Secondary Use of Electronic Health Information – the Way to Guard Patient Secrecy. Ruotsalainen P. eHealth week 2010 (Barcelona: CCIB Convention Centre; 2010)

1. Secondary use of electronic
health information
– the way to guard patient
secrecy
Pekka Ruotsalainen, Research professor
National Institute for Health and Welfare
Helsinki, Finland

2. General starting points
People access health services to receive care
and treatment – not to become objects of
research (excluding clinical trials)
Research using digitalised health information can lead
to great improvements on care, prevention and medication.
People have high willingness to disclose their health
history for research purposes if the information
secrecy is proven.

3. Things making difficult to guarantee patient’s
information secrecy
• It is not self-evident when we are patients
• Research takes many forms
• Ongoing transition from EHR to the PHR
• The ubiquitous computing environment
• The information content of the EHR/PHR

4. It is not self-evident are we patients or persons
• Early warning health care systems
• Continuously monitoring
• The management of chronically diseases
• Pro-active prevention
• Patients using portable personal health devices
• Connected personal health models

5. Research has many faces and environments
Different kind of applied research, settlements and analysis
are called “research”.
Researcher society has been expanded outside clinical
settings. It is multi-organisational and cross-border.
Researchers as a profession are not as tightly regulated as
health care providers (i.e. researcher working for insurers
and industry). Their ethics can remain unknown.
The content of the legal EHR is not sufficient for modern
health research.

6. The transition from legal EHR to PHR and LPWR
LPWR
PHR Legal EHR
Lifelong EHR
Copy EHR
of the
LEHR
EHR
Present
research
target
The Lifelong Personal Wellness Record (LPWR) includes the
personal health record (PHR) and pervasive wellness information

7. The information content of the PHR/LPWR
From birth to grave all kind of information:
• The content of legal EHR,
• Data about personal health behaviours
• Genealogical and genomic data
• Social and psychological functionality
• Lifestyle, smell,
• Vital signs from BAN, sleeping data,
• Communication data,
• Context data,
• Signals received by implanted nano-sensors,
• Emotions etc.

8. We are moving to the pervasive health
- Health information is stored in PHRs or LPWRs
- Enables pervasive access to PHRs and lifelong EHRs
- Uses services of the ubiquitous computing
Challenges of the ubiquitous computing
- Context information is widely collected and used
- Different data sources can easily be linked
- Large number of heterogeneous users and purposes
- Nearly impossible to guarantee privacy and security using
present safeguards and services
Data Primary and
Secondary users
banks
Sensors

9. Where we are now ?
Present principles guaranteeing patient’s information secrecy
are based on paternalistic tradition where public purposes
override patients personal preferences and obligations.
To day the patient has to blindly trust that:
- Researchers are processing his/her data lawful and ethically
- ICT-systems and databases are secure and privacy is
protected
In most of cases the patient even do not know that his/her
EHR has been used for research purposes.

10. Two roads to guarantee patient secrecy
1. No new principles and rules are used but the uptake
of new security services will improve security and privacy.
2. A new model Personal Data Under Personal Control
is accepted and implemented using opportunities of
already existing context- and policy-aware IC-technology

11. We are between Scylla and Charybdis
Present paternalistic rules
Present IC-technology Benefits for research
Risks caused by
insecure research
environments,
ubiquitous
computing and
Source: Google the rich data
content of the PHR
It is time to define new rules !

12. Present paternalistic model can be improved using
1. Encryption together with the Trusted Third Partner
architecture for encryption key management
- It is costly, technically complicated and static solution
2. Anonymisation or de-identification
- Some research requires correct identification of
patients (i.e. cohort based research, risk prediction)
and also knowledge of individual's normal functions.
- Makes data linking complicated (a TTP is still needed)
- Makes PHR sharing complicated
- Difficult to manage in large scale

13. Personal health data under personal control is the most
sustainable and generic solution because we can use solutions
developed for trusted ubiquitous Web.
For it we have to accept
New rights for the patient or data subject
and to develop
A new interoperable data model with rich
meta-data for the PHR/LPWR
A dynamic context-aware and policy enabled
information infrastructure

14. Personal Health Data Under Personal Control
- new rules
The data subject/patient should have the right to define
dynamically personal policies (i.e. privileges and obligations)
ruling who, where, in what context and for what purposes
his/her health data can be used.
The patient should be aware of the context and security
policies of users and organisations using his/her data.
The patient should have tools to trigger de-identification
on-the-fly based on his/her preferences.

15. How this can be done and by whom ?
• Policy makers, research society and administrators
should accept new principles and make them mandatory.
• Standardisation organisations and the industry should
implement necessary standards and interoperable data
models.
•Software vendors and network operators should
implement the future proof, dynamic and policy enabled
infrastructure.

16. Thank you for listening !
Questions and comments
are welcome.
pekka.ruotsalainen@THL.fi