Secondary use of electronic

health information

– the way to guard patient

secrecyPekka Ruotsalainen, Research professor

National Institute for Health and Welfare

Helsinki, Finland

General starting points

People access health services to receive care

and treatment – not to become objects of

research (excluding clinical trials)

Research using digitalised health information can lead

to great improvements on care, prevention and medication.

People have high willingness to disclose their health

history for research purposes if the information

secrecy is proven.

Things making difficult to guarantee patient’s

information secrecy

• It is not self-evident when we are patients

• Research takes many forms

• Ongoing transition from EHR to the PHR

• The ubiquitous computing environment

• The information content of the EHR/PHR

It is not self-evident are we patients or persons

• Early warning health care systems

• Continuously monitoring

• The management of chronically diseases

• Pro-active prevention

• Patients using portable personal health devices

• Connected personal health models

Research has many faces and environments

Different kind of applied research, settlements and analysis

are called “research”.

Researcher society has been expanded outside clinical

settings. It is multi-organisational and cross-border.

Researchers as a profession are not as tightly regulated as

health care providers (i.e. researcher working for insurers

and industry). Their ethics can remain unknown.

The content of the legal EHR is not sufficient for modern

health research.

EHR

LPWR

PHR

Copyof theLEHR

EHR

Lifelong EHR

The transition from legal EHR to PHR and LPWR

Legal EHR

The Lifelong Personal Wellness Record (LPWR) includes the

personal health record (PHR) and pervasive wellness information

Presentresearchtarget

The information content of the PHR/LPWR

From birth to grave all kind of information:• The content of legal EHR,• Data about personal health behaviours• Genealogical and genomic data• Social and psychological functionality• Lifestyle, smell, • Vital signs from BAN, sleeping data, • Communication data,• Context data,• Signals received by implanted nano-sensors,• Emotions etc.

We are moving to the pervasive health

- Health information is stored in PHRs or LPWRs

- Enables pervasive access to PHRs and lifelong EHRs

- Uses services of the ubiquitous computing

Challenges of the ubiquitous computing

- Context information is widely collected and used

- Different data sources can easily be linked

- Large number of heterogeneous users and purposes

- Nearly impossible to guarantee privacy and security using

present safeguards and services

Data banks

Sensors

Primary andSecondary users

Present principles guaranteeing patient’s information secrecy

are based on paternalistic tradition where public purposes

override patients personal preferences and obligations.

To day the patient has to blindly trust that:

- Researchers are processing his/her data lawful and ethically

- ICT-systems and databases are secure and privacy is

protected

In most of cases the patient even do not know that his/her

EHR has been used for research purposes.

Where we are now ?

Two roads to guarantee patient secrecy

1. No new principles and rules are used but the uptake

of new security services will improve security and privacy.

2. A new model Personal Data Under Personal Control

is accepted and implemented using opportunities of

already existing context- and policy-aware IC-technology

We are between Scylla and Charybdis

Risks caused by

insecure research

environments,

ubiquitous

computing and

the rich data

content of the PHR

Present paternalistic rules

Present IC-technology

Source: Google

Benefits for research

It is time to define new rules !

Present paternalistic model can be improved using

1. Encryption together with the Trusted Third Partner

architecture for encryption key management

- It is costly, technically complicated and static solution

2. Anonymisation or de-identification

- Some research requires correct identification of

patients (i.e. cohort based research, risk prediction)

and also knowledge of individual's normal functions.

- Makes data linking complicated (a TTP is still needed)

- Makes PHR sharing complicated

- Difficult to manage in large scale

Personal health data under personal control is the most

sustainable and generic solution because we can use solutions

developed for trusted ubiquitous Web.

For it we have to accept

and to develop

New rights for the patient or data subject

A new interoperable data model with rich

meta-data for the PHR/LPWR

A dynamic context-aware and policy enabled

information infrastructure

Personal Health Data Under Personal Control

- new rules

The data subject/patient should have the right to define

dynamically personal policies (i.e. privileges and obligations)

ruling who, where, in what context and for what purposes

his/her health data can be used.

The patient should be aware of the context and security

policies of users and organisations using his/her data.

The patient should have tools to trigger de-identification

on-the-fly based on his/her preferences.

• Standardisation organisations and the industry should

implement necessary standards and interoperable data

models.

•Software vendors and network operators should

implement the future proof, dynamic and policy enabled

infrastructure.

How this can be done and by whom ?

• Policy makers, research society and administrators

should accept new principles and make them mandatory.

Thank you for listening !

Questions and comments

are welcome.

pekka.ruotsalainen@THL.fi