Dagstuhl Seminar Model-Based Design of Trustworthy Health Information Systems:
Data Protection Requirements for setting up EHR Systems and the “Austria ELGA Policy”
Klaus Schindelwig, February 12th, 2009


Mag. Klaus Schindelwig, MSc.

Content

• Motivation

• EU Directive 95/46/EC and WP 131

• Existing Models

• Development e-health

• a Policy for ELGA (EHR) in Austria


Motivation

• growth of health care budget deficits
• increased life expectancy
• multi-morbid patients
• increasing medical specialization

EHR systems have the potential to achieve greater quality and security in medical information than the traditional forms of medical documentation. However, from a data protection point of view the fact has to be stressed that EHR systems additionally have the potential not only to process more personal data (e.g. in new contexts, or through aggregation) but also to make a patient’s data more readily available to a wider circle of recipients than before. (ARTICLE 29 Data Protection Working Party, WP 131)

Motivation


Requirements

Creating a communication structure to make available information relevant for treatment

• automated
• quality-assured
• just in time
• privacy-compliant
• interoperable
• maintaining confidentiality and safety

to the authorized persons at the right time.

Motivation


The Challenge: it's simple, the

„eierlegende Kommunikations-Wollmilchsau“ (German idiom: the egg-laying, wool-bearing, milk-giving communication sow, i.e. a single system that is expected to do everything)

Motivation


Some problems we have to solve

Motivation


Solutions, ranked by technical challenge

1. Electronic health records supported by private or public institutions

2. Hospitals as health data provider

3. Exchange of health data via secured and proprietary data transmission (e.g. EDIFACT) between co-operating healthcare providers

4. e-mail

5. fax message

6. letter

Motivation


Communication ranked according to current usage (transferred documents) in health care (estimation)

1. letter

2. fax message

3. e-mail

4. Exchange of health data via secured and proprietary data transmission (e.g. EDIFACT) between co-operating healthcare providers

5. Hospitals as health data provider

6. Electronic health records supported by private or public institutions

Motivation


Two basic models for access to patient data at trans-regional level:

1. A uniform system of a single manufacturer for all involved communication parties: uniform communication and documentation structure; central defaults, which are mandatory (English model)

2. No uniform system, but mandatory uniform standards and uniform interfaces; to be preferred for investment protection reasons (existing systems can be kept / adapted)

Motivation


Independently of the models the question arises:

Is there a common understanding, how privacy in such models should be realized?

Simple answer is NO!!!!

For example, a question from a Systems Analyst, Healthcare System, USA:

“I'd like to know if other hospitals/medical groups are allowing employees to access their own patient information in Cerner.”

Motivation


Answers:

Yes, we do.

------------------------------------------------------------------------------------

No, we don't.

------------------------------------------------------------------------------------

No, not without a signed authorization on file in Medical Records. All HIPAA and Release of Information rules apply to staff. In fact, it can be grounds for termination. Access is monitored by our Compliance officer.

------------------------------------------------------------------------------------

The same applies for us and it isn't meant to be an ongoing viewing of one's own information, it is from an ROI perspective. Our HIM Director is also the HIPAA Privacy Officer and does frequent audits of what EMR's are being accessed.

------------------------------------------------------------------------------------

We allow the employee to access their own chart just not any family members unless they have a ROI on file with Medical Records. Access is monitored and accessing other's charts is grounds for termination.

Motivation


Answers:

Our employees may access their own records once they sign a release form which is good for the length of their employment. If accessing charts for other family members or friends a release must be signed by the person whose chart they will access and it is good for 1 year.

------------------------------------------------------------------------------------

We do allow employees to access their own medical record, and that of their children up to a certain age. For older children and other family members you must have a release signed in medical records. In auditing access, one of the things they look for is accessing medical records with the same name as yours.

------------------------------------------------------------------------------------

We do not. Employees must fill out a 'request for information' with HIM like everyone else. In fact we have a report that indicates if you have accessed your record, a co-workers record, or any individual with the same last name. Unless you can justify the access, you can be terminated.

------------------------------------------------------------------------------------

We allow employees to look at their own charts only, but we do not encourage it.  They may not look at any family members’ charts.  There have been those occasions when I’m trying to check something out in the system (‘where do I find’, etc.) that it has been handy to access my own record.

Motivation


Answers:

Absolutely not! If an employee wants to access their own medical record, they need to fill out the proper consent for Medical Records, just like any other patient. We audit, and people are disciplined to the point of being dismissed if they access even their own records without proper authorization.

------------------------------------------------------------------------------------

We allow all patients to access their EMR electronically using IQ Health. So if an employee has an IQ Health account they can look at their own records. The content of the records belongs to the patient, the paper or electronic record belongs to the institution. So they can't ask to carry away the hard disk just as they can't have the paper record. Releases should be intended for sending information to another clinic or hospital, attorneys, insurance companies, etc. If a patient is in our office and wants a copy of their chart, we would print it out for them without ROI. I want my patients checking their charts to make sure I am not missing something important.


Motivation


Background EU:

e-Health 2002, e-Health 2005

Part of e-Europe

Subject and Motivation
Directive 95/46/EC and WP 131

Background EU eHealth action plan 2004:

In 2004, the Commission adopted the eHealth action plan - which covers everything from electronic prescriptions and health cards to new information systems that reduce waiting times and errors – to facilitate a more harmonious and complementary European approach to eHealth.

The plan sets out the steps needed for widespread adoption of eHealth technologies across the EU by 2010.

Faster rollout of high-speed internet access: those groups in society which are least likely to have easy internet access, such as the elderly, disabled or unemployed, are often those who have most need of health services.

The plan calls on Member States to develop tailored national and regional eHealth strategies to respond to their own specific needs.

Cultural differences, varying population profiles and geography all mean that regional and national health policies have to be developed individually.

Through sharing ideas and experiences across Europe, all our citizens can benefit more rapidly from efficient and reliable eHealth systems.

eHealth is an integral component of the EU’s i2010 policy framework which seeks to promote an open and competitive digital economy, ICT-related research, as well as applications to improve social inclusion, public services and quality of life.

National/regional roadmaps (Member States, 2005)

Subject and Motivation

Directive 95/46/EC and WP 131


EU Regulations

Processing of personal data in EHR must comply with the EC Data Protection Directive 95/46/EC and with Directive 2002/58/EC on privacy and electronic communications, and with the national laws of the Member States implementing these Directives.

Any processing of personal data in EHR must also comply with the rules laid down in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and the Additional protocol to Convention 108 regarding supervisory authorities and transborder data flows (ETS No. 181).

Directive 95/46/EC and WP 131


Working Document on the processing of personal data relating to health in electronic health records (EHR)

ARTICLE 29 Data Protection Working Party 00323/07/EN WP 131 Adopted on 15 February 2007

In this Working Document on the processing of personal data relating to health in electronic health records (EHR), the Article 29 Working Party provides guidance on the interpretation of the applicable data protection legal framework for EHR systems and explains some of the general principles. The Working Document also gives indications on the data protection requirements for setting up EHR systems, as well as the applicable safeguards.

Directive 95/46/EC and WP 131


Working Document on the processing of personal data relating to health in electronic health records (EHR)

1. Respecting self determination
2. Identification and authentication of patients and health care professionals
3. Authorization for accessing EHR in order to read and write in EHR
4. Use of EHR for other purposes
5. Organisational structure of an EHR system
6. Categories of data stored in EHR and modes of their presentation
7. International transfer of medical records
8. Data security
9. Transparency
10. Liability issues
11. Control mechanisms for processing data in EHR

Directive 95/46/EC and WP 131


For the purposes of this Working Document, an “electronic health record (hereinafter: EHR)” shall be defined as

“A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes.”

Directive 95/46/EC and WP 131


special categories of data contained in Article 8 (1) of the Directive

“Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

EHR systems are, in addition to the general rules, subject to the special data protection rules on the processing of sensitive information contained in Article 8 of the Directive.

Directive 95/46/EC and WP 131


Article 8 (2) (a): “Explicit consent”

According to Article 8 (2) (a) of the Directive: “Paragraph 1 shall not apply where: (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent;”

• Consent must be given freely
• Consent must be specific
• Consent must be informed

Directive 95/46/EC and WP 131


Explicit

In contrast to the provisions of Article 7 of the Directive, consent in the case of sensitive personal data and therefore in an EHR must be explicit. Opt-out solutions will not meet the requirement of being ‘explicit’.

In accordance with the general definition that consent presupposes a declaration of intent, explicitness must relate, in particular, to the sensitivity of the data. The data subject must be aware that he is renouncing special protection. Written consent is, however, not required.

Directive 95/46/EC and WP 131


Article 8 (2) (c): “vital interests of the data subject”

could be applied only to a small number of cases of treatment, and could not be used at all to justify processing personal medical data for purposes other than treatment of the data subject such as, for example, to carry out general medical research that will not yield results until some time in the future.

Directive 95/46/EC and WP 131


Article 8 (3): “processing of (medical) data by health professionals”

three cumulative conditions: the processing of sensitive personal data must be

1. “required”, and

2. this processing takes place “for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services”, and

3. the personal data in question “are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy”

Directive 95/46/EC and WP 131


Additional safeguards

However, even if all these prerequisites were fulfilled, the Article 29 Working Party must point out that EHR systems create a new risk scenario, which calls for new, additional safeguards as counterbalance:

EHR systems provide direct access to a compilation of the existing documentation about the medical treatment of a specific person, from different sources (e.g. hospitals, health care professionals) and throughout a lifetime.

A new risk scenario calls for additional and possibly new safeguards beyond those required by Article 8 (3) in order to provide for adequate protection of personal data in an EHR context.

Directive 95/46/EC and WP 131


Article 8 (4): substantial public interest exemptions

In the context of EHR, the Article 29 Working Party notes that the arguments for introducing EHR systems (cf. I., above) may establish “substantial public interest”.

In some Member States a ‘right to health protection’ is enshrined in the constitution. This underlines the importance attributed to all appropriate means for bringing about “health protection”.

An EHR system in such legal environments would certainly be founded on “substantive public interest” as it is an instrument fundamentally intended to guarantee adequate medical assistance to patients.

Article 8(4) of the Directive could, therefore, serve as a legal basis for EHR systems, provided that all the conditions mentioned therein are fulfilled. In particular, suitable safeguards for the protection of personal data in an EHR system must be provided for.

Directive 95/46/EC and WP 131


Examples of implementation status in the member states of the European Union

A lot of info services and health portals: GIN, SOGIS, netdoktor, lifesensor

National efforts: small countries such as Denmark or Norway are leading (rather pragmatic solutions)

Implementation in the large nations is slower (the introduction of the eGK in Germany is very complex)

Existing Models in Europe

Summary: Models in Europe

Different approaches to implement an EPA in Europe:

1. focusing on medical content: standardized applications for documentation tasks (security not highest priority)

2. focusing on secure communication based on a smartcard solution: first introducing a secure infrastructure, medical content grows continuously with usage

Which is the right way?

Existing Models in Europe


ELGA: Architecture and applications

Source: ELGA Machbarkeitsstudie (IBM), ARGE-ELGA, 2006, 2007

ELGA - Policy

„A hyper-index with sophisticated search functions“

[Architecture diagram; only its labels are recoverable: Master Patient Index; HSP Index; Registry; Authorization System; data sources connected via adaptors: e-Report (radiology, laboratories), Discharge Summary, e-Medication, …; Doctor; ELGA Portal; Citizen Card with PIN; arrows labelled “reading” and “writing”.]

Adaptors: interfaces which make existing applications compatible with ELGA


ELGA View on Data

[Data-view diagram; only its labels are recoverable: health care provider Index; Master Patient Index; Registry; HSP; Patient; HSP – Local Storage of Data; Central Storage of Data; Radiology reports; Laboratory reports; Medication; Discharge Summary; Authorization System.]

ELGA - Policy

Source: ARGE ELGA, Schanner/Hurch, 2008


ELGA: Goal and purpose

The goal is, on the one hand, to give authorized ELGA users efficient access to defined patient-related sensitive data and, on the other hand, to protect these data against unauthorized access by technical and organizational measures.

The purpose of ELGA is to improve the diagnostics and therapy of the patient’s treatment, both in quality and in communication technology.

Therefore a structure is made available to provide defined patient-related sensitive information to entitled persons. The information shall also be provided in an appropriate way for further external usage (e.g. discharge letter, laboratory findings, radiology findings and, in further consequence, also vaccination history, …).

ELGA - Policy


Data protection requirements

Who may when, for which time span, from which location, in which role, in which context, to which extent, in which way access which documents?

The security rules have to be balanced between privacy needs and usability.

It is often demanded, but not feasible, to define a set of rules which specifies exactly which type of information is needed under which treatment conditions.

What is practicable, however, is a clear categorization of document types.

ELGA - Policy


Structure of the ELGA regarding data contents

Only those data (document type categories according to medical specialties) which are substantial for the treatment and are approved for ELGA by the legal entity of the hospital should be uploaded automatically.

The evaluation of the relevance is done by the health care provider which provides the document.

Discharge letter, laboratory findings, radiology findings and e-medication are classified as substantial.

Via ELGA only those data can be accessed which have been released explicitly for ELGA by a health care provider.

ELGA - Policy


Opt In – Opt out

By default no documents will be provided in ELGA without the patient’s consent (Opt-In is necessary)

Therefore no general consent is necessary as to whether the patient is willing to participate in ELGA at all. Without individual consent the patient’s ELGA will be empty.

As a prerequisite an information campaign should be run before starting the ELGA project.

The citizen has at any time the option to “opt out” from ELGA. Documents will not be physically deleted but will no longer be accessible.

ELGA - Policy


ELGA information retrieval

Medical treatment context: an access is permitted only if the treating person has a defined relationship relevant for the treatment of the patient (e.g. attending physician).

Patient identification: the correct verification of the patient’s identity is a mandatory prerequisite for every access to ELGA.

ELGA - Policy


ELGA information retrieval

Check of physical presence: information can only be retrieved if the health care provider has proven the physical presence of the patient via a defined test procedure (e.g. the patient’s smartcard).

Patient consent: for an access to the patient’s ELGA, the patient has to sign a consent. The health care provider is in charge of this consent.

The consent is valid for 28 days starting from the time of issuing and can be extended automatically if a hospital stay still persists. The patient can also give a consent which is valid for longer than 28 days and which also contains restrictions for the access.

The patient can revoke this agreement at any time. The revocation should be easy for the citizen.

ELGA - Policy


ELGA information retrieval

Filter criteria for the inquiry: the following filter criteria have to be implemented:

• Temporal restriction
• Type of document
• Medical specialty
• Health care provider

These filter criteria must be selectable by the requesting persons.

The filter settings have to be documented/stored. At this time we have not defined how exactly the patient consent should be handled or logged.

ELGA - Policy


Internal authorization system

Access rights have to be defined according to the user’s roles and tasks.

Each health care provider has to take care that only authorized employees have access to the ELGA system and its content. The health care provider is liable for maintaining the internal security (organizational and technical means have to be defined by the health care provider).

Documents retrieved via ELGA (external findings) can become part of the internal electronic patient record (EPR) of the health care provider.

Further internal access to those documents can (for technical reasons) no longer be governed by the ELGA regulations and lies within the responsibility of the health care provider.

ELGA - Policy


Data Security for ELGA requests

Mandatory encryption of transmitted data according to the Austrian health telematics and e-government laws.

Logging: it must be possible to derive for each access the accessing person’s identity as well as the treatment context.

Minimum data record:

• Timestamp of the access
• Identification of the patient
• Personal name
• Identification of the health care provider
• Filter criteria of the inquiry including result list of the inquiry
• Accessed documents, but not the detailed content of the documents
• Actions (read, write, authorization change)

ELGA - Policy


Retention time for log data: log files have to be retained at least 11 years and at most 31 years!!

Sanctioning of misuse: every access to ELGA without the patient’s consent will be subject to legal sanctions.

Authorization Matrix

A default for the access to different information types by role is defined by an authorization matrix.

The matrix can be modified according to an individual patient consent.

ELGA - Policy

Data Security for ELGA Requests


Default authorization matrix (health professionals and facilities). r = read, w = write; “open” renders the source’s “Dzt noch offen” (currently still open, i.e. not yet decided); a cell left empty in the source is shown as “–”.

Role | Discharge letter | Laboratory findings | Radiology findings | Medication | ELGA policies | Patient policies | Access protocol
Self-employed physician | r/w | r/w | r/w | r/w | O | O | O
Nurse | r/w | O | O | r | O | O | O
Assistant medical technician | open | open | open | O | O | O | O
Midwife | open | open | open | – | O | O | O
Psychotherapist | r/w | O | O | r | O | O | O
Psychologist | r/w | O | O | r | O | O | O
Massage therapist | O | O | O | O | O | O | O
Pharmacist | r | O | O | r/w | O | O | O

Facilities:
Hospital (Krankenanstalt) | r/w | r/w | r/w | r/w | O | O | O
Nursing home with physician | r/w | r/w | r/w | r/w | O | O | O
Nursing home without physician | r/w | O | O | r | O | O | O
Convalescent home | r/w | r/w | r/w | r/w | O | O | O
Emergency service | r/w | r | r | r | O | O | O

ELGA - Policy


Default authorization matrix (patient and ELGA operating roles). r = read, w = write; a cell left empty in the source is shown as “–”.

Role | Discharge letter | Laboratory findings | Radiology findings | Medication | ELGA policies | Patient policies | Access protocol
Patient | r | r | r | r | r | r/w | r
ELGA Policy Administrator | O | O | O | – | r/w | O | O
Health care provider security manager | O | O | O | – | O | O | r (partly)
ELGA security manager | O | O | O | – | O | O | r
ELGA Support / Hotline | O | O | O | – | O | r/w | r

ELGA - Policy

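The retrieval preconditions (treatment context, patient identification, physical presence, the 28-day consent with its automatic extension during a hospital stay and its revocation), the release-for-ELGA rule, the opt-out behaviour, the default authorization matrix narrowed by an individual patient consent, and the logging minimum record are spread over several slides above. As an added example, not part of the slides and not code of ELGA or ARGE-ELGA, the following Python model puts those rules into one access decision with its audit record. The role names in the matrix, the provider id HOSP-A, the patient id P-0001, the document ids D1 to D5 and the user names are constructed; the choice to write an audit record for denied attempts as well is the example's own.

```python
"""Toy model of the ELGA access decision and its audit record, assembled only from the
rules on the slides. Added example, not ELGA's or ARGE-ELGA's code; ids and documents are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

CONSENT_DAYS = 28  # slide: consent is valid 28 days from the time of issuing

# Default authorization matrix, reduced to the four substantial document types ("r" read, "w" write).
DEFAULT_MATRIX = {
    "physician":  {"discharge_letter": "rw", "laboratory": "rw", "radiology": "rw", "medication": "rw"},
    "nurse":      {"discharge_letter": "rw", "laboratory": "",   "radiology": "",   "medication": "r"},
    "pharmacist": {"discharge_letter": "r",  "laboratory": "",   "radiology": "",   "medication": "rw"},
}

@dataclass
class Document:
    doc_id: str
    doc_type: str
    released_for_elga: bool  # only documents explicitly released by a provider are reachable

@dataclass
class Consent:
    issued: datetime
    revoked: bool = False                  # the patient can revoke at any time
    inpatient: bool = False                # extended automatically while a hospital stay persists
    valid_days: int = CONSENT_DAYS         # the patient may grant a longer consent ...
    denied_types: frozenset = frozenset()  # ... and restrict it per document type

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and (self.inpatient or now <= self.issued + timedelta(days=self.valid_days))

@dataclass
class Patient:
    patient_id: str
    opted_out: bool = False  # opt-out: documents are kept but no longer accessible
    consent: Optional[Consent] = None
    documents: list = field(default_factory=list)

@dataclass
class Request:
    user: str                # accessing person's name (recorded in the log)
    role: str
    provider: str            # health care provider id (hypothetical)
    doc_type: str            # filter criterion: type of document
    action: str              # "read" or "write"
    identity_verified: bool  # patient's identity correctly verified
    patient_present: bool    # physical presence proven, e.g. via the patient's smartcard
    treatment_context: bool  # requester has a treatment relationship with the patient

AUDIT_LOG: list = []  # one minimum record per access attempt (slide "Logging")

def deny_reason(req: Request, patient: Patient, now: datetime) -> Optional[str]:
    """Check the slides' preconditions in order; None means access is permitted."""
    for ok, why in ((req.identity_verified, "patient identification failed"),
                    (req.patient_present, "physical presence not proven"),
                    (req.treatment_context, "no medical treatment context"),
                    (not patient.opted_out, "patient has opted out of ELGA")):
        if not ok:
            return why
    if patient.consent is None or not patient.consent.is_valid(now):
        return "no valid patient consent"
    if req.doc_type in patient.consent.denied_types:
        return "document type excluded by patient consent"
    if req.action[0] not in DEFAULT_MATRIX.get(req.role, {}).get(req.doc_type, ""):
        return f"role '{req.role}' may not {req.action} {req.doc_type}"
    return None

def decide(req: Request, patient: Patient, now: datetime):
    """Return (allowed, reason, result_ids); design choice: denied attempts are logged too."""
    reason = deny_reason(req, patient, now)
    result = [] if reason else [d.doc_id for d in patient.documents
                                if d.doc_type == req.doc_type and d.released_for_elga]
    AUDIT_LOG.append({"timestamp": now.isoformat(), "patient_id": patient.patient_id,
                      "person": req.user, "provider": req.provider, "action": req.action,
                      "filter": {"doc_type": req.doc_type}, "result_list": list(result),
                      "accessed_documents": list(result),  # ids only, never the document content
                      "allowed": reason is None, "reason": reason})
    return reason is None, reason, result

def run_scenario(now: datetime = datetime(2009, 2, 12, 10, 0)) -> list:
    """Constructed walk-through; returns (allowed, reason, result) per request."""
    p = Patient("P-0001", consent=Consent(issued=now - timedelta(days=3),
                                          denied_types=frozenset({"radiology"})))
    p.documents = [Document("D1", "discharge_letter", True), Document("D2", "laboratory", True),
                   Document("D3", "laboratory", False),  # never released for ELGA
                   Document("D4", "radiology", True), Document("D5", "medication", True)]
    def ask(role, doc_type, t=now, present=True):
        return decide(Request(f"staff:{role}", role, "HOSP-A", doc_type, "read", True, present, True), p, t)
    out = [ask("physician", "laboratory"),      # allowed: D2 only, D3 was never released
           ask("nurse", "laboratory"),          # matrix: nurse has no access to lab findings
           ask("physician", "radiology"),       # patient consent excludes radiology
           ask("physician", "discharge_letter", present=False),
           ask("physician", "medication", t=now + timedelta(days=30))]  # the 28 days have elapsed
    p.consent.inpatient = True                  # hospital stay persists: consent extended
    out.append(ask("physician", "medication", t=now + timedelta(days=30)))
    p.opted_out = True                          # nothing deleted, nothing reachable
    out.append(ask("physician", "discharge_letter"))
    return out
```

Calling run_scenario() walks through seven requests; the first and sixth are granted, the others are refused for the reason the slides give, and every attempt leaves a record in AUDIT_LOG that carries document ids but never document content. The order of the checks is deliberate: identity, presence and treatment context are verified before the consent is even looked at, and the patient's opt-out flag hides the documents without deleting them.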

Summary ELGA policy

The citizens can decide whether information about them is imported in ELGA or not.

Definition of a default authorization matrix for the access to different information types by role; it can be modified based on individual patient consent.

Before accessing ELGA the patient’s consent has to be obtained.

Via ELGA only data can be accessed which have been explicitly released for ELGA by a health care provider.

Information can only be retrieved if the health care provider has proven the physical presence of the patient via a defined test procedure.

Every ELGA access is subject to detailed logging. Logs have to be retained for several years.

ELGA - Policy


Thank you for your attention

Mag. Klaus Schindelwig, MSc.

[email protected]

Tel. 0043512 504 24406

health@net