Privacy-aware access to Patient-controlled Personal Health Records in emergency situations

Patient-controlled Personal Health Record (PHR) systems may facilitate a patient not only to share her health records with healthcare professionals but also to control her health privacy, in a convenient and easy way. Governed by privacy protection laws, explicit consent/permission of the respective patient is a prerequisite for sharing personal health records. However, in emergency situations, when the patient becomes unable to give consent on her PHRs, healthcare professionals of emergency care units may need to access her health history for better and safer care. In this paper, we have introduced a novel privacy-aware protocol for handling access to patient-controlled PHR by healthcare professionals in emergency situations. The protocol is for the Privacy-aware Patient-controlled Personal Health Record (P3HR) system. It uses strong authentication using health IC cards, authorizes healthcare professionals and embeds emergency access report into the patients health IC card by which we achieve non-repudiation. Use of a dynamic access token in the authorization process protects replay attack. Intuitive privacy analysis shows that the proposed solution can preserve patients privacy from unauthorized parties while granting traceable access to personal health records by authorized healthcare professionals in emergency situations.

[1]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[2]  ASHWIN MACHANAVAJJHALA,et al.  L-diversity: privacy beyond k-anonymity , 2006, 22nd International Conference on Data Engineering (ICDE'06).

[3]  Peter Schartner,et al.  Unique User-Generated Digital Pseudonyms , 2005, MMM-ACNS.

[4]  Noboru Sonehara,et al.  A privacy management architecture for patient-controlled personal health record system , 2009 .

[5]  Robin C. Meili,et al.  Can electronic medical record systems transform health care? Potential health benefits, savings, and costs. , 2005, Health affairs.

[6]  Latanya Sweeney,et al.  k-Anonymity: A Model for Protecting Privacy , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[7]  I. Kohane,et al.  Public standards and patients' control: how to keep electronic medical records accessible but private. , 2001, BMJ : British Medical Journal.

[8]  Kevin B. Johnson,et al.  Personal health records: evaluation of functionality and utility. , 2002, Journal of the American Medical Informatics Association : JAMIA.

[9]  Vincent J. Willey,et al.  HM1 EFFICIENCY AND ECONOMIC BENEFITS ASSOCIATED WITH THE USE OF A PAYER-BASED ELECTRONIC HEALTH RECORD IN AN EMERGENCY DEPARTMENT AMONG A HEALTH INSURED POPULATION , 2009 .

[10]  Eugene Nickolov,et al.  ANALYSIS OF INFORMATION SECURITY OF OBJECTS UNDER ATTACKS AND PROCESSED BY METHODS OF COMPRESSION , 2008 .

[11]  Lillian Røstad,et al.  An Initial Model and a Discussion of Access Control in Patient Controlled Health Records , 2008, 2008 Third International Conference on Availability, Reliability and Security.