Enabling Privacy by Design in Medical Records Sharing

The process and policy Modelling Framework, as described by the methodology, involves the collaboration of Business Analysts and Developers. Figure 16.2 shows the framework at work.

Developers can model processes in Section A by using a set of Business Process Model and Notation (BPMN)⁴³ modelling elements that can be dragged and dropped from Section B. They will need to input some configuration parameters in the Properties tab shown in Section C to make it executable. Once deployed, the processes become automatically executable to manage organisations’ data. The Modelling Framework is implemented by extending the Activiti Designer⁴⁴ with a set of new constructs called Custom Tasks to provide a comprehensive set of elements and to facilitate process modelling. Custom tasks are extensions to the standard BPMN 2.0 elements and a subset of them is shown in Fig. 16.3.

Each of the introduced custom tasks has a specific name, icon and behaviour. The set of custom modelling elements has been introduced to simplify the development of specific CHINO processes that implement data management operations. Namely, each of the custom tasks can be used either to reply to the requester with a specific and predefined message or to interact with the platform internal components.⁴⁵ They are used to define how patients’ personal information is disclosed to, and managed by CHINO and how it is disclosed to other institutions and users. A subset of custom elements is described below:

The following subsection shows how these elements were used within a process example to implement an operation according to identified requirements.

Here we show an example of a process that is executed inside the CHINO platform to implement an operation over data. We analyse in particular the Get Record operation that is invoked when a medical record is requested by an organisation. The process model in Fig. 16.4 (simplified for readability reason) has been implemented according to policies extracted from HIPAA legislation and listed in section 3.​1.

It starts by checking the request message content to ensure that the request contains all the mandatory data. According to policies P1, P2 and P3 from Section 3.​1, the request needs to be authorised, it needs to access only to the data the requester is entitled to access for that specific task and, all actions need to be logged. If the requester does not have the required access rights, the process will ask for approval to the record owner. Under HIPAA, usually personal doctors approve requests to data on behalf of the patients. Therefore, the process will wait for approval soliciting the doctor periodically. In case of approved request, the process retrieves the requested record from a local record store. The record store could be also remote in case this is mandated by guidelines for EHR creation or laws.⁴⁸ Once retrieved the record, the process needs to satisfy the proportionality principle that is one of the most important principles identified by Data Protection legislations and that needs to be tackled in combination with the principles of necessity and purpose limitation.⁴⁹ To satisfy those requirements, the process invokes the Apply Filtering Policies element that filters the data that is not necessary for that requestor for that specific purpose of access. The filtering policies are defined by record owners or entities responsible for record management (e.g. Data Controllers).⁵⁰ The record is then returned to the requestor replying to Get Record request. In case of request denied, a negative response is returned to the requester, while in case of timeout (neither positive nor negative response) a timeout message is returned. Finally in case something went wrong, an error message is returned.

The proposed process based approach is able also to manage easily the exceptional cases in which data subjects are under a certain age threshold or the records are about mental problems and should not be disclosed to the subjects. The defined processes are then deployed and executed in the CHINO Platform.

Following the CHINO methodology, once processes are defined (Step 4), they are deployed and executed inside the shared execution environment (Step 5). CHINO platform provides the execution environment and a set of internal components to manage data and rules. The platform is also responsible for technical aspects such as reliability, scalability, and secure communication with external systems.⁵¹

The platform prototype has been developed and tested by integrating it with a popular medical record system called OpenMRS (www.​openmrs.​org) and by developing the doctor consultation use case according to Italian and UK legislations. We defined data sharing processes in compliance to Italian and UK legislations and executed them inside CHINO to demonstrate that with CHINO, organisations are able to share medical records while being compliant with privacy legislations and while satisfying their internal business requirements.⁵² This scenario demonstrated also how CHINO can enable cross-border and cross-legislation medical data sharing, according to Directive 2011/24/UE.

Next subsection shows how we analysed legislations in this work and how we tested process modelling with developers.

According to the CHINO methodology, Business Analysts and Developers should be able to define the processes in compliance to the identified requirements by using the Modelling Framework. To test these assumptions and the Modelling Framework usability, we performed a user study with a group of nine developers that had preliminary knowledge about process modelling with the standard BPMN Activiti Designer.⁵³ With the user study we tried to understand if the requirements identified at Steps 1, 2 and 3 can be mapped into business processes at Step 4. The users where chosen among master students and employees of the University of Trento. The analysis was based on notions from the Interaction Design (ID) studied in Human Computer Interaction (HCI) discipline and applying the usability testing methodology called Think Aloud.⁵⁴ According to it, the standard usability test is performed recording users’ performance on an assigned task. In our test we showed to users a document explaining the CHINO framework, the Immunisation scenario and a list of identified requirements. We monitored and stimulated them to speak while performing the assigned tasks to analyse their behaviour.

At the end of the test we asked them to fill a questionnaire about overall satisfaction about the assigned tasks which had two types of responses. The first one in a scale from 1 to 7 points where 1 correspond to negative opinion such as Strongly Disagree and 7 to a positive judgement such as Strongly Agree. The second type was in form of open questions. All the numeric questions were mandatory while the open ones were optional. We report some questions while the complete questionnaire including a detailed analysis of results can be found here⁵⁵:

Here we analyse CHINO from the legal point of view and reason about its ability to preserve privacy and data protection rights and to support compliant process definition. We show how CHINO can help in achieving the identified goals by answering in particular to the following two macro-questions:

In order to answer to the first question we summarize here how CHINO technology and, more in general, the process based approach it proposes, can satisfy the set of requirements extracted from the Italian legislation, directives and set of guidelines for the creation of Electronic Health Record (EHR) systems. We start by analysing the set of recommendations of the Art. 29 Data Protection Working Party in Working Document 01/2012 on epSOS, ⁵⁶ and in Working Document on the processing of personal data relating to health in Electronic Health Records (EHR). ⁵⁷ Art. 29 Working Party provides recommendations on several topics emphasising the need for special safeguards in order to guarantee the data protection rights of patients and individuals. Some recommendations include the respect for data subjects’ self-determination and authorisation procedures, security measures, transparency, liability issues and finally, the availability of mechanisms to control the data processing.

As described in the paper, CHINO aims at providing a framework to support the privacy by design approach while providing tools and mechanisms to define data management processes and policies. In such way, CHINO proposes a proactive approach in accordance to the privacy by design principles by providing effective technical and organisational tools for healthcare institutions to consider privacy related aspects during the whole project lifecycle.⁵⁸

Analysing more deeply CHINO with the focus on data protection requirements, it appears to be an appropriate platform for sharing personal and healthcare data also among organizations that belong to different regulatory contexts.⁵⁹ The flexibility provided by business process technology enables users to customize data management processes and data protection strategy according to their requirements.

From the data security point of view, CHINO technology provides the necessary mechanisms to satisfy the security requirements related to healthcare data management in the Italian scenario. In particular, the architectural features and capabilities have been built following the national level guidelines for EHR creation⁶⁰ and international standards such as IHE.⁶¹ Therefore CHINO satisfies the requirements according to Articles 31 and 33ff of the Italian Data Protection Code,⁶² and the release of a Privacy Impact Assessment.⁶³ It implements technical and organisational features to avoid loss or unauthorised alteration, processing and access to data. Furthermore it respects data protection general principles from the Directive 95/46/EC, and in particular the principles of purpose limitation, proportionality, data quality, necessity and the data subject’s rights.

CHINO is able to enforce the explicit consent policy that is defined as the data subjects’ explicit consent on the processing of their data and it is an exemption to the general prohibition to personal data processing, according to European legislation (Art. 8, Directive 95/46/EC).⁶⁴ CHINO access right policies and the assurance mechanism enable data subjects to freely express explicit, specific and informed consent about data sharing. According to the legislation, in special cases data can be processed without consent (e.g. compliance with legal obligations, protect vital interest of data subject, public interests). This is possible in CHINO by defining special conditions on the Check Access Right modelling element. Processes can be also defined to delegate the disclosure of data to data subjects’ personal doctors. Data subjects could also delete and block data sharing (as required for instance by Art. 7, Italian Data Protection Code). Moreover the involved actors are able to receive notifications about the process status, including the requests of access. The updates of wrong data to assure data quality policy according to Italian, European and HIPAA legislations, are done through the Push Record task.