Access report final iso format 29 mar 2000

© ISO 1999 – All rights reserved

Reference number of working document: ISO/TC 215/WG1 000Date: 2000-.03-15

Reference number of document: ISO/WD nnn-n

Committee identification: ISO/TC 215/WG 1

Secretariat: XXXX

Access to Electronic Health Records

Warning

This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.

Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

/tt/file_convert/547a4f1ab47959a4098b4a10/document.docBasic template BASICEN2 1999-02-12

Document type: Technical ReportDocument stage: (20) PreparationDocument language: E

ISO/WD nnn-n

Copyright notice

This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.

Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO’s member body in the country of the requester:

the full addresstelephone numberfax numbertelex numberand electronic mail address

Reproduction for sales purposes may be subject to royalty payments or a licensing agreement.

Violators may be prosecuted.

II

ISO/WD nnn-n

Contents

Foreword........................................................................................................................................................... v

Introduction:.................................................................................................................................................... vi0.1 Executive Summary........................................................................................................................... vi0.2 History of New Zealand’s involvement.............................................................................................vi0.3 Scope Statement of the ISO/TC215 committee...............................................................................vii

1.0 Scope and Aims.................................................................................................................................. 11.1 Specifically excluded from the scope...............................................................................................11.2 Specific Aims....................................................................................................................................... 1

2 Terms and definitions......................................................................................................................... 1

3 Review concepts and literature on access to health records.........................................................23.1 Cultural concepts about rights and obligations which pertain to access to personal health

information.......................................................................................................................................... 23.1.1 The definition of social man...............................................................................................................23.1.2 Pakeha and Maori concepts in New Zealand....................................................................................23.1.3 National and Jurisdictional Differences............................................................................................23.1.4 The Concept of Ownership................................................................................................................. 23.2 Review of international literature on access to health records......................................................33.2.1 Background: The Ethics of Privacy...................................................................................................33.2.2 Overview of national standards and procedures.............................................................................33.2.3 Data Collection.................................................................................................................................... 33.2.4 Storage and Security.......................................................................................................................... 33.2.5 Access and Corrections.....................................................................................................................43.2.6 Access43.2.7 Unique Identifiers................................................................................................................................ 53.2.8 Recommendations for international consistency............................................................................53.2.9 Problems with inconsistencies across jurisdictions.......................................................................53.2.10 Possible solutions.............................................................................................................................. 6

4 Relevance to EHR of access control in electronic commerce........................................................64.1 Levels of Access control.................................................................................................................... 64.2 Types of access control..................................................................................................................... 64.2.1 Client hostname and IP address restrictions...................................................................................64.2.2 Password protected access control lists..........................................................................................74.2.3 Role Based Access Control (RBAC)..................................................................................................74.2.4 Strong Authentication Techniques....................................................................................................74.2.5 Intellectual Property Rights................................................................................................................74.2.6 The Platform for Privacy Preferences...............................................................................................8

5 Concepts relevant to EHR access.....................................................................................................85.1 Developing operational concepts and their interrelationships relevant to EHR access..............85.1.1 Roles and Rules.................................................................................................................................. 85.1.2 Self–defining systems........................................................................................................................ 85.1.3 The Role concept in Messaging.........................................................................................................85.1.4 The Role concept in Security processes..........................................................................................95.2 Minimum concepts that could be implemented in a global system...............................................95.2.1 Four related concepts......................................................................................................................... 95.2.2 Three irreducible outcomes...............................................................................................................95.2.3 The Access Control Matrix...............................................................................................................10

6 EHR access control across jurisdictional and national boundaries............................................106.1 Jurisdictional boundaries................................................................................................................. 106.2 Requirements.................................................................................................................................... 106.2.1 Availability......................................................................................................................................... 106.2.2 Data Integrity..................................................................................................................................... 11

III

ISO/WD nnn-n

6.2.3 Auditability......................................................................................................................................... 116.2.4 Confidentiality................................................................................................................................... 116.2.5 Interoperability.................................................................................................................................. 116.2.6 Accessibility...................................................................................................................................... 116.3 The Access Object Model.................................................................................................................116.3.1 Attestation......................................................................................................................................... 126.3.2 The Security WG4 contribution........................................................................................................126.4 Access Objects................................................................................................................................. 126.5 Model of Access Control Mechanism..............................................................................................136.5.1 Use Case Diagram of Access Control Mechanism.........................................................................136.5.2 Access Lock Objects........................................................................................................................ 146.5.3 Class Diagram of Architecture of Patient Information...................................................................156.5.4 Class Diagram of Access Control Mechanism...............................................................................166.5.5 Sequence Diagram of the Request Patient Information Usecase.................................................176.5.6 Sequence Diagram of the Request De-identified Information Usecase.......................................17

7 Discussion......................................................................................................................................... 18

8 Recommendation.............................................................................................................................. 19

Annex A: Terms and Definitions................................................................................................................... 20

Annex B - Part 1: National policies regarding access to health records.................................................26

Annex B - Part 2: Legislation relevant to privacy in various countries....................................................28

Annex C: UML Models from Russia and Sweden........................................................................................33

Bibliography................................................................................................................................................... 43

IV © ISO 1999 – All rights reserved

ISO/WD nnn-n

Foreword

ISO (the International Standards Organization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.

Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

International Standard ISO nnn-n was prepared by Technical Committee ISO/TC 215, WG1, Modelling.

ISO nnn consists of the following parts, under the general title Access to Electronic Health Records (EHR):

© ISO 1999 – All rights reserved V

ISO/WD nnn-n

Introduction:

0.1 Executive Summary

The ISO/TC215 process aims to deliver an interoperability standard for healthcare computer systems. Access control interoperability would be a crucial feature of the standard, but this is challenging because of the diversity of access control policies and procedures current in different countries, jurisdictions and institutions. This report explores these issues, and concludes with some specific models using Unified Modelling Language notation (UML). We argue the case for developing a shared global technique for regulating access to electronic health records (EHR). Such a technique, if widely accepted, might also have application beyond health care.

The design for the global EHR standard that emerges should be accessible to clinical practice at all levels of technological sophistication and complexity. The ISO process could be used to facilitate the ‘business plan’ for global health care that Peter Treseder mentioned in his first address to the inaugural TC/215 meeting in Orlando, August 1998. In this report, we explore ways that this might be done. The Access Object concept that we develop could be used as a 'universal currency' for healthcare information. Although Access Objects would need to be customisable to any configuration required by national or jurisdictional policy, basic default settings could be taken from international conventions. The ‘Universal Declaration of Human Rights’ is an appropriate reference document.

This report explores a variety of access policies which presently apply to personal health information, and points out the diversity of cultural concepts and definitions relevant to EHR access. It outlines how these might be expressed through a generic access control matrix. The outcome of match and mismatch between request and data access criteria is expressed in the simple outcomes of access and denial of access, the latter further divisible into privacy (data located but not viewable) and secrecy (data not located).

A technique by which this might be done is described: the 'access object' technique would permit de-identified data to be available from participating systems, including across jurisdictional and national boundaries. The technique could also allow cross-boundary access to personally identifiable data in emergency situations. More detailed negotiations between jurisdictions on the attributes of Access Objects would facilitate full interoperability.

A process is described whereby the authentication techniques of digital signatures and attribute certificates could be incorporated in the process of requesting and obtaining EHR. The concept of 'role' is explored with reference to Work Groups Four and Two, and mention made of Work Group Three in content definitions. The technique is thus a synthesis of all the work groups, and the Access Object concept might be implemented on 'smart cards' (Work Group Five).

We advocate that an agreed international EHR standard be freely available to those with suitable credentials, and that the standard itself should not be ‘owned’, unless by an accredited international body such as ISO or the UN. Health Workers should be able to freely obtain ISO accredited 'access objects' which they could then customise to their own jurisdictions (or use with default pre set access definitions). This could make the simplest documents (such as word processed files) into ISO accredited records, which would also be valid within (and compatible with) complex and sophisticated systems. Access Objects could thus become a global 'currency' for healthcare, and might have a function in protecting access to other sorts of confidential information as well.

This report is a 'working draft' of a work item that might, ultimately, lead to an implementable standard. There is no sense in which it is complete. It is offered as 'work in progress', in the hope that it contributes to discussion in this area.

0.2 History of New Zealand’s involvement

The history of this project on Access Rights to the EHR goes back to the inaugural meeting of the committee in August 1998. At this meeting the domain of Health Informatics was divided into four work groups.

WG1 Modelling

VI © ISO 1999 – All rights reserved

ISO/WD nnn-n

WG2 Messaging

WG3 Content

WG4 Security

After the Berlin meeting in April 1999, a fifth work group was added:

WG5 Health Cards

The New Zealand delegation volunteered for WG1 at this meeting. At the subsequent meeting of WG1 in Sydney (January 1999) Dr Mair contributed to the discussion of the proposed work group item on ‘Ownership and Access’ to the global health record by suggesting that the ‘ownership’ concept could be deconstructed into rights and obligations surrounding health records.

WG1 delegated the responsibility of developing this work item to New Zealand. This was presented to the ISO committee first as a completed ‘Form 4’ with attachments ‘A’ and ‘B’, prior to the Berlin ISO/TC215 WG1 and plenary session in April 1999. It was then amended as a result of discussions there to reflect that our involvement was to be with an ISO ‘Technical Report’. An updated and expanded attachment including many of the ideas from attachments ‘A’ and ‘B’ was included with an amended Form 4, and submitted to ISO for vote (see ISO document NP17128). These documents are to be found on: http://www.hl7.org/special/committees/tc215/

The acceptance of the work item was confirmed unanimously by vote in September 1999, and ten of the fourteen ‘P’ (voting) members of the committee offered to help with the report. However there were some constructive critical comments made which were returned to ISO from member countries at the time of the vote. There was a comment from Germany that the ‘attachment’ was not in the required format, and one from the UK that it was an outline document only and did not address ‘conformance issues’. The US and the UK also emphasized that the report should not be a specification, whereas the Japanese comment was that it should be a specification not a report. There was a further WG1 meeting in London in September 1999, which requested a succinct statement on the scope of the project, which would clarify its significance to Working Group 1 and distinguish it from security mechanisms, which are the responsibility of Working Group 4.

With these injunctions, and with the collaboration of David Menkes and Lindsay Stewart, we developed a statement of ‘Scope’ and ‘Aims’ for the report. The ‘Aims’ were intended as content list. These were submitted before the Tokyo meeting of WG1 and the plenary TC/215 committee in November 1999, with David Menkes representing New Zealand.

In discussions at the meeting, and with the encouragement of members from Australia, Japan, Sweden, amongst others, the concept of ‘ownership’ was dropped from the title of the work item, and relegated to the status of a ‘cultural’ concept. One of the resolutions from the WG1 meeting was about the work item. It said that:

The agreed title of the Work Item is “Access to the Health Record”

The objectives of this Work Item are to define concepts for modelling access, not to determine a set of rules for access

A further recommendation was that the work item should lead to a 'technical report', not a 'specification'.

0.3 Scope Statement of the ISO/TC215 committee

The TC215 Scope Statement reads:

“Standardisation in the field of information for health, and Health Information and Communications Technology (ICT), to achieve compatibility and interoperability between independent systems. Also to ensure compatibility of data for comparative and statistical purposes (e.g. classifications), and to reduce duplication of effort and redundancies.”

The ISO/TC215 committee has a brief to deliver a working standard for global interoperability in health care within a defined time span. Interoperability is an urgent need for healthcare systems. The proliferation and provenance of information technology in Health Care cannot realize its full potential without it. The new technologies developing around the World Wide Web are delivering an entirely new environment for electronic data exchange of all sorts.

© ISO 1999 – All rights reserved VII

http://www.hl7.org/special/committees/tc215/

ISO/WD nnn-n

The ISO process in its founding assumptions looks for international standards separate from de facto proprietary standards.

VIII © ISO 1999 – All rights reserved

WORKING DRAFT ISO/WD nnn-n

1.0 Scope and Aims

To prepare a report, in collaboration with WG4, on workable definitions and models relevant to EHR access. This will include definition of the operations to be performed by an ethical framework for facilitating global, authorised access to EHR.

1.1 Specifically excluded from the scope

Channel related security issues, authentication techniques, encryption algorithms, and other technical matters which belong specifically within the scope of WG4.

1.2 Specific Aims

1. To retrieve and review the available international literature on access to health records

Consider cultural concepts about rights and obligations which pertain to access to personal health information

Gather from different nations standards and documents that currently purport to regulate access to health information (e.g. New Zealand ‘Health Information Privacy Code’)

2. To consider the relevance to EHR of access control in electronic commerce

Consider current developments for access control in e-commerce

Identify common ground with access control processes which might be of use in e-health

3. To explore and define concepts relevant to EHR access

Develop operational concepts and their interrelationships relevant to EHR access

Identify an underlying minimum set of concepts that could be implemented in a global system

4. To develop concepts and models of EHR access control across jurisdictional and national boundaries

To propose a global technique to both accommodate national differences in access control and facilitate cross border access

To marry these concepts with the evolving work from WG4 (especially the Technical Specification Draft for Secure Exchange of Health Information, February 2000)

5. In light of the above, and in collaboration with WG4, to develop policies regarding appropriate EHR access:

6. To advocate that an agreed global access mechanism be freely available to all credentialled healthcare workers and free from commercial control

2 Terms and definitions

Terms and definitions used in this technical report are to be found in Annex A.

© ISO 1999 – All rights reserved 1


3 Review concepts and literature on access to health records

3.1 Cultural concepts about rights and obligations which pertain to access to personal health information.

There is a diversity of views and practices surrounding the definition of personal information. This diversity is apparent both between and within nations.

3.1.1 The definition of social man

The definition of social man can vary markedly between cultures, and with it are defined differing views of sociall responsibility and distributive justice. Within the Western Tradition, some presuppose a definition of individual autonomy that places care of others in the context of enlightened self-interest. More fundamentally, the concept of 'self' is seen as socially constituted (see Mulhall and Swift, 1996). There is a diversity of views in the area of rights and obligations, definitions of the self, and relationships between the individual and society.

In order to be truly international, the Access Standard thus needs to be compatible with diverse definitions of self and society and should have the flexibility to reflect cultural differences. It must therefore contain a framework, which permits diverse solutions to these age-old questions. It should facilitate exchange of health information between systems with different 'set up' configurations in the networks of rights, obligations, access, and privacy considerations that surround health records.

3.1.2 Pakeha and Maori concepts in New Zealand

In New Zealand, the indigenous Polynesians (the Maori) have rather different concepts of family and community compared to the now numerically dominant European (the Pakeha). Because New Zealand is bicultural, European and Maori concepts of access and access control can be compared within the same country. Preliminary discussions with Maori health professionals have emphasised the communal focus of Maori values, which contrasts rather with the more individualistic Western tradition. For example, the notion of an extended family group (whanau) helps to explain the Maori’s greater collective interest/input bearing on access to personal information.

Similarly, infirm or incompetent individuals often have a 'minder' (Kia Awhina) consensually assigned by the whanau, who is then responsible for decisions relating to, the individual's health care. Similarly, whanau in practice may overrule the decision of an individual to undergo a medical procedure (e.g., abortion) based on cultural values and extensive social supports. These and other examples challenge the supremacy of the individual enshrined in Western privacy laws, based on the OECD guidelines (see Introduction).

It might be possible within New Zealand to have a 'Maori values' option for the individual to select how the rights and obligations surrounding EHR access are specified. This has a precedent in the choice that individuals of Maori descent have in their political (electoral) role. Quite possibly, the option of 'Maori values' as a customisation choice in EHR access control would be open to all New Zealanders.

3.1.3 National and Jurisdictional Differences

Access to EHR will need to be customised to respect these cultural differences within one country, and it can be confidently predicted that national differences will, in many cases, be greater than those discussed above. Moreover, access control will need to be applied in military and other institutional environments (e.g. jails) where quite other than conventional Western concepts of individual autonomy and sovereignty may prevail.

In this report, we will not grapple further with cultural concepts. As indicated in the Introduction, our brief is to develop models of access, rather than sets of rules. We propose that national, cultural and institutional differences in EHR access control should be achievable by customisation of access parameters.


ISO/WD nnn-n

3.1.4 The Concept of Ownership

This concept is commonly employed in access regulation processes at present. The concept of ‘Ownership’ can however be deconstructed into rights and their reciprocal obligations. A decision was taken by WG1 members at the Tokyo meeting November 1999 to delete the ownership concept from the title of the work item.

3.2 Review of international literature on access to health records

This section includes:

Background on ethics of privacy and autonomy

Critical overview of national standards and procedures, including assessment of the extent of international consensus on principles relevant to access

Assessment of the extent to which nations endorse the concept that access is justified in some circumstances and not in others

Assessment of the implied requirements for ethical access, and comparison with our 'requirements list' (see below)

Synthetic overview, conclusions and recommendations

3.2.1 Background: The Ethics of Privacy

An important cornerstone of medical ethics in the Western world is the notion of autonomy (Beauchamp 1994). As rational decision makers we are obliged to give others the freedom to make and carry out their own decisions regarding their ‘life plans’, this freedom and the corresponding responsibility for these decisions are considered to be “fundamental to human flourishing” (Gillett 1989, page 35). Privacy interacts with other social conditions to create an environment in which a person is able to make and execute rational decisions, that is, exercise their autonomy (Friedlander 1982). In this way privacy is not something that needs to be justified in its own right, but is rather a means towards an already justified and important end, autonomy.

3.2.2 Overview of national standards and procedures

A review of various national and other documents is summarized in the Table (Annex Two). In 1980 the OECD issued guidelines for privacy policy in order to facilitate the development of compatible legislation. These guidelines have been influential, and consequently there is a reasonable degree of concordance in policy internationally. However, this concordance can be seen to relate mainly to principles rather than to specific rules or procedures relating to access. In particular, laws and policies regarding personally identifiable data often do not explicitly relate to health information (e.g., United Kingdom Data Protection Act, see European Commission Report 1999).

Despite a variety of approaches to regulation of access, there is a general harmony of underlying principles which should facilitate the development of a global standard. The following is a summary of what would be needed in a privacy policy in order to satisfy the requirements of the documents reviewed in Annex Two.

3.2.3 Data Collection

There is widespread agreement that at the time of collection of data consent must be obtained for its storage and for the intended uses. There is some variation in policy as to whether consent should be written, and whether the terms can be changed later by either party (see Table, Annex Two).

Some countries require that the data be collected from the individual where possible. This is not universal but it is logically consistent with the principle of gaining an individual’s consent for the collection of data. Although not openly stated in all documents, data collection should also be by means which are legal, fair and not unduly intrusive.

The data that are collected and stored should be limited to those which are necessary for the purpose for which they are being collected. In addition, this purpose ought to be a legitimate one. These principles correspond to those governing legitimate access, in the sense that access should be limited to data which are necessary for the


ISO/WD nnn-n

purpose at hand (e.g., clinical care, funding or research).

3.2.4 Storage and Security

The agency which stores the data is generally held to be responsible for taking reasonable steps to ensure the security of the data. Although the term reasonable is widely used, its interpretation may vary. In the case of health records it would be reasonable to expect a high standard of security. The data ought to be protected from loss, unauthorised use, modification, or disclosure, or other use. As part of this protection some countries expect that the agency holding the data ought to be able to account for all accesses to an individual’s data. Thus, with regard to EHR, provision for an access audit trail would be important to include.

Mechanisms of security, though not part of this report, also have pervasive ethical and legal implications. These will be specifically addressed by WG4.

3.2.5 Access and Corrections

There is also widespread agreement internationally (Annex Two) that individuals have the right to access any data held about them, and request changes be made if necessary. The strongest right is to know that information is being held. Following this, the right to access the information. There are a number of exceptions to this principle:

If disclosure of information would breach another’s confidentiality. This would be avoided by only storing information gathered from or known by the individual, but there will be instances when such an approach is not practicable

If disclosure of the data could compromise the individual’s mental or physical health. Such clauses seem to be included in order to assuage concerns of doctors, although actual cases where such concerns are justified are likely to be rare

Court orders or proceedings can also be used as a reason to refuse access in various jurisdictions, although there is considerable national variation in how this is done

There are other reasons stated also, for example if the request is ‘frivolous or vexatious” (New Zealand Health Information Privacy Code, 1994)

Of note is that if one of these exceptions pertain, this should be indicated to the individual, and reasons for denial of access explained in full. In addition all other data must still be made available with the relevant/sensitive items removed.

In terms of requesting changes, it is generally agreed that all reasonable requests must be complied with. If the agency is to refuse a request it must explain why. An individual may then request that a note is made that a certain request for change was made. Again there are varying degrees of detail regarding this issue from country to country.

The USA document recommends that, if necessary, individual institutions develop and document policies regarding rights to access and corrections. In New Zealand there are very detailed policies in the Privacy Code which are intended to apply across the whole country. Other nations fall between.

New Zealand and the USA which have explicitly required that each agency that holds health information to have a Privacy Officer/Official who is responsible for handling such requests and complaints and would then report to a statutory authority, such as the Privacy Commissioner in New Zealand (see Annex Two).

3.2.6 Access

In the documents reviewed in Annex Two, the concept of access was referred to in terms of legitimate uses and disclosures of health information. There is considerable variation in how access is sought and achieved in various countries. France and Canada, for example, have proposed information systems which include access control. Most other countries (e.g., New Zealand, USA) have concerned themselves more with privacy protection legislation in advance of such anticipated developments in technological mechanisms of access.

There is also some inconsistency in terms of uses of health information. There is widespread agreement that there should be consent at the time of collection for the use of the data (see above). Development of a robust consent

4 © ISO 1999 – All rights reserved

ISO/WD nnn-n

procedure is the most reasonable way that an internationally compatible system can be produced. Canada in particular proposes a fairly detailed consent procedure that includes any future possible research. The proposed rules for the USA state that the agency that holds the data must have documented policy regarding data use, but allows for agencies to change this policy at any time. This may not be acceptable internationally. In general most types of data use can be predicted. In addition to personal health care, these further uses might include public health measures and epidemiological or other biomedical research. It should be possible to obtain consent from the individual at the time of data collection for these various uses in general terms. For example identifiable, non-identifiable, identifiable but reported in a non-identifiable way.

There are some compulsory uses of the data, such as notifiable disease reporting, etc. Whilst consent cannot be withheld for these required uses, the individual ought to be informed of the possibility of these uses.

In terms of access and disclosure there is inconsistency in how detailed the various documents are (see Annex Two) but the underlying principle seems uniform. Although in general terms disclosure is very limited there will be a number of exceptions required. These will be in order to conform with other laws. Different countries will have various laws regarding compulsory disclosures under court order, to facilitate investigations, to report crimes, or for quality assurance or peer review, to name a few. In general these are important and necessary to the functioning of that society. However, international inconsistency could be a real problem in this regard. If something is recorded in confidence in one jurisdiction, but requires reporting in another, where does responsibility lie?

3.2.7 Unique Identifiers

Involved in the issue of unique identifiers is the question of cross referencing health information with other personally identifiable information. Although unique identifiers can enhance privacy in some situations when they are used too widely they may endanger privacy. For this reason it would be unacceptable to use a unique identifier for the health information database that was also used for some other purpose, e.g., electoral roll, welfare benefit, vehicle licensing, etc. This obviously would not include using name, birthdate or address.

3.2.8 Recommendations for international consistency

At the time of collection written consent should be obtained for the storage of the data. In addition the potential further uses for public health and research should be consented for in general terms. This consent should not be conditional, ie. failure to consent to all or part of this should not affect the patient’s care in any way.

Data should be collected by legal, fair and non-intrusive means, and where possible from the individual concerned. Data should be limited to what is, or is likely to become, necessary.

The organisation that controls the EHR would be responsible for ensuring a reasonable level of security.

An individual is entitled to know that data are being held about them. They have a right to access but this right is not absolute. They also have the right to request changes, if this request is refused they may reasonably ask that a record of their request be added to the EHR.

Uses should be restricted to those consented for at the time of collection. Disclosure should only be with the consent of the individual. There will have to be exceptions to these two points in order to comply with other legislation.

Any unique identifiers would have to be unique to the EHR. Cross referencing to other databases would be problematic because of risks to privacy.

3.2.9 Problems with inconsistencies across jurisdictions

Differences between states/provinces/counties in some countries add to the total differences worldwide being many. The positive side of this is that by the time federal governments have sorted things so that states have compatible laws they will probably be so generic as to also be compatible with most other countries.

Non-OECD countries may present a problem as they are less likely to have privacy laws compatible with the guidelines. In this case it would be up to local case law and possibly the strength of local contract law regarding rules of access to the database in order to protect privacy. This might not be acceptable for OECD countries. The origin of the OECD guidelines was from reluctance to exchange information with countries with less stringent or absent privacy laws. This reluctance may continue to inhibit exchange of health information today.


ISO/WD nnn-n

An extension of this inconstancy is the difference between punitive measures for breaches of privacy between nations. Most of the policies reviewed agree that there must be significant penalties for breaches of privacy but the exact meaning or degree of significance varies and is often not specified. Differences in this and all the other complications of international law may complicate enforcement or punishment following a breach. The nature of these complications is outside the scope of this report.

3.2.10 Possible solutions

For Western nations, from an ethical point of view it is not acceptable to allow potential breaches of a person’s privacy to occur through data sharing with a country with poor privacy protection. A “lowest common denominator” approach may not be satisfactory, neither would a “when in Rome” approach. The OECD viewpoint suggests that any person is entitled to enjoy the level of privacy protection described in the above recommendations. If this level is not provided in a given country, some would argue that the international community (UN and other) should facilitate development of such privacy protection, and not condone breaches of an individual’s privacy whilst they are in such a jurisdiction.

As a means of augmenting protection, civil contracts relating to data access might be useful in countries with few privacy laws in order to provide more protection than provided by current law.

As a means of reaching international standardization with respect to EHR access, a set of principles might include the above headings, as well as provision for specification of national and cultural differences. However an ISO standard cannot be prescriptive in this regard.

Based on the foregoing, we suggest that interoperability across jurisdictional and national boundaries can only be served by a basic shared technique for performing the requirements for EHR Access. The differences in access requirements between different jurisdictions can be expressed as customisation of elements within such a shared technique

4 Relevance to EHR of access control in electronic commerce

4.1 Levels of Access control

Access control in electronic commerce can be considered to have the same levels as in the EHR,

application

computing hardware

physical (e.g., site security, locks on doors).

Only the first of these is of relevance to this report.

4.2 Types of access control

Three types of access control mechanisms are generally available for protecting confidential documents through Web access:

Client hostname and IP address restrictions

User and password authentication

Strong authentication techniques

4.2.1 Client hostname and IP address restrictions

The simplest technique is that of the access control list. The first method cannot be considered secure enough for EHR. This is because the server implicitly trusts the information sent by the client request in order to make its access decision, and this can be easily 'spoofed' or fabricated.


ISO/WD nnn-n

4.2.2 Password protected access control lists

These can be centralised or distributed. The distributed scheme creates an access control file in the directories of the protected resources. This has the advantage that every time access to a protected resource is requested, the corresponding ACL file is reread and re-evaluated. However, it is more of a problem for the system administrator than the centralised scheme. He or she must maintain distributed access control files. When the distributed system has large numbers of users working under different access control regimes (as would be the case with a global healthcare standard), the logistic problems are multiplied (Ghosh 1998).

4.2.3 Role Based Access Control (RBAC)

The decision to allow access to objects is based on the role of the user, rather than on permission based on another user. The determination of the role membership and the allocation of each role's capabilities are determined by the organisation's security policies.

There is some work reported by DSTC, one commercial concern specialising in interoperability between computer applications. Details are available at: http://security.dstc.qut.edu.au/projects/access/RBAC.html

DSTC suggests that the greatest advantage of RBAC is its flexibility and low management overhead. In a large organisation or distributed system, a RBAC framework can also establish such that the administrative task can be decentralised. Thus it can naturally reflect the organisational structure. This work might be adapted for use in e-health but it does not appear to be highly developed as yet.

4.2.4 Strong Authentication Techniques

E-commerce makes use of the strong forms of authentication supplied by digital signatures and certificates. Discussion of these is beyond the scope of this paper. Clearly the concept of Attribute Certificates as mentioned in the Draft Technical Specification by WG4 (see below) is very relevant for e-health. It does appear that roles and their validation can be identified and confirmed as securely as digital certificates. It is with this exciting concept that some proposal are made below for collaboration between WG1 and 4 on EHR Access.

The challenge of EHR transmission may result in new techniques for RABC that could contribute to role based access control in e-commerce generally.

4.2.5 Intellectual Property Rights

A related field is that of ‘intellectual property’ rights, and these have a large legal literature. There is overlap between rights in intellectual property, and rights in medical data, and both might be validly argued to be part of any global EHR structure.

However, it appears that there is already a global standard in evolution for the electronic management of intellectual property. Such a standard is the ‘INDECS’ project (Interoperability of data in e-commerce systems generic metadata model. See www.indecs.org/ ). This aims to provide a standard semantic framework for an XML (Extensible Mark Up Language)-based infrastructure for integrating metadata (data about data) in the World Wide Web. The very existence of such a product for e-commerce will influence our attempts to gain global consensus (or alignment) for the EHR. The concept has architectural features. The generic concepts of ‘People’, ‘Stuff’, and ‘Deals’ and the relationships between them could also be made to apply to the EHR. To quote from the ‘INDECS’ document: “Not only can metadata be precise and all-embracing, but in the distributed digital environment now dominating the future of intellectual property management, it has (sic) to be”.

The INDECS generic model will be expressed as a technical data model using the W3C standard RDF (Resource Description Framework) based in XML www.W3org/RDF/. This is intended to integrate a variety of web-based metadata activities.

The model that we develop below separates demographic and ID data (people), clinical data (stuff) and financial data (deals), and might be compatible with the INDECS scheme. The INDECS project as yet lacks an access control technique. The approaches from intellectual property and e-health might be complementary.

4.2.6 The Platform for Privacy Preferences

The World Wide Web Consortium also has developed a Privacy Preferences Protocol, which can mediate between


http://www.W3org/RDF/)

http://www.indecs.org/

http://security.dstc.qut.edu.au/projects/access/RBAC.html

ISO/WD nnn-n

the privacy practices in different web sites, to come to an agreement about the release of information (http://www.w3org/TR/2000/WD-P3-P0000211). However this is limited to regulating information that web sites collect on clients, and does not regulate access to data themselves.

5 Concepts relevant to EHR access

5.1 Developing operational concepts and their interrelationships relevant to EHR access

5.1.1 Roles and Rules

We suggest that cultural concepts regulating access can be considered as sets of ‘roles’, and ‘rules’ relating those roles. Operationalizing them comprehensively for any one culture or jurisdiction will be a challenging exercise and may well show up redundancies, inconsistencies and gaps in sets of concepts.

Systems of roles and rules are mutually defining. Our task is not to try to evolve some sort of ‘definitive set’. Rather it is to develop a model or models that can implement different sets of rules and roles for specified nations or jurisdictions, yet remain globally interoperable.

5.1.2 Self–defining systems

The concept of self-defining systems has its origin in theoretical linguistics (de Saussure, 1899). The 'values' or 'meaning' of individual roles can only be discovered in relation to the whole set. The game of chess is an example. The concept of ‘roles’ has its own extensive literature in sociology (cf. Cicourel 1973).

In healthcare, we suggest that any role definition will comprise relationships to other roles relevant to that setting. Considerable overlap in definitions is likely between related jurisdictions. As mentioned above, the OECD work preceded many Western national efforts to regulate access, and has imparted many common elements to such efforts. These are likely to flavour the ultimate standard. However it is not the concern of a standard for interoperability to argue for any particular ‘solution’ or group of related solutions.

5.1.3 The Role concept in Messaging

In Annex C: of the CEN TC251 'Short Strategic Study on Message Alignment', there are proposals for implementation of the "revised structure for the representation of Healthcare Agents". This same document was included in minutes for distribution after a recent ISO/TC215 WG2 meeting.

With this concept, we find that WG2 is already considering the tools needed for modelling roles and rules generically. In the CEN scheme, (Markwell 1999, section 3.3) the concept of role is defined, "A role of a healthcare agent is undertaken in the context of their relationship with another agent". This concept is further illustrated by the statement, "A healthcare agent in the context of a specified relationship with another healthcare agent (a healthcare agent in context) may perform a role”. Thus the ‘messaging’ standard role comprises an agent, a context and an action. Thus a role can be considered a simple syntactic structure (Subject, Noun, Verb).

The CEN document referred to above is under consideration for adoption as the ISO standard. This would include a synthesis of HL7 and CEN proposals. Markwell indicates, from the CEN perspective, that the technique of defining roles is an attempt to be generic. We suggest that this is an area where WG1, 2, and 4 need to collaborate.

Markwell also suggests that the 'message' could be a direct transcription of UML to XML. If the role and rule sets were locally defined, there could be a local document type definition set for the XML expression of the local rules and roles. The 'standard' would be concerned with the way this was done, not the concepts used within any one user group or jurisdiction.

5.1.4 The Role concept in Security processes

The ISO/TC215 WG4 paper ‘Technical Specification Public Key Infrastructure for Secure Exchange of Health Information Across National Boundaries’ (February 2000) uses the concept of ‘role’ in relation to ‘attribute certificates’. They point out that control decisions about request and disclosure can be rule-based, role-based and


ISO/WD nnn-n

rank based . They suggest that such information should be supplied by using an ‘attribute certificate’ that is bound to a health professional’s public key. A health professional may have many of these, which reflect multiple roles. Such attribute certificates are typically more short lived than the identity certificates.

When these processes have authenticated and verified the identity and role of the healthcare agent who makes a request, some kind of matching process must occur to establish the rights and obligations that the requester has to data. The WG4 work does not define a complete access-regulating process, but will be essential to such a process. The model below suggests how identity and attribute verification might be built in to a generic process of access control.

5.2 Minimum concepts that could be implemented in a global system

5.2.1 Four related concepts

The concept of ‘Access’ to the EHR has a reciprocal, 'Failure of Access' or which is further separable into Privacy, Secrecy, and Data Not Found. The concepts of Rights, Obligations, Access and Failure of Access are interrelated concepts which define each other, and can be considered together both theoretically and practically.

Rights

Access Failure of Access

Obligations

5.2.2 Three irreducible outcomes

We have identified a minimum set of possible outcomes from requests for information subject to access control.

Access access criteria matched, information identified and available

Failure of Access information identified, access denied (Privacy)

information identified by receiver, not identified to requester (Secrecy)

information not identified by receiver (Data Not Found)

N.B. From the requester’s (but not the receiver’s) perspective, the latter two outcomes are indistinguishable.

Thus, the receiver would be aware of four, and the requester three, basic outcomes.

Hirose (1998) has provided an elegant simplification of access errors which cuts across the above outcomes:

Case 1 "Could not access, although the information was necessary for clinical use" (inappropriate access failure)

Case 2 "was able to access, without valid reasons for patient care or management"(inappropriate access)

These similarly reduce down the multitude of different errors to two simple categories, and encourage us to think that the same basic logical model of access is global in its relevance.

This simple triplet of possible outcomes for access requests is 'Boolean' in its derivation. An access request can either find matches, or not find matches. Once found, a data object can either be opened, or it cannot be opened. That simple reality models our three basic conditions of access, privacy, and secrecy.

5.2.3 The Access Control Matrix

The level of rules and roles can be modelled as existing above and triggering one of three outcomes depending on the match between the reasons for access offered by the request and the criteria required to access the target


ISO/WD nnn-n

data. The computations involved can be modelled with an Access Control Matrix (ACM). This can have as many dimensions or variables as are found necessary. Hirose (1998) has demonstrated a graphic representation of such an ‘n’ dimensional ACM. This might also be modelled in the form of a tree diagram.

A generic ACM would specify the dimensionality of the variable space on which roles can be defined. It would not specify any particular role or rule set. The outcome of the match between request ACM and the ACM protecting identified target data would supply the data if an appropriate match were made. Different request objects might allow different levels or ranges of access, depending on their request template and ACM. Such is the complexity and sophistication of contemporary computer game technology that the above concept should be readily implementable.

6 EHR access control across jurisdictional and national boundaries

6.1 Jurisdictional boundaries

The purpose of this section is to develop concepts and models of EHR access control across jurisdictional and national boundaries. The goal of the ISO/TC215 process will include this among its requirements. Differences in access control policies are one of the defining parameters separating jurisdictions. A jurisdictional boundary is not necessarily the same as a national boundary, and in some instances a jurisdiction might be as small as a single provider organisation or even provider. We need to:

To propose a global policy to both accommodate jurisdictional and national differences in access control and facilitate cross border access

To marry these concepts with the evolving work from WG4 (including the Technical Specification Draft for Secure Exchange of Health Information, February 2000)

6.2 Requirements

In 'Requirements' lists for components of an EHR, the elements are arbitrarily demarcated from each other. In a functioning EHR, all the elements are part of all the other ones. For example, a separate listing for ‘medico-legal’, ethical, ‘privacy and security’ and ‘exchange and sharing’ requirements is misleading, since each is part of the others.

We recognise that 'Communication' security services and 'Application 'security services need to be distinguished. (see discussion of electronic commerce, above).

We assume that we are dealing with the latter, which will involve the ethical and privacy aspects, although the implications for 'security' again emphasise the overlap between categories. This is why our report needs to be in collaboration with WG4. Our 'requirement' list includes:

6.2.1 Availability

Involved in this concept are the ‘what’ ‘when’ ‘who’ ‘where’ and ‘why’ of access to health information

What: there should some indexing system for classification and retrieval. (It is the task of WG3 to determine this)

When: a method should be defined for regulating access to health information with respect to time.

Who: there should be some system in place for defining personal identity information, regulating ‘who’ can access a demarcated segment of information, based on their role with the individual (e.g., as their doctor) and the situation (e.g., urgent medical need for records).

Where: there should be a location of source identifying system applied to health information, which determines where information can be accessed

Why: there should be a ‘reason for obtaining’ information applied to demarcated segments of health


ISO/WD nnn-n

information

6.2.2 Data Integrity

Participating systems should have procedures which authenticate the source of health information and which verify it as unchanged when communicated

6.2.3 Auditability

EHR should be auditable, both with regard to content and by an ‘audit trail’ of access (an ‘access history’ for health information should be traceable) It should be possible to discern modification/updating of EHR using version control.

6.2.4 Confidentiality

Procedures should be in place which restrict access to health information by defined criteria (e.g. the ‘what’ ‘when’ ‘who’ ‘where’ and ‘why’ list above)

The criteria, which may be culture or jurisdiction specific, must be able to be locally defined according to ethical precepts current in that culture or jurisdiction.

6.2.5 Interoperability

There should be a process or processes mediating the exchange of health information at jurisdictional boundaries

This should allow EHR to interoperate in a way that is truly global yet respects local customs and culture. It follows that the process should be both simple and be amenable to customisation in different jurisdictions

6.2.6 Accessibility

There should be open access for suitably credentialled workers

6.3 The Access Object Model

'Ordinary life fits the absolute as a box and its lid'

from: 'Sandokai' ('Identity of Relative and Absolute') Shih-tou 700-790 CE

In pursuit of a universal solution for an interoperable 'access' technique, we propose the following axioms:

Axiom 1: The boundaries of what can be accessed in EHR should be configured around the subject of care.

Axiom 2: Data collection in medical practice occurs at the clinical interview and other clinical encounters.

Axiom 3: Access to EHR and other health resources will be significant determinants of how medical and personal narratives develop.

Axiom 4: There is a need for a generic technique to de-identify data. This facility must be built in to any global system.

Our model links the 'action' of 'attestation' to the assignment of culturally sanctioned access rules at the time of the creation of data objects (or object clusters) which occurs in the clinical encounter. The assignment of access controls is not seen as a separate process to data collection, but to occur at the time of collection, as part of 'attestation'.


ISO/WD nnn-n

6.3.1 Attestation

This a concept with practical, medical, and medico-legal implications. For a practising doctor in the pre-electronic era, attestation could be considered to occur constantly, in the recording on paper. The undertaking not to alter or modify records except explicitly has been a fundamental medical-legal assumption of medical practice. More fundamentally, a surgeon can be thought of as continually 'attesting' his or her work on the patient.

This 'automatic' nature of attestation must be transferred to the electronic record making medium in a way that does not delay or embarrass the process of medical care. However, attestation remains the ‘action’ of medico legal significance in medical record keeping.

6.3.2 The Security WG4 contribution

The mechanisms of digital certificates and signatures are the closest that we have to any concept of 'the absolute' on the web. If we can find a way of allowing the relativity of cultural concepts and practices to be grounded in this absolute universal technology, we will have achieved the desired fit of the relative and absolute for this process.

It seems likely that the global public key infrastructure proposed by WG4 will provide the basis for implementation of a global system. The concept of ‘attribute certificates’ would seem to be crucial to the implementation of access control by ‘role’, and our task is to develop a models of the ‘access’ process which will enable that synthesis.

The Technical Specification that WG4 has developed is remarkable for its detail about Certifying Authorities, Registering Authorities, Public Key Infrastructure, and Attribute Certificates. WG4 are in no doubt that the specification must be internet-based.

'To define the essential elements of a health care public key infrastructure to support the secure transmission of health care information across national boundaries. The specification must be Internet based if it is to work across national boundaries.'

The ISO/TC 215 WG4 specification suggests that interoperability across national boundaries be achieved by a series of bilateral and multinational agreements between registration authorities. They point out that the infrastructure for this does not yet exist, but suggest that it should. Until it does, they recognise that there is some risk in the transfer of confidential information.

The solution we propose will be based on the PKI and Attribute Certificate Infrastructure proposed by WG4. The security techniques now appear available for authentication, non-repudiation, and for ensuring integrity and confidentiality of transmitted health data. However, they are insufficient in themselves to constitute a global access regulating technique.

6.4 Access Objects

We propose a class of metadata (data about data) objects, which are created alongside health data at the clinical encounter or interview. They could also be used to protect data objects created in other kinds of transactions.

These metadata objects are linked to clinical data in a standard (ISO certified) way, but are themselves not prescriptive of the form or grain of those data.

Access Objects could thus serve different schemata for data structure and architecture. They would also be functional for linkage to data objects with little formal structure, e.g. word processed documents, as might be predominant in technologically unsophisticated environments.

The proposed model would work by authentication of identities and roles occurring like 'welds' or 'rivets' in the ongoing process of medical work. We have modelled this process using the Unified Modelling Language (UML).


ISO/WD nnn-n

6.5 Model of Access Control Mechanism.

The following section contains a UML model that outlines the basic processes of accessing patient information. The section also gives a brief overview of a model for an implementation. The focus in on a high level conceptual model of the process of accessing patient information; underlying issues such as techniques for authentication and security are assumed to be dealt with elsewhere.

The Use Case Diagram below illustrates the scope of the system under consideration.. It shows the actors who will interact with the system and the way that the system will be used.

Data providers create information. The model assumes that default sets of access rules can be established according to the local customs and legislation. These are automatically associated to the different categories of data when the data are created or collected.

One role of the patient is to define or modify, as necessary, the access rules that are applied to their information.

Two types of actors generate requests for access to information:

1. Data Users, are people who generate requests for specific information about a patient.

2. Researchers, who request de-identified information about groups of patients.

The supervision of the system and the establishment of access rules is under the control of the security manager.

6.5.1 Use Case Diagram of Access Control Mechanism

The behaviour of the system can be realised by the activities of a number of objects that are represented in the


request de-identified informationresearcher

create patient information

Data provider

monitor access to information security manager

request patient information

Data User

patient define access rights

ISO/WD nnn-n

Class Diagram, given below.

The implementation of the class diagram has some major assumptions. Firstly, there are issues relating to the structure and mechanisms associated with the storage of the patient information:

1. A patient record consists of some fairly constant data (here called demographic data) plus a number of attestable units that are created during consultations, examinations, laboratory procedures, etc. The “demographic data” may in fact be broken down into smaller units under separate control, but this is not shown here for the sake of clarity.

2. Attestable units consist of multiple clinical objects which may be built from other clinical objects.

3. Attestable units may also contain financial information under separate control.

4. The audit trail is associated with the object. (in order to record access to the data).

5. Access permissions may operate at any level, with the option of access being increasingly restricted at the attestable unit level, clinical object level or financial object level.

6.5.2 Access Lock Objects

Access to data is afforded via the Access Lock objects that contain:

a (data base) key to the data contained –(patient ID),

a content definition, indicating the type of information contained in the object,

the access control rules applicable to the object,

a reference by which the data can be located,

encryption keys

Access locks are replicable objects which may be stored in various locations, such as servers or smart cards, and provide the link between a request and a data object.

All these assumptions could require extensive debate, for example:

Record structure could be different

audit and control might be applied at either a higher or a lower level

relationships may be associations rather than aggregations. Aggregation has been used because access keys and audit trails are essentially part of’ the data and there is no logical reason for them to have a separate existence from the data to which they relate.

The following diagram illustrates the Class Structure of the Architecture of a Patient Record


ISO/WD nnn-n

6.5.3 Class Diagram of Architecture of Patient Information

The handling of a request for information is implemented by 4 major components:

1. The Request Manager object handles the interface between the user and the data storage and retrieval system. It is which is responsible for formulating a valid request with parameters and ranges, it is also responsible for authentication of the user, user’s role, reason for access etc. It produces an Access Request object.

2. The Access Request object (analogous to the codon in the immune system) is replicated and distributed to Access Controller objects located at various data repositories for processing.

3. Access Controller objects serve as interface objects whose role is to handle the information contained within their local repository. They receive Access Requests which they match against their known Access Lock objects for matching data.

4. Access Controllers are also responsible for translating some aspects of Access Requests into the local format between systems and jurisdictions. For example they may be responsible for translating roles or relationships.

5. When the Access Request has located a matching Access Lock, the Access Lock enforces access controls, updates the audit trail and returns the requested information via the Access Request.

The overall class diagram illustrating the structure of the system is given below. Notice the symmetrical relationship between the Access Request and the Access Lock. Access is granted when the request matches the patient identifier and content definition and also when the user, role and reason for access meet the criterion expressed in the access rules.


access lock

patient idcontent definitionaccess rulesreference to dataencryption keys

demographic data

audit trail

clinical objects

attestable unit

financial objects

ISO/WD nnn-n

6.5.4 Class Diagram of Access Control Mechanism

The processes involved in handling requests for information are explained in the sequence diagrams given below. These are used to define the sequences of actions of the system.

The first figure illustrates the request patient information usecase, for the case where a successful match is found for some demographic data and on some information held within an attestable unit.

The second figure illustrates the request de-identified information usecase, for the case where a successful match is found on some information held within an attestable unit, but no information is returned from the demographic data.


request manager

access request

patient idrequest templateuser iduser rolereason for access

access controller

access lock

patient idcontent definitionaccess rulesreference to dataencryption keys

demographic data

audit trail

clinical objects

attestable unit

financial objects

ISO/WD nnn-n

6.5.5 Sequence Diagram of the Request Patient Information Usecase.

6.5.6 Sequence Diagram of the Request De-identified Information Usecase.

The philosophy behind the model is that it is to be built on multi-level architecture, with the user’s workstation being attached to a local server and then widely connected via a network.


: Data User

: request manager

: access controller

: demographic data

: attestable unit

: audit trail : access request

: access lock

1:

14:

2:

3:

4:

12:

13:

11:

5: 6: 7:

8: 9:

10:

: researcher

: request manager

: access controller

: demographic data

: attestable unit

: audit trail : access request

: access lock

1:

11:

2:

3:

9:

10:

4:

8:

6: 5:

7:

ISO/WD nnn-n

Patients may also carry smartcards, which interface to the workstation.

With this architecture, the actual data are under the control of the local access controllers.

The access lock objects may be replicated and stored at any level: smartcard, workstation or server.

This facilitates the matching of an access request that is generated on the workstation with an appropriate access lock, which will eventually lead to the retrieval and delivery of the data.

7 Discussion

Access objects, which could be stored on smart cards or identified by search could constitute a currency for the exchange of health information around the world. However, without detailed alignment of attribute definitions in the access objects and their matching request objects, the access objects would not constitute interoperable currency. Therefore, without a previous treaty that permits the access object to be recognized in a new (host) jurisdiction, the ‘currency’ would not be accepted and interoperability would fail.

However since the technique for accessing (or failing to access) data would be shared, alignment negotiations would be greatly simplified and might be expected to occur in a similar way for each pair of countries or jurisdictions. With basic research justification, and without further negotiation, ISO compliant systems could share de-identified data. The advantages for epidemiological research would be profound.

To summarise the process:

Attestation occurs at the clinical encounter

The collection of clinical objects thus formed has, by the same act, an access object assigned to it.

These contain a (data base) key to the data contained –(patient ID), a content definition, indicating the type of information contained in the object, the ACM applicable to the object, a reference by which the data can be located, encryption keys

The Request Object made by the request manager also contains encryption keys verifying ID and role of requesting agency, and the access rules for that role (what classes of data can be accessed. as well as a content template, and a statement of ‘reasons for request’.

If the ACM of the access object, and the roles and reason for request as well as the content search criteria from the request object are met, the requesting agency gets access to the referent in the access object

There is a final verification stage for the source of the requested data using the encryption key which is part of the access object, and then a ‘secure socket’ is established which permits exchange of data.

This concept might bridge the work of WG1,2 and 4, but WG3 would need to address content coding.

8 Recommendation

That the possibility of such a synthesis between requirements and implementation is further explored, along with


smart card workstation

Server network

ISO/WD nnn-n

any other options offered by other members of WG1 and WG4.

If a shared technique were developed which facilitated interoperability, it itself should not be ‘owned’ by any

individual or organization, except possibly ISO or the UN. This would safeguard flexibility in innovation and delivery

of healthcare for the future, and allow for the emergence of possibilities as yet undreamed, or as the classic and

ubiquitous Latin medical acronym states, ‘for that yet to be born’, or pro res nata (PRN).


ISO/WD nnn-n

Annex A: Terms and Definitions

Terms and definitions are from diverse sources, including Standards Australia 'National Requirements for the EHR, and Markwell (1999).

Access

Right, opportunity, or means of finding, using, or retrieving information

Access Control Rule

A constraint on the action of a health care agent in a particular context to access health information

Accountability

The property that ensures the actions of an entity can be traced uniquely to the entity (Ref : ISO 7498–2)

Authentication

The process of reliably identifying security subjects by securely associating an identifier and its authenticator (Ref : ISO 7498-2)

Authorise

Granting of rights, which includes granting of access based on access rights (Ref : ISO 7498-2)

Availability

The property of being accessible and useable upon demand by an authorised entity (Ref : ISO 7498-2)

Classification

Systematic idenitication and arrangement of business activities and/or records into categories according to logically structured conventions, methods, and procedural rules represented in a classification scheme

Clinical information

Information about a subject of care, relevant to the health or treatment of that subject of care, that is recorded by or on behalf of a healthcare person

NOTE: Clinical information about a subject of care may include information about the subject of care’s environment or about related people where this is relevant (Ref : ENV 1613)

Confidentiality

The characteristic of data and information being disclosed only to authorised persons, entities and processes at authorised times and in the authorised manner (Ref : AS4400). Alternatively, the policy and procedures used by an organization or individual given access for a particular purpose.

Conversion

Process of changing records from one medium to another or from one format to another.


ISO/WD nnn-n

Data

Representation of facts, concepts or instructions in a formalised manner suitable for communication, interpretation or processing by human beings or by automatic means (Ref : OECD Security Guidelines)

Data integrity

Property that data has not been altered or destroyed in an unauthorised manner (Ref : ISO 7498-2)

Document

Structured units of recorded information, logical or physical, not fixed as records

Electronic health record

(1) A collection of data and information gathered or generated to record clinical care rendered to an individual. It is to be noted that the EHR is a virtual entity where the actual physical information may be distributed across various systems and geographies.

(2) A comprehensive, structured set of clinical, demographic, environmental, social, and financial data and information in electronic form, documenting the health care given to a single individual. (Ref : ASTM 1769)

The EHR is the structured record of an individual’s complete health status and health care. It is a comprehensive, structured set of clinical, demographic, environmental, social, and financial data and information in electronic form, documenting the health care given to a single individual and extends from pre-birth to post-death and must meet all record keeping requirements.’ It may be a ‘virtual entity where the actual physical information may be distributed across various systems and geographies.’

Electronic patient record

The EPR describes the record of the periodic care provided mainly by one institution or provider. It generally exists in one place or on one system, and therefore is seldom virtual. An EHR is made up of EPRs. The fact that EPRs can come from diverse sources where different Access criteria may apply is one of the reasons we need to develop a Standard to facilitate interoperability.

Electronic record

Record on electronic storage media, produced, communicated, maintained and/or accessed by means of electronic equipment

Electronic health record system

An Electronic Health Record system forms the mechanism by which patient records are created, used, stored, and retrieved. It includes people, data, rules and procedures, processing and storage devices, and communication and support facilities. (Ref : CBPR)

healthcare agent

Healthcare person, healthcare organisation, healthcare device or healthcare software component that performs a role in a healthcare activity.

healthcare agent in context


ISO/WD nnn-n

One or more healthcare agents related together in a specified manner for the purposes of performing a particular role in a healthcare activity.

healthcare agent in context reference

Reference to a healthcare agent in context, which uniquely identifies that healthcare agent in context in the context within which it is used.

NOTE: Use of healthcare agent in context reference depends on the existence of shared information describing the healthcare agent in context to which it refers.

healthcare agent role

A role played by a healthcare agent (or by a healthcare agent in context) in a healthcare activity.

EXAMPLE: Originator/author of a record entry, Requester of a service, Provider of a service, Sender of a message, Recipient of a message, Person signing a message or record entry.

healthcare agent reference

Reference to a healthcare agent, which uniquely identifies that healthcare agent in the context within which it is used.

NOTE: Use of healthcare agent reference depends on the existence of shared information describing the healthcare agent to which it refers.

healthcare agent relationship

A relationship between two healthcare agents.

NOTE 1: A healthcare agent relationship may apply for a specified period of time.

EXAMPLE 1: Employee / employer

NOTE 2: A healthcare agent relationship may be specific to a particular healthcare agent role.

EXAMPLE 2: On behalf of / responsible for.

healthcare device

Device or equipment involved in the direct or indirect provision of healthcare services to an individual or to a population.

EXAMPLE: ECG machine, auto-analyser, syringe pump.

healthcare organisation

Organisation involved in the direct or indirect provision of healthcare services to an individual or to a population.

NOTE: Groupings or subdivisions of an organisation, such as departments or sub-departments, may also be considered as organisations where there is need to identify them.

healthcare party

Organisation or person involved in the direct or indirect provision of healthcare services to an individual or to a population.

healthcare person

Person involved in the direct or indirect provision of healthcare services to an individual or to a population.


ISO/WD nnn-n

EXAMPLE: Primary care physician, dentist, nurse, social worker, pharmacist, medical secretary.

healthcare software

Software component involved in the direct or indirect provision of healthcare services to an individual or to a population.

EXAMPLE: EHCR system, decision support software, viewing tools.

Healthcare data

Data which are input, stored, processed or output by the automated information system which support the business functions of a the Healthcare organisation. These data may relate to person identifiable records or may be part of an administrative system where persons are not identified (Ref : HL7)

Health information

The determinants of the population’s health, including those in the external environment (physical, biological, social, cultural and economic) and those internal to individuals (for example, knowledge, behaviour, disease risk factors, and physiological, biochemical and anatomical variables which might be measured or imaged);

Health interventions or health services, including those which have been provided directly to individuals and those provided to communities, and covering information on the nature of interventions, management, resource allocation, accessibility, use and effectiveness; and

The relationships among these elements

Information

The meaning assigned to data by means of conventions applied to those data (Ref : OECD Security Guidelines)

Longitudinal/lifetime patient record

A permanent, coordinated record of significant information, in chronological sequence. It may include all historical data collected or be retrieved as a user designated synopsis of significant demographic, genetic, clinical, and environmental facts and events maintained within an automated system. (Ref : ASTM 1384)

Metadata

Data describing data

Migration

Moving records, while maintaining authenticity, from one electronic system to another without major conversion or inputting of data

Originating organisation

Corporate body or organisational unit in which records are created or received and accumulated in the conduct of its business

Privacy

The legal right a person has to determine what information is accessed by whom and to what purpose

Preservation

The processes and operations involved in the stabilisation and protection of records


ISO/WD nnn-n

Records

Data created, received, and maintained as evidence and information by an agency, organisation, or person, in pursuance of legal obligations or in the transaction of business

Records capture

Recognition of a record resulting in its inclusion in a system that manages records operations

Records management

The discipline and organisational function of managing records to meet operational business needs, accountability requirements and community expectations

Records management plays many roles within an organisation and in the organisation’s relationships with the world. Thus records management is concerned with the following :

Managing the records continuum, from the design of a recordkeeping system to the end of the records’ existence.

Providing a service to meet the needs, and protect the interests, of the organisation and its clients.

Capturing complete, accurate, reliable and useable documentation of organisational activity to meet legal, evidential and accountability requirements.

Managing records as an asset and information resource, rather than as a liability.

Promoting efficiency and economy, both in the management of records and in organisational activity as a whole, through sound recordkeeping practices.

(Ref : AS 4390.1)

Records systems

Information systems which capture, maintain and provide access to records over time

Registration

A method for giving a record a unique identifier

Retention period

The time period records are kept according to requirements including operational, legal, regulatory and fiscal

Records Retrieval

Process of recalling specific records from storage

Request

Attempt to access health information, whether personal, pedigree/group, or anomymised

Security copy

Copy of a record made in order to preserve the evidence and information it contains in case the original is lost, damaged or destroyed

SNOMED

The Systematized Nomenclature of Human and Veterinary Medicine is a comprehensive, multiaxial nomenclature classification work created for the indexing of the entire medical record, including signs and symptoms, diagnoses,


ISO/WD nnn-n

and procedures (Ref : NHS IFH)

Standard

Document, established by consensus and approved by a recognised body, that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context

Note: Standards should be based on the consolidated results of science, technology and experience, and aimed at the promotion of optimum community benefits

(Ref : ISO/IEC Guide 2:1996)

Storage

Measures for keeping records under defined conditions and permitting their retrieval

Storage medium

Physical base on which information may be recorded

Subject of care

Person or defined groups of persons receiving or registered as eligible to receive healthcare services or having received healthcare services [Example: patient]

(Ref : CEN ENV 12443:1996)

Tracking

Capturing and maintaining information about the movement and use of records

Trust

Reliance on the integrity, justice etc of a person, or on some quality or attribute of a thing

Universal identifier

A means to provide positive recognition of a particular individual for all people in a population. A universal health care or patient identifier provides the identifier for use in health care transactions. (Ref : ASTM 1714)

User

A person or other entity authorised by a provider to use some or all of the services provided by the provider (Ref : COACH)



Annex B - Part 1: National policies regarding access to health records

Table of national policies regarding access to health records.

Document Reviewed

Rules Governing

Collection

Storage &

Security

Individual Access and

Corrections

Access (Use and

Disclosure)

Using data for

Research

Consent Unique

Identifiers/

Linkage

Relevant legislation

New Zealand

(Slane 1994) Detailed Important Detailed

guidelines

Limited Non-id & with ethical

Approval

Important Limited use Privacy Act 1993

Australia (NSW Health Department 1999)

limits on collection

Important Allowed Limited Non-id & with ethical

Approval

Important Limits on linkage

Privacy Act 1988

USA (Department of Health and Human Services 1999)

(2000 ehealthethics summit 2000)

No Important Allowed Limited Non-id & with ethical

Approval

Important but terms can be changed

Limited Use Privacy Act (1974)

And State Laws


ISO/WD nnn-n

Canada (Minister of Public works and Government Services 1999)

Important Important Limited Non-id & ethical

Approval

Important, and written

Limited use Privacy Act (1983)

Personal Information Protection and Electronic

Documents Act,

OECD (OECD ; OECD 1980)

Limits on collection

Important Important Limited Not specifically considered

Important Not Stated Guidelines on the protection of privacy and transborder flows of personal data

(1980)

Declaration on transborder data flows (1985)

EC (GEHR 1993)(European Commission: Secretariat of the European Group on Ethics in Science and New Technologies 1999)

Limits on collection

Important Important Limited Non-id & with ethical

Approval

Important Limited Directive 95/46/EC (24/Oct/1995)

Directive 96/9/EC (11/Mar/1996)



Annex B - Part 2: Legislation relevant to privacy in various countries

After: Working Party on Information Security and Privacy

INVENTORY OF INSTRUMENTS AND MECHANISMS CONTRIBUTING TO THE IMPLEMENTATION AND ENFORCEMENT OF THE OECD PRIVACY GUIDELINES ON GLOBAL NETWORKS

DSTI/ICCP/REG(98)12/FINAL

Country Constitution Federal Law State Law

Australia Privacy Act 1988

Crimes Act 1914

Taxation

Administration Act 1953

Telecommunications Act1997

The Data-matching Program (Assistance and Tax) Act 1990

Various

Austria Federal Data Protection Act of 1978

Austrian Telecommunications Act (1997)

Industrial Code (1994)

Genetic Engineering

Act 1994

Belgium Articles 22 and 32 Law on the Protection of Privacy Regarding the Processing of Personal Data (1992)

Law of 30 June 1994

Canada Privacy Act (1983)

Personal Information Protection and Electronic

Documents Act,

Various, most comprhensive in Quebec Act Respecting the Protection of


ISO/WD nnn-n

Personal Information in the Private Sector (1993),

Czech Republic Protection of Personal Data in Information Systems Act

Denmark section 72 Law on Public Access

Law on Public Filing Systems

Danish Penal Code,

Finland Section 8 Personal Data Act (1999)

Statistics Act

Act on the Medical Research Development Centre

Act on the Protection of Privacy and Data Security in Telecommunications,

France Law No. 78/17 (1978) Data Processing, Data Files and Individual Liberties

Penal Code.

Labour Code

Law on Video Surveillance (1995).

Germany Federal Data Protection Act (1990)

Central Register of Foreigners Act (1994) Federal Telecommunications Act (1996 Telecommunications Carriers Data Protection Ordinance

Article 2 of the Federal Information and Communication Services Act (1997)

individual data protection laws

Greece Article 9 Article 19 Law No. 2472/97 Protection of the Individual Against Processing of Personal

Data

Law No. 2225/94 protects freedom of correspondence and communication.


ISO/WD nnn-n

Hungary Article 59 Protection of Personal Data and Disclosure of Data of Public Interest (1992)

and privacy included in other legislation.

Iceland Act Nr. 121 Concerning the Registration and Handling of

Personal Data (1989)

Ireland The Irish Constitution recognises a right to privacy

Data Protection Act 1988

Some coverage under other legislation.

Italy Data Protection Act (1996)

Labour Decree n. 39/93

Law No. 59 of 15 March 1997

Legislative decree No. 171 of 13.05.98

Japan Act on Protection of Computer Processed Personal Data held by Administrative Organs

(1988)

large number of Ordinances enacted by local authorities

Korea Article 17 & 18 Protection of Personal Information by Public Organisations Act

The Use and Protection of Credit Information Act

Protection

of Confidentiality in Communications.

Luxembourg Nominal Data (Automatic Processing) Act (1979)

other regulations eg. with respect to police and medical data files.

Mexico Articles 6, 7 and 16 Federal District Penal Code

The Netherlands Article 10 Data Protection Act (1988)

Police Registration

Act (1991)


ISO/WD nnn-n

Medical Treatment Information Act (1995)

New Zealand The Privacy Act 1993

Official Information Act 1982,

Local

Government Official Information and Meetings Act 1987,

Electoral Act 1993

Domestic Violence Act 1995.

Norway Act no.48 of 9 June 1978 relating to Personal Data Registers, etc.

Poland Article 51 Act on the Protection of Personal Data (1997)

An Order of the Ministry of Health in 1993

Portugal Article 35 Protection of Personal Data Act (1991)

Law on Computer Crime (1991), regulations such as the Registry of Non-Donors of Human Organs and the Identity Card Centre, and regulations controlling

the databases operated by the Gendarmerie, the Border and Foreign Services and the Criminal Police

Spain Article 18.4 Law on the Regulation of the Automated Processing of Personal Data (1992)

Law on public statistics

Sweden contains privacy provisions and also the “Instrument of

Government”

Personal Data Act 1998

Credit Information Act,

Debt Recovery Act

Official Statistics Act.

Switzerland Federal Law on Data Protection (1992)

Telecommunications Law; Employment Contract

Most of the Swiss Cantons

have introduced data


ISO/WD nnn-n

Provisions

Federal Statistics

Swiss Criminal Code. Professional Secrecy in Medical Research 1993.

protection laws

Turkey draft law on Data Protection

United Kingdom Data Protection Act 1984

Financial Services Act 1986, Human Fertilisation and Embryology Act 1990

Charities Act 1993

Criminal Justice and Public Order Act 1994

United States does not explicitly mention a right of privacy

Privacy Act (1974)

Federal Trade Commission Act (1914)

Fair Credit Reporting Act (1970)

Cable Communications Policy Act (1984)

Electronic Communications Privacy Act (1986)

Computer Matching and Privacy Protection Act (1988)

Tax Reform Act of 1976,

and the Right to Financial Privacy Act of 1978

Video Privacy Protection Act (1988)

Telephone Consumer Protection Act (1991)

"Children’s Online Privacy Protection Act" (1998)

A number of State Constitutions include a right to privacy. States generally follow the federal

sectoral model and enact privacy enhancing statutes on a sectoral (industry by industry) basis.


ISO/WD nnn-n

Annex C: UML Models from Russia and Sweden

Contribution by Ivan Emelin, Russia, member of WG2 ([email protected])

Use Case

I suppose you have the following dilemma:

1. If Patient is not an actor, then your Use Case is not healthcare specific at all and it is reasonable to bring up the question why it is considered in context of healthcare specific standard.

2. If Patient is an actor, then you have to use healthcare specific roles for other actors (maybe not for all of them).

I suppose the second approach is preferable. In this case the possible actors may be different healthcare agents (see definitions in the appendices to the report “ISO TC215 WG2 MDF and XML Work Items Status Report for Tokyo, November 1999: Andrew Hinchley”): healthcare person, healthcare organization, healthcare device and healthcare software (application). For example master patients index software may request access to various sources of personal data by itself. This application may have no human users beside system administrator. Therefore such an application may to be considered as separate kind of actor.

Class Diagram

I suppose aggregation links are rather not suitable for these classes. Second, demographic data is also gathered in the course of the same events as clinical data. The following class diagram may be preferred:

Attestable unit

Demographic data

1

0..*

1

0..*

Clinical data

1

0..*

1

0..*

Access lock

Financial data

1

0..*

1

0..*

Patient Identification

1

1..*

1

1..*

Audit trail


ISO/WD nnn-n

User of anonymous data

create identifiable data

request identifiable data

request anonymous data

grant rights to access to anonymous data Authority

User of identfiable data

Data provider

grant rights to access to identfiable data

Security manager

Use Case

Role of Security Manager

"In my opinion, the 'security manager' is a mechanism (person or piece of software) that implements access to data according to rules established by authority. This is a complicated task including access control, audit trail, and so on.

Of course, access rights to HER and EPR depend on many parameters, not only on type of data (demographic, financial, clinical, identified, anonymous), but also on state of data (dictated, incomplete, authenticated, legally authenticated etc). If you want to take states of data into consideration, see Ch 9, medical records/information management of HL7 v2.3.1.

From Ivan Emelin.


ISO/WD nnn-n

Contribution from Sweden

From: Broberg, Helen, Univeristy Hospital of Lund, Sweden; [email protected], Lagerlund, Britt, Region Skane, Sweden, [email protected]; Lundgren, Per-Arne, [email protected]; Torlöf, Per, University Hospital of Lund, [email protected].

Introduction

In our work with security in healthcare we have identified a number of use cases. Some are translated into english and can be found in the reports Semric and Distribution Rules. A use case produced within a project called SITHS; Secure IT in Healcht Care analyses the process from a healthcare request to the end of that care episode. In these we identify the requirements for security.

As a starting assumption for these have been the the fact that healthcare information is created in the encounter between the healthcare professionals (HCP) and the patient.

Use Case – Access and distribution of information

The HCP retrieve, manipulate and distribute information both within the own organization (intra) and with other organizations (inter). During this process the healthcare professionals have a need for a secure access and communication of healthcare data at different points in the care and treatment process. The use cases in figure 1 and 2 need to be covered to get a secure system..

1. Access and distribution of healthcare data

Data provider: definition to be added

Data user: definition to be added

2. Authentication and authorization


mailto:[email protected]




ISO/WD nnn-n

Authentication

Strong Authentication

"Sof t"Authentication

Create information Access information Process information

Data userData ProvisionData provider

Authorised User

AuthorisationPotentialAuthorised User

<<Extends>> <<Extends>> <<Extends>>

<<Extends>><<Extends>><<Extends>>

<<Extends>><<Extends>>

<<Uses>>

Comment: Create includes storage, process include distribution and communication.

Policy for information security – the key to secure co-operation

A policy for information security consists of laws, regulations, practice/ethical guidelines and recommendations for how information, functions and resources are to be controlled, protected, stored, distributed and communicated. Here we focus on the access and to a certain degree on the distribution part.

1. Secure identification and authentication (The ID principle)

Each user must be securely identified within the specified domain, which may consist of one or several activities. The systems must also identify themselves to the users.

2. A relation to the patient. (The relationship principle)

Authorisation to access information about a patient is only given to those who have a relevant relationship to the patient. There are various forms of relationships. The basic one is the requirement for a care (treatment) relationship. A provider of healthcare is only authorised to access the information if the provider is involved in the care of the patient. Other relationships may be those of family or of the government.

Here we are considering "reason for access". In some way it should be mandatory.

3. Access on a need to know basis. (The need principle)

Access is to be given based on the needs arising in the care and treatment of the patient. What constitutes need and the extent of information access are specified by the health care providers and the profession in consultation with the patient and based on law, ethics and existing practice.

4. Patient influence. (The patient principle)

The patient is to have influence over the access to the information in his/her own record.

Remark: The work now is to operationalise these principles. The focus will be on patient influence and a healthcare relation. In the policy we are talking about an official relation; for healthcare it means a care relation to the patient. We still have to cover access for pure research purposes and for instance administrative or legal purposes. But these are not processed, at least not so far, through this access mechanism.


ISO/WD nnn-n

Three communication environments

Three situations have been identified in our work with different implications and requirements for security. We give a brief introduction to each of them. After that we give an interpretation of how to act in each of these based on a new sugested not legaly tried interpretation of the present legal framework regulating access/distribution in Sweden. The interpretation illustrates a situation that exists. The boundaries of your own domain depends on a wider or narrower interpretation of the law. This is an ongoing work.

Own domain

This can be a hospital, a hospital and primary care or a number of hospitals. The same security policy and access/distribution principles are implemented. Access/distribution is regulated by an access/control system.

Interpretation: Availability is governed by the Secrecy Act. The Act is valid for interchange of information between domains; not within your own domain. Within the domain availability is governed by the professional need for information. It is the professional that requests/retrieves the information that is liable. It is the organisation form that determines what is to be considered as an "own domain".

Co-operating domains

This can be two "own domains" that co-operate. It can also be two different organisations that co-operate (in a way the same as two domains).

Some kind of “EDI”-agreement exists that regulates the co-operation.

The interchange requires that the requesting domain has authorised access rules.

Interpretation: Interchange of information between domains requires patient consent or implicit consent if the patients opinion is not known. There is also the requirement for considering potential damage to the patient or to those close of kin if the information is distributed. Liability in the case rests with the person distributing the information.

Unknown domain(s)

Still to be described and analyzed.

Model of concepts to consider

This model is a simplified version of a model developed within the DGIII Semric project. We enclose an electronic version of the chapter on user requirements from that report, see Annex A. We are not positive that it is thefinal publized version. There you also will find the original model with defintions of the terms used. The model in figure one has an explanation in english that puts it into a user context. Unfortunately we can´t find the electronic version right now. We hope to be able to supply it later it it is considered to be of interest.

The model is based on the following concepts expressing the global security needs:

Availability; Establishing rights, granting priviliges Authentication

Confidentiality

Integrity

Accountability (maybe today auditability)

These have been decomposed to conceptual security needs and modeled to a conceptual security model.

The terminology “global security needs” and “conceptual security needs” come from the CEN report PrENV 13608-1:1999.

3. Conceptual security model


ISO/WD nnn-n


ISO/WD nnn-n

List of requirements

From the policy and the modeling exercise we have, though not strictly, deducted e.g. the following requirements (See also the Semric report):

1 Secure identification and authentication

1.1 Passwords should follow the standard xxxx. This could be seen as a mechanism supplied by WG4.

1.2 Smart cards and cryptographic methods. This could be seen as a mechanism supplied by WG4

2 Mechanisms to establish rights and grant privileges.

2.1 Access to functions

2.1.1 Read

2.1.2 Write

2.1.3 Medication and so on.

2.2 Access to domain of patients

2.2.1 Based on unit (in older systems it is presumed that all people on the unit has a care relation)

2.2.2 Care relation (suggested in policy)

2.2.3 Responsibility (doctor on duty, healthcare plan manager …)

2.3 Access to information

2.3.1 Distribution Rules, a subset of the ones defined in PrENV 13606-3:1999 Electronic Healthcare Record Communication Part 3 Distribution Rules. Minimum set is to comply with a minimalist interpretation of the policy.

Comment: We have identified eight rules that we have started to discuss and have plans to implement in a prototype.

3 Communication requirements

3.1 Guarantees that received information is free of distortion, that the information has not been tampered with or otherwise changed.

3.2 The integrity of the mechanisms that communicate the information.

3.3 Guarantees for the origin of the information.

3.4 The possibility for an electronic signature.

3.5 The communicated information should be protected against unauthorised access.

4 The concepts (e.g. attestation, healthcare party, organisation, item/complex a.s.o) in the model should be managed and used by the access mechanism and of the target systems.

5 Need for a negotiation procedure. We have experiences from EDI-agreements. Remark: In the DR we identified the need for a negotiation procedure but it was not defined.

5.1 Example of a model for a negotiation procedure.


ISO/WD nnn-n

4. Example of a model for a negotiation procedure

Basic security model

The model is based on the security model created within the framework of the Semric project (Secure Medical Record Information Communication). The model shows the concepts that need to be handled by an information system in health care in order to maintain security requirements. Please note that the model does not describe how authorisation is to be assigned or what rules that are to apply.

Description


ISO/WD nnn-n

In the description below of the model, we start in the upper right-hand corner at Organisation and then proceed clockwise until we return to Organisation. The numbers indicate what descriptions the objects appear in.

1. An Organisation (such as a region) consists of a number of units (such as hospitals and primary care centers) which in turn consists of a number of units (such as Medical departments). There are different types of organisations (such as regional health care and community health care).

2. To each unit, a number of persons are associated (such as employees). Also, a number of roles have been defined (such as chief head physician, physician-on-call). By “manning” the roles with the people at the unit, the health care provider is created.

3. When verifying identity, the stated identity, for example at log-in, is checked when there is communication between two systems or when information is exchanged between users. Each health care provider is required to be able to verify that it really is what it claims to be; such verification can for example be done using a certificate. After passing the verification of identity. You become a user based on selected types of user role. Verification of identity is logged.

4. The users is then given authorisation assignment, that is, determination and approval of the user’s right of access to different system resources. The authorisation profile states the conditions for allowing or denying a type of user role access to functions and information. As an example, one precondition for allowing access to patient record data is that the health care provider has a health care relationship to the patient. Access to information is always logged.


ISO/WD nnn-n

Patient record data are comprised of patient record items (each representing the smallest possible amount of information in the patient record) and patient record item complexes (that represent self –sufficient amount of information in the patient record). For the amount of information contained in at patient record item to be described in its context, each patient record item is linked to at least one patient record complex.

5. A patient has a problem (for example, a hurting knee). There are different types of problems. A patient has a number of contacts and a number of activities related to a problem, during which patient record data are generated. The contacts and the activities are aggregated to form a health care plan. It is possible that there are key also to other objects, apart from the patient, such as problem, activities and contacts.

6. In an information exchange, a communication object is generated (such as a laboratory report or a patient record excerpt). There are different types of patient record items, such as a laboratory referral, a specialist consultant referral and confirmation messages, but it may also consist of one or several patient record item complexes.


ISO/WD nnn-n

7. When information exchange takes place regarding communication objects. The transaction is checked against a directory to find an agreement and a security policy that applies to the exchange.

8. When health care takes place across organisational boundaries, there must be rules and a policy that regulates the provision an access to information. These cans, for example be available in a directory with set rules and ethical principles.


ISO/WD nnn-n

Bibliography

2000 ehealthethics summit (2000). The Draft Code of Ethics. http.//www.ihealthcoalition.org/community/draft.html.

Australian Government article: http://www.health.gov.au/healthonline/welcome.htm

Beauchamp, T. L. and J. F. Childress (1994). Principles of Biomedical Ethics. New York Oxford, Oxford University Press.

Caldicott Committee. Report on the review of patient-identifiable information. December 1997. London: NHS Executive. See: http://doh.gov.uk/confiden/crep.htm

Canadian documents http://www.hc-sc.gc.ca/ohih-bsi/achis/fin-rpt_e.html

Cicourel Aaron V. Cognitive Sociology e.g p26 Penguin 1973

CEN documents cen.251.org

Distribution Rules. (CEN/TC 251/N98-120).

CEN architecture (CEN/TC 251/N98-119)

Department of Health and Human Services (1999). Standards for Privacy of Individually Identifiable Health Information; Proposed Rule. http.//aspe.hhs.gov/admnsimp/pvclist.htm, Office of the Secretary.

De Saussure F (1899). Un Cours General de Linguistic. Paris

DSTC http://security.dstc.qut.edu.au/projects/access/RBAC.html

Essential Characteristics of Messaging and Communication Standards ISO TC215 WG2-NWIP-Technical Report by Gary Dickinson 1999

http://www.hl7.org/special/committees/tc215/docs/990624TC215-WG2-arch.pdf

European Commission: Secretariat of the European Group on Ethics in Science and New Technologies (1999). Ethical Issues of Healthcare in the Information Society (Press Dossier). Helsinki, European Commission: 77.

Friedlander, W. J. (1982). “The Basis of Privacy and Autonomy in Medical Practice.” Social Science and Medicine 16(19): 1709-1718.

GEHR documents (current): www.gehr.org

GEHR (1993). The Good European Health Record: Ethical and Legal Requirements. http://www.chime.ucl.ac.uk/Healthl/EUCEN/del8.pdf, GEHR. 2000.

Gillett, G. R. (1989). Reasonable Care. Bristol, The Bristol Press.

Ghosh, AK. 'E-Commerce Security' Wiley 1998

Hanley, Eliazabeth http://www.health.nsw.gov.au/iasd/hi/ethics/ethical.html 'Ethical Mangement' Discussion Paper from the NSW department of Health

Harding, E. (1999). Mental Health Information Project: Privacy Impact Assessment and Commentary on the Mental Health Information Project for the New Zealand Health Information Service. http://www.nzhis.govt.nz/projects/mh_toc.html, NZHIS.

Harding E. http://www.know.govt.nz/integrated/files/kidznet.pdf


http://www.know.govt.nz/integrated/files/kidznet.pdf

http://www.health.nsw.gov.au/iasd/hi/ethics/ethical.html

http://www.hl7.org/special/committees/tc215/docs/990624TC215-WG2-arch.pdf

http://security.dstc.qut.edu.au/projects/access/RBAC.html

http://www.health.gov.au/healthonline/welcome.htm

ISO/WD nnn-n

Hirose Y. Access Control and System Audit Based on "Patient-Doctor Relation and Clinical situation" Model. Medinfo 1998. B Cesnik et al. (Eds)

INDECS project (Interoperability of data in e-commerce systems) generic metadata model. See www.indecs.org/

ISO standards DIN EN 60950 (~DIN IEC 74/484/CD) ISO/IEC 7816-4

Markwell D (1999) CEN TC251. Short strategic study on message alignment – draft report 5-8-1999. Annex C: Healthcare Parties and Healthcare Agents.

Minister of Public works and Government Services (1999). Canada Health Infoway: Paths to Better Health. Final report of the Advisory Council on Health Infostructure. http://www.hc-sc.gc.ca/ohih-bsi/achis/finrpt/pref_e.html.

Mulhall, Swift. Liberals and Communitarians. Blackwell 1996

NSW Health Department (1999). Ethical Management of Health Information: A Discussion Document. http.//www.health.nsw.gov.au/iasd.hi.ethics/ethical.html, New South Wales Health Department.

New Zealand Privacy Commission. NZ standard AS/NZS 4444

OECD Electronic Commerce Overview. http://www.oecd.org//subject/electronic_commerce/documents/overviewframe.htm.

OECD (1980). Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org/dsti/sti/it/secur/prod/. 2000.

The Platform for Privacy Preferences http://www.w3org/TR/2000/WD-P3-P0000211

Slane, B. H. (1994). Health Information Privacy Code 1994. Auckland, Privacy Commissioner: 52

Takeda, H, Matsumura, Y, Okada, T, Kuwata, S., and Inoue, M,: A Japanese approach to establish an electronic patient record system in an intelligent hospital. Int. J. Med. Info. 49(1):45-51, 1998.

Tresseder P NATIONAL SET OF REQUIREMENTS for ELECTRONIC HEALTH RECORDS (Australian government study, February 2000)

Unified Modelling Language Grady ,Booch ,and Rumbaugh 1997

US Government. http://aspe.hhs.gov/admnsimp/pvclist.htm

ASTM .E31.17 Standards

E 1869 Guide for Confidentiality, Privacy, Access and Data Security Principles for Health Information Including Computer Based Patient Records

E 1986 Standard Guide for Information Access Privileges to Health Information

E 1987 Standard Guide for Individual Rights Regarding Health Information

E 1988 Standard Guide for the Training Persons Who Have Access to Health Information

E 2017 Standard Guide for Amendments to Health Information

PS 115 Provisional Standard Specification for Security Audit and Disclosure Logs for Use in Health Information Systems

Universal Declaration of Human Rights www.un.org/Overview/rights.html

World Wide Web Consortium www.W3.org


http://www.W3org/RDF/)

http://www.un.org/Overview/rights.html)

http://aspe.hhs.gov/admnsimp/pvclist.htm

http://www.indecs.org/

Access report final iso format 29 mar 2000

Documents

Transcript of Access report final iso format 29 mar 2000