James Williams – Ontario Telemedicine Network Objectives: Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs. 3. CHI consent management architecture. 4. Current research. 1. Focus: Policies pertaining to personal health information. Policies may touch upon: Consent directives. Acceptable uses. Permissible disclosure. Appropriate safeguards. Emergency overrides. Retention. Sources of Policy: 1. 2. 3. 4. 5. 6. Statutes and regulations Case law Codes of conduct Corporate bylaws Professional guidelines / best practices First Nations Sovereignty Statutes: Privacy The most important legislative instruments are the various privacy and health information statutes. Privacy legislation in Canada is based on a set of fair information practices: 1) Accountability 6) Accuracy 2) Identifying purposes 7) Safeguards 3) Consent 8) Openness 4) Limiting collection 9) Individual access 5) Limiting use, disclosure, retention. 10) Challenging compliance Statutes: Establish a basic rule, and then add exceptions. For example, express consent is generally required in order to disclose information to a third party. But: Emergency situations. Law enforcement. Public health. Eligibility for benefits. Risk to third party. Statutes: Private sector privacy laws Statutes: Health information laws Statutes: additional laws Federal: Statistics Act. Quarantine Act. Provincial: Child Protection Act. Communicable Disease Act. Health Act. Worker’s Compensation Act. Mental Health Act. Other sources Case Law: Eg: Patient has right of access to their own health record. (McInerney v MacDonald). Codes of Conduct: Eg: Canadian Medical Association, Health Information Privacy Code (1998). Corporate bylaws: Hospital policies and procedures. Municipal Information Acts. Best Practices COACH Guidelines for the Protection of Health Information. Sources: OCAP Ownership: information is owned collectively by the Nation. Control: the Nation retains control over all aspects of information management. Access: the Nation has a right to manage and make decisions regarding access to their collective information. Possession: a mechanism to assert ownership. The inter-provincial view: Interoperability: Some Issues: Custodians disclosing PHI are generally under a duty to ensure that the receiving jurisdiction has ‘comparable safeguards’. Patients may issue consent directives. Ontario imposes a ‘duty to notify’ receiving custodians about these. Patients should be able to avail themselves of additional protections in the new jurisdiction. Who now has control of the information? Consent directives are also sensitive. More issues: Even if we have a way to solve these issues, one of the major problems is that laws (etc) are dynamic. Challenge: How do we manage policies in a multi-EHR setting? Traditional route has been to either purchase COTS products, or to develop systems for a particular jurisdiction. (Hard coded business rules). CHI’s Consent Directives Management System Applies constraints prior to providing access or transmitting PHI. Allows consent directives at various levels of granularity. Relies on common privacy vocabulary to apply consent requirements. Can store with EHRi data, or in consolidated form. Processing Consent Directives in a Jurisdiction Transfer consent directives from clinical applications to the EHR. 2. Let either the EHR or (sending clinical application) process consent directives prior to disclosing a patient’s PHI. 3. Transfer consent directives from EHR to clinical applications whenever PHI is disclosed from the EHR. Want to avoid having too many consent directives management systems. 1. Interjurisdictional Transfer Consent directives will be processed whether an access request is received from a POS system, or clinical portal, or from an EHR in another jurisdiction. Jurisdictions need to agree upon and set policies as to how consent directives made in one jurisdiction will be managed following disclosure to another. A nationally adopted messaging schema is required for conveying consent directives between jurisdictions. Interjurisdictional Transfer (2) Several goals must be achieved before policy enforcement can be automated by a policy management service: Jurisdictional policies must be harmonized. Rules must be captured and codified. Special support for changes to rules. Common vocabultary. Data containing consent directives may flow from one jurisdiction to another, but policy related data does not. Can we do better? The inter-jurisdictional data transfer problem is complex. Can we bring some technical tools to bear on the problem? Representing policy rules. Operationalizing the representations. Storing and securing the representations. Managing the representations through their lifecycle. Verification and validation. Current work: There has been quite a bit of work on representing policies and regulations. L.Cranor, M. Langehreich, M. Marchiori, J. Reagle, The Platform for Privacy Preferences (P3P 1.0) Specification. R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, An Xpath based preference language for P3P. N. Li, T. Yu, A.I. Anton, A semantics based approach to privacy languages. (2006) Current Work P. Ashley, S. Hada, G. Karjoth, C. Powers, M. Schunter, Enterprise Privacy Authorization Language (EPAL 1.1). A. Barth, J.C. Mitchell, J. Rosenstein, Conflict and combination in privacy policy languages (2004). (DPAL) eXtensible Access Control Markup Language. (XACML) Current Work The above frameworks provide a formalism to specify data protection policy. They provide methods for evaluating and enforcing policies. Drawback: they are built to manage policies within single organizations. (Guarda, Zannone, Toward the Development of Privacy Aware Systems, 2008) Current Work Recent efforts: Extend XACML with algorithms addressing issue of policy similarities and integration across organizations. (Mazzoleni et al, XACML policy integration algorithms, 2008). Distributed temporal logic. (Hilty et al, On obligations, 2005). Privacy in Peer to Peer Networks. Automated policy enforcement. (Weber, Obry).
© Copyright 2026 Paperzz