Business process management enabled compliance-aware medical record sharing

Data sharing about electronic health records (EHRs) across healthcare organisations is still a challenging task due to compliance requirements with regulatory policies that can vary across states and countries, and organisations’ internal business requirements. Even when adopting the same regulatory policies, each organisation can interpret and implement these policies and requirements differently in its internal IT environments. This paper proposes a compliance-aware data management solution for EHR systems. It allows healthcare organisations to define their own security and regulatory compliance requirements for accessing and sharing healthcare data, and enables policy enforcement while sharing data with other organisations. The policy requirements are expressed in the form of business processes that govern the access and sharing of data between people and systems. The business process operations are mapped into low-level operations on internal and remote record stores and policy enforcement points. We have implemented a prototype system that supports the proposed approach and integrated it with OpenMRS, an open source electronic medical record system, using which we have defined and enforced some real-world regulations and organisations’ policies for data sharing.

[1]  Shazia Wasim Sadiq,et al.  Compliance Aware Business Process Design , 2007, Business Process Management Workshops.

[2]  Guido Governatori,et al.  On compliance checking for clausal constraints in annotated process models , 2012, Inf. Syst. Frontiers.

[3]  Alan H. Karp,et al.  Managing Data Retention Policies at Scale , 2012 .

[4]  Jorge Lobo,et al.  Privacy-Aware Role-Based Access Control , 2007, IEEE Security & Privacy.

[5]  John Mylopoulos,et al.  Establishing Regulatory Compliance for Information System Requirements: An Experience Report from the Health Care Domain , 2010, ER.

[6]  Silvana Quaglini,et al.  Improving Compliance to Guidelines through Workflow Technology: Implementation and Results in a Stroke Unit , 2007, MedInfo.

[7]  Markus Jakobsson,et al.  Controlling data in the cloud: outsourcing computation without outsourcing control , 2009, CCSW '09.

[8]  Fabio Casati,et al.  Privacy Preserving Event Driven Integration for Interoperating Social and Health Systems , 2010, Secure Data Management.

[9]  Vera Künzle,et al.  Towards Object-aware Process Support in Healthcare Information Systems , 2012, eTELEMED 2012.

[10]  Maria E. Orlowska,et al.  Translating business contract into compliant business processes , 2006, 2006 10th IEEE International Enterprise Distributed Object Computing Conference (EDOC'06).

[11]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[12]  Ling Liu,et al.  Security Models and Requirements for Healthcare Application Clouds , 2010, 2010 IEEE 3rd International Conference on Cloud Computing.

[13]  Wil M. P. van der Aalst,et al.  Workflow Patterns , 2004, Distributed and Parallel Databases.

[14]  John Mylopoulos,et al.  Extracting rights and obligations from regulations: toward a tool-supported process , 2007, ASE.

[15]  Kenneth D. Mandl,et al.  Indivo: a personally controlled health record for health information exchange and communication , 2007, BMC Medical Informatics Decis. Mak..

[16]  Anil Nigam,et al.  Business artifacts: An approach to operational specification , 2003, IBM Syst. J..

[17]  Jens H. Weber,et al.  Protecting privacy during peer-to-peer exchange of medical documents , 2012, Inf. Syst. Frontiers.

[18]  Gustavo Alonso,et al.  Web Services: Concepts, Architectures and Applications , 2009 .

[19]  Annie I. Antón,et al.  Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations , 2006, 14th IEEE International Requirements Engineering Conference (RE'06).

[20]  Monique W. M. Jaspers,et al.  Proclets in healthcare , 2010, J. Biomed. Informatics.

[21]  Marco Casassa Mont,et al.  Dealing with Privacy Obligations: Important Aspects and Technical Approaches , 2004, TrustBus.

[22]  John E. Mattison,et al.  Review: The HL7 Clinical Document Architecture , 2001, J. Am. Medical Informatics Assoc..

[23]  Sharad Singhal,et al.  GEODAC: A Data Assurance Policy Specification and Enforcement Framework for Outsourced Services , 2011, IEEE Transactions on Services Computing.

[24]  John C. Mitchell,et al.  Privacy and Utility in Business Processes , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[25]  Ahmed Awad,et al.  An Iterative Approach for Business Process Template Synthesis from Compliance Rules , 2011, CAiSE.

[26]  Travis D. Breaux,et al.  Managing multi-jurisdictional requirements in the cloud: towards a computational legal landscape , 2011, CCSW '11.

[27]  Tracee Vetting Wolf,et al.  Seeing is believing: Designing visualizations for managing risk and compliance , 2007, IBM Syst. J..

[28]  Christoph Meinel,et al.  Security Requirements Specification in Service-Oriented Business Process Management , 2009, 2009 International Conference on Availability, Reliability and Security.

[29]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[30]  Anne-Marie Kermarrec,et al.  The many faces of publish/subscribe , 2003, CSUR.

[31]  Manfred Reichert,et al.  IT support for healthcare processes - premises, challenges, perspectives , 2007, Data Knowl. Eng..

[32]  Gail-Joon Ahn,et al.  Access Control Model for Sharing Composite Electronic Health Records , 2008, CollaborateCom.

[33]  M. Eric Johnson,et al.  Information security and privacy in healthcare: current state of research , 2010, Int. J. Internet Enterp. Manag..

[34]  Robin C. Meili,et al.  Can electronic medical record systems transform health care? Potential health benefits, savings, and costs. , 2005, Health affairs.