The roles of policy and professionalism in the protection of processed clinical data: A literature review

BACKGROUND Routinely collected clinical data are increasingly used for health service management, audit, and research. Even apparently anonymised data are subject to data protection. The relevant principles were set out in a treaty of the Council of Europe, and subsequent policy has been based on these. However, little has been written about implementing policy and the role of health informaticians in this process.

OBJECTIVE To define the elements of an effective implementation policy and the role of the health informatician in protecting processed clinical data.

METHODS We performed a literature review of bibliographic databases and a manual search of the major medical informatics associations' websites, relevant working groups and an affiliated journal. Fifty-four papers relevant to implementation were identified.

RESULTS The effective implementation of policy requires consideration of technical, organisational, personnel and professional issues. However, there is no clearly defined formula for successful implementation of data protection policy.

CONCLUSIONS Patients and professionals need a system they can trust, and processes that can be easily incorporated into everyday practice. The lack of a core generalisable theory or strong professional code in health informatics limits the ability of health informaticians to implement policy.
