Delegation of access in an information accountability framework for eHealth

Shared eHealth records systems offer promising benefits for improving healthcare through high availability of information and improved decision making; however, their uptake has been hindered by concerns over the privacy of patient information. To address these privacy concerns while balancing the requirements of healthcare professionals to have access to the information they need to provide appropriate care, the use of an Information Accountability Framework (IAF) has been proposed. For the IAF and so-called Accountable-eHealth systems to become a reality, the framework must provide for a diverse range of users and use cases. The initial IAF model did not provide for more diverse use cases, including the need for certain users to delegate access to another user in the system to act on their behalf while maintaining accountability. In this paper, we define the requirements for delegation of access in the IAF, describe how such access policies would be represented in the Framework, and implement and validate an expanded IAF model.
