From Lip-Service to Action: Improving Healthcare Privacy Practices


  1. 2006 Intelligent Information Systems
     From Lip-Service to Action: Improving Healthcare Privacy Practices
     Tyrone Grandison & Rafae Bhatti, IBM Almaden Research Center, {rbhatti,tyroneg}

  2. Information Management
     Outline
     - Introduction
     - Background
       - HIPAA Requirements
       - P3P and Privacy Policies
     - Healthcare Privacy Policies Survey
     - Privacy Management Architecture
     - Conclusion

  3. Introduction
     - Privacy concerns are the main inhibitors to the use and deployment of electronic health records
       - Concerns about loss of reputation resulting from privacy breaches translate into increased spending on healthcare privacy compliance
       - In the US, HIPAA is assumed to provide the baseline for healthcare privacy protection
     - However, the impact of adopting privacy policies on the improvement of privacy practices remains to be ascertained
       - The answer lies in the design and enforceability of policy

  4. Highlight of Issues
     - Policy design
       - Policy is designed to cover the relevant provisions of the regulation but is still vague enough to offer little privacy protection
         - Broadly-defined purposes
         - Umbrella authorizations
     - Lax enforcement
       - Policy is often bypassed or subverted during regular operation
     - Concerns have begun to emerge at the national level
       - Robert Pear. Warnings over Privacy of US Health Network. New York Times, February 18, 2007.

  5. Why does this situation need improvement?
     - It puts you, the patient, at risk
       - Results in a false sense of privacy: purported compliance with privacy regulations
       - Undermines the notion of empowering the patient: consent to a policy is not a genuine reflection of privacy practices
     - It makes the existence of a policy insignificant
       - A policy does not reveal a company's true stance on data protection

  6. Our Contributions
     - Survey of the HIPAA-inspired policies of 20 healthcare organizations
       - Investigate how stated privacy policies measure up to the level of protection needed to truly ensure patient data privacy
     - PRIvacy Management Architecture (PRIMA)
       - Enables refinement of privacy policies based on the actual practices of an organization

  7. Goals of Policy Refinement
     - Improve the design of policies to elevate the level of privacy protection afforded to the patient
     - Elevate the current system from one that purports regulatory compliance to one that proactively safeguards patient healthcare data
     - Better align the policies with the actual privacy practices of the organization
  9. The Privacy Space Around the World
     - Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
     - Japan: Personal Data Protection Law
     - EU Directives on Data Protection
     - US: HIPAA
     To ground our discussion, we focus on the HIPAA Privacy Rule

  10. HIPAA Requirements
     - Terms:
       - Covered Entities: health care providers and payers, among others
       - PHI: Personally Identifiable Health Information
     - Key principles of the Privacy Rule:
       - Notification: the patient should receive notice of the covered entity's privacy practices
       - Authorization and Consent: written authorization is required for disclosures not permitted under the Privacy Rule
       - Limited Use and Disclosure: covered entities must ensure use and disclosure of the minimum necessary PHI for a specific purpose
       - Auditing and Accounting: patients have the right to an accounting of all disclosures of their PHI
       - Access: patients have the right to access their records maintained by the covered entity

  11. P3P and Privacy Policies
     - P3P Policy: a standardized machine-readable policy format
     - Includes elements that describe:
       - Kinds of data collected
       - Purpose for which data is used/disclosed
       - Data retention policy
       - ... and other information
     - Users can supply privacy preferences in the P3P Preference Exchange Language (APPEL), which can then be used to evaluate a P3P Privacy Policy
  13. Companies Surveyed
     - Two kinds of policies found:
       - Website Privacy Policy
       - HIPAA Notice of Privacy Practices
     - A "policy" in our survey refers to a virtual combination of both

  14. Observations on: Notification, Authorization and Consent
     - Policies state that consent is implied by visiting the website
       - Not quite the best practice to meet the Notification requirement
     - No P3P policies are available
       - Precludes automated interpretation and analysis for informed consent
     - Policy updates are communicated with little regard for the patient
       - Insufficient to only post them on the website
       - Patient consent to the updated policy is not obtained
     - Compliant with HIPAA
       - HIPAA does not require the policy to be posted in a machine-readable format
       - HIPAA does not require the policy to be communicated using expedient means (such as email, IM)

  15. Observations on: Limited Use and Disclosure
     - Policies define broad and all-encompassing purposes
       - E.g. "administering healthcare"
       - Subsumes a huge category of uses and disclosures
     - No fine-grained list of employee categories or roles with authorizations to view specific categories of patient data
       - E.g. the "members of medical staff" category includes most employees
       - Provides umbrella authorization for employees
       - Criteria for authorization or exception-based accesses (i.e. "break the glass" privileges) are not specified
         - Exception mechanisms are being increasingly utilized
     - Compliant with HIPAA
       - HIPAA has provisions that let organizations design policies with broadly-defined purposes
         - E.g.: while "Marketing" is a purpose requiring explicit authorization, the sub-category "communications for treatment of patient" is exempt and can be exploited
       - HIPAA calls for policies and procedures for controlling access to PHI but does not require stringent technical mechanisms to be in place

  16. Observations on: Audit and Accounting
     - Most organizations maintain audit trails for all actions pertaining to PHI to meet the audit reporting and accounting requirement
     - However, there is still much left to be desired
       - Audit logs in current systems do not capture all necessary contextual information (such as purpose or recipient)
       - Accounting for data disclosures is ineffective in improving levels of privacy protection unless shortcomings in disclosure policies are first addressed
         - E.g.: broadly-defined purposes, umbrella authorizations, exception-based accesses
       - While using audit as a deterrent, organizations should not fail to do better by providing more proactive protection

  17. Observations on: Access
     - All policies indicated that patients have a right to access their information through phone, email or an online account
     - Meeting this requirement does not translate into adequate privacy protection for the patient
       - The ability to access/update personal information provides no measure of how much information is actually protected unless the patient is in control of his/her disclosure policy
       - The process of information access may be simple or laborious, from being a matter of a few mouse clicks to a waiting period of up to 60 days; recent information disclosures may not get reported

  18. Summary
     - Privacy policies cover enough ground to enable regulatory compliance
     - Yet they are inadequate to communicate understandable privacy practices or to provide adequate privacy safeguards to patients
  20. PRIvacy Management Architecture (PRIMA)
     - Premise:
       - The design of a HIPAA-inspired policy hinges primarily on the limited use and disclosure rule, which enables proactive fine-grained protection of PHI
       - Bridge the disparity between policies and practices to transform healthcare systems to an enhanced state of protection
     - Approach:
       - Define an incremental approach to seamlessly embed policy controls within the clinical workflow

  21. Challenges
     - Complexities in the healthcare workflow
       - A physician routinely takes notes on paper, which are then entered into the computer system by a nurse; requiring the physician to enter the information would impede the workflow
       - A new patient's arrival in a ward or visit to the emergency ward requires sensitive information to be provided to on-duty assistants
     - Access cannot be abruptly curtailed
       - New rules cannot be imposed at once
       - Policy controls need to grow out of existing practices
     This leads to the idea of Policy Refinement

  22. Policy Refinement
     - Leverage audit results
       - Analyze all access and disclosure instances
       - Flag the incidents not explicitly covered by existing rules in the policy
       - Define new rules based on the analyzed information
     - Improve the policy coverage
       - Coverage is defined as the ratio of accesses addressed by the policy to all accesses recorded by the system
     - Gradually embed policy controls
       - Enables precise definition of purposes, criteria for exception-based accesses and categories of authorized users
       - Novel approach for driving innovation in clinical systems

  23. PRIMA Architecture

  24. Refinement Framework
     - Prune
       - Find informal clinical patterns from audit logs
       - Separate useful exceptions from violations
         - Reduce the number of artifacts that need to be examined
         - Do not waste resources on examining violations in the analysis phase
     - Extract
       - Apply an algorithm to extract candidate patterns
         - Simple matching: assumes pruned data, looks for term combinations, returns frequency of occurrence
         - Richer data mining: not only syntactic but also semantic matching; does not assume pruning, considers relationships between artifacts; reduces the probability of violations being reported for the analysis phase
       - Get usefulness ratings of patterns
     - Filter
       - Incorporate or discard patterns based on a usefulness threshold
       - Assume a training period
         - Set a threshold appropriate to the target environment
         - Act when the threshold is reached over a period of time
  25. Example Data Set

     Time  User     Role          Ward        Data Category  Exception?  Purpose
     t1    Tom      Nurse         Emergency   PHY JRNL       YES         ADMIN
     t2    Jenny    Doctor        Emergency   EXT COLLAB     YES         REFERRAL
     t3    Jim      Nurse         Emergency   PHY JRNL       YES         ADMIN
     t4    Sarah    Doctor        Medical     LAB RESULT     NO          OUTPAT ENC
     t5    Mark     Nurse         Emergency   PHY JRNL       YES         ADMIN
     t6    Bob      Nurse         Emergency   PHY JRNL       YES         ADMIN
     t7    Barbara  Nurse         Emergency   PHY JRNL       YES         ADMIN
     t8    Bill     Nurse         Emergency   PHY JRNL       YES         ADMIN
     t9    Patrick  Radiologist   Medical     LAB RESULT     NO          OUTPAT ENC
     t10   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH
     t11   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH
     t12   George   Psychologist  Psychology  PHY JRNL       NO          REFERRAL
     t13   Patrick  Radiologist   Medical     LAB RESULT     NO          OUTPAT ENC
     t14   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH
  26. Mining Rule

     -- Simple matching over the access log: group the exception-flagged accesses
     -- and keep the combinations seen often enough, by more than one user.
     SELECT A.Ward, A.Role, A.Data_Category, A.Purpose
     FROM "Patient-Access_Log" A
     WHERE A.Exception = 'YES'                       -- only accesses flagged as exceptions
     GROUP BY A.Ward, A.Role, A.Data_Category, A.Purpose
     HAVING COUNT(*) > 5                             -- frequency threshold
        AND COUNT(DISTINCT A.User) > 1;              -- not a single user's habit

     Returned: Emergency Ward : Nurse : Physician Journal : Admin
     - occurred in the log at least 5 times
     - observed for at least 2 different users
     Not returned: Psychologist : Psychology : Discharge Summary : Regulatory authority
     - occurred in the log only 3 times
     - observed for only 1 user
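As an added worked example (not the authors' code), the Prune / Extract / Filter steps of the refinement framework run over the example data set above: the mining rule executes against the log in an in-memory SQLite table, and the coverage ratio from the Policy Refinement slide is computed before and after the surviving pattern is folded into the policy. Treating every non-exception access as already covered by the existing policy, and the `known_violations` set of pruned entries, are assumptions of this example.

```python
import sqlite3
# Constructed sample: the slides' 14-row example data set, one tuple per access:
# (time, user, role, ward, data_category, exception, purpose)
ACCESS_LOG = [
    ("t1", "Tom", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t2", "Jenny", "Doctor", "Emergency", "EXT_COLLAB", "YES", "REFERRAL"),
    ("t3", "Jim", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t4", "Sarah", "Doctor", "Medical", "LAB_RESULT", "NO", "OUTPAT_ENC"),
    ("t5", "Mark", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t6", "Bob", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t7", "Barbara", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t8", "Bill", "Nurse", "Emergency", "PHY_JRNL", "YES", "ADMIN"),
    ("t9", "Patrick", "Radiologist", "Medical", "LAB_RESULT", "NO", "OUTPAT_ENC"),
    ("t10", "Jason", "Psychologist", "Psychology", "DSCG_SUMM", "YES", "REG_AUTH"),
    ("t11", "Jason", "Psychologist", "Psychology", "DSCG_SUMM", "YES", "REG_AUTH"),
    ("t12", "George", "Psychologist", "Psychology", "PHY_JRNL", "NO", "REFERRAL"),
    ("t13", "Patrick", "Radiologist", "Medical", "LAB_RESULT", "NO", "OUTPAT_ENC"),
    ("t14", "Jason", "Psychologist", "Psychology", "DSCG_SUMM", "YES", "REG_AUTH"),
]
# The slides' mining rule (simple matching), with identifiers made valid SQL.
MINING_RULE = """SELECT Ward, Role, Data_Category, Purpose FROM Patient_Access_Log
WHERE Exception = 'YES'
GROUP BY Ward, Role, Data_Category, Purpose
HAVING COUNT(*) > 5 AND COUNT(DISTINCT User) > 1"""

def pattern(row):
    """The (ward, role, data category, purpose) key a policy rule is written over."""
    return (row[3], row[2], row[4], row[6])

def prune(rows, known_violations):
    """Prune: drop accesses already judged violations (assumption: a set of Time values
    flagged by an earlier review) so they are never mined as patterns."""
    return [r for r in rows if r[0] not in known_violations]

def extract_candidate_patterns(rows):
    """Extract: run the mining rule over the pruned log in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Patient_Access_Log (Time, User, Role, Ward, Data_Category, Exception, Purpose)")
    con.executemany("INSERT INTO Patient_Access_Log VALUES (?,?,?,?,?,?,?)", rows)
    return {tuple(r) for r in con.execute(MINING_RULE)}

def coverage(rows, policy):
    """Coverage = accesses addressed by the policy / all accesses recorded by the system."""
    return sum(1 for r in rows if pattern(r) in policy) / len(rows)

def refine(rows, known_violations=frozenset()):
    """Filter: fold surviving patterns into the policy; return coverage before and after."""
    policy = {pattern(r) for r in rows if r[5] == "NO"}  # accesses the current policy covers
    before = coverage(rows, policy)
    policy |= extract_candidate_patterns(prune(rows, known_violations))
    return before, coverage(rows, policy), policy
```

Pruning a single Emergency-ward nurse entry as a violation drops that pattern's count to 5, so the `COUNT(*) > 5` threshold no longer admits it: the threshold, not the raw log, decides what becomes policy.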
  28. Conclusion
     - Surveyed 20 healthcare privacy policies
     - Healthcare is in need of improved privacy practices
     - Focused on the problem of limited use and disclosure rules
     - Presented a novel solution based on policy refinement

  29. Thank you! Questions?