Enabling Privacy by Design in Medical Records Sharing
The CHINO methodology
The steps, as shown in Fig. 16.1, are:
1. The Chief Information Officer identifies the business requirements, describing, for example, the flow of interactions and the tasks to be fulfilled by the different actors or organisations. As in the Immunisation scenario, such requirements are often described in natural language, accompanied by operational models of how the actors interact with each other and with the medical record systems. At this step, domain experts such as doctors and nurses can also be involved in defining the assistance processes and the data that need to be managed and shared.39
2. The Chief Compliance Officer of the organisation identifies the applicable legislation and extracts the compliance requirements, including the security and privacy policies that need to be satisfied. For example, as shown by the use case, the Compliance Officer can define, for each step, which security and privacy policies apply according to the applicable law (national, European and international), and identify the exceptional cases in which data can be disclosed without the patient's authorisation (policy P5 in Section 3.1). Because of the intrinsic complexity of legislation, the Compliance Officer may rely on collaboration and consultation with actors having a legal background to extract all the requirements. This step may involve several interactions between the Compliance and Information Officers to settle the set of information that will be managed, the operations on it, and the set of norms that apply to those operations.
3. The Business Analyst combines the business and compliance requirements into a high-level representation that describes the steps the involved parties should follow.40 The Business Analyst can also annotate this representation with the corresponding security and privacy policies identified at Step 2.41 If necessary, Steps 2 and 3 can be repeated iteratively to refine the policies to be enforced.42
4. The Business Analyst and the System Developer translate the high-level representations into executable business processes and rules. Business processes implement the business logic of data management operations such as Push Record and Get Record. The security and privacy rules incorporated into the business process steps are executed through operations on internal CHINO components.
5. Finally, the resulting executable business processes and rules are deployed and executed in the shared execution environment.
In summary, the CHINO methodology identifies the sequence of steps carried out by multiple stakeholders, from high-level business requirement collection to low-level process execution and policy enforcement. The next subsection presents the technology that supports process modelling.
16.4.2 CHINO Modelling Framework
The process and policy Modelling Framework, as described by the methodology, involves the collaboration of Business Analysts and Developers. Figure 16.2 shows the framework at work.
A screenshot of the CHINO Modelling Framework, based on the Activiti Designer (Activiti BPM Platform, available at activiti.org/)
Developers model processes in Section A using a set of Business Process Model and Notation (BPMN)43 modelling elements that can be dragged and dropped from Section B. To make a process executable, they need to enter some configuration parameters in the Properties tab shown in Section C. Once deployed, the processes become automatically executable to manage organisations' data. The Modelling Framework is implemented by extending the Activiti Designer44 with a set of new constructs called Custom Tasks, which provide a comprehensive set of elements and facilitate process modelling. Custom Tasks are extensions of the standard BPMN 2.0 elements; a subset of them is shown in Fig. 16.3.
A subset of the CHINO Custom Tasks
Each of the introduced Custom Tasks has a specific name, icon and behaviour. The set of custom modelling elements was introduced to simplify the development of the CHINO processes that implement data management operations. Each Custom Task can be used either to reply to the requester with a specific, predefined message or to interact with the platform's internal components.45 They define how patients' personal information is disclosed to and managed by CHINO, and how it is disclosed to other institutions and users. A subset of the custom elements is described below:
C1 – Logging Service is a customisable logging task that logs the process status on the internal Logging component or on an external auditing system. It takes as input a customisable set of information specified by the developers.
C2 – Get Record From Repository retrieves the requested record from the record store. The record store can also be external.46
C3 – Push Record saves a record on the internal record store component.
C4 – Apply Filtering Rules applies purpose-based filtering rules to records, removing the data that is unnecessary for the specified purpose of use.47 This is fundamental to achieving the proportionality principle and satisfying policy P2.
The following subsection shows how these elements are used in an example process to implement an operation according to the identified requirements.
16.4.3 A Process Example
Here we show an example of a process executed inside the CHINO platform to implement an operation over data. In particular, we analyse the Get Record operation, which is invoked when a medical record is requested by an organisation. The process model in Fig. 16.4 (simplified for readability) was implemented according to the policies extracted from the HIPAA legislation and listed in Section 3.1.
The CHINO “Get Record” Process
The process starts by checking the content of the request message to ensure that it contains all the mandatory data. According to policies P1, P2 and P3 from Section 3.1, the request must be authorised, it must access only the data the requester is entitled to access for that specific task, and all actions must be logged. If the requester does not have the required access rights, the process asks the record owner for approval. Under HIPAA, personal doctors usually approve requests for data on behalf of their patients, so the process waits for approval, soliciting the doctor periodically. If the request is approved, the process retrieves the requested record from a local record store; the record store could also be remote where this is mandated by laws or by guidelines for EHR creation.48 Once the record has been retrieved, the process needs to satisfy the proportionality principle, one of the most important principles identified by data protection legislation, which has to be tackled together with the principles of necessity and purpose limitation.49 To satisfy these requirements, the process invokes the Apply Filtering Policies element, which filters out the data that is not necessary for that requester and that specific purpose of access. The filtering policies are defined by the record owners or by the entities responsible for record management (e.g. Data Controllers).50 The record is then returned to the requester in the reply to the Get Record request. If the request is denied, a negative response is returned to the requester; if it times out (neither a positive nor a negative response arrives), a timeout message is returned. Finally, if something goes wrong, an error message is returned.
The proposed process-based approach also makes it easy to manage the exceptional cases in which data subjects are under a certain age threshold, or in which the records concern mental health problems and should not be disclosed to the subjects themselves. The defined processes are then deployed and executed in the CHINO Platform.
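To make the Get Record flow and the Custom Tasks concrete, the following Python sketch is an added example, not CHINO code or an Activiti process: it models the process with stand-ins for C1 (logging), C2 (record retrieval) and C4 (purpose-based filtering). It validates the mandatory request fields, checks access rights, including a declared legal basis for the no-consent exceptions (policy P5), polls an approver callback in place of the periodically solicited doctor, filters the record by purpose of use (policy P2), logs every decision (policy P3) and maps the branches to the returned, denied, timeout and error replies described above. The record store, rule tables, field names, requester identifiers and the approver callback are all constructed for the example.

```python
"""Toy 'Get Record' process in the style described for CHINO.

Added example, not CHINO code: the record store, rule tables, field names
and the approver callback are all constructed here for illustration.
"""
from enum import Enum


class Outcome(Enum):
    RETURNED = "record returned"
    DENIED = "request denied"
    TIMEOUT = "approval timeout"
    ERROR = "error"


# Constructed sample record store (stands in for the C2 / C3 record store).
RECORD_STORE = {
    "patient-001": {
        "name": "Jane Doe",
        "dob": "1980-01-01",
        "address": "1 Example Street",
        "insurance_id": "INS-123",
        "vaccinations": ["MMR", "Tdap"],
        "diagnoses": ["hypertension"],
        "lab_results": ["HbA1c 5.4%"],
    }
}

# Purpose-based filtering rules (C4 analogue): the fields each purpose may see.
FILTERING_RULES = {
    "immunisation": {"name", "dob", "vaccinations"},
    "treatment": {"name", "dob", "vaccinations", "diagnoses", "lab_results"},
    "billing": {"name", "insurance_id"},
}

# Access rights granted by consent: (requester, record) -> permitted purposes.
ACCESS_RIGHTS = {("dr-smith", "patient-001"): {"treatment", "immunisation"}}

# Legal bases under which data may be processed without consent (policy P5).
LEGAL_EXCEPTIONS = {"vital_interest", "legal_obligation", "public_health"}

AUDIT_LOG = []  # C1 analogue: every decision is appended here (policy P3).


def log(event, **fields):
    AUDIT_LOG.append({"event": event, **fields})


def validate_request(req):
    """Return None if the request carries all mandatory data, else a reason."""
    missing = {"requester", "record_id", "purpose"} - set(req)
    if missing:
        return "missing mandatory fields: " + ", ".join(sorted(missing))
    if req["purpose"] not in FILTERING_RULES:  # unknown purpose: deny by default
        return "unknown purpose of use: " + req["purpose"]
    return None


def check_access_right(req):
    """Consent-based access (policy P1) or a declared legal exception (P5)."""
    if req.get("legal_basis") in LEGAL_EXCEPTIONS:
        log("legal_exception", requester=req["requester"], basis=req["legal_basis"])
        return True
    allowed = ACCESS_RIGHTS.get((req["requester"], req["record_id"]), set())
    return req["purpose"] in allowed


def apply_filtering_rules(record, purpose):
    """Keep only the fields the purpose needs (proportionality, policy P2)."""
    keep = FILTERING_RULES[purpose]
    return {k: v for k, v in record.items() if k in keep}


def get_record(req, approver=None, max_polls=3):
    """Run the process and return (Outcome, payload).

    `approver` mimics the record owner's doctor: it is called once per poll
    and returns True (approve), False (deny) or None (no answer yet).
    """
    try:
        reason = validate_request(req)
        if reason:
            log("rejected", reason=reason)
            return Outcome.ERROR, reason
        log("request", **{k: req[k] for k in ("requester", "record_id", "purpose")})
        if not check_access_right(req):
            decision = None
            for poll in range(max_polls):  # solicit the doctor periodically
                decision = approver(req) if approver else None
                log("approval_poll", poll=poll, decision=decision)
                if decision is not None:
                    break
            if decision is None:
                return Outcome.TIMEOUT, None
            if decision is False:
                return Outcome.DENIED, None
        record = RECORD_STORE.get(req["record_id"])
        if record is None:
            return Outcome.ERROR, "record not found"
        filtered = apply_filtering_rules(record, req["purpose"])
        log("returned", requester=req["requester"], fields=sorted(filtered))
        return Outcome.RETURNED, filtered
    except Exception as exc:  # anything unexpected becomes an error reply
        log("error", detail=repr(exc))
        return Outcome.ERROR, repr(exc)
```

Deny by default is the design choice worth noticing: a purpose with no filtering rule is rejected before any data is touched, and a requester without a matching consent entry or declared legal basis never reaches the record store unless the approver answers yes within the polling window. Every branch, including the legal-basis shortcut, leaves an entry in the audit log, which is what a Compliance Officer would inspect.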
16.4.4 CHINO Platform
Following the CHINO methodology, once the processes are defined (Step 4), they are deployed and executed inside the shared execution environment (Step 5). The CHINO platform provides the execution environment and a set of internal components to manage data and rules. The platform is also responsible for technical aspects such as reliability, scalability, and secure communication with external systems.51
The platform prototype was developed and tested by integrating it with a popular medical record system, OpenMRS (www.openmrs.org), and by developing the doctor consultation use case according to Italian and UK legislation. We defined data sharing processes compliant with Italian and UK legislation and executed them inside CHINO to demonstrate that, with CHINO, organisations are able to share medical records while complying with privacy legislation and satisfying their internal business requirements.52 This scenario also demonstrated how CHINO can enable cross-border and cross-legislation medical data sharing, according to Directive 2011/24/EU.
The next subsection shows how we analysed the legislation in this work and how we tested process modelling with developers.
16.4.5 The Usability Validation
According to the CHINO methodology, Business Analysts and Developers should be able to define processes compliant with the identified requirements by using the Modelling Framework. To test this assumption and the usability of the Modelling Framework, we performed a user study with a group of nine developers who had preliminary knowledge of process modelling with the standard BPMN Activiti Designer.53 With the user study we tried to understand whether the requirements identified at Steps 1, 2 and 3 can be mapped into business processes at Step 4. The users were chosen among master's students and employees of the University of Trento. The analysis was based on notions from Interaction Design (ID) as studied in the Human Computer Interaction (HCI) discipline, applying the usability testing methodology called Think Aloud.54 According to it, the standard usability test is performed by recording users' performance on an assigned task. In our test we showed users a document explaining the CHINO framework, the Immunisation scenario and a list of identified requirements. We monitored them and encouraged them to speak while performing the assigned tasks, in order to analyse their behaviour.
At the end of the test we asked them to fill in a questionnaire about their overall satisfaction with the assigned tasks, which had two types of responses. The first was a scale from 1 to 7 points, where 1 corresponds to a negative opinion such as Strongly Disagree and 7 to a positive judgement such as Strongly Agree. The second type was in the form of open questions. All the numeric questions were mandatory, while the open ones were optional. We report some of the questions here; the complete questionnaire, including a detailed analysis of the results, can be found here55:
“Overall, I am satisfied with the ease of completing the exercise in this scenario.”
“I was able to complete the exercise quickly using this system.”
“This system has all the functions and capabilities I needed.”
“It was easy to understand the concepts introduced by this framework.”
“How do you rate the overall experience with the CHINO Modelling?”
16.4.5.1 Study Results
To evaluate the responses to each question we calculated the mean ($\mu_n$) and the variance ($\sigma_n^2$), where the first coefficient expresses the positive or negative opinion of the users, while the second represents the level of disagreement among users.
The tests showed a positive impression of the Modeller after it had been used a few times. However, when users used it for the first time, some differences of opinion emerged. Only two users expressed overall negative feedback about their performance; however, since they were able to perform their tasks, this does not represent an important limitation, although it suggests that we should consider developing a strategy to train new users.
An example of positive feedback from the open questions is:
I am comfortable with the diagrams because they really represent the information which is held in hospitals.
And also some negative feedback:
The framework, as I said, is easy to use, but anyway I had some problems of stability during the usage, so for this reason, relative to the question of whether I would recommend this tool to others, the real answer is yes, but…
The stability issues are related to the Activiti Designer and not to our specific extension; they are just a matter of software maturity, since the Activiti project is frequently updated with newer versions.
Overall, the study gave us important feedback about Custom Task usability and suggested some improvements, especially regarding the explanation of their usage. Other suggestions included the need for a better explanation of how combinations of different tasks can be used to achieve a specific goal. In conclusion, the tests showed a satisfactory usability level of the Modelling Framework and demonstrated that users were able to transpose requirements into processes, while underlining the need for minor improvements to the CHINO platform.
The tests validated the technical usability and feasibility of the CHINO approach; the next section analyses how CHINO achieves privacy law compliance.
16.5 Privacy Law Compliance with CHINO
Here we analyse CHINO from the legal point of view and reason about its ability to preserve privacy and data protection rights and to support compliant process definition. We show how CHINO can help in achieving the identified goals by answering, in particular, the following two macro-questions:
1. Whether CHINO provides technological elements (modeller, modelling elements, internal components) to support the development of privacy-law-compliant healthcare data management processes and policies.
2. Whether the CHINO process-based approach could facilitate the tasks (emphasised in Fig. 16.5) of process and policy approval or verification. These activities are typically carried out before going into production, or at runtime in the case of legally motivated inspections by Compliance Officers.
CHINO Methodology with the focus on compliance inspections and verifications
In order to answer the first question, we summarise here how CHINO technology and, more generally, the process-based approach it proposes can satisfy the set of requirements extracted from the Italian legislation, directives and guidelines for the creation of Electronic Health Record (EHR) systems. We start by analysing the recommendations of the Art. 29 Data Protection Working Party in Working Document 01/2012 on epSOS56 and in the Working Document on the processing of personal data relating to health in Electronic Health Records (EHR).57 The Art. 29 Working Party provides recommendations on several topics, emphasising the need for special safeguards to guarantee the data protection rights of patients and individuals. Its recommendations include respect for data subjects' self-determination and authorisation procedures, security measures, transparency, liability issues and, finally, the availability of mechanisms to control the data processing.
As described in the paper, CHINO aims to provide a framework that supports the privacy by design approach, with tools and mechanisms to define data management processes and policies. In this way, CHINO proposes a proactive approach in accordance with the privacy by design principles, by providing healthcare institutions with effective technical and organisational tools to consider privacy-related aspects during the whole project lifecycle.58
Analysing CHINO more deeply with a focus on data protection requirements, it appears to be an appropriate platform for sharing personal and healthcare data, also among organisations that belong to different regulatory contexts.59 The flexibility provided by business process technology enables users to customise data management processes and the data protection strategy according to their requirements.
From the data security point of view, CHINO technology provides the mechanisms needed to satisfy the security requirements related to healthcare data management in the Italian scenario. In particular, the architectural features and capabilities were built following the national guidelines for EHR creation60 and international standards such as IHE.61 CHINO therefore satisfies the requirements of Articles 31 and 33ff of the Italian Data Protection Code,62 and those concerning the release of a Privacy Impact Assessment.63 It implements technical and organisational features to prevent the loss of data and its unauthorised alteration, processing and access. Furthermore, it respects the general data protection principles of Directive 95/46/EC, in particular the principles of purpose limitation, proportionality, data quality and necessity, and the data subject's rights.
CHINO is able to enforce the explicit consent policy, defined as the data subjects' explicit consent to the processing of their data, which is an exemption from the general prohibition on personal data processing under European legislation (Art. 8, Directive 95/46/EC).64 CHINO access right policies and the assurance mechanism enable data subjects to freely express explicit, specific and informed consent about data sharing. According to the legislation, in special cases data can be processed without consent (e.g. compliance with legal obligations, protection of the vital interests of the data subject, public interests). This is possible in CHINO by defining special conditions on the Check Access Right modelling element. Processes can also be defined to delegate the disclosure of data to the data subjects' personal doctors. Data subjects can also delete data and block data sharing (as required, for instance, by Art. 7 of the Italian Data Protection Code). Moreover, the involved actors are able to receive notifications about the process status, including requests for access. The correction of wrong data, required by the data quality policy under Italian, European and HIPAA legislation, is done through the Push Record task.