from lip-service to action: improving healthcare privacy practices
TRANSCRIPT
2006
Intelligent Information Systems
From Lip-Service to Action:
Improving Healthcare Privacy Practices
Tyrone Grandison & Rafae Bhatti
IBM Almaden Research Center
{rbhatti,tyroneg}@us.ibm.com
Information Management
Outline
Introduction
Background
– HIPAA Requirements
– P3P and Privacy Policies
Healthcare Privacy Policies Survey
Privacy Management Architecture
Conclusion
Introduction
Privacy concerns are the main inhibitors to the use and deployment of electronic health records
– Concerns about loss of reputation resulting from privacy breaches are translating into increased spending on healthcare privacy compliance
– In the US, HIPAA is assumed to provide the baseline for healthcare privacy protection
However, the impact of adopting privacy policies on the improvement of privacy practices remains to be ascertained
– The answer lies in the design and enforceability of the policy
Highlight of Issues
Policy Design
– Policy is designed to cover the relevant provisions of the regulation but is still vague enough to offer little privacy protection
  Broadly-defined purposes
  Umbrella authorizations
Lax enforcement
– Policy is often bypassed or subverted during regular operation
Concerns have begun to emerge at the national level
– Robert Pear. Warnings over Privacy of US Health Network. New York Times, February 18, 2007.
Why does this situation need improvement?
It puts you, the patient, at risk
– Results in a false sense of privacy
  Purported compliance with privacy regulations
– Undermines the notion of empowering the patient
  Consent to a policy is not a genuine reflection of privacy practices
It makes the existence of a policy insignificant
– A policy does not reveal a company's true stance on data protection
Our Contributions
Survey of the HIPAA-inspired policies of 20 healthcare organizations
– Investigate how stated privacy policies measure up to the level of protection needed to truly safeguard patient data
PRIvacy Management Architecture (PRIMA)
– Enables refinement of privacy policies based on the actual practices of an organization
Goals of Policy Refinement
Improve the design of policies to elevate the level of privacy protection afforded to the patient
Elevate current system from one that purports regulatory compliance to one that proactively safeguards patient healthcare data
Better align the policies with actual privacy practices of the organization
The Privacy Space Around the World
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Japan: Personal Data Protection Law
EU Directives on Data Protection
US: HIPAA
To ground our discussion, we focus on HIPAA Privacy Rule
HIPAA Requirements
Terms:
– Covered Entities: Health Care Providers and Payers, among others
– PHI: Personally Identifiable Health Information
Key principles of the Privacy Rule:
– Notification: Patient should receive notice of covered entity’s privacy practices
– Authorization and Consent: Written authorization required for disclosures not permitted under Privacy Rule
– Limited Use and Disclosure: Covered entities must ensure use and disclosure of minimum necessary PHI for a specific purpose
– Auditing and Accounting: Patients have the right to accounting of all disclosures of their PHI
– Access: Patients have the right to access their records maintained by the covered entity
P3P and Privacy Policies
P3P Policy: a standardized machine-readable policy format
Includes elements that describe:
– Kinds of data collected
– Purpose for which data is used/disclosed
– Data retention policy
– … and other information
Users can supply privacy preferences in P3P Preference Exchange Language (APPEL), which can then be used to evaluate a P3P Privacy Policy
Companies Surveyed
Two kinds of policies found:
– Website Privacy Policy
– HIPAA Notice of Privacy Practices
A “policy” in our survey refers to a virtual combination of both
Observations on: Notification, Authorization and Consent
Policies state that consent is implied by visiting the website
– Not quite the best practice to meet the Notification requirement
No P3P policies are available
– Precludes automated interpretation and analysis for informed consent
Policy updates are communicated with little regard for the patient
– Insufficient to only post them on the website
– Patient consent to the updated policy is not obtained
Compliant with HIPAA
– HIPAA does not require the policy to be posted in a machine-readable format
– HIPAA does not require the policy to be communicated using expedient means (such as email, IM)
Observations on: Limited Use and Disclosure
Policies define broad and all-encompassing purposes
– E.g. "administering healthcare"
– Subsumes a huge category of uses and disclosures
No fine-grained list of employee categories or roles with authorizations to view specific categories of patient data
– E.g. the "members of medical staff" category includes most employees
– Provides umbrella authorization for employees
– Criteria for authorization or exception-based accesses (i.e. "break the glass" privileges) are not specified
  Exception mechanisms are being increasingly utilized
Compliant with HIPAA
– HIPAA has provisions that let organizations design policies with broadly-defined purposes
  E.g.: While "Marketing" is a purpose requiring explicit authorization, a sub-category "communications for treatment of patient" is exempt and can be exploited
– HIPAA calls for policies and procedures for controlling access to PHI but does not require stringent technical mechanisms to be in place
Observations on: Audit and Accounting
Most organizations maintain audit trails for all actions pertaining to PHI to meet audit reporting and accounting requirement
However, there is still much left to be desired
– Audit logs in current systems do not capture all necessary contextual information (such as purpose or recipient)
– Accounting for data disclosures is ineffective in improving levels of privacy protection unless shortcomings in disclosure policies are first addressed
E.g.: broadly-defined purposes, umbrella authorizations, exception-based accesses
– While using audit as a deterrent factor, organizations should not fail to do better by providing more proactive protection
Observations on: Access
All policies indicated that patients have a right to access their information through phone, email or online account
Meeting this requirement does not translate into adequate privacy protection for the patient
– Ability to access/update personal information provides no measure of how much information is actually protected unless patient is in control of his/her disclosure policy
– The process of information access may be simple or laborious, from being a matter of a few mouse clicks to a waiting period of up to 60 days; recent information disclosures may not get reported
Summary
Privacy policies cover enough ground to enable regulatory compliance
Yet, they are inadequate to communicate understandable privacy practices or provide adequate privacy safeguards to the patients
PRIvacy Management Architecture (PRIMA)
Premise:
– Design of a HIPAA-inspired policy hinges primarily on the limited use and disclosure rules, which enable proactive fine-grained protection of PHI
– Bridge the disparity between policies and practices to transform healthcare systems to an enhanced state of protection
Approach:
– Define an incremental approach to seamlessly embed policy controls within the clinical workflow
Challenges
Complexities in the healthcare workflow
– A physician routinely takes notes on paper, which are then entered by a nurse into the computer system; requiring the physician to enter the information would impede the workflow
– A new patient's arrival in a ward or visit to the emergency ward requires sensitive information to be provided to on-duty assistants
Access cannot be abruptly curtailed
– New rules cannot be imposed at once
– Policy controls need to grow out of existing practices
Leads to the idea of Policy Refinement
Policy Refinement
Leverage audit results
– Analyze all access and disclosure instances
– Flag the incidents not explicitly covered by existing rules in the policy
– Define new rules based on the analyzed information
Improve the policy coverage
– Coverage is defined as the ratio of accesses addressed by the policy to all accesses recorded by the system
Gradually embed policy controls
– Enables precise definition of purposes, criteria for exception-based accesses and categories of authorized users
– Novel approach for driving innovation in clinical systems
PRIMA Architecture
Refinement Framework
Prune
– Find informal clinical patterns from audit logs
– Separate useful exceptions from violations
  Reduces the number of artifacts that need to be examined
  Do not waste resources on examining violations in the analysis phase
Extract
– Apply an algorithm to extract candidate patterns
  Simple matching: assumes pruned data, looks for term combinations, returns frequency of occurrence
  Richer data mining: not only syntactic but also semantic matching; does not assume pruning, considers relationships between artifacts; reduces the probability of violations being reported for the analysis phase
– Get usefulness ratings of patterns
Filter
– Incorporate or discard patterns based on a usefulness threshold
– Assume a training period
  Set a threshold appropriate to the target environment
  Act when the threshold is reached over a period of time
Example Data Set
Time | User    | Role         | Ward       | Data Category | Exception? | Purpose
t1   | Tom     | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t2   | Jenny   | Doctor       | Emergency  | EXT COLLAB    | YES        | REFERRAL
t3   | Jim     | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t4   | Sarah   | Doctor       | Medical    | LAB RESULT    | NO         | OUTPAT ENC
t5   | Mark    | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t6   | Bob     | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t7   | Barbara | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t8   | Bill    | Nurse        | Emergency  | PHY JRNL      | YES        | ADMIN
t9   | Patrick | Radiologist  | Medical    | LAB RESULT    | NO         | OUTPAT ENC
t10  | Jason   | Psychologist | Psychology | DSCG SUMM     | YES        | REG AUTH
t11  | Jason   | Psychologist | Psychology | DSCG SUMM     | YES        | REG AUTH
t12  | George  | Psychologist | Psychology | PHY JRNL      | NO         | REFERRAL
t13  | Patrick | Radiologist  | Medical    | LAB RESULT    | NO         | OUTPAT ENC
t14  | Jason   | Psychologist | Psychology | DSCG SUMM     | YES        | REG AUTH
Mining Rule
-- Table name is quoted because it contains a hyphen
SELECT A.Ward, A.Role, A.Data_Category, A.Purpose
FROM "Patient-Access_Log" A
WHERE A.Exception = 'YES'
GROUP BY A.Ward, A.Role, A.Data_Category, A.Purpose
HAVING COUNT(*) > 5 AND COUNT(DISTINCT A.User) > 1;
Returned: Emergency Ward : Nurse : Physician Journal : Admin
– occurred in the log at least 5 times
– observed for at least 2 different users
Not returned: Psychology Ward : Psychologist : Discharge Summary : Regulatory authority
– occurred in the log only 3 times
– observed for only 1 user
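As an added example (not code from the slides or from PRIMA), the Prune / Extract / Filter steps and the coverage ratio from the refinement slides, run in Python over the slide's own example data set; the representation of a policy rule, the starting rule set and the list of known violations are assumptions.

```python
from collections import defaultdict

# Constructed from the slide's "Example Data Set":
# (time, user, role, ward, data_category, exception, purpose)
ACCESS_LOG = [
    ("t1",  "Tom",     "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t2",  "Jenny",   "Doctor",       "Emergency",  "EXT COLLAB", True,  "REFERRAL"),
    ("t3",  "Jim",     "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t4",  "Sarah",   "Doctor",       "Medical",    "LAB RESULT", False, "OUTPAT ENC"),
    ("t5",  "Mark",    "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t6",  "Bob",     "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t7",  "Barbara", "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t8",  "Bill",    "Nurse",        "Emergency",  "PHY JRNL",   True,  "ADMIN"),
    ("t9",  "Patrick", "Radiologist",  "Medical",    "LAB RESULT", False, "OUTPAT ENC"),
    ("t10", "Jason",   "Psychologist", "Psychology", "DSCG SUMM",  True,  "REG AUTH"),
    ("t11", "Jason",   "Psychologist", "Psychology", "DSCG SUMM",  True,  "REG AUTH"),
    ("t12", "George",  "Psychologist", "Psychology", "PHY JRNL",   False, "REFERRAL"),
    ("t13", "Patrick", "Radiologist",  "Medical",    "LAB RESULT", False, "OUTPAT ENC"),
    ("t14", "Jason",   "Psychologist", "Psychology", "DSCG SUMM",  True,  "REG AUTH"),
]

# Assumption: a policy rule is a (ward, role, data_category, purpose) tuple and the
# current policy consists of exactly the combinations the log marks as non-exceptions.
EXISTING_RULES = {(w, r, c, p) for _, _, r, w, c, exc, p in ACCESS_LOG if not exc}

def prune(log, known_violations=frozenset()):
    """Prune: keep only exception-based accesses, minus entries already judged
    to be violations (a constructed set of time ids), so they are not mined."""
    return [row for row in log if row[5] and row[0] not in known_violations]

def extract_patterns(exceptions, min_count=6, min_users=2):
    """Extract (simple matching): group on the slide's four terms and keep groups that
    occur >= min_count times for >= min_users distinct users. The defaults equal the
    slide's HAVING COUNT(*) > 5 AND COUNT(DISTINCT User) > 1."""
    groups = defaultdict(list)
    for _, user, role, ward, cat, _, purpose in exceptions:
        groups[(ward, role, cat, purpose)].append(user)
    return {key: (len(users), len(set(users))) for key, users in groups.items()
            if len(users) >= min_count and len(set(users)) >= min_users}

def refine(log, rules, known_violations=frozenset()):
    """Filter: patterns that pass the threshold become new rules in the policy."""
    return rules | set(extract_patterns(prune(log, known_violations)))

def coverage(log, rules):
    """Policy coverage: accesses addressed by a rule / all accesses recorded."""
    hit = sum(1 for _, _, r, w, c, _, p in log if (w, r, c, p) in rules)
    return hit / len(log)
```

On this data set coverage rises from 4/14 to 10/14 once the Emergency / Nurse / Physician Journal / Admin pattern is incorporated, while the single-user Psychology pattern stays below the threshold; marking one nurse entry as a known violation drops the pattern below the threshold too.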
Conclusion
Surveyed 20 healthcare privacy policies
Healthcare in need of improved privacy practices
Focused on problem of limited use and disclosure rules
Presented novel solution based on policy refinement
Thank you!
Questions?