Abstract
Sensitive health information is kept in Electronic Health Records (EHRs), which makes the data readily accessible and enables its transfer contrary to patient consent. Hence, privacy-preserving mechanisms are a top priority. As a first step towards the development of a privacy-preserving access-control language, we used qualitative research methods to characterize scenarios of requests for disclosure of patient data and to identify the entities involved, the context of the request, and the requested data.
Background
Privacy can be achieved by adopting the "need-to-know" principle [1], under which caregivers access only the data relevant to the current encounter. This principle can be implemented with Role-Based Access Control (RBAC) [2] languages that define roles for the caregivers who request patient data. A contextual RBAC authorization model was proposed by Motta [3], in which authorization rules are defined for specific contexts. We would like to extend this work by characterizing access requests in typical care-giving situations and defining the possible contexts.
Research Question
Can we characterize access-control situations by defining: (1) the entities that need health information in order to provide and to receive proper services, (2) the types of health information that are disclosed, and (3) the contexts in which the data disclosure occurs?
Discussion
Our methodology helped to identify access scenarios and, via OPM analysis, to derive their contexts. The complexity of the scenarios, measured by the number of context variables involved, is low, probably because the respondents were patients who have not experienced complex situations themselves. Nevertheless, the first interview phase helped us plan the next interviews with the stakeholder entities identified in the patient interviews.
Methods
To characterize access-control situations, we are using qualitative research methods, including interviews, questionnaires, observations, and document studies. We use Object-Process Methodology (OPM) [4] to conceptually model the situations and their characteristics.
Results
So far we have conducted three interviews, one observation, three document studies to examine EHRs, and eight questionnaires. Although the interviews focused on entities that receive health services (i.e., patients), the respondents pointed out 23 different health-service-providing entities, including primary care physicians, expert physicians, nurses, secretaries, and insurance agents. Patients identified 14 types of data that should be protected, such as fertility information, chronic medications, sexually transmitted diseases, and psychiatric treatment. We identified 15 scenarios that include health data disclosure, involving 13 context variables. According to the respondents, complete data disclosure should occur in emergency care and in cases where a diagnosis cannot easily be made.
Figure 1 is a model of a scenario we identified (bold words indicate contextual factors, modeled as entities): Dr. Cohen is a urologist who does not have access to gynecology data in the patient's EHR. During his ER shift, he was asked to take care of a woman suffering from vaginal bleeding. In this case, access to the gynecology data was approved.
Figure 1.
An Object-Process Diagram of an EHR access scenario
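To make the contextual RBAC decision in the Figure 1 scenario concrete, the following added example (not part of the original poster or Motta's model) evaluates a request in two stages: static role permissions under need-to-know, then a context extension that applies only in an emergency encounter whose presenting complaint is relevant to the requested data category. The roles, data categories, context variables and the `authorize` function are constructed for illustration; every contextual override is recorded in an audit list so that break-glass style disclosures remain reviewable.

```python
"""Contextual RBAC check for EHR data categories (added example, constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Request:
    user: str
    role: str
    category: str       # EHR data category, e.g. "gynecology"
    setting: str        # encounter setting: "clinic" or "emergency"
    complaint: str = "" # presenting complaint of the current encounter

# Static need-to-know mapping: role -> categories it may read (constructed).
ROLE_CATEGORIES: Dict[str, Set[str]] = {
    "urologist": {"urology", "chronic_medications"},
    "gynecologist": {"gynecology", "fertility", "chronic_medications"},
    "secretary": set(),
}

# Contextual extension: in an emergency, a presenting complaint unlocks
# additional categories that are clinically relevant to it (constructed).
EMERGENCY_EXTENSIONS: Dict[str, Set[str]] = {
    "vaginal bleeding": {"gynecology"},
}

# Every decision that relied on context is appended here for later review.
AUDIT: List[dict] = []

def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); static role rules first, then context."""
    base = ROLE_CATEGORIES.get(req.role, set())
    if req.category in base:
        return True, f"{req.role} has static access to {req.category}"
    if req.setting == "emergency":
        extra = EMERGENCY_EXTENSIONS.get(req.complaint, set())
        if req.category in extra:
            # Context-driven grant: log it so the override is auditable.
            AUDIT.append({"user": req.user, "role": req.role,
                          "category": req.category, "complaint": req.complaint,
                          "override": True})
            return True, f"emergency ({req.complaint}) extends access to {req.category}"
    return False, f"{req.role} has no need-to-know for {req.category} in {req.setting}"

if __name__ == "__main__":
    clinic = Request("Dr. Cohen", "urologist", "gynecology", "clinic")
    er = Request("Dr. Cohen", "urologist", "gynecology", "emergency", "vaginal bleeding")
    print(authorize(clinic))  # denied: no static need-to-know
    print(authorize(er))      # allowed: emergency context, relevant complaint
```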
References
- 1. Joshi JBD, Aref WG, Ghafoor A, Spafford EH. Security models for web-based applications. Commun ACM. 2001;44:38–44.
- 2. Sandhu RS, Coyne EJ, Youman CE. Role-based access control models. IEEE Comput. 1996;29:38–47.
- 3. Motta G, Furuie SS. A contextual role-based access control authorization model for electronic patient record. IEEE Trans Inf Technol Biomed. 2003;7(3). doi: 10.1109/titb.2003.816562.
- 4. Dori D. Object-Process Methodology: A Holistic Systems Paradigm. New York: Springer; 2002.