Electronic Data Consent and Electronic Privacy Policy Domain Analysis

Ioana Singureanu, Eversolve, LLC. Overview: Giving privacy protection options is a requirement for the adoption of secure Electronic Health Record systems. SAMHSA is a leader in promoting privacy protection.


Presentation Transcript


  1. Electronic Data Consent and Electronic Privacy Policy Domain Analysis Ioana Singureanu Eversolve, LLC

  2. Overview
     • Giving privacy protection options is a requirement for the adoption of secure Electronic Health Record systems
     • SAMHSA is a leader in promoting privacy protection
     • Long-term experience to inform future direction
     • HL7 standards enable communication/exchange over the web for
       • Privacy policy
       • Client preferences
       • Provider override

  3. Client-driven Privacy Personal Health Records (including IIHI) Direct Care Research Request (based on client’s criteria) Data filtered (based on rules) Override Diagnosis Administrator Maintain Client Privacy Consent Directives+Privacy Policy

  4. Terms and Concepts
     • Privacy Policy
       • A set of rules intended to protect specific aspects of PHR from abuse
     • Personal Health Records – identified personal health records that include:
       • PHI - Protected Health Information
       • IIHI
     • Privacy Consent Directives
       • Agreement/disagreement with policies
       • Directives
     • Identity (unique identifiers)
       • Client Identity
         • Used to protect privacy, in place of identifying traits
       • Information Identity
         • Object Identifier (OID)

  5. eConsent Management over time

  6. Explicit Privacy Consent or Privacy Policy Enterprise-specific

  7. ePolicy-based Privacy (implied consent) Personal Health Records (including IIHI) Direct Care Research Request (based on client’s criteria) Data filtered (based on rules) Diagnosis Administrator • The client cannot opt-in or opt-out. • Default policies are applied without client’s explicit involvement (e.g. HIPAA) Privacy Policy

  8. Terms
     • Implied Consent
       • Local privacy policies apply by default without explicit client sign-off
       • Directives restrict collection, use, or disclosure of PHI
       • Assumes consent has been given, based on the Client's action (is implied)
       • Clients have the right to withdraw or withhold consent

  9. Terms
     • Express Consent
       • Consent must be explicitly obtained prior to collection, use, or disclosure of PHI

  10. Terms
     • Deemed Consent
       • No ability for the Client to withdraw or withhold consent
       • By requesting service, the Client consents to the collection, use, and disclosure of PHI for the stated purpose(s)

  11. Manage Privacy Policy over time

  12. Using Implied Consent for privacy protection

  13. ePolicy-based Privacy (client signs-off) Personal Health Records (including IIHI) Request (based on criteria) Direct Care Research Data filtered (rules) Diagnosis Administrator The client signs-off on the consent policy as available. Agrees Client Privacy Policy

  14. Client sign-off

  15. The Role of ePolicy for eConsent Client Maintain Use/lookup Privacy Consent Directives National, Local, Organizational Policy

  16. Policies and rules - Analysis
     • National
     • State
     • Organization
     • Client adds privacy consent directive
     • Collect
     • Access
     • Use
     • Disclose

  17. Sample Client Preferences Web Portal; Policy Rule Sets (Venn Diagram)

  18. Sample directives
     • I disallow restricted info to be accessed by administrators for any purpose
     • I allow restricted info to be accessed by direct care providers for treatment

  19. Policy and Consent Directives Common Terminology Consent Directives HL7 Standard Runtime Rules Engines Platform-specific Rules Privacy Policies Platform-independent, standard-based, interoperable, harmonized

  20. Policy and Consent Directives HL7 Standard eConsent <XML> instance eConsent <XML> instance eConsent <XML> instance eConsent <XML> instance eConsent <XML> instance XACML Policy rules ODRL Policy rules XrML policies rules ePolicy <XML> instance ePolicy <XML> instance XSD ePolicy eConsent (XML Schemas) ePolicy <XML> instance ePolicy <XML> instance ePolicy <XML> instance Runtime Rules Engines Platform-independent, standard-based, interoperable, harmonized

  21. Interoperable, standard-based, automated privacy protection National Jurisdiction State/Province/Local Jurisdiction Client’s Consent Directives eConsent <XML> instance ePolicy <XML> instance ePolicy <XML> instance

  22. ePolicy synchronization • Automatic notification/publication of new privacy rules between jurisdictions State/Province Jurisdiction National Jurisdiction ePolicy <XML> instance

  23. Manage Electronic Privacy Policy (ePolicy)

  24. Actors (stakeholders) Consenter responsible for maintaining privacy policies Responsible for maintaining privacy policies A patient is a client who receives medical services

  25. Evaluation Engine

  26. Sensitive = Policy Rule Elements = Constraint Catalog

  27. Privacy Policy and Consent Privacy Subject (client, patient) authority Privacy Policy Content/PHI • Info Users • Direct care • Ancillary Action Privacy Preferences (Consent) • Qualifiers • Coverage (public vs. private) • Custodian Examples: HIPAA: Authority over selling of PHI SAMHSA: Control of disclosure of public pay substance abuse PHI

  28. Policy Rule

  29. ePolicy used in Personal Health Records • Information references the privacy policy or category type Discharge Summary Like confidentialityCode confidentialityCode RESTRICTED HIV-RELATED

  30. eConsent Structure

  31. eConsent Override

  32. ISO 13606 Part 4: Functional roles Additional coversheets/proposals CompletedProposal Vocabulary proposals NewProposal

  33. Terminology - 1 (table rows attributed to CBCC WG and Security WG) Condition may be redundant re: purpose

  34. Obligation, Condition, and Purpose
     • Obligation Code
       • Action that is required to receive the permission specified in the privacy rule
     • Condition Code
       • Prerequisite for a permission to collect, access, use, or disclose personal health records (e.g. trusted computing environment).
     • Purpose Code
       • It specifies the purpose of allowing or denying a permission.

  35. Terminology – 2 (table rows attributed to Security WG and CBCC WG)
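
Added example (not part of the original presentation): the two sample directives from slide 18 evaluated over records tagged with a confidentialityCode (slide 29), so that the request returns "data filtered (based on rules)". The rule encoding, the deny-wins and default-deny ordering, the `NORMAL` code, the role and purpose strings and the sample records are assumptions made for illustration; they are not HL7 eConsent or XACML syntax.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard used by the constructed rules below

@dataclass(frozen=True)
class Rule:
    effect: str    # "permit" or "deny"
    role: str      # information user, e.g. "administrator"
    purpose: str   # purpose of use, e.g. "treatment"
    action: str    # collect / access / use / disclose (slide 16)
    code: str      # confidentialityCode the rule covers (slide 29)

    def matches(self, role, purpose, action, code):
        return all(want in (ANY, got) for want, got in
                   ((self.role, role), (self.purpose, purpose),
                    (self.action, action), (self.code, code)))

# Slide 18 directives, encoded by hand (assumed encoding).
CLIENT_DIRECTIVES = [
    Rule("deny", "administrator", ANY, "access", "RESTRICTED"),
    Rule("permit", "direct_care", "treatment", "access", "RESTRICTED"),
]
# Assumed organizational default applied under implied consent.
DEFAULT_POLICY = [
    Rule("permit", ANY, ANY, "access", "NORMAL"),
]

def decide(role, purpose, action, code):
    """Client directives first (deny wins), then default policy, else deny."""
    for layer in (CLIENT_DIRECTIVES, DEFAULT_POLICY):
        hits = [r.effect for r in layer if r.matches(role, purpose, action, code)]
        if "deny" in hits:
            return "deny"
        if "permit" in hits:
            return "permit"
    return "deny"  # nothing matched: fail closed

def filter_records(records, role, purpose, action="access"):
    """Return only the records the requester may see."""
    return [r for r in records
            if decide(role, purpose, action, r["confidentialityCode"]) == "permit"]

# Constructed sample records.
RECORDS = [
    {"id": "doc-1", "type": "Discharge Summary", "confidentialityCode": "RESTRICTED"},
    {"id": "doc-2", "type": "Lab Result", "confidentialityCode": "NORMAL"},
]

if __name__ == "__main__":
    for who, why in (("direct_care", "treatment"), ("administrator", "billing"),
                     ("direct_care", "research")):
        print(who, why, [r["id"] for r in filter_records(RECORDS, who, why)])
```

A direct care provider asking for a purpose other than treatment sees only the unrestricted record, because no directive grants that purpose and the restricted code has no default permit.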
