Improving Healthcare Privacy Through Policy Refinement
1. 2006
Intelligent Information Systems
From Lip-Service to Action:
Improving Healthcare Privacy Practices
Tyrone Grandison & Rafae Bhatti
IBM Almaden Research Center
{rbhatti,tyroneg}@us.ibm.com
3. Information Management
Introduction
Privacy concerns main inhibitors to use and deployment of electronic
health records
– Concerns about loss of reputation resulting from privacy breaches
translating into increased spending on healthcare privacy compliance
– In US, HIPAA is assumed to provide baseline for healthcare privacy
protection
However, impact of adoption of privacy policies on improvement of
privacy practices remains to be ascertained
– The answer lies in the design and enforceability of policy
4. Information Management
Highlight of Issues
Policy Design
– Policy designed to cover relevant provisions of regulation but still vague
enough to offer little privacy protection
Broadly-defined purposes
Umbrella authorizations
Lax enforcement
– Policy is often bypassed or subverted during regular operation
Concerns have begun to emerge at national level
– Robert Pear. Warnings over Privacy of US Health Network. New York
Times, February 18, 2007.
5. Information Management
Why does this situation need improvement?
It puts you, the patient, at risk
– Results in false sense of privacy
Purported compliance with privacy regulations
– Undermines the notion of empowering the patient
Consent to a policy not a genuine reflection of privacy practices
It makes the existence of a policy insignificant
– A policy does not reveal a company’s true stance on data protection
6. Information Management
Our Contributions
Survey of HIPAA-inspired policies of 20 healthcare organizations
– Investigate how stated privacy policies measure up to the level of
protection needed to truly ensure patient data
PRIvacy Management Architecture (PRIMA)
– Enables refinement of privacy policies based on actual practices of an
organization
7. Information Management
Goals of Policy Refinement
Improve the design of policies to elevate the level of privacy protection
afforded to the patient
Elevate current system from one that purports regulatory compliance to one
that proactively safeguards patient healthcare data
Better align the policies with actual privacy practices of the organization
9. Information Management
The Privacy Space Around the World
Canada: Personal Information Protection and Electronic Documents Act
(PIPEDA)
Japan: Personal Data Protection Law
EU Directives on Data Protection
US: HIPAA
To ground our discussion, we focus on HIPAA Privacy Rule
10. Information Management
HIPAA Requirements
Terms:
– Covered Entities: Health Care Providers and Payers, among others
– PHI: Personally Identifiable Health Information
Key principles of the Privacy Rule:
– Notification: Patient should receive notice of covered entity’s privacy
practices
– Authorization and Consent: Written authorization required for disclosures not
permitted under Privacy Rule
– Limited Use and Disclosure: Covered entities must ensure use and
disclosure of minimum necessary PHI for a specific purpose
– Auditing and Accounting: Patients have the right to accounting of all
disclosures of their PHI
– Access: Patients have the right to access their records maintained by the
covered entity
11. Information Management
P3P and Privacy Policies
P3P Policy: a standardized machine-readable policy format
Includes elements that describe:
– Kinds of data collected
– Purpose for which data is used/disclosed
– Data retention policy
– … and other information
Users can supply privacy preferences in P3P Preference Exchange
Language (APPEL), which can then be used to evaluate a P3P Privacy
Policy
13. Information Management
Companies Surveyed
Two kinds of
policies found:
– Website
Privacy Policy
– HIPAA Notice
of Privacy
Practices
A “policy” in our
survey refers to a
virtual
combination of
both
14. Information Management
Observations on: Notification, Authorization and Consent
Policies state that consent is implied by visiting the website
– Not quite the best practice to meet the Notification requirement
No P3P policies are available
– Precludes automated interpretation and analysis for informed
consent
Policy updates communicated with little regard for patient
– Insufficient to only post them on website
– Patient consent to updated policy not obtained
Compliant with HIPAA
– HIPAA does not require policy to be posted using machine-readable
format
– HIPAA does not require policy to be communicated using expedient
means (such as email, IM)
15. Information Management
Observations on: Limited Use and Disclosure
Policies define broad and all-encompassing purposes
– E.g. “administering healthcare”
– Subsumes a huge category of uses and disclosures
No fine-grained list of employee categories or roles with authorizations to
view specific categories of patient data
– E.g. “members of medical staff” category includes most employees
– Provides umbrella authorization for employees
– Criterion for authorization or exception-based accesses (I.e. “break the glass”
privileges) not specified
Exception mechanisms being increasingly utilized
Compliant with HIPAA
– HIPAA has provisions to let organizations design policies with broadly-defined
purposes
E.g: While “Marketing” is a purpose requiring explicit authorization, a sub-
category “communications for treatment of patient” is exempt and can be
exploited
– HIPAA calls for policies and procedures for controlling access to PHI but does
not require stringent technical mechanisms to be in place
16. Information Management
Observations on: Audit and Accounting
Most organizations maintain audit trails for all actions pertaining to PHI to
meet audit reporting and accounting requirement
However, there is still much left to be desired
– Audit logs in current systems do not capture all necessary contextual
information (such as purpose or recipient)
– Accounting for data disclosures is ineffective in improving levels of
privacy protection unless shortcomings in disclosure policies are first
addressed
E.g.: broadly-defined purposes, umbrella authorizations,
exception-based accesses
– While using audit as a deterrent factor, organizations should not fail to
do better by providing more proactive protection
17. Information Management
Observations on: Access
All policies indicated that patients have a right to access their information
through phone, email or online account
Meeting this requirement does not translate into adequate privacy
protection for the patient
– Ability to access/update personal information provides no measure of
how much information is actually protected unless patient is in control
of his/her disclosure policy
– The process of information access may be simple or laborious- from
being a matter of few mouse clicks to a waiting period of up to 60
days; recent information disclosures may not get reported
18. Information Management
Summary
Privacy policies cover enough ground to enable regulatory compliance
Yet, they are inadequate to communicate understandable privacy
practices or provide adequate privacy safeguards to the patients
20. Information Management
PRIvacy Management Architecture (PRIMA)
Premise:
– Design of a HIPAA-inspired policy hinges primarily on limited use and
disclosure rule which enable proactive fine-grained protection of PHI
– Bridge the disparity between policies and practices to transform the
healthcare systems to an enhanced state of protection
Approach:
– Define an incremental approach to seamlessly embed policy controls
within the clinical workflow
21. Information Management
Challenges
Complexities in healthcare workflow
– A physician routinely takes notes on paper, which is then entered by a
nurse into the computer system; requiring the physician to enter
information would impede the workflow
– New patient arrival in a ward or visit to emergency ward requires
sensitive information to be provided to on-duty assistants
Access cannot be abruptly curtailed
– New rules cannot be imposed at once
– Policy controls need to grow out of existing practices
Leads to the idea of Policy Refinement
22. Information Management
Policy Refinement
Leverage audit results
– Analyze all access and disclosure instances
– Flag the incidents not explicitly covered by existing rules in policy
– Define new rules based on analyzed information
Improve the policy coverage
– Coverage defined as ratio of accesses addressed by the policy to all
access recorded by the system
Gradually embed policy controls
– Enables precise definition of purposes, criteria for exception-based
accesses and categories of authorized users
– Novel approach for driving innovation in clinical systems
24. Information Management
Refinement Framework
Prune
– Find informal clinical patterns from audit logs
– Separate useful exceptions from violations
Reduce number of artifacts needed to be examined
Do not waste resources on examining violations in analysis phase
Extract
– Apply algorithm to extract candidate patterns
Simple matching:
- Assumes pruned data, looks for term combinations, returns frequency of occurrence
Richer data mining:
- Not only syntactic but also semantics matching
- Does not assume pruning, considers relationship between artifacts
- Reduces probability of violations being reported for analysis phase
– Get usefulness ratings of patterns
Filter
– Incorporate or discard patterns based on usefulness threshold
– Assume a training period
Set a threshold appropriate to the target environment
Act when threshold is reached over a period of time
25. Information Management
Example Data Set
Time User Role Ward Data
Category
Excep
tion?
Purpose
t1 Tom Nurse Emergency PHY JRNL YES ADMIN
t2 Jenny Doctor Emergency EXT COLLAB YES REFERRAL
t3 Jim Nurse Emergency PHY JRNL YES ADMIN
t4 Sarah Doctor Medical LAB RESULT NO OUTPAT ENC
t5 Mark Nurse Emergency PHY JRNL YES ADMIN
t6 Bob Nurse Emergency PHY JRNL YES ADMIN
t7 Barbara Nurse Emergency PHY JRNL YES ADMIN
t8 Bill Nurse Emergency PHY JRNL YES ADMIN
t9 Patrick Radiologist Medical LAB RESULT NO OUTPAT ENC
t10 Jason Psychologist Psychology DSCG SUMM YES REG AUTH
t11 Jason Psychologist Psychology DSCG SUMM YES REG AUTH
t12 George Psychologist Psychology PHY JRNL NO REFERRAL
t13 Patrick Radiologist Medical LAB RESULT NO OUTPAT ENC
t14 Jason Psychologist Psychology DSCG SUMM YES REG AUTH
26. Information Management
Mining Rule
SELECT A.Ward, A.Role, A.Data_Category, A.Purpose
FROM Patient-Access_Log A
WHERE A.Exception = 'YES'
GROUP BY A.Ward, A.Role, A.Data_Category, A.Purpose
HAVING COUNT(*) > 5 AND COUNT(DISTINCT(A.User)) > 1;
Returned:
EmergencyWard : Nurse : PhysicianJournal : Admin
occurred in the log at least 5 times
observed for at least 2 different users
Not returned:
Psychologist : Psychology : DischargeSummary : Regulatoryauthority
occurred in the log only 3 times
observed for only 1 user
28. Information Management
Conclusion
Surveyed 20 healthcare privacy policies
Healthcare in need of improved privacy practices
Focused on problem of limited use and disclosure rules
Presented novel solution based on policy refinement
