Confidentiality Preserving Audits of Electronic Medical Record Access

Failure to supply a care provider with timely access to a patient's medical record can lead to patient harm or death. Healthcare organizations therefore often grant care providers broad access privileges to electronic medical record (EMR) systems. The cost of this breadth is that a care provider may access a patient's record without a legitimate purpose and violate that patient's privacy. Healthcare privacy officials use EMR access logs to investigate potential violations, but a typical log is limited in what it records, so investigators often have to merge the access log with data from other information systems to establish whether an access was justified. The problem with this practice is that sensitive information about patients and care providers may be disclosed in the process. In this paper, we present a privacy preserving technique that links disparate health information systems without revealing sensitive information. The technique permits any number of vested parties to contribute to an audit investigation without learning information about those being investigated. We motivate the protocol with a real world medical center and then generalize it for implementation in existing healthcare environments.
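The abstract does not spell out the paper's protocol, so the following is an added illustration of the general property it claims, not the authors' method: two data holders (the EMR, which holds the access log, and a treatment system, which holds documented provider-patient care relationships) release only keyed-hash pseudonyms of identifiers, an auditor joins the two sources on those pseudonyms alone, and only the accesses with no documented relationship are sent back to the EMR for re-identification. The records, identifiers, timestamps, the hypothetical `LINKAGE_KEY`, and all function names are constructed for this example. The auditor never holds the key; a plain unkeyed hash would not do, because the auditor could enumerate the small, structured MRN and staff-ID spaces and invert it. Note the trust assumption this simple pattern makes: the two data holders share the key, so it protects the identifiers from the auditor, not from a data holder colluding with the auditor.

```python
import hashlib
import hmac

# Constructed sample records (not from the paper). Two separate data holders:
# the EMR, which holds the access log, and the scheduling/treatment system,
# which holds documented provider-patient care relationships.
EMR_ACCESS_LOG = [
    {"provider": "P-1001", "patient": "MRN-55001", "ts": "2024-03-01T08:15"},
    {"provider": "P-1001", "patient": "MRN-55002", "ts": "2024-03-01T08:40"},
    {"provider": "P-2002", "patient": "MRN-55001", "ts": "2024-03-01T09:05"},
    {"provider": "P-3003", "patient": "MRN-55009", "ts": "2024-03-01T11:30"},
]
CARE_RELATIONSHIPS = [
    {"provider": "P-1001", "patient": "MRN-55001"},
    {"provider": "P-2002", "patient": "MRN-55001"},
    {"provider": "P-3003", "patient": "MRN-55003"},
]

# Hypothetical linkage key shared by the two data holders and withheld from
# the auditor. A real deployment would provision it out of band; it is
# hard-coded here only so the example runs offline.
LINKAGE_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A plain hash would let the auditor recover MRNs and staff IDs by hashing
    the small, structured identifier space; the secret key prevents that.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def export_access_tokens(log, key):
    """EMR side: release pseudonymous (provider, patient, timestamp) rows."""
    return [
        (pseudonymize(r["provider"], key), pseudonymize(r["patient"], key), r["ts"])
        for r in log
    ]


def export_relationship_tokens(relationships, key):
    """Treatment-system side: release the set of pseudonymous care pairs."""
    return {
        (pseudonymize(r["provider"], key), pseudonymize(r["patient"], key))
        for r in relationships
    }


def find_unexplained_accesses(access_tokens, relationship_tokens):
    """Auditor side: join on pseudonyms only.

    Returns every access with no documented care relationship as a
    pseudonymous row. The auditor learns nothing about the matched
    (explained) accesses beyond the fact that they matched.
    """
    return [row for row in access_tokens if (row[0], row[1]) not in relationship_tokens]


def reidentify(flagged_rows, log, key):
    """EMR side: map flagged pseudonyms back to real identifiers by
    re-deriving tokens for its own records. Only flagged rows resolve, so
    disclosure is limited to the accesses actually under investigation."""
    lookup = {
        (pseudonymize(r["provider"], key), pseudonymize(r["patient"], key), r["ts"]): r
        for r in log
    }
    return [lookup[row] for row in flagged_rows if row in lookup]


def run_audit(log=EMR_ACCESS_LOG, relationships=CARE_RELATIONSHIPS, key=LINKAGE_KEY):
    """End to end: pseudonymize at each holder, link at the auditor,
    re-identify only the flagged accesses at the EMR."""
    access_tokens = export_access_tokens(log, key)
    relationship_tokens = export_relationship_tokens(relationships, key)
    flagged = find_unexplained_accesses(access_tokens, relationship_tokens)
    return reidentify(flagged, log, key)


if __name__ == "__main__":
    for r in run_audit():
        print(f"{r['ts']} provider {r['provider']} accessed {r['patient']} "
              "with no documented care relationship")
```

On the constructed data, two of the four accesses have no matching care relationship (P-1001 on MRN-55002 and P-3003 on MRN-55009) and are the only records the EMR re-identifies; the auditor's view of the other two is a pair of 64-character hex tokens and a timestamp. Splitting the join from the re-identification step is what lets additional parties (a scheduling system, an on-call roster) contribute their own pseudonymised relationship sets to the same audit without seeing the access log in the clear.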