From Lip-Service to Action: Improving Healthcare Privacy Practices
Tyrone Grandison & Rafae Bhatti, IBM Almaden Research Center, {rbhatti,tyroneg}@us.ibm.com
Intelligent Information Systems, 2006


Page 1: From Lip-Service to Action: Improving Healthcare Privacy Practices

2006

Intelligent Information Systems

From Lip-Service to Action: Improving Healthcare Privacy Practices

Tyrone Grandison & Rafae Bhatti
IBM Almaden Research Center
{rbhatti,tyroneg}@us.ibm.com

Page 2

Information Management

Outline

Introduction
Background
– HIPAA Requirements
– P3P and Privacy Policies
Healthcare Privacy Policies Survey
Privacy Management Architecture
Conclusion

Page 3

Introduction

Privacy concerns are the main inhibitors of the use and deployment of electronic health records
– Concerns about loss of reputation resulting from privacy breaches are translating into increased spending on healthcare privacy compliance
– In the US, HIPAA is assumed to provide the baseline for healthcare privacy protection

However, the impact of adopting privacy policies on the improvement of privacy practices remains to be ascertained
– The answer lies in the design and enforceability of the policy

Page 4

Highlight of Issues

Policy design
– Policy designed to cover relevant provisions of the regulation but still vague enough to offer little privacy protection
  – Broadly-defined purposes
  – Umbrella authorizations

Lax enforcement
– Policy is often bypassed or subverted during regular operation

Concerns have begun to emerge at national level
– Robert Pear. Warnings over Privacy of US Health Network. New York Times, February 18, 2007.

Page 5

Why does this situation need improvement?

It puts you, the patient, at risk
– Results in a false sense of privacy
  – Purported compliance with privacy regulations
– Undermines the notion of empowering the patient
  – Consent to a policy is not a genuine reflection of privacy practices

It makes the existence of a policy insignificant
– A policy does not reveal a company’s true stance on data protection

Page 6

Our Contributions

Survey of HIPAA-inspired policies of 20 healthcare organizations
– Investigate how stated privacy policies measure up to the level of protection needed to truly safeguard patient data

PRIvacy Management Architecture (PRIMA)
– Enables refinement of privacy policies based on the actual practices of an organization

Page 7

Goals of Policy Refinement

Improve the design of policies to elevate the level of privacy protection afforded to the patient

Elevate current system from one that purports regulatory compliance to one that proactively safeguards patient healthcare data

Better align the policies with actual privacy practices of the organization


Page 9

The Privacy Space Around the World

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Japan: Personal Data Protection Law

EU Directives on Data Protection

US: HIPAA

To ground our discussion, we focus on the HIPAA Privacy Rule

Page 10

HIPAA Requirements

Terms:
– Covered Entities: Health Care Providers and Payers, among others
– PHI: Personally Identifiable Health Information

Key principles of the Privacy Rule:

– Notification: Patient should receive notice of covered entity’s privacy practices

– Authorization and Consent: Written authorization required for disclosures not permitted under Privacy Rule

– Limited Use and Disclosure: Covered entities must ensure use and disclosure of minimum necessary PHI for a specific purpose

– Auditing and Accounting: Patients have the right to accounting of all disclosures of their PHI

– Access: Patients have the right to access their records maintained by the covered entity

Page 11

P3P and Privacy Policies

P3P Policy: a standardized machine-readable policy format

Includes elements that describe:
– Kinds of data collected
– Purpose for which data is used/disclosed
– Data retention policy
– … and other information

Users can supply privacy preferences in P3P Preference Exchange Language (APPEL), which can then be used to evaluate a P3P Privacy Policy


Page 13

Companies Surveyed

Two kinds of policies found:

– Website Privacy Policy

– HIPAA Notice of Privacy Practices

A “policy” in our survey refers to a virtual combination of both

Page 14

Observations on: Notification, Authorization and Consent

Policies state that consent is implied by visiting the website
– Not quite the best practice to meet the Notification requirement

No P3P policies are available
– Precludes automated interpretation and analysis for informed consent

Policy updates are communicated with little regard for the patient
– Insufficient to only post them on the website
– Patient consent to the updated policy is not obtained

Compliant with HIPAA
– HIPAA does not require the policy to be posted in a machine-readable format
– HIPAA does not require the policy to be communicated by expedient means (such as email, IM)

Page 15

Observations on: Limited Use and Disclosure

Policies define broad and all-encompassing purposes
– E.g. “administering healthcare”
– Subsumes a huge category of uses and disclosures

No fine-grained list of employee categories or roles with authorizations to view specific categories of patient data
– E.g. “members of medical staff” category includes most employees
– Provides umbrella authorization for employees
– Criteria for authorization or exception-based accesses (i.e. “break the glass” privileges) not specified
  – Exception mechanisms are being increasingly utilized

Compliant with HIPAA
– HIPAA has provisions that let organizations design policies with broadly-defined purposes
  – E.g.: while “Marketing” is a purpose requiring explicit authorization, a sub-category “communications for treatment of patient” is exempt and can be exploited
– HIPAA calls for policies and procedures for controlling access to PHI but does not require stringent technical mechanisms to be in place

Page 16

Observations on: Audit and Accounting

Most organizations maintain audit trails for all actions pertaining to PHI to meet the audit reporting and accounting requirement

However, there is still much left to be desired
– Audit logs in current systems do not capture all necessary contextual information (such as purpose or recipient)
– Accounting for data disclosures is ineffective in improving levels of privacy protection unless shortcomings in disclosure policies are first addressed
  – E.g.: broadly-defined purposes, umbrella authorizations, exception-based accesses
– While using audit as a deterrent, organizations should not fail to do better by providing more proactive protection

Page 17

Observations on: Access

All policies indicated that patients have a right to access their information through phone, email or online account

Meeting this requirement does not translate into adequate privacy protection for the patient

– Ability to access/update personal information provides no measure of how much information is actually protected unless patient is in control of his/her disclosure policy

– The process of information access may be simple or laborious: from a matter of a few mouse clicks to a waiting period of up to 60 days; recent information disclosures may not get reported

Page 18

Summary

Privacy policies cover enough ground to enable regulatory compliance

Yet, they are inadequate to communicate understandable privacy practices or provide adequate privacy safeguards to the patients


Page 20

PRIvacy Management Architecture (PRIMA)

Premise:
– Design of a HIPAA-inspired policy hinges primarily on the limited use and disclosure rules, which enable proactive fine-grained protection of PHI
– Bridge the disparity between policies and practices to transform healthcare systems to an enhanced state of protection

Approach:
– Define an incremental approach to seamlessly embed policy controls within the clinical workflow

Page 21

Challenges

Complexities in healthcare workflow
– A physician routinely takes notes on paper, which are then entered by a nurse into the computer system; requiring the physician to enter the information would impede the workflow
– New patient arrival in a ward or a visit to the emergency ward requires sensitive information to be provided to on-duty assistants

Access cannot be abruptly curtailed
– New rules cannot be imposed at once
– Policy controls need to grow out of existing practices

Leads to the idea of Policy Refinement

Page 22

Policy Refinement

Leverage audit results
– Analyze all access and disclosure instances
– Flag the incidents not explicitly covered by existing rules in the policy
– Define new rules based on the analyzed information

Improve the policy coverage
– Coverage defined as the ratio of accesses addressed by the policy to all accesses recorded by the system

Gradually embed policy controls
– Enables precise definition of purposes, criteria for exception-based accesses and categories of authorized users
– Novel approach for driving innovation in clinical systems

Page 23

PRIMA Architecture

Page 24

Refinement Framework

Prune
– Find informal clinical patterns from audit logs
– Separate useful exceptions from violations
  – Reduces the number of artifacts that need to be examined
  – Do not waste resources on examining violations in the analysis phase

Extract
– Apply an algorithm to extract candidate patterns
  – Simple matching: assumes pruned data, looks for term combinations, returns frequency of occurrence
  – Richer data mining: not only syntactic but also semantic matching; does not assume pruning, considers relationships between artifacts; reduces the probability of violations being reported for the analysis phase
– Get usefulness ratings of patterns

Filter
– Incorporate or discard patterns based on a usefulness threshold
– Assume a training period
  – Set a threshold appropriate to the target environment
  – Act when the threshold is reached over a period of time

Page 25

Example Data Set

Time  User     Role          Ward        Data Category  Exception?  Purpose
t1    Tom      Nurse         Emergency   PHY JRNL       YES         ADMIN
t2    Jenny    Doctor        Emergency   EXT COLLAB     YES         REFERRAL
t3    Jim      Nurse         Emergency   PHY JRNL       YES         ADMIN
t4    Sarah    Doctor        Medical     LAB RESULT     NO          OUTPAT ENC
t5    Mark     Nurse         Emergency   PHY JRNL       YES         ADMIN
t6    Bob      Nurse         Emergency   PHY JRNL       YES         ADMIN
t7    Barbara  Nurse         Emergency   PHY JRNL       YES         ADMIN
t8    Bill     Nurse         Emergency   PHY JRNL       YES         ADMIN
t9    Patrick  Radiologist   Medical     LAB RESULT     NO          OUTPAT ENC
t10   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH
t11   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH
t12   George   Psychologist  Psychology  PHY JRNL       NO          REFERRAL
t13   Patrick  Radiologist   Medical     LAB RESULT     NO          OUTPAT ENC
t14   Jason    Psychologist  Psychology  DSCG SUMM      YES         REG AUTH

Page 26

Mining Rule

SELECT A.Ward, A.Role, A.Data_Category, A.Purpose
FROM "Patient-Access_Log" A
WHERE A.Exception = 'YES'
GROUP BY A.Ward, A.Role, A.Data_Category, A.Purpose
HAVING COUNT(*) > 5 AND COUNT(DISTINCT A.User) > 1;

Returned: Emergency Ward : Nurse : Physician Journal : Admin
– occurred in the log at least 5 times
– observed for at least 2 different users

Not returned: Psychologist : Psychology : Discharge Summary : Regulatory authority
– occurred in the log only 3 times
– observed for only 1 user
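The following script is an added example, not code from the deck or from PRIMA itself. It ties together the Policy Refinement slide (coverage ratio), the Refinement Framework slide (prune, extract, filter) and the Mining Rule above: it loads a constructed copy of the 14-row example data set into an in-memory SQLite table, groups the exception accesses exactly as the mining rule does, applies the deck's thresholds (more than 5 occurrences, more than 1 distinct user) as the filter step, adds the surviving pattern to the policy as an explicit rule, and reports how policy coverage changes. The initial policy, the rule representation as a (Ward, Role, Data_Category, Purpose) tuple, the underscored table name, and the optional set of audit-confirmed violations used for pruning are all assumptions made for the example.

```python
import sqlite3

# Constructed copy of the deck's "Example Data Set" slide (14 access-log rows).
# Columns: Time, User, Role, Ward, Data_Category, Exception, Purpose
ACCESS_LOG = [
    ("t1",  "Tom",     "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t2",  "Jenny",   "Doctor",       "Emergency",  "EXT_COLLAB", "YES", "REFERRAL"),
    ("t3",  "Jim",     "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t4",  "Sarah",   "Doctor",       "Medical",    "LAB_RESULT", "NO",  "OUTPAT_ENC"),
    ("t5",  "Mark",    "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t6",  "Bob",     "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t7",  "Barbara", "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t8",  "Bill",    "Nurse",        "Emergency",  "PHY_JRNL",   "YES", "ADMIN"),
    ("t9",  "Patrick", "Radiologist",  "Medical",    "LAB_RESULT", "NO",  "OUTPAT_ENC"),
    ("t10", "Jason",   "Psychologist", "Psychology", "DSCG_SUMM",  "YES", "REG_AUTH"),
    ("t11", "Jason",   "Psychologist", "Psychology", "DSCG_SUMM",  "YES", "REG_AUTH"),
    ("t12", "George",  "Psychologist", "Psychology", "PHY_JRNL",   "NO",  "REFERRAL"),
    ("t13", "Patrick", "Radiologist",  "Medical",    "LAB_RESULT", "NO",  "OUTPAT_ENC"),
    ("t14", "Jason",   "Psychologist", "Psychology", "DSCG_SUMM",  "YES", "REG_AUTH"),
]

# A policy rule is a (Ward, Role, Data_Category, Purpose) tuple. Assumption for the
# example: the starting policy is exactly the set of rules behind the log's
# non-exception rows, so every "Exception = YES" row is an access the policy
# does not explicitly address.
INITIAL_POLICY = {
    ("Medical", "Doctor", "LAB_RESULT", "OUTPAT_ENC"),
    ("Medical", "Radiologist", "LAB_RESULT", "OUTPAT_ENC"),
    ("Psychology", "Psychologist", "PHY_JRNL", "REFERRAL"),
}

# Extract step: the deck's mining rule without its HAVING clause, so every
# recurring term combination among exception accesses comes back with its
# frequency and distinct-user count. Thresholding is done in filter_candidates.
EXTRACT_SQL = """
    SELECT Ward, Role, Data_Category, Purpose,
           COUNT(*) AS occurrences, COUNT(DISTINCT User) AS distinct_users
    FROM Patient_Access_Log
    WHERE Exception = 'YES'
    GROUP BY Ward, Role, Data_Category, Purpose
    ORDER BY occurrences DESC, Ward, Role, Data_Category, Purpose
"""


def load_log(rows, known_violations=frozenset()):
    """Prune step: load the audit log into an in-memory table, leaving out rows
    (by Time id) that the audit team has already classified as violations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Patient_Access_Log (Time TEXT, User TEXT, Role TEXT, "
        "Ward TEXT, Data_Category TEXT, Exception TEXT, Purpose TEXT)"
    )
    conn.executemany(
        "INSERT INTO Patient_Access_Log VALUES (?, ?, ?, ?, ?, ?, ?)",
        [r for r in rows if r[0] not in known_violations],
    )
    return conn


def extract_candidates(conn):
    """Simple matching: group exception accesses by term combination."""
    return [
        {"rule": tuple(row[:4]), "occurrences": row[4], "distinct_users": row[5]}
        for row in conn.execute(EXTRACT_SQL).fetchall()
    ]


def filter_candidates(candidates, min_count=5, min_users=1):
    """Filter step: keep patterns above the usefulness thresholds (the deck's
    HAVING COUNT(*) > 5 AND COUNT(DISTINCT User) > 1)."""
    return [
        c for c in candidates
        if c["occurrences"] > min_count and c["distinct_users"] > min_users
    ]


def policy_coverage(policy, rows):
    """Coverage = accesses addressed by the policy / all accesses in the log."""
    covered = sum(1 for r in rows if (r[3], r[2], r[4], r[6]) in policy)
    return covered / len(rows)


def refine_policy(policy, rows, min_count=5, min_users=1, known_violations=frozenset()):
    """One refinement round: prune, extract, filter, then add the surviving
    patterns to the policy as explicit rules. Returns (refined policy, kept patterns)."""
    conn = load_log(rows, known_violations)
    kept = filter_candidates(extract_candidates(conn), min_count, min_users)
    conn.close()
    return set(policy) | {c["rule"] for c in kept}, kept


if __name__ == "__main__":
    before = policy_coverage(INITIAL_POLICY, ACCESS_LOG)
    refined, kept = refine_policy(INITIAL_POLICY, ACCESS_LOG)
    for c in kept:
        print("new rule from audit data:", c)
    print(f"coverage before: {before:.2f}, after: {policy_coverage(refined, ACCESS_LOG):.2f}")
```

On the deck's data the only pattern that clears both thresholds is Emergency / Nurse / PHY_JRNL / ADMIN (6 occurrences, 6 users); the Psychology discharge-summary pattern (3 occurrences, 1 user) and the single external-collaboration access stay flagged rather than becoming rules. Coverage rises from 4/14 to 10/14 in one round, and pruning even one of the nurse accesses as a confirmed violation drops that pattern to 5 occurrences, which no longer exceeds the threshold, so the training period and threshold choice matter as much as the query.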


Page 28

Conclusion

Surveyed 20 healthcare privacy policies

Healthcare in need of improved privacy practices

Focused on problem of limited use and disclosure rules

Presented novel solution based on policy refinement

Page 29

Thank you!

Questions?