployed in a transparent, and responsiblemanner.


The follow ing d ep loyment e xamp les p rovide a g limp se into the b roa d rang e o f uses for whichRFID technologies for ta gg ing things linked to pe op le may b e d ep loyed :

Hand -washing c omp lianc e: To reduc e the spread of infec tions, a new auto ma ted hand -sanitizing syste m uses RFID to monitor how w ell hea lth-c are wo rkers wash the ir ha nd s. The w ashcycle automatically starts when the caregiver's hands are inserted into the machine's cylindricalopenings. Health-care-associated infections affect nearly 2 million individuals annually in theU.S., and are responsible fo r approxima tely 80,000 dea ths ea ch yea r, ac cording to a guidepublished by the Centers for Disease Control and Prevention (CDC), in collaboration with theInfec tious Disea se Soc iety of Americ a (IDSA) a nd the Soc iety of Hea lthc are Ep idemiolog y ofAmerica (SHEA). The transmission of hea lth-ca re-rela ted p atho ge ns most often oc c urs via thec onta minated hand s of hea lth-ca re workers. When w ashing ha nds, a ca reg iver wea ring an RFIDba dg e is identified by the machine's RFID interrog ator. The d evice records the d a te a nd t ime , aswell as the beginning and end of the wash cycle, then communicates that information to thedatabase. If a caregiver removes the hands before the 10-second cycle finishes, theinterrogator transmits this information to the back-end database. Hospital administrators canthen run departmental statistics and other compliance reports to determine which caregivershave c ompleted the wa shing c ycles.

Sma rt Cab inets: Texas University Medica l Center resea rche rs are using RFID to mana ge thesupp ly of c hemica ls and othe r materia ls used in b iolog y resea rch. The Center has insta lled two

- 22 -


25/37

storage cabinets fitted with RFID interrogators. Items stored inside the cabinets are fitted withRFID ta gs. Every autho rized resea rche r at the university ha s bee n issued a c red it c ard-sized RFIDkey c a rd c arrying a unique six-digit ID numb er that is used to relea se the loc k. The interrog atorreads the key cards ID number and the item tags in the cabinet before and after it has beenopened, enabling the software application to calculate what has been removed, and toupda te the online invento ry d ata. This informa tion is acc essible via the Web by universityadministrators, researchers and suppliers, and generates e-mail messages to the schoolsaccounts payable department and to the person who removed the items. Besides recordingeach transaction, the system helps suppliers know immediately what supplies have been used,

wha t need s to be p aid for and wha t need s rep lac ing.

Spe c ime ns: A well-known me dic al prac tice with diag nosis and treatm ent fa c ilities sc at teredac ross the U.S. pilote d an RFID system to allow me dica l prac titioners to be tter manag especimens of patient tissue. Deployed at endoscopy facilities, the tissue samples are taggedand tracked from the moment they are collected until they are delivered to the pathologylab orato ry for ana lysis, a series of steps c harac te rized as c rucia l. The p ilot lasted five m onths,and the de monstrab le be nefits included ac curate da ta c omm unic ation and ve rific ation, as wellas improved efficienc ies in spec ime n ma nag ement. The p lan now is to rap id ly pha se in anexpa nsion o f the p ilot.

Blood bags: In Malaysia, the government and three medical institutions are testing an RFIDsystem for tracking blood bags, with the ultimate goal of eventually equipping more than 300othe r go vernment a nd p riva te hospita ls and c linics. The system c omb ines bloo d b ag ta gg ingwith smart cabinets to enable automated, efficient track-and-trace visibility. Eventually thesystem could manage Malaysias entire blood bank, which includes 500,000 transfusionsannually. The expec ted be nefits inc lude imp roved blood ba g ide ntific ation, inventorying, a ndlogistics. Cross-matching, in which a recipients blood type is matched to available donatedblood, will be streamlined. Internal blood management processes will be made more efficient.Blood stock will be better maintained. Errors, blood-type mismatches, and waiting times will bered uced . Data ma nag eme nt a nd a c cess overall will imp rove, inc luding ea sy rep ort generationfor inventory, donation history, and donor/patient profiles. Registration and results screeningduring the blood donation processes will be simplified. Lastly, the system will enable analytics forthe entire blood ba nk ma nag eme nt proce ss.

Medicine Dispensing: A Southeast Asian RFID systems provider has introduced RFID-enabled

products designed to help health-care providers track pharmaceuticals and monitor drugad ministration, to ma ke sure tha t c orrec t doses are g iven. The c ompany s intelligent med ic ine-dispensing system combines RFID tags and readers, workflow software, electronic medicalrecords (EMRs) and a c ent ral da ta base in an integ rated solution. This ena bles nurses anddoctors to view patient records, update them in real-time, and double-check prescriptiondo sage s at the m om ent the y ad minister them. The system c an a lso a utom at ica lly sendprescriptions to pharmacists.

Patient Files: An acute-care and teaching hospital in New Jersey is implementing an RFID-ena bled pa tient reco rd ma nag eme nt solution. Seeking b oth increased effic ienc y andcompliance with Health Insurance Portability and Accountability Act (HIPAA) (which placesheightened importance on patient information management), the hospital has targeted itsSleep Centers, which p rovide c omprehensive eva luation a nd trea tment for pa tients

experienc ing sleep -rela ted p rob lems. The Centers ma nage 5,000 patient files. Eac h file is ta gge dwith an RFID tag, allowing it to be tracked from the moment it is created for a new patient untilthe file is retained in storage. RFID readers are positioned in key locations around the center toenable automatic tracking and encoding of the tags as they are moved from one place toanother. Reads and writes to the tags are dynamically updated in the central database,ensuring rea l-time, ac c urate loc at ion d ata . The Cente rs also ha ve a series of ha ndhe ld read ersfor routine invento ry and locat ing misp lac ed files.

Handheld Devic es to Verify Med ica tions: The St. Clair Hospital in Pittsburgh develop ed andimplemente d a n RFID-ba sed system to he lp protec t pat ients from me dicat ion e rrors and red ucehealth-care costs. Using bar code and RFID technology and a wireless network combined with

- 23 -


26/37

HP iPAQ Poc ket PCs, the VeriSc an med ica tion a dministrat ion verific a tion system c onfirms tha t anurse has the correct patient, medication, time, dose and route each time a medication isadministered. The system ha s bee n in use fo r two ye ars and is preventing more than 5,000me d ic at ion errors yea rly, acc ording to the hospita ls c hief op erating office r. With c lose to 1.3million d oses d ispe nsed ea c h yea r from St. Clair Hosp ita l s pha rma cy, we have p lenty ofop portunities for med ica tion e rrors. The RFID system helps the hospital nursing sta ff a vo id most o fthose errors and the associated costs, with estimated costs savings of more than $500,000annually. When it comes time to administer a medication, the nurse uses an HP iPAQ Pocket PCto sc an ba r cod es on the med ication p ac kage and RFID tag s on the pa tient s wristba nd. The

VeriSc an softwa re c omp ares the tw o sets of p atient a nd med ication d ata and alerts the nurseto any discrepancies. New orders, changes to orders and discontinued orders are available inreal-time so that the nurse is aware of medication changes without delay. Not only does patientinforma tion p op up o n the ha ndheld d isplay sc reen, but a lso a picture of the p atient, whic h wa staken when the p atient was ad mitted. The de vic e rec ords the da te a nd time the tag s and ba rcodes are read, and then wirelessly sends all the data (bar codes, RFID tag numbers andtimestamp) to the database, where it is compared with the doctor's latest orders. Voicecommands on the handheld announce, "Patient identification confirmed," or, in the case ofdiscrepancies, "Access denied." In addition, any new medication orders, order changes orc anc ellations are auto ma tic ally do wnload ed so tha t nurses can learn ab out them imm ed iately.

Pharmaceutical tagging (item-level): While most industry efforts are directed at realizing thebe nefits of ta gg ing a nd trac ing bulk pha rma ceutica ls in the supp ly c ha in, as d isc ussed ea rlier, a

smaller subset of initiatives is investigating the benefits of tagging item-level drugs, or evenindividual prescriptions, usually in more limited health-care provider contexts.

As noted in some of the case studies above, health-care providers are seeing merit in taggingand tracking specific drugs within their own care environments, principally to reduce patientmedication errors and also to maintain accurate inventory records. Using RFID technology,spe c ific drugs ma y be com e a ssoc iated with pa tients and sta ff in the c ourse o f their use, helpingto provide a n ac co untab le and auditable rec ord.

More ambitious RFID pilot projects involve integrating the technology into medicationpackaging for monitoring, patient diary and reminding purposes. In these cases, RFIDtechnologies serve as an automated mechanism for ensuring that patients are taking thecorrect drugs, in the rights dose, at the right times, perhaps for clinical testing and recording

purposes. The informed prior consent of the p atient is c ritica l in suc h sc ena rios.Less c lea r is the extent to which p resc ription vials p rovide d direc tly to individua ls by pha rma c iesare current ly being RFID-tag ge d (for exam ple, to help t rac k and spe ed up refills). This use c asescenario presents the strongest privacy issues, i.e., the possibility that individuals may carry ontheir persons RFID ta gs co nta ining sensitive p resc rip tion informa tion tha t c ould be sc anne d andrea d b y unautho rized pa rties.

Patients have a legitimate right to know how easy it would be for unauthorized parties to scanand read the contents of personal prescription vials carried in a purse or pocket, and to begiven a non-RFID alternative choice. Personal health information that may be inferred from thedrugs a person takes is highly sensitive, and requires strict controls and assurances againstunauthorized disclosure and collection. Efficiency and convenience should never automaticallytrump privacy interests!

Guidance

To the e xtent tha t p ersona l informat ion is involved and po tent ia lly a t risk, we urge mo vingforwa rd with ca ution, dilige nce, and a c omp rehensive informa tion governance p rog ram . Whenassessing the extent of personally identifiable information involved and the degree of riskinvolved, the following important questions should be asked regarding the system design andinformation flows:

Whether personal information is stored on the tags;

- 24 -


27/37

Whether the tag ge d items are c onside red pe rsonal; The likelihood tha t the tag w ill be in the p roximity of c ompa tible un-authorized rea ders; The leng th o f time reco rds are retained in ana lytic or a rchival system s; and The e ffec tiveness of RFID sec urity controls, in pa rticular:

The efficac y of ta g m emo ry ac c ess control and authentica tion me c hanisms; The a bility o f ta gs to be disabled a fter use; and The ability o f users to effec tively shield ta gs to p reve nt una uthorized read ing.

Prescription tagging: If and when RFID tags are affixed to individually-prescribed vials,pharmacies and health-care providers will have to address a number of privacy questions andconcerns:

Objective of tagging vials are they clearly defined? Combating pharmaceuticalcounterfeiting, fraud and diversion are less compelling reasons at the individualprescription level.

An account of any (new) information vulnerabilities and threats, and appropriatecountermeasures to mitigate them. How easy is it for others to read and understand thecontents of the tagged vials? Can these vulnerabilities be addressed through informationsec urity mea sures, suc h as enc rypt ion or shielding, and through b ette r pa tient ed ucat ion?

Do your privacy policies and procedures extend to the handling of RFID-tagged vials? Dothey c ove r any po tent ia l use o r misuses of the ta g a nd its da ta ?

- 25 -


28/37

Tagging people

The third a nd final c lass of RFID uses involves the intent iona l tag g ing and identifica tion o findividuals, rather than the devices, tokens or other assets they may be carrying or associatedwith. The d istinction c an be subt le since , tec hnic ally spe aking, it is alwa ys the ta g tha t isidentified in any RFID systems. However, when we talk about tagging people, we are focusingon the prima ry p urpo se of t he RFID dep loyment in question, as well as the relative strength andpermanenc e of the linkag e of the ta g to the individual and his or her pe rsona l informa tion.

For example, we would excludefrom this category a generic or reprogrammable RFID-enabledacc ess c ard tha t is tem porarily signe d out for use b y an em p loyee, c ontrac tor or visitor. Theprima ry p urpo se o f the c ard is to authorize p hysica l ac c ess to c ertain fac ilities or spac es, ratherthan ide ntifying t he b ea rer. The c ard a ssignment m ay be tempo rary in na ture, and the c ardcontains no specific personally identifiable information embedded or on its face. Any linkage ofthe c a rd ID to the individua l is retained only in a c entral reg ister rather than for operationa l use.Someone else m ay use the ac cess card a t a late r date .

Examples of RFID used (or intended to be used) to identify and track individuals in health carecontexts include:

Hea lth c are em ployee identific ation c ards; Patient health care identification cards; Ankle a nd w rist identifica tion brac elets(e.g., for pa tients, ba bies, wa ndering or elde rly pa tients); and Imp lanta b le RFID c hips.

The assignment o f temp orary RFID-ena bled b rac elets or anklets to p at ients for the d urat ion oftheir hospitalization and treatment, especially in large facilities, can help reduce the risk ofpa tient misidentific at ion, wa ndering o r treatm ent error.

RFID-enabled bracelets are being effectively used by many hospitals and health-care facilitiesas alternat ives to printed ba r code identific at ion to sec urely identify pa tients. Consent is typ ica llyprovided or implicit, in the same manner as would be provided to allow identification throughthe use of a ba r c ode or human reada ble tags.

The p rac tice of a ssigning RFID-enab led b racelets to newbo rn b ab ies, in orde r to p reve ntinadvertent mix-ups or abduction, is considered to be a reasonable, proportional and effectiveme asure. One suc h maternity identific at ion p rog ram a lso a ssigns a matching RFID to the m othe r,for ad de d a ssuranc e, in orde r to c onfirm the matc h betw een mother and c hild.

In many cases, the use of RFID wristbands, surprisingly, offer better patient privacy due to thefac t tha t c onfident ial and ofte n sensitive me dica l informat ion ca n be sec urely stored in the RFIDtag, or accessed automatically from a centralized system rather than printed in human-rea da ble forma t on the b and itself.

Other examples include tracking medical researchers who work with bio-hazardous andc onta gious ma terials, where rec ords of a ll mo vem ents and interac tions are imperative.

RFID-embedded (contactless) Identification cards are a special category of health care RFID

use. Here we must distinguish between employee identification (and access) cards (whethersmart or not), and patient identification cards. Employee Identification cards are increasinglybeing equipped with RFID technologies in order to identify and authenticate the bearer andfacilitate access to physical spaces and other (e.g. computer) resources, as well as for processcontrol and audit purposes. Dual or multi-purpose employee identity cards can serve differingfunctions at different times, ac c ording to c ontext. Such a multi-purpo se c ard a nd the d ata itc onta ins, if not prop erly c ontrolled , invites ove r-ide ntific at ion for som e func tions, funct ion c reep ,and unwante d em ployee profiling.

- 26 -


29/37


30/37

At least three sta tes have enac ted laws to b an m and atory RFID c hipping of individua ls. Highlycontentious public proposals for large-scale RFID-enabled passports, travel documents,enhanced drivers licenses and other portable documents continue to be actively debated,with privac y c onc erns at the forefront.

It is interesting to note the com plexity a nd c onte ntiousness of the m at ter for c ivil soc iety. Few ofthese proposals, however, deal with health-care scenarios. One major exception is thesubcutaneous chipping of patients, such as for long-term care patients suffering fromAlzheimers or dementia, who may be incapable of reliably identifying themselves for properc are and treatme nt, and are prone to w ande ring.

The p rac tice o f subcutaneous c hipping ha s been ap proved b y the U.S. Foo d a nd DrugAd ministration as safe , and at least one U.S. co mp any o ffers a na tion wide prog ram fo rindividuals to voluntarily become chipped in order to be identified faster by participatingc areg ivers, espe c ially if unc onsc ious or othe rwise una ble to com municate. The c hip conta ins ashort alpha nume ric string tha t, when q ueried ag ainst a sec ure d atab ase, allows rap id ac c ess topersonally-stored health records.

The U.S. Counc il on Ethica l and Judic ial Affa irs (CEJA), which develop s policies for the America nMedical Association, issued a report (2007) saying that implantable RFID devices maycompromise people's privacy and security because it is yet to be demonstrated that theinforma tion in the tag s can b e p rop erly protec ted .

Comp lex lega l and ethica l questions are invoked by RFID (and othe r ICT) imp lants in the huma nbody. Many of these questions were addressed by the European Group on Ethics (EGE) inSc ienc e a nd Tec hnology to the Europea n Com mission. In its 2005 rep ort, the EGE stressed tha tRFID (and other implants) in the human body can have repercussions for human dignity, andtha t their use for hea lth-ca re req uires informed consent, utm ost t ranspa renc y a nd stric t limits inthe case of patients unable to consent. Implants to gain control over the will of people shouldbe ba nned, and the a utonomy of the pa tient is the yardstic k.

Apart from subcutaneous chipping of the hospitalized elderly, there may be other justifiablereasons and circumstances for using RFID technologies in a less-invasive and less-permanentmanner, to identify staff and patients. At least one elderly-care treatment center assigns theelderly an active tag on a lanyard, allowing staff to automatically monitor and track theloc ation of p atients as they mo ve a bo ut the fa c ilities, and to respo nd imme diately in the eventof an incident.


Patient ID system: In January 2007, HP and Precision Dynamics Corporation (PDC) announcedthe deployment of a comprehensive RFID-based patient management system at the Chang-Gung Mem orial Hospital (CGM H) in Ta iwan. The system offe rs the m ed ica l fac ility numerousbenefits and has already realized positive results in patient identification. Patients are givenwristb and s with emb ed de d RFID chips that increase the ac c urac y of p atient identific ation a nddecrease the risk of so-called wrong-site and wrong-patient surgery, in which the incorrectoperation is performed on the correct patient, or the correct operation is performed on theincorrect patient. Under the new system, CGMH has realized 100% accurate patientidentificat ion in the op erating room. The system also autom ates da ta g athering, which c utsdown on p revious huma n error resulting from o ral c ommunica tion and ma nual da ta entry. Thisautomation also yields better compliance with standard operating procedures. Alerts arege nerated in real-time w hen the seq uenc e o f a p resc ribed proc ess is go ing am iss. In addition toimproved acc urac y, the HP-PDC system brings imp rove d e ffic iency. Me d ic al sta ff now spe nd 4.3minute s less verifying p atient d ata per inc ident. This figure multiplied ac ross hund reds or eve nthousands of daily patients (CGMH is part of an 8,800-bed health care system) can bringdramatic savings and, ultimately, better health care. Lastly, the RFID wristbands offer betterpatient privacy in that the confidential and often sensitive medical information is stored on theRFID c hip rathe r than p rinted in plain view o n a wristb and .

- 28 -


31/37

Wi-Fi Elde rly Care: An Austra lian p rovider of e lde rly c are is using a Wi-Fi-ba sed RFID syste m toena b le residents to q uic kly and ea sily ca ll for help w hen the y need it. The med ica l alertingsystem notifies caregivers any time a resident wanders into a dangerous area or hasn't movedfor a long time, indicating that they may need help. Affixed to lanyards that can be wornaround the ne ck, the ta gs me asure a pp roxima tely 2 by 1.5 inc hes and are a half-inc h thick. Theyare water-resistant and feature large, easy-to-find call buttons that residents can press whenthey are in troub le or need a ssista nc e. Sta ff a lso w ea r the t ags so they c an ea sily issue a nemergenc y a lert. When a ta g's c all butto n is pressed , the ta g transmits its unique ID numb er to anearby Wi-Fi access point, which passes that information on to each staff member's mobile

handhe ld d evice, a s we ll as to flat-sc ree n monitors insta lled throughout the com plex. The systemcan identify the room in which a tag is located, and includes a set of configurable rulesde signed to t rigg er alerts whe n broken.

Patient Monitoring: A Belgian University Hospital may be the first to use RFID technology not justto trac k where pa tients are, but ho w the y a re. The hosp ita l is using WiFi RTLS ta gs integrated withme dica l monitoring e quipme nt to remote ly transmit pa tient hea lth da ta a nd e mergenc y alerts.Nurses carrying wireless phones can instantly access patient information from the monitoringequipment, including blood pressure, oxygen level, and even electrocardiogram images. Inc ase o f emerge nc y, the RTLS ta gs c an a utoma tica lly issue a n a lert. The system is c urrent ly be ingdep loyed at a 1,100-be d hospita l. The integ rated system inc ludes the hospita ls lega c y WiFiwireless network, WiFi-ena bled RTLS ta gs, wireless phones, a Wireless Loc ation Ap p lianc e, va riouscommunication technologies, and monitoring equipment from a major medical systems

ma nufac turer. The ta gs are p lac ed on m onitoring eq uipm ent a ssigned to c ardiolog y p atients,who are the n free to take strolls, visit loung es, and mo ve a bout the fa c ility. The a pp lica tion willprovide p atient loc ation data in add ition to ad vanc ed m ed ical telema tics informa tion.

Prote c ting New bo rns: Eac h yea r in the U.S., there are 100-150 bab y a bduc tions, with mo re t han50% of those ba bies ta ken from hea lth-ca re fac ulties. There a re also o ver 20,000 mix-ups, withthe majority caught before the parents even know. A Dallas hospital was the first hospital toimplement the "Hugs and Kisses" RFID system, which uses active RFID tags to tag babies andmothers. A 'Hugs' tag is attached to the baby's foot. Mothers wear a 'Kisses' wrist band. If theypick up the w rong ba by the y hear an aud ible a larm, while p ic king up the c orrec t b ab y results ina confirmation. RFID reader installations mean that any attempted abduction is detected as theba by is mo ved , with the system linked to CCTV and sec urity. The ta gs a re d isab led a fter a t imeloc k whe n the fire a larm ha s bee n ac tivated. Over 400 U.S. hosp itals are current ly using the RFID-

ba sed ba by a nd mother monitoring system.

Medical Implant: Doc tors a t the University of Texas Southwestern Med ica l Cente r, wo rking w itheng ineers from the University of Texa s, Arlington, ha ve develop ed innova tive RFID-ba sedmedical technology to detect gastroesophageal reflux disease, caused by stomach contentsmo ving up the e sop hagus. The c ond ition, c om mo nly referred to a s esop hage a l reflux or GERD, isestima ted to a ffec t a s ma ny as 19 million peo p le. The ne w solution c om bines RFID with sensortec hnology to m ea sure a nd t ransmit data from within a pat ient's bo dy. A dime-sized RFID chip isinserted into the esop hag us, where it rema ins p inned until a physician remove s it. Equipp ed withan elec tric al impulse sensor, the c hip mea sures pa rticular imp ulses tha t indicate the p resenc e o fac idic o r non-ac id ic liquids in the esop hagus. These c ollec ted me asurements are transferredfrom the RFID chip to a wireless rec ep tor hanging a round the p at ient's nec k.

Imp lants: In Sep temb er, VeriChip Corporat ion, a p rovide r of RFID system s for hea lth ca re andpatient-related needs, announced that more than 90 Alzheimers patients and caregiversreceived the VeriMed RFID implantable microchip at the official launch of their Project withAlzheimers Community Care. VeriChips collaboration with Alzheimers Community Carec onsists of a volunta ry, two-year, 200-pa tient trial to eva luate the e ffec tiveness of the VeriMedPat ient Ide ntifica tion System in manag ing the reco rds of Alzheimers pa tients and theircaregivers.

- 29 -


32/37

Guidance

Because RFID technology allows for the automatic identification of identifiable individuals,spe c ial vigilance is req uired whe n ta gg ing p eop le. The p riva cy a nd sec urity risks assoc ia ted withc ollec ting, processing, and reta ining pe rsona l informat ion are the g rea test here, and req uire thestrictest, most rigorous and most transparent application of project management skills and riskmitigat ion me asures.

Subc utaneous RFID c hips app ea r to b e the mo st e xtreme form o f using RFID tec hnology toidentify humans with its inherent risks. The m a jority o f dep loyments, howeve r, involve the simp leassigning of an RFID-embedded card or bracelet to an individual. When pursuing this type ofidentific at ion p urpo se, the follow ing imp ortant d esign pa ram ete rs should b e c onsidered:

Whether the RFID ta gs will direc tly enc od e pe rsona lly ide ntifiab le informa tion,or serve as pointers to PII stored elsewhere;

Whether the tag s and their data will be p art of an op en-loop system(i.e., involving multiple organizations and actors);

Whether the data w ill be stored or co ntrolled b y an o utside third p a rties; Whether and to wha t extent the tag s are vulnerab le to ta mp ering a nd c loning; Whether and to w hat e xtent the ta g a nd its c ontents will be unde r the c ontrol of the

individual;

Whether the tags will be ac tive or p assive, rea d-only or re-writa ble; Whether the tag is tem porary or othe rwise remova ble from the individua l

(e.g. b rac elets, anklets, lanya rds, imp lants, ID or nam ec ard or othe r token); and

Whether the tag s unique d ata , or tag itself, be p erma nently de stroyed onc e its useexpires.

Professiona l and Ethical Considerations

Wheneve r considering, d esigning a nd implementing informat ion system s tha t involve c ollec ting,using, retaining and disclosing sensitive personal (health) information of patients, health-care

providers are strongly advised to consult appropriate professional codes and other codes ofethics. When in doubt , always chec k with a dd itiona l source s.

In Canada, many such policies, guidelines and codes for the ethical uses of health informationhave be en d evelope d and are read ily availab le. Rea de rs are enc ourag ed to visit the followinguseful websites:

Ca nadian Institute for Health Resea rch (CIHR):Policies and Guide lines in Ethicsat: www.cihr-irsc.gc.ca/e/29335.html

Develop ing a q ua lity c riteria fram ework for pa tient dec ision aids: online internationa lDelph i consensus proc essat: www.bmj.com/cgi/content/full/333/7565/417

Ethics in Menta l Hea lth Resea rchat: ww w.emhr.net/ ethics.htm

- 30 -


33/37

Conclusions

In this paper, we have described RFID technology, provided examples of current uses anddiscussed its suitability for the health-care sector. RFID offers many potential benefits in a widevariety of health-care contexts for improving the safety, efficiency and effectiveness of health-c are d elivery. How eve r, if not imp lemente d w ith due c are, it c an a lso impac t privac y interests inprofound and ne ga tive wa ys.

We have grouped together three different classes of RFID deployment and described, at a

general level, some of the security and privacy issues that could arise. We have suggested theuse of various privacy-enhancing methodologies, tools, and techniques intended to ensure thatprivacy safeguards are built into information systems from the very start, sufficient to mitigateknown vulne rab ilities, threa ts and risks. The resulting RFID systems should m erit the c onfidenc eand trust of all users and stakeholders, as well as meeting legislative compliance requirements.

The f irst c lass of RFID use invo lves the ta gging of things a lone, with no linkage to persona lidentifiers, and accordingly, no privacy issues.

The sec ond c lass involves the potential for data linkage to personal identifiers, raising thepo ssibility tha t individua ls c ould be identified and trac ked . This ca lls for the introd uc tion o f strongprivacy-protec tive mea sures to ensure tha t no unintende d c onseq uenc es arise.

The third c lass involves the use o f RFID intend ed prec isely for the purpose o f identifying p eo ple,

thus serving as personal identifiers. While strong privacy measures are clearly required here, theconcern with unintended consequences in this category is arguably less than in the previousone, where data linkage with personal identifiers is ancillary to the primary purpose. Care mustalways be taken, however, regardless of the extent of the threat posed, for strong protection ofprivacy.

We must ensure that Fair Information Practices - the heart of privacy and data protection - areclearly understood and implemented. Doing so invariably paves the way to preserving onprivacy.

- 31 -


34/37

RFID Resources

RFID Tec hnolog y Informatio n Sources

RFID App lica tions, Security, a nd Priva cy, Ga rfinkel & Rosenb erg, ed s. 2006. HP Glob al issue Brief - Radio Freq uenc y Ident ific a tion (RFID):

www .hp.com / hpinfo/ ab outhp/ government/ ww/ gib_rfid.html?jumpid=reg_R1002_USENTBC.

GS1 EPCg lob al: GS1: www.gs1.org EPCglobal: www.epcglobalinc.org Discover RFID: www.discoverrfid.org

RFID Journa l: www.rfidjournal.com . RFID Upda te: www.rfidupdate.com.

RFID & Hea lth Care/ Life Sc iences

RFID Journa l, Radio Freq uency Ident ifica tion in Hea lth Ca re(Dec 2007),a t: www.rfidjournal.c om/ article/ articleview/ 3777.

Informa tionsforum RFID, RFID for the Hea lthc are Sec to r(August 2007),a t: www.info-rfid.de / do wnloa ds/ RFID_-_for_the_Hea lthcare_Sec tor.pdf.

The Europ ea n Group on Ethics in Sc ienc e and New Tec hnologies to the Europ ea nCommission, Op inion 20: Ethica l aspec ts of ICT implants in the hum an b od y(2006)Press Relea se: http:/ / ec .europa .eu/europea n_group_ethic s/ doc s/ cp20_en.pdf.Report: http:/ / ec .europa .eu/e uropea n_group_ethics/ doc s/ avis20co mp l_en.pdf.

- The e thica l aspec ts of ICT imp lants in the huma n bod y: Proc ee dings of the Roundta b leDebate(Amsterda m, 21 Dec embe r 2004) a t:http:/ / ec .europa .eu/europea n_group_ethics/p ublications/ doc s/ tb21dec _ict_en.pdf.

AMA Co unc il on Ethica l and Judic ial Affa irs, CEJA Rep ort 5-A-07:Ethic s Co de fo r RFID Chip Imp lants(July 2007) at : www.ama-assn.org/ama1/pub/upload/mm/467/ceja5a07.doc.

IDTec h Ex, RFID for Healthcare and Pharmaceuticals 2007-2017,a t: www.idtechex.com/products/en/view.asp?productcategoryid=101 .

RFID & Privac y

Office of the Informa tion and Priva c y Co mm issione r (IPC) o f Onta rio (Ann Ca voukian,Ph.D.), www.ipc.on.ca - Tag, You 're It: Privac y Imp lica tions of RFID Tec hno logy (2004)

- Overview of RFID Privacy-Related Issues (2006), Presentation by the Commissioner toEPCg lobal Inc (July 2006), at :www.ipc .on.ca/ ima ge s/ Resource s/ up-2006_07_20_IPC_EPCglobal.pdf.

- Can You Rea d Me Now? The Privac y Implic ations of RFID (Ma rch 2007), spee c h to theInternationa l Assoc iation o f Priva c y Professiona ls/ Know ledgeNet Toronto on the p riva c y

implications of RFID technology, at:www.ipc .on.ca/ ima ges/ Resource s/ up-12007_03_13_IAPP_Knowledge Net.pd f.

RFID and Priva c y: A Pub lic Information Center:http:/ / rfidprivacy .mit.edu/ac cess/ happ ening_legislation.html.

- 32 -


35/37


36/37

"Sec urity Ana lysis of a Cryptog rap hica lly-Ena bled RFID Devic e" at :www.usenix.org/events/sec05/tech/bono/bono.pdf .Priva c y-Enha nc ing Tec hno log y (PET) Award Press Release a t:www.microsoft.com/ emea / pressc entre/ pressreleases/20062007PETawardsTS.mspx.

- 34 -


37/37

Hewlett-Pac kard (Canad a) Co.Ma il Stop # H38

5150 Spe c trum Wa yMississauga , Onta rioCana da L4W 5G1Website: www .hp.ca/ rfid

Information and Privacy Commissioner of Ontario 2 Bloo r Street EastSuite 1400Toronto , Ont arioCanad a M4W 1A8Website: www .ipc .on.ca

Th i f ti t i d h i i bj t t h ith t ti

Date post:	06-Apr-2018
Category:	Documents
Upload:	sani-yusuf
View:	219 times
Download:	0 times

Rfid Healthcare

Documents