ehr systems and policy management
DESCRIPTION
EHR Systems and Policy Management. James Williams – Ontario Telemedicine Network. Objectives:. Review policy constraints for EHR systems. Traditional approaches to policies in EHRs. CHI consent management architecture. Current research. Focus:. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/1.jpg)
EHR Systems and Policy Management
James Williams – Ontario Telemedicine Network
![Page 2: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/2.jpg)
Objectives:1. Review policy constraints for EHR systems.2. Traditional approaches to policies in EHRs.3. CHI consent management architecture.4. Current research.
![Page 3: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/3.jpg)
Focus:Policies pertaining to personal health
information. Policies may touch upon:
Consent directives.Acceptable uses.Permissible disclosure.Appropriate safeguards.Emergency overrides.Retention.
![Page 4: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/4.jpg)
Sources of Policy:1. Statutes and regulations2. Case law3. Codes of conduct4. Corporate bylaws5. Professional guidelines / best practices6. First Nations Sovereignty
![Page 5: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/5.jpg)
Statutes: PrivacyThe most important legislative instruments
are the various privacy and health information statutes.
Privacy legislation in Canada is based on a
set of fair information practices:1) Accountability 6) Accuracy2) Identifying purposes 7) Safeguards3) Consent 8) Openness4) Limiting collection 9) Individual access5) Limiting use, disclosure, retention.
10) Challenging compliance
![Page 6: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/6.jpg)
Statutes:Establish a basic rule, and then add exceptions.
For example, express consent is generally required in order to disclose information to a third party. But:Emergency situations.Law enforcement.Public health.Eligibility for benefits.Risk to third party.
![Page 7: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/7.jpg)
Statutes: Private sector privacy laws
![Page 8: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/8.jpg)
Statutes: Health information laws
![Page 9: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/9.jpg)
Statutes: additional laws Federal:
Statistics Act.Quarantine Act.
Provincial:Child Protection Act. Communicable Disease Act.Health Act.Worker’s Compensation Act.Mental Health Act.
![Page 10: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/10.jpg)
Other sourcesCase Law:
Eg: Patient has right of access to their own health record. (McInerney v MacDonald).
Codes of Conduct:Eg: Canadian Medical Association, Health Information Privacy Code
(1998).
Corporate bylaws:Hospital policies and procedures.Municipal Information Acts.
Best PracticesCOACH Guidelines for the Protection of Health Information.
![Page 11: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/11.jpg)
Sources: OCAPOwnership:
information is owned collectively by the Nation. Control:
the Nation retains control over all aspects of information management.
Access: the Nation has a right to manage and make
decisions regarding access to their collective information.
Possession: a mechanism to assert ownership.
![Page 12: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/12.jpg)
The inter-provincial view:
![Page 13: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/13.jpg)
Interoperability:
![Page 14: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/14.jpg)
Some Issues:Custodians disclosing PHI are generally under a duty to
ensure that the receiving jurisdiction has ‘comparable safeguards’.
Patients may issue consent directives. Ontario imposes a ‘duty to notify’ receiving custodians about these.
Patients should be able to avail themselves of additional protections in the new jurisdiction.
Who now has control of the information?
Consent directives are also sensitive.
![Page 15: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/15.jpg)
More issues:Even if we have a way to solve these issues,
one of the major problems is that laws (etc) are dynamic.
![Page 16: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/16.jpg)
Challenge:How do we manage policies in a multi-EHR
setting?
Traditional route has been to either purchase COTS products, or to develop systems for a particular jurisdiction. (Hard coded business rules).
![Page 17: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/17.jpg)
CHI’s Consent Directives Management SystemApplies constraints prior to providing access
or transmitting PHI. Allows consent directives at various levels
of granularity.Relies on common privacy vocabulary to
apply consent requirements. Can store with EHRi data, or in consolidated
form.
![Page 18: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/18.jpg)
Processing Consent Directives in a Jurisdiction
1. Transfer consent directives from clinical applications to the EHR.
2. Let either the EHR or (sending clinical application) process consent directives prior to disclosing a patient’s PHI.
3. Transfer consent directives from EHR to clinical applications whenever PHI is disclosed from the EHR.
Want to avoid having too many consent directives management systems.
![Page 19: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/19.jpg)
Interjurisdictional TransferConsent directives will be processed whether
an access request is received from a POS system, or clinical portal, or from an EHR in another jurisdiction.
Jurisdictions need to agree upon and set policies as to how consent directives made in one jurisdiction will be managed following disclosure to another.
A nationally adopted messaging schema is required for conveying consent directives between jurisdictions.
![Page 20: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/20.jpg)
Interjurisdictional Transfer (2)Several goals must be achieved before policy
enforcement can be automated by a policy management service:Jurisdictional policies must be harmonized.Rules must be captured and codified.Special support for changes to rules.Common vocabultary.
Data containing consent directives may flow from one jurisdiction to another, but policy related data does not.
![Page 21: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/21.jpg)
Can we do better?The inter-jurisdictional data transfer problem
is complex.Can we bring some technical tools to bear on
the problem?Representing policy rules.Operationalizing the representations.Storing and securing the representations.Managing the representations through their
lifecycle.Verification and validation.
![Page 22: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/22.jpg)
Current work:There has been quite a bit of work on representing
policies and regulations.
L.Cranor, M. Langehreich, M. Marchiori, J. Reagle, The Platform for Privacy Preferences (P3P 1.0) Specification.
R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, An Xpath based preference language for P3P.
N. Li, T. Yu, A.I. Anton, A semantics based approach to privacy languages. (2006)
![Page 23: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/23.jpg)
Current WorkP. Ashley, S. Hada, G. Karjoth, C. Powers, M.
Schunter, Enterprise Privacy Authorization Language (EPAL 1.1).
A. Barth, J.C. Mitchell, J. Rosenstein, Conflict and combination in privacy policy languages (2004). (DPAL)
eXtensible Access Control Markup Language. (XACML)
![Page 24: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/24.jpg)
Current WorkThe above frameworks provide a formalism to
specify data protection policy. They provide methods for evaluating and enforcing policies.
Drawback: they are built to manage policies within single organizations. (Guarda, Zannone, Toward the Development of Privacy Aware Systems, 2008)
![Page 25: EHR Systems and Policy Management](https://reader035.vdocuments.site/reader035/viewer/2022062813/568165c3550346895dd8ce8d/html5/thumbnails/25.jpg)
Current WorkRecent efforts:
Extend XACML with algorithms addressing issue of policy similarities and integration across organizations. (Mazzoleni et al, XACML policy integration algorithms, 2008).
Distributed temporal logic. (Hilty et al, On obligations, 2005).
Privacy in Peer to Peer Networks. Automated policy enforcement. (Weber, Obry).