1 LEFIS – Legal Framework for the Information Society --- Privacy and identity management in a European e-health system: an experience in the making Cesare Maioli CIRSFID and University of Bologna [email protected]

LEFIS – Legal Framework for the Information Society

Privacy and identity management in a European e-health system: an experience in the making

Cesare Maioli

CIRSFID and University of Bologna

[email protected]

Rovaniemi, January 19, 2007

An overview

Legislation on privacy

Code of the Digital Public Administration

e-Europe and e-health

Enterprise Application Integration

Business Process Reengineering

Identity management

Software reuse

Interfaces and performance

I-Care project and S2I system

Integrated Care

Shared data

Application software

Compliance to processes of the organization

Change management

Education

(Cedaf)

I-Care project - I

The project is designed to support local government bodies (city administrations, provinces, the region, and health-care organisations) in providing community services, and the service of care delivery at home in particular

A collaborative project entrusted to a group of university research centres, local agencies, and private companies, designed to provide online access to health and social services, chief among which is the service of providing care, medical or otherwise, at home

It was launched in 2004 by municipal, county and health authorities of a number of cities in co-operation with a few technical partners, with the financial support of Emilia-Romagna Region

It was finished on January 15, 2007

I-Care project - II

The ICT system necessary to this end will have to support a number of functions, including processing and assessing service requests, putting together a work plan and the team entrusted to it, and providing the service itself

Interaction is designed for users (health medical practitioners, health social workers and social operators) and provides a responsive set of health and welfare services to citizens; users are provided with new tools such as cooperative interfaces and wireless palm pilots

The mission is to integrate social and health services, and to do so by reversing the model on which this kind of care is typically provided, so that the citizens in need of care become the focal point around which the entire organisational system revolves, rather than the other way around

Reference view for e-society services (modification from Minister of Innovation)

[Figure: layered reference model; only the labels survive.]

Key elements: Digital recognition; Access channels; Supply organizations; Interoperability; Telecommunication infrastructure

Labels on the layers: National Service Card, Digital Identity Card; National networks, RUPA, RUPAR; System of application co-operation; Application Integration; Back office

Other labels: Citizens, Enterprises; National, Local, Health, …, Municipalities, Regions, PAC; Web (Portals P.A.), Call center, One-stop-shop, Cellulars, palm pc, ISP (Post offices, Banks, …)

Notes on the figure:
• Communication metaphor
• Levels of users authentication
• Priority services
• Measures of the service levels
• Process re-engineering
• Privacy issues
• International issues
• Commercial issues
• From As is to To be

Projects and institutional cooperation in e-government

The projects and initiatives of e-government (among them I-Care) are the result of a joint and coordinated effort among local, regional, and national government bodies and were preceded by long negotiations undertaken to reach formal definitions and agreements

It was felt that the systems should be designed and implemented only upon establishing a common willingness to jointly give shape to the projects according to user expectations

The existence of wide-area plans, such as the European initiatives for the information society and the national e-government plans was a guarantee

Legislative bodies and financial institutions offered a set of innovative and open-ended solutions to the problem of drawing up rules and regulations and the problem of co-financing

European e-health issues

1990, definition of telemedicine by EU

1991, definition of telemedicine by WHO

“...supply of assistance and care, where distance is a critical factor, by any health operator through ICTs... useful for diagnosis, medical treatment, information exchange...on behalf of the health of citizens and society...”

2004, Action plan e-Health; sharing plans for the growth of health system in the EU
• Vision: citizen centred approach (importance of privacy issues)
• Objectives: strategies and methods, common action for e-health, diffusion of best practices
• Central involvement of the Regions and the territorial authorities
• Social perspective: integration of social and health services

2005, i2010 initiative, a comprehensive strategy for the information society 2005-2010

Italian e-health initiatives

E-government national plan, Phase I, 2001-2004: architectures; new services; priority actions and projects

E-government national plan, Phase II, 2004-2006: federal e-government; reuse of solutions

National health plan, 2003-2005: “...an integrated network of online services for the socio-sanitary support to the elderly, the disabled, the chronic invalids...”

Emilia-Romagna Region initiative for the growth of online service, 2005-2006

Enterprise Application Integration and the e-health sector

The non-integrated nature of Healthcare Information Systems is strongly associated with a reduction in the quality of care and the medical errors that occur. There is therefore a real need to integrate the Information Technology infrastructures, to improve the quality of care provided

In the attempt to integrate these systems many healthcare organizations have adopted integration technologies (e.g. EDI), standards (e.g. HL7, CEN/TC 251) and projects.

In recent years much emphasis has been placed on Enterprise Application Integration (EAI) technology to bridge heterogeneous systems and to enable seamless movement of information from one application to the other

EAI combines a variety of integration technologies (e.g. message brokers and application servers) to build a centralized integration infrastructure

The integration is achieved through four layers:
• connectivity; creation of points of access between the applications and the EAI infrastructure
• transportation; transfer of data elements
• transformation; translation and reformatting of the application elements into a recognisable format for the target system
• process automation; business process automation and integration

Business Process Re-engineering - I

The success of the design and distribution of information services depends on the rationalization of the procedures and, many times, on the re-engineering of the processes one needs to activate and implement

Phases:
• definition of the application field
• detailed survey of the processes, documents and relations in use and diagnosis of the current status (so-called as-is) followed by the identification of the improvement lines
• re-design of the processes according to the problems arisen in the diagnosis phase (so-called to-be)

The purpose of the analysis is to identify the needs to change and to adopt more advanced ICT solutions, measuring the costs and estimating the benefits, thus modifying and rationalizing the organizational processes

Business Process Re-engineering and public administration

When the application software deals with the supplying of a service by a public administration, the reengineering usually brings both the re-organization of the data flows and streams and the new definition of the administrative process

The mission and the tasks performed by the public administration must conform to a detailed normative discipline and are under the control and supervision of control bodies and political bodies

Therefore:
• any intent of BPR in the public sector must assume the law in force as a constraint
• the design of BPR and the initiatives of ICT application may lead to proposals to modify the law in force, which usually develop into the activation of so-called administrative simplification procedures

The perspective of the Code for the digital public administration

Participation in the administrative procedure through ICTs

Customer satisfaction. Personnel education and training

Digital document and probative value

Electronic signature and Registration Authority

Certified electronic mail

Interoperability and reuse of software

Privacy law in Italy

European Directive 1995/46/CE

Law 31-12-1996, n. 675

European Directive 2002/58/CE

Legislative Decree 30-6-2003, n. 196; a.k.a. Code on the matter of the protection of personal data or Code on Privacy

General principle:

any person has the right to protect personal data pertaining to him/her

Requirements for the management (treatment) of personal data:
• correct and lawful, exact and updated
• clear and declared purposes
• pertinent, complete, not in excess of the purpose of original collection and treatment
• conserved as long as they are necessary

Community laws have set up a general prohibition against processing data suited to revealing a person’s state of health: prohibition subject only to exception framed to allow national law to provide for adequate security measures and data-access authentication

Legislative decree n. 196, 2003

The category of health data

The health professionals and the public health offices

Data processing: the aim/purpose of the tutelage of people’s health

The protection of public welfare and people’s health

The consent of the dependents and health emergency

Simplified formalities

Specific security measures

Code on Privacy highlights - I

Title V, Processing of personal data in the health area

Sections from 75 to 94

the protection of the privacy of the patient’s data is no longer a matter of the physician’s professional secrecy nor a matter under administrative measures, but there is a full new legislation

personal data “suitable to reveal” the health condition and not just data “which” directly “reveal” that condition

health data may include any kind of information about a person’s physical, psychic, relational condition

health as a person’s general condition

qualification and legitimation of the operators (health, auxiliary health, social) who deal with health data

the notification document

formal consent and simplified consent (e.g. oral consent recorded by a designated operator)

Code on Privacy highlights - II

Title V, Processing of personal data in the health area

Sections from 75 to 94

Sections 75, 76 - General principles

Sections 77 to 84 – Information to data subject and agreement

Sections 85, 86 - Purposes in the public interest

Sections 87 to 89 - Medical prescriptions

Section 90 - Genetic data

Sections 91 to 94 - Various: data on magnetic cards, clinical records, certification of birth, health data bank and files

Personal data processing

Data collected in violation of the Code cannot be used

Data processing concerns:

collection, organization, consulting, modification, extraction, usage, block, diffusion, destruction

registration, conservation, computation, selection, comparison, interconnection, communication, cancellation

I-Care as a research project in legal informatics

Privacy

Security: minimum security measures, security planning document

Federal governance, subsidiarity, public law

Interoperability and applicative cooperation

Deontological codes

I-Care main legal issues

Appropriate classification of the data: personal, sensitive, health

Data integrity

Qualification of the social health operator

Proper level of management of the clinical records

Encryption of sensitive data

Administrative and health data processing

Security aspect connected to the dignity of the beneficiary

The consent of the dependent

I-Care normative frame - I

Legislative Decree No. 196/2003, on the Protection of personal data

Legislative Decree No. 82/2005 on national e-government plans, Code of the Digital Administration

Legislative Decree No. 445/2000, Single Text on the Laws and Regulations pertaining to the Use of Administrative Documents

Legislative Decree No. 502/1992 (restating health legislation)

Legislative Decree No. 229/1999 (on rationalizing the national health system)

Law No. 328/2000 (Framework law – an integrated system for social services)

Decree of the President of the Council of Ministers No. 129/2001 (setting out policy and coordination for social and health services)

I-Care normative frame - II

Constitutional Law No. 3/2001 (amending Title 5 of Part Two of the Italian Constitution)

Regional Law No. 5/1994 (protecting the elderly and for social dependents) and relative deliberations

Regional Health Plan for 1999-2001 and 2002 Action Plan in Favour of the Elderly

Regional Law No. 2/2003 (promoting citizen participation and providing for integrated social services) and Regional Law No. 29/2004 (framing the organization and functioning of the region’s health services)

Regional Plan for Online Development - 2004 Operative Program: Strategies for the Information Society in Emilia-Romagna

Legislative Deliberation No. 134/04 (Emilia-Romagna) – Regional Development of the Information Society

I-Care legal frame

The legal issues concerning the planning and allocation of online socio-sanitary services are:

– protection of privacy

– information security

The legal research, which started from the identification and classification of the data under treatment and of the operations executed by the different health and social service organizations, made it possible:

– to identify the main legal issues connected with the protection of data privacy during the various phases of the processing of personal, sensitive and health data and in relation with the security measures to adopt for their lawful usage

– to make clear to any person involved in the procedure that the sections from 75 to 94 of the Code on Privacy regulate the processing of health data only in those cases where such processing is aimed at health protection and only if this is done by professionals, at the different levels, of the health sector

– to specify that the regulation by the above mentioned articles applies only in case the purpose of the treatment is the tutelage of the health of the interested person, of third parties and of the general public

I-Care legal problems

the project being designed for delivery of both medical and social services, it will accordingly make it necessary to process two types of personal data, medical and non-medical

we thus needed to set up two standards (a double set of regulations) according as the data to be processed is classified as medical (under art. 76 of the Italian code on privacy) or otherwise

the same problem applies to the personnel themselves: under the above-mentioned art. 76, only medical personnel can handle medical data. Again a double set of regulations is needed, one for medical personnel and the other for social workers

assigning a legal and administrative status to the document being processed and affixing a digital signature accordingly. This kind of specification will make it necessary to work closely with the administrations involved, and it will also require a back-office apparatus capable of supporting the new document-management system and protocol

I-Care codes of conduct

the right to privacy: here it will be necessary to publish a legal notice setting out the responsibilities and obligations of those in charge of processing the data and obtaining the user’s consent to go ahead with such processing

data-processing techniques: here it will be necessary to set out requirements for cryptography and digital signatures and the responsibilities of the individuals whose signatures these are

authenticating the system operators: here, we need access codes and digital signatures for all documents needing to be underwritten for administrative purposes

A basis for drawing up a code of conduct setting out rules for all the operations required in carrying out the online service

I-Care framework

[Figure: I-Care framework; only the labels survive. Labels: Framework (technological), Integrator, Manager, Other systems, Field, Framework (logical), Local Authorities, Health Organizations, Data sources, Data users, Communication]

(Cedaf)

I-Care architecture

Other Systems

(Cedaf)

I-Care telecommunication framework

(Cedaf)

S2I as an EAI system

The part dealing with the support of organizational and managerial activities by the political and health authorities

An EAI component specific for the different domains; it coordinates and certifies the data streams among the application components (S2I-Manager, S2I-Field and other external and legacy systems)

The systems supporting the activities of the organisations serving the patients, both at the field level (through portable systems with good usability interfaces) and in the back-office

Other Systems

(Cedaf)

S2I manager

A system to support the activities of the companies which manage the project; its functions include:

to register and validate the requests for assistance service

to collect and consolidate the information on the services allocated and executed

to extract and load into a data warehouse all the activities performed and registered by the connected S2I-Field components

to control and report the assistance service supplied

to trace and maintain the welfare and health history of the citizens, perform statistics and build benchmarks

to act as an interface toward legacy and specific back-office systems

S2I Integrator

A system to coordinate and certify the information flows among the components; its function is to give assurance for:

the integrity of data exchanges, both synchronous and asynchronous

the observance of security constraints (e.g. access rights, respect of privacy, encryption)

the mapping of communication protocols and information ontologies in the information interchange with external systems

the management of the communication protocol with S2I-Manager and S2I-Field

S2I field

A system to support the operator giving field assistance (through Personal Digital Assistant or Tablet-PC); its functions include:

planning and optimizing of the resources to be distributed according to specified standards

managing interactions for exceptions and unforeseen situations; (scalability aspects)

automatic reporting of time, treatment, materials used and supplied to the patients

reporting on access to medical extempore data, upon specific call

accessing special services, upon request

producing reports and statistics

S2I functionalities

Reservations

Discharge from hospitals

Personal data from municipal registries

Personal data from Health organizations

Reports from house assistance

Admissions (ordinary and emergency)

Field reports

(Cedaf)

A grid for the legal and organizational analysis

list of the processing operations

kind of professionals involved: health and non-health operators

kind of processed data: health, sensitive, personal, none

kind of interaction: mono-directional and bi-directional

kind of documents involved in the processing

need of digital authentication and digital authorization

access points to the information systems

tools used by the information systems

files and digital archives used in the information systems

As-is for the Municipalities (reduced example) - I

1. Front office: not well defined ways to point out the needs

2. Protocolling: it was not always clear how to identify the exact time when the protocol procedure takes into account an incoming document and when the citizen makes a request for a welfare service; for some kinds of requests the protocol procedure is not defined

3. Data Processing: the distinction between sensitive data and personal data in the health care sector was not always clear, nor was the juridical qualification of the different operators (social assistant, welfare operator, social health operator)

4. Consent: a few misunderstandings between consent and information to data subject. In the forms distributed to the citizens the distinction among data controller, data processor, and person in charge of the processing was blurred

5. Filing: mainly based on paper documents with some redundancies and lack of integrity; the security measures of the Code on Privacy about paper archives were sometimes poorly applied

As-is for the Municipalities (reduced example) - II

6. Administrative process: sometimes administrative procedures lacked rules for tracking applications or the application was not properly protocolled. Shortcomings were detected in regard to: transparency, right to access the administrative documents by the applicants, respect of the time due to close a procedure

7. Communications between organizations: sometimes they were quite informal through electronic mail

8. Observance of privacy legislation: delay in implementing the Regulation on sensitive data and the drafting of the Security Policy Document

9. Codes of conduct: they were almost absent, and education on and adoption of effective privacy measures were poor. Sometimes personnel lacked a full knowledge and insight into deontological norms of their professional body or trade.

To-be for the Municipalities (reduced example) - I

1. Front office: in keeping with e-government guidelines by Italian ministerial decrees, redefinition and restructuring of the services have been implemented. Significant work on the back-office integration to promote an orientation toward citizens’ needs. Devising of new forms including online procedures

2. Protocolling: in keeping with Legislative Decree No. 445/00 and Legislative Decree No. 82/05, as soon as a document enters the IT Document Processing system it is univocally accepted and distributed to the proper Homogeneous Application Area. General introduction of the management handbook and clear responsibility assigned to the head of the service

3. Data Processing: in keeping with the Code on Privacy, a clear distinction was introduced between sensitive data and health data, in particular between sensitive data with health content and health data, according to the norms of pertinence, when they belong to different kinds of public organization. The distinction among the juridical qualifications of the different operators (social assistant, welfare operator, social health operator) was made stricter

4. Consent: in keeping with the Code on Privacy, the cases where consent is needed and the cases where only the information to data subject is needed were clearly established. The simplified arrangements concerning information and consent were implemented together with the re-design of the forms with a clear distinction between the different responsible persons. Implementation of different ways for the citizens to indicate their options for receiving health communications

To-be for the Municipalities (reduced example) - II

5. Filing: in keeping with the technical indications of the Minister of Innovation, the digital formatting of the documents and their filing follow the rules of the Code on Privacy

6. Administrative process: in keeping with the Law 241/1990 on the rules on access to administrative documents, a clearer configuration of the administrative procedures was implemented in accordance with the Code on Privacy. The participation of the citizen in the decision process is encouraged while there is full respect of the principles of transparency, accountability, explanation and completion in due time

7. Communications between organizations: in keeping with the Legislative Decree DPR 68/2005 on the certified electronic mail, a more reliable and dependable way of communication was introduced

8. Observance of privacy legislation: a new regulation on sensitive data was adopted and the Security Policy Document was drafted. A new set of conventions between administrative and health organizations was undertaken.

9. Codes of conduct: in keeping with the Code on Privacy, an effort is going on to foster a stronger care of privacy issues. The adoption of deontological norms for the different categories of operators has been promoted

BPR: an example of an integration scheme

[Figure: integration scheme for reporting, delivery and monitoring (Segnalazione, Erogazione e monitoraggio); only the labels survive.]

Panels: ADI, AD

Actors: CAD operator, ADB, CAD coordinator, Ausl (Inf. Territoriale), Ausl (PUA, Inf. Coordinatore), Municipality (UA), Province

Actions shown:
• Reports the case
• Receives the request
• Assesses the case
• Plans the intervention
• Assesses the case and plans the intervention
• May activate a social-care intervention
• May activate a health intervention
• Delivers the intervention and enters its data
• Consults some of the intervention data
• Monitors the data
• Monitors the summary data

Step numbers shown: 1, 2, 6


Identity management - I

A user is a welfare or health professional; a user is authenticated through name, userid, password, operator status

For any identified user, the authentication process defines one or more roles

Domain of visibility: access allowed, for any organizational entity, to the functions or applications. The options are:

– operator; limited and specific set of entities
– operative unit; set of operators view and permissions
– service; set of operative units
– total

A role includes a set of authorizations


Identity management - II

An authorization is made up of:

• enabled functions

• actions (e.g. insert, modify, cancel in relation to the function)

• accessible and operable sets of data

• domain of visibility

The configuration system for authorizations implemented in I-Care includes the set of users, the functions and actions allowed, the set of data upon which the functions are allowed to operate
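The authorization model on the two identity-management slides, sketched as a deny-by-default check (an added example, not I-Care code). The role names, data-set labels, the `owner` field and the reading of "operator" visibility as "own records only" are assumptions made for illustration.

```python
from dataclasses import dataclass
# Domains of visibility named on the slide, narrowest to widest.
OPERATOR, OPERATIVE_UNIT, SERVICE, TOTAL = range(4)

@dataclass(frozen=True)
class Authorization:          # the four parts listed on the slide
    function: str             # enabled function
    actions: frozenset        # e.g. insert, modify, cancel
    data_sets: frozenset      # accessible and operable sets of data
    visibility: int           # domain of visibility

@dataclass(frozen=True)
class User:
    userid: str
    unit: str                 # operative unit
    service: str
    roles: tuple              # roles defined at authentication

@dataclass(frozen=True)
class Record:
    data_set: str             # "medical" or "social" (constructed labels)
    owner: str                # userid of the operator in charge (assumption)
    unit: str
    service: str

# Constructed role table; names are hypothetical, not I-Care's configuration.
ROLES = {
    "cad_operator": (Authorization("intervention", frozenset({"insert", "modify"}),
                                   frozenset({"social"}), OPERATIVE_UNIT),),
    "territorial_nurse": (Authorization("intervention", frozenset({"insert"}),
                                        frozenset({"medical"}), OPERATOR),),
    "province": (Authorization("monitoring", frozenset({"consult"}),
                               frozenset({"summary"}), TOTAL),),
}

def in_domain(user, record, visibility):
    if visibility == TOTAL:
        return True
    if visibility == SERVICE:
        return user.service == record.service
    if visibility == OPERATIVE_UNIT:
        return (user.service, user.unit) == (record.service, record.unit)
    return user.userid == record.owner   # OPERATOR: own records only

def is_allowed(user, function, action, record):
    """Deny by default; all four parts must match within ONE authorization."""
    return any(a.function == function and action in a.actions
               and record.data_set in a.data_sets and in_domain(user, record, a.visibility)
               for role in user.roles for a in ROLES.get(role, ()))
```

Evaluating the four parts inside a single authorization matters when a user holds several roles: an action granted by one role cannot be combined with a data set granted by another.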


Reuse of software and open formats

Public Administration must follow these criteria when buying software applications:

• Transferability of acquired solutions to other public administrations
• Interoperability between administrations
• Independence from a single supplier and a single proprietary technology
• Availability of source code, at least for inspection and traceability
• Exportability of data and documents in many formats (at least one must be open)

Public Administration must also follow these suggestions when buying software applications:

• The Administration must consider any software solution, including OSS
• The Administration must own the software developed under its own specifications and must be able to transfer software licences to other administrations without any further cost

• Public Administration must allow the reuse of software whenever it is possible

Emilia-Romagna Region, Law 24/05/2004, n.11

Directive of the Minister of Innovation and Technology, December 19, 2004 aka Development and use of computer programs from Public Administrations


An overview

• Legislation on privacy
• Code for the Digital Public Administration
• e-Europe and e-health
• Enterprise Application Integration
• Business Process Reengineering
• Identity management
• Software reuse
• Interfaces and performance
• I-Care project and S2I system


Main conclusions

A part of the project was aimed at working out all the legal issues involved in setting up and running an e-health service

There are at least three questions that we needed to address with regard to the privacy of medical data:

• the question of the right to privacy: here it was necessary to publish a legal notice setting out the responsibilities and obligations of those in charge of processing the data and obtaining the user's consent to go ahead with such processing; since the project was designed for the delivery of both medical and social services, we accordingly had to process two types of personal data, medical and non-medical, and needed to set up two standards (a double set of regulations) according to whether the data to be processed is classified as medical (under the Italian Code on Privacy) or otherwise

• the question of data-processing techniques: here it was necessary to set out requirements for cryptography and digital signatures and the responsibilities of the individuals whose signatures these are

• the question of authenticating the system operators: here, we needed access codes and digital signatures for all documents needing to be signed for administrative purposes