Electronic Data Consent and Electronic Privacy Policy Domain Analysis
DESCRIPTION
Electronic Data Consent and Electronic Privacy Policy Domain Analysis. Ioana Singureanu, Eversolve, LLC. Overview. Giving privacy protection options is a requirement for the adoption of secure Electronic Health Record systems. SAMHSA is a leader in promoting privacy protection
![Page 1: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/1.jpg)
Electronic Data Consent and Electronic Privacy Policy Domain Analysis
Ioana Singureanu
Eversolve, LLC
![Page 2: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/2.jpg)
Overview
Giving privacy protection options is a requirement for the adoption of secure Electronic Health Record systems
SAMHSA is a leader in promoting privacy protection
• Long-term experience to inform future direction
HL7 standards enable communication/exchange over the web for
• Privacy policy
• Consumer preferences
• Provider override
![Page 3: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/3.jpg)
Consumer-driven Privacy
Privacy Consent Directives + Privacy Policy
Personal Health Records (including IIHI)
Direct Care Research
Diagnosis
Consumer
Maintain
Request (based on consumer’s criteria)
Data filtered (based on rules)
Override
Administrator
![Page 4: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/4.jpg)
Terms and Concepts
Privacy Policy
• A set of rules intended to protect specific aspects of PHR from abuse
Personal Health Records – identified personal health records that include:
• PHI - Protected Health Information
• IIHI
Privacy Consent Directives
• Agreement/disagreement with policies
• Directives
Identity (unique identifiers)
• Consumer Identity: used to protect privacy, in place of identifying traits
• Information Identity: Object Identifier (OID)
![Page 5: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/5.jpg)
eConsent Management over time
![Page 6: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/6.jpg)
Explicit Privacy Consent or Privacy Policy
Enterprise-specific
![Page 7: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/7.jpg)
ePolicy-based Privacy (implied consent)
Privacy Policy
Personal Health Records (including IIHI)
• The consumer cannot opt-in or opt-out.
• Default policies are applied without consumer’s explicit involvement (e.g. HIPAA)
Direct Care Research
Diagnosis Administrator
Request (based on consumer’s criteria)
Data filtered (based on rules)
![Page 8: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/8.jpg)
Terms
Implied Consent Directives
• Also referred to as “deemed” privacy consent directives
• Local privacy policies apply by default without explicit consumer sign-off
![Page 9: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/9.jpg)
Manage Privacy Policy over time
![Page 10: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/10.jpg)
Using Implied Consent for privacy protection
![Page 11: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/11.jpg)
ePolicy-based Privacy (consumer signs-off)
Privacy Policy
Personal Health Records (including IIHI)
Request (based on criteria)
Data filtered (rules)
The consumer signs-off on the consent policy as available.
Direct Care Research
Diagnosis Administrator
Consumer
Agrees
![Page 12: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/12.jpg)
Consumer sign-off
![Page 13: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/13.jpg)
The Role of ePolicy for eConsent
Privacy Consent Directives
Consumer
Maintain
National, Local, Organizational Policy
Use/lookup
![Page 14: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/14.jpg)
Policies and rules - Analysis
National
State
Organization
Consumer adds privacy consent directive
Collect, Access, Use, Disclose
![Page 15: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/15.jpg)
Sample Consumer Preferences Web Portal
Policy Rule Sets (Venn Diagram, regions numbered 1 to 4)
![Page 16: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/16.jpg)
I disallow restricted info to be accessed by administrators for any purpose
I allow restricted info to be accessed by direct care providers for treatment
![Page 17: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/17.jpg)
Policy and Consent Directives
Runtime Rules Engines
Platform-specific Rules
Platform-independent, standard-based, interoperable, harmonized
Consent Directives
Privacy Policies
HL7 Standard
Common Terminology
![Page 18: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/18.jpg)
Policy and Consent Directives
Runtime Rules Engines
HL7 Standard
eConsent <XML> instances
ePolicy <XML> instances
XSD for ePolicy and eConsent (XML Schemas)
XACML policy rules
ODRL policy rules
XrML policy rules
Platform-independent, standard-based, interoperable, harmonized
![Page 19: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/19.jpg)
Interoperable, standard-based, automated privacy protection
ePolicy<XML>instance
National Jurisdiction
ePolicy<XML>instance
State/Province/Local Jurisdiction
Consumer’s Consent Directives
eConsent<XML>instance
![Page 20: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/20.jpg)
ePolicy synchronization
Automatic notification/publication of new privacy rules between jurisdictions
National Jurisdiction
ePolicy<XML>instance
State/Province Jurisdiction
![Page 21: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/21.jpg)
Manage Electronic Privacy Policy (ePolicy)
![Page 22: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/22.jpg)
Actors (stakeholders)
Consenter
responsible for maintaining privacy policies
A patient is a consumer who receives medical services
Responsible for maintaining privacy policies
![Page 23: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/23.jpg)
Evaluation Engine
![Page 24: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/24.jpg)
= Policy Rule Elements = Constraint Catalog
Sensitive
![Page 25: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/25.jpg)
![Page 26: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/26.jpg)
ePolicy used in Personal Health Records
Information references the privacy policy or category type
• Like confidentialityCode
confidentialityCode
RESTRICTED
HIV-RELATED
Discharge Summary
![Page 27: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/27.jpg)
eConsent Structure
![Page 28: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/28.jpg)
![Page 29: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/29.jpg)
eConsent Override
![Page 30: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/30.jpg)
![Page 31: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/31.jpg)
Vocabulary proposals
Additional coversheets/proposals
Completed Proposal
ISO 13606 Part 4: Functional roles
New Proposal
![Page 32: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/32.jpg)
Terminology - 1
[Slide table: terminology items labelled CBCC WG or Security WG]
Condition may be redundant re: purpose
![Page 33: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/33.jpg)
Obligation, Condition, and Purpose
Obligation Code
• Action that is required to receive the permission specified in the privacy rule
Condition Code
• Prerequisite for a permission to collect, access, use, or disclose personal health records (e.g. trusted computing environment).
Purpose Code
• It specifies the purpose of allowing or denying a permission.
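An added example, not part of the original slides or of any HL7 specification: a minimal evaluator that applies the two sample consumer directives from the web portal slide and shows where the purpose, condition and obligation codes enter the decision. The rule fields, the deny-overrides and default-deny behaviour, the role and purpose strings, and the `log-access` obligation are assumptions made for illustration; provider override is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str           # "permit" or "deny"
    role: str             # recipient role; "*" matches any role
    purpose: str          # purpose code; "*" matches any purpose
    confidentiality: str  # confidentialityCode the rule applies to
    operation: str        # collect, access, use or disclose
    condition: str = ""   # prerequisite that must hold for a permit
    obligation: str = ""  # action the recipient must perform when permitted

# Constructed directives mirroring the two sample consumer preferences.
DIRECTIVES = [
    Rule("deny", "administrator", "*", "RESTRICTED", "access"),
    Rule("permit", "direct-care-provider", "treatment", "RESTRICTED", "access",
         condition="trusted-computing-environment", obligation="log-access"),
]

def _matches(rule, req):
    return (rule.role in ("*", req["role"])
            and rule.purpose in ("*", req["purpose"])
            and rule.confidentiality == req["confidentiality"]
            and rule.operation == req["operation"])

def evaluate(req, rules=DIRECTIVES):
    """Return (decision, obligations); deny overrides permit, no match is deny."""
    hits = [r for r in rules if _matches(r, req)]
    if any(r.effect == "deny" for r in hits):
        return "deny", []
    # A permit only counts if its condition is present in the request context.
    permits = [r for r in hits
               if not r.condition or r.condition in req.get("context", ())]
    if not permits:
        return "deny", []
    return "permit", sorted({r.obligation for r in permits if r.obligation})

def request(role, purpose, context=()):
    # Helper building a constructed access request for RESTRICTED information.
    return {"role": role, "purpose": purpose, "confidentiality": "RESTRICTED",
            "operation": "access", "context": tuple(context)}
```

A permit that carries an obligation is only half of the decision: the caller has to enforce the returned obligations, otherwise the rule is weaker than the consumer intended.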
![Page 34: Electronic Data Consent and Electronic Privacy Policy Domain Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062806/56814f36550346895dbcd381/html5/thumbnails/34.jpg)
Terminology – 2
[Slide table: terminology items labelled CBCC WG or Security WG]