Documente Academic
Documente Profesional
Documente Cultură
ABSTRACT 1. INTRODUCTION
In this paper, we consider the challenge of preserving patient Healthcare information technology (IT) has huge poten-
privacy in the context of mobile healthcare and home-care tial to improve healthcare quality, improve efficiency, and
systems, that is, the use of mobile computing and commu- reduce cost, and is currently on the cusp of major innova-
nications technologies in the delivery of healthcare or the tions and widespread deployment in the US and elsewhere.
provision of at-home medical care and assisted living. This In this paper, we specifically examine the role of mobile
paper makes three primary contributions. First, we compare computing and communications technologies. Such mHealth
existing privacy frameworks, identifying key differences and technology [25] appears promising in many ways: enabling
shortcomings. Second, we identify a privacy framework for physicians to remotely monitor their patients health and
mobile healthcare and home-care systems. Third, we ex- improve the quality of healthcare, enabling patients to man-
tract a set of privacy properties intended for use by those age their health more easily, enabling home-care providers
who design systems and applications for mobile healthcare to provide better quality at-home medical care to elders and
and home-care systems, linking them back to the privacy reducing the cost of care by allowing patients to spend more
principles. Finally, we list several important research ques- time out of the hospital. Furthermore, the UN Foundation
tions that the community should address. We hope that has recently formed the mHealth Alliance specifically to ex-
the privacy framework in this paper can help to guide the plore and promote the value of mobile computing technolo-
researchers and developers in this community, and that the gies in improving healthcare in developing nations [35].
privacy properties provide a concrete foundation for privacy- In mHealth, personal mobile devices (such as smart phones)
sensitive systems and applications for mobile healthcare and accompanied by wearable, portable, and even embeddable
home-care systems. sensors, will enable long-term continuous medical monitor-
ing [5, 21, 36] for many purposes: for outpatients with
Categories and Subject Descriptors chronic medical conditions (such as diabetes), individuals
seeking to change behavior (such as losing weight), physi-
A.1 [General]: Introductory and Survey; J.3 [Computer cians needing to quantify and detect behavioral aberrations
Applications]: Life and Medical SciencesMedical Infor- for early diagnosis (such as depression), home-care providers
mation Systems, Health; K.4.1 [Computers and Society]: needing to track movements of elders under their care in or-
Public Policy IssuesPrivacy der to respond quickly to emergencies (e.g., an elder may
have fallen down) or athletes wishing to monitor their con-
General Terms dition and performance. In this paper, we use the term Pa-
Security, Legal Aspects, Human Factors tient to describe the subject of sensing in all such use cases.
We expect that tomorrows personal mobile devices will con-
Keywords tain the technology and applications needed to process sen-
sor data and enable their appropriate use. The resulting
privacy framework, medicine, electronic health record, home data may be used directly by the Patient [1, 2, 37] or may
healthcare, mobile healthcare, mhealth, e-health, HIPAA be shared with others: with a physician for treatment [33],
with an insurance company for coverage, with a home-care
Acknowledgements provider for elder-care, with a scientist for research [12, 30],
Supported by Intel Corporation and by NSF Trustworthy with a coach for athletic training [4], or with family mem-
Computing award 0910842. Thanks also to the reviewers. bers and friends in social-networking communities targeted
towards health and wellness.
Although mHealth systems have huge potential to im-
prove quality of healthcare and to improve quality of life,
Permission to make digital or hard copies of all or part of this work for they also generate new security and privacy issues [23]. The
personal or classroom use is granted without fee provided that copies are technology goal should be to develop usable devices that re-
not made or distributed for profit or commercial advantage and that copies
spect patient privacy while also retaining the data quality
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific and accessibility required for the medical uses of the data.
permission and/or a fee. In this paper, we focus on privacy; specifically, we wish to
SPIMACS09, November 13, 2009, Chicago, Illinois, USA. give the patient control over the data that is collected and
Copyright 2009 ACM 978-1-60558-790-5/09/11 ...$10.00.
to whom it is disclosed, and enable the patient to recognize
that different situations may require different responses. In- ecosystem support:
policymakers
deed, we note that control, not possession or ownership, is certification bodies
manufacturers
fundamental to privacy. Privacy means that the patient re- distribution & management
public-key infrastructure
tains some control even when the data is owned by another
party (as is common in medical records maintained by a hos-
pital) and even after a copy of the data has been provided
to another party (as when billing records are shared with an Health
Records
insurance company). Security issues generated by mHealth System(s)
Patient
systems are beyond the scope of this paper.
Although the term mHealth applies broadly to the use of Server Consumer
HPP8. Health care organizations should use an objective BP4. Employees control access to and use of the
and balanced process to review the use and disclo- PHR. A. Employees should control who is al-
sure of personally identifiable health information lowed to access their PHRs. Employers should not
for research. access or use employees individually-identifiable
health information from the PHR. B. Employ-
HPP9. Health care organizations should not disclose per- ees should choose, without condition, whether to
sonally identifiable health information to law en- grant access to personal health information within
forcement officials, absent a compulsory legal pro- their PHRs for any secondary uses. An audit
cess, such as a warrant or court order. trail that shows who has accessed the PHR should
be easily available to employees.
HPP10. Health privacy protections should be implemented
in such a way as to enhance existing laws prohibit- BP5. Employees can designate proxies to act on
ing discrimination. their behalf. Employees should determine who,
including family members and caregivers, should healthcare information exchange [24]. The Common Frame-
have direct access to their PHRs on their behalf. work (CF) describes both policy and technical principles for
Where possible, employees should be able to grant healthcare information exchange, and provides concrete pro-
proxy access to full or partial information in their totypes of each: everything from patient consent forms to
PHRs, including access in emergency circumstances. data-interchange formats and information architecture. The
Employees should also have the ability to revoke Center for Democracy & Technology later endorsed the pol-
access privileges. icy aspects of the Common Framework in their own policy
document [8]. We quote the top-level description of the CF
BP6. Chain of trust: Information policies ex- principles here.
tend to business partners. The information
policies and practices of employer-sponsored PHRs CF1. Openness and transparency: Consumers should
should follow the data through chain of trust agree- be able to know what information has been col-
ments that require business partners to adhere to lected about them, the purpose of its use, who
the employers applicable policies and practices. can access and use it, and where it resides. They
BP7. Data security. Employers should provide a strong should also be informed about how they may ob-
level of security to safeguard the information in tain access to information collected about them
the PHR systems. A robust authentication pro- and how they may control who has access to it.
cess for access to PHRs should be required, in
CF2. Purpose specification: The purposes for which
addition to an audit trail that shows who has ac-
personal data are collected should be specified at
cessed information and when.
the time of collection, and the subsequent use
BP8. Data management. Employers should ensure should be limited to those purposes, or others
that the PHR systems they provide have compre- that are specified on each occasion of change of
hensive data management strategies that protect purpose.
the integrity of the data and include data reten-
CF3. Collection limitation and data minimiza-
tion policies.
tion: Personal health information should only be
BP9. Enforcement and remedies. Employers should collected for specified purposes and should be ob-
establish oversight and accountability mechanisms tained by lawful and fair means. The collection
for adhering to their PHR policies and practices. and storage of personal health data should be lim-
Employers should put into place a mechanism to ited to that information necessary to carry out
promptly notify employees of any inappropriate the specified purpose. Where possible, consumers
access to or use of information contained in an em- should have the knowledge of or provide consent
ployees PHR, identify the steps which have been for collection of their personal health information.
taken to address the inappropriate activity, and
make resources available to employees to assist CF4. Use limitation: Personal data should not be dis-
them in addressing the effects of the inappropri- closed, made available, or otherwise used for pur-
ate activity. poses other than those specified.
BP10. Portability. Employers should offer PHRs that CF5. Individual participation and control: Con-
are portable, to the extent feasible, allowing em- sumers should be able to control access to their
ployees to maintain or move the PHR and/or the personal information. They should know who is
data it contains even after employment or cover- storing what information on them, and how that
age ends or changes. information is being used. They should also be
able to review the way their information is being
We note that the ONC Framework largely covers these used or stored.
practices. There are some aspects specific to PHR systems,
such as Patient-entered data (BP3) and portability (BP10). CF6. Data quality and integrity: All personal data
There are some aspects specific to employer-provided sys- collected should be relevant to the purposes for
tems, such as Education (BP2). BP5 mentions the concept which they are to be used and should be accurate,
of a proxy, which is not mentioned by any of the other complete, and up-to-date.
frameworks, except ONC4 (in the details). The chain of
trust concept (BP6) is more explicit than in any of the pri- CF7. Security safeguards and controls: Reason-
vacy frameworks, except the HPPs own earlier framework able safeguards should protect personal data against
(see HPP2). There is explicit mention of the requirement to such risks as loss or unauthorized access, use, de-
notify the Patient of any inappropriate disclosure (BP9); the struction, modification, or disclosure.
ONC Framework only mentions such notice in its detailed CF8. Accountability and oversight: Entities in con-
comments, and only as an example of a reaction and not as trol of personal health information must be held
a requirement. The Common Framework (below) mentions accountable for implementing these principles.
a similar requirement in its detailed comments about CF7.
CF9. Remedies: Remedies must exist to address se-
3.4 Markle: Common Framework (2008) curity breaches or privacy violations.
The Markle Foundation launched a project Connecting
for Health, which brought together a wide range of stake- The ONC Framework covers all these principles. CF1 is
holders in developing a Common Framework, a model for covered by ONC3 (Openness and transparency), and ONC1
(Individual access). CF2 is covered by ONC5 (Collection, low you to decide if your data can be collected,
use, and disclosure notification) and ONC1. CF3 is covered displayed, accessed, stored, released or disclosed.
by ONC5 and ONC4 (Individual choice). CF4 is covered by
ONC5. CF5 is covered by ONC1 and ONC4. CF6 is cov- CCHIT2. Controlling Access to your Information. Your
ered by ONC6 (Data quality and integrity). CF7 is covered PHR should give you the ability to decide what
by ONC7 (Safeguards). CF8 is covered by ONC8 (Account- information is private and to restrict access to it.
ability). CF9 is covered by ONC8 and ONC2 (Correction). Your PHR provider must get your permission to
Furthermore, we see little in the ONC principles that is gather or disseminate any information about you.
not covered in the Common Framework, except that ONC1 You also decide who else can view information in
provides more explicit statement that Patients should have your PHR, and limit the types of information that
an easy method to obtain their PHI, ONC2 provides an can be viewed.
explicit statement that Patients should be able to correct
CCHIT3. Conditions of Use. The conditions for using
mistakes in their records, ONC3 explicitly states openness
your PHR should be explicitly explained to you,
about policies and technologies, and ONC4 emphasizes that
and you have the right to challenge your PHR
Patients should be able to make informed choices.
provider if it does not comply with the conditions
[As an aside, we note that it may be difficult to decide
of use. If conditions of use are changed, your PHR
how and whether to provide Patients with the capability to
provider is required to notify you of the changes.
edit, annotate, and delete PHI in their record. The right
policy depends on the type of record; a PHR, for example, CCHIT4. Amending the Record. You should have the
allows a Patient to upload their own PHI, may allow them to ability to change or request changes to your health
annotate PHI give by a healthcare provider, and may allow record via email or telephone, and the telephone
them to delete data they have entered or whole sections of number of customer service must be posted on the
data (e.g., all the data from a given provider). An EHR, Web site of your PHR provider.
however, forms part of the official records of a healthcare
organization and must necessarily be more strict. A Patient CCHIT5. Account Management. Your PHR provider
might request annotations or even deletions; such changes must have a way for you to terminate your ac-
would be subject to provider approval and be marked as count, if you wish, and to confirm that all your
Patient-initiated; deleted data may be retained for recovery personal data has been deleted from the system.
under certain override conditions (such as an audit). The
right policies are a delicate balance of Patient rights, legal CCHIT6. Document Import. Your PHR system should
limits, and provider operational necessities. In general, our be able to retrieve health records, explicitly label
position is that providers should honor such requests unless and manage your personal health information and
there is a good reason not to do so.] be able to distinguish between data entered by
In a few cases, the ONC framework allows more flexibility, you and data retrieved from other sources.
suggesting rather than requiring. For example, CF5 bluntly
CCHIT7. Data Availability. Your system should allow
states that consumers should be able to control access to
you to view or print your health information when-
their personal information; ONC4 (individual choice) al-
ever you need it.
lows significant flexibility, only requiring that individuals
should be provided a reasonable opportunity for choice,
It is instructive to compare these criteria with the HPP
and (in the details) that the degree of choice available may
Best Practices for PHR systems, since both attempt to cover
vary. . . .
the same ground. CCHIT1 (consent) is covered by BP3
We believe that the Common Framework is a crisper state-
(choose which content), BP4 (control access), and BP1 (trans-
ment of the important principles; it is also more explicit in
parency). CCHIT2 (control) is similar to BP4 (control).
emphasizing that data should be used only for the purpose
CCHIT3 (conditions of use) is similar to BP1 (transparency
for which it was collected, and that Patients should have
and notice). CCHIT4 (amending) is mentioned by BP3, al-
control over what is collected and to whom the data may be
though BP3 calls it annotating rather than amending,
disclosed.
which in some contexts may be an important difference.
3.5 CCHITs certification criteria (2008) CCHIT5 (the ability to delete your account) is not cov-
ered by any HPP Best Practice, which is an interesting
The Certification Commission for Healthcare Information
omission. CCHIT6 (document import) is about capabil-
Technology (CCHIT) is a non-profit organization that cer-
ity (ability to import documents) and about distinguishing
tifies healthcare information systems, and they recently re-
user-entered data from provider data (which is mentioned
leased their certification criteria for PHRs. Although it ap-
by BP3). CCHIT7 (availability) is not covered by any HPP
pears that they have a process in place to determine these
Best Practice, even BP8 (data management).
criteria, and that the process may enable and encourage up-
There are many of HPPs Best Practices that do not ap-
dates to the criteria, we quote the current list of criteria as
pear in the CCHIT criteria. In particular, BP1 is more spe-
published in a booklet copyrighted in 2008 [7].
cific than CCHIT3 about the presentation and quality of the
CCHIT1. Consent. You should be in control of your per- terms and notification, BP2 (education of the user) is not
sonal health information and how it is used. PHRs covered, BP3 is more clear that sources of data should be
that meet certification requirements must include clearly identified, BP4 precludes employer use of employee
safeguards that require you to give your explicit PHR data, BP4 requires an audit trail and that the au-
consent before your account is opened, or allow dit trail be easily available, BP5 allows the designation of
you to opt out of the service. It also must al- proxies, BP6 requires the chain of trust in which privacy
policies follow the data to other business partners, BP7 re- principles. These definitions build on their earlier work, a
quires strong mechanisms for security, access control, and Privacy Framework [17], although that document is mostly
access logs, BP8 requires data-integrity policies and mech- focused on an architecture for services and capabilities in
anisms, BP9 requires notice and assistance in the event of handling personal information throughout its life cycle. It
a data breach, and BP10 requires PHR portability to new does little, specifically, to generate a precise set of principles.
employers. None of these aspects many of which we be- The Health Information Trust Alliance (HITRUST) re-
lieve are important properties are covered by the CCHIT leased a security framework for healthcare in March 2009,
criteria, leading us to the opinion that the CCHIT Criteria but it is available only to member organizations and only for
are too weak and should be strengthened. a fee [19]. Little information is available about this frame-
Similarly, the CCHIT criteria fall short of the ONC frame- work and it is not clear whether it includes a comprehensive
work. ON3 (openness and transparency) is covered some- set of privacy principles.
what by CCHIT3 (conditions of use), but not the require-
ment (stated in the details) for access to an audit log. ONC4 4. AN MHEALTH PRIVACY FRAMEWORK
(individual choice) says (in the details) that a Patient should
So, after reviewing all those conceptual privacy frame-
be able to designate a proxy, which is not mentioned in the
works, which one do we recommend as the basis for re-
Criteria. ONC5 (collection, use, and disclosure) limits the
search and development in mHealth systems? Both the ONC
collection, use, and disclosure of PHI to the minimum neces-
Framework and the Common Framework (CF) are appeal-
sary for a particular purpose and the Criteria have no such
ing, because both are recent (2008), both are fairly complete,
concept; of course, a PHR is intended to collect PHI more
and both were developed by diverse groups of experts and
widely than an EHR, at the discretion of the Patient, but
stakeholders. We chose to use the Common Framework for
this concept should still apply to the disclosure and use of
four main reasons.
PHR information. ONC6 (data quality and integrity) states
First, the CF more clearly states the fundamental pri-
the obligation of providers to ensure records are complete
vacy principles for healthcare information systems. The
and correct; no such requirement appears in the Criteria.
ONC Framework leaves many important issues to the de-
ONC7 (safeguards) describes security and data-integrity re-
tails, rather than expressing them in the main bullets. In-
quirements, which do not appear in the Criteria. Although
deed, the ONC Framework leaves certain issues implicit.
CCHIT1 says the Patient should be able to challenge the
When privacy is at stake, it is important to be explicit. Sec-
PHR provider if they do not follow their terms of use, the
ond, the ONC Framework is less concrete, leaving flexibility
Criteria have nothing like ONC8 (accountability) that re-
on several principles. We believe it is important to state the
quires the PHR provider to have mechanisms for monitor-
core principles, clearly and simply, and to aim implemen-
ing internal compliance, and for notifying Patients if there
tations at them. Third, the CF has a more Patient-centric
is a data breach. Again, it is our opinion that the CCHIT
viewpoint. Finally, concrete materials accompany the CF
Criteria are too weak and should be strengthened.
principles: everything from patient consent forms to data-
interchange formats and information architecture.
3.6 Others We restate CF principles for completeness.
We have insufficient space here to describe in depth all of
the relevant privacy frameworks. CF1. Openness and transparency
We note with interest an earlier, detailed survey of privacy
principles for healthcare, by Buckovich et al. [6]. Although CF2. Purpose specification
interesting, this 1998 survey pre-dates all of the documents CF3. Collection limitation and data minimiza-
we survey here, even pre-dating HIPAA. tion
The Organization for Economic Co-operation and Devel-
opment (OECD) Guidelines on the Protection of Privacy CF4. Use limitation
and Transborder Flows of Personal Data [27] is an old list
of eight principles that, although not specific to healthcare, CF5. Individual participation and control
has inspired all of the above frameworks.
CF6. Data quality and integrity
The Asia-Pacific Economic Community (APEC) published
a privacy framework, a set of information privacy princi- CF7. Security safeguards and controls
ples, in 2005 [3]. This framework is not specific to health-
care, and is meant more generally for the commercial use CF8. Accountability and oversight
of personal information. One analyst, however, shows that
there are too few details and far too much flexibility in CF9. Remedies
the APEC Framework for it to be useful [31].
The International Security, Trust, and Privacy Alliance We cannot resist the temptation to incorporate a few im-
conducted a 2007 analysis and comparison of several impor- portant principles best described by other frameworks:
tant privacy frameworks from around the world [18]. The From BP3: Patients should be able to annotate the
committee that developed the ONC Framework considered records submitted by others, as well as to enter their
this document in their work. Although not specific to health- own information, with employee-entered data marked
care, this document is helpful because it brings a broad, in- as such.
ternational perspective to privacy frameworks, and attempts
to provide uniform definitions for common terms. Although From BP5: Patients can designate proxies to act on
their final list of definitions are not a set of principles, im- their behalf. [Patients] should determine who, includ-
plicit in these terms are the core concepts of many privacy ing family members and caregivers, should have direct
access to their PHRs on their behalf. Where possible, d. Who has access to their PHI, and under what circum-
[Patients] should be able to grant proxy access to full or stances
partial information in their PHRs, including access in e. When PHI collection purpose (why) changes or access
emergency circumstances. [Patients] should also have (who) changes
the ability to revoke access privileges.
f. How their PHI is used
From BP6: The information policies and practices. . . g. About risks of data collection or disclosure
should follow the data through chain of trust agree- h. About security breaches or PHI misuse
ments that require business partners to adhere to the. . .
applicable policies and practices. P2. Enable patients to review storage and use of their PHI
(CF5)
From ONC1: Patients should have an easy method to a. Review historical records of all information in prop-
obtain their PHI in a readable electronic format. erty P1.
From ONC2: Patients should be able to correct mis- P3. Enable patients to control, through informed consent
takes in their records. (CF1, CF3, CF5, ONC4, BP5),
From ONC3: The system should be open about the a. What PHI will be collected and stored, and in what
policies and technologies in use. contexts
b. When PHI will be collected and stored (allowing pa-
From ONC4: Patients should be able to make informed tients to stop and restart data collection)
choices about what data is collected, how it is used, c. Who will have access to their PHI (including Patient
and to whom it is disclosed. proxies), and in what context
New: the presence of medical sensing devices, or of d. How their PHI may be used, and in what circum-
sensor-data collection, should not be observable by stances
nearby parties (this privacy threat is unique to mHealth). P4a. Enable patients to access their PHI (CF1, ONC1, BP3).
In summary, there are several existing conceptual privacy P4b. Honor patients requests to add, annotate, correct and
frameworks. Each has been developed by experts in the delete their PHI (CF6, ONC2, BP3), where possible.
field, usually by large bodies of diverse stakeholders who
have worked for months or years to examine relevant laws, P5. Provide easy-to-use interfaces for all of the above, in-
documents, and current practices. Many of the above frame- cluding clearly defined terms and a layered presenta-
works have been developed after studying the others, and tion that allows interested users to dig into the details.
thus there is a significant degree of overlap. On the other
P6. Limit collection and storage of PHI (CF3)
hand, there is a surprising degree of difference in the princi-
ples, and some frameworks have notable omissions. There is a. As needed for specified purpose
fairly broad agreement about general principles, but there b. Per limitations of patient consent
is room for reasonable disagreement about the details, in c. Using lawful and fair means
part because there are difficult trade-offs between protect-
ing privacy and providing efficient, effective healthcare. The P7. Limit use and disclosure of PHI to those purposes pre-
NCVHS discussed several of these issues in 2006 [11], and viously specified and consented (CF4, CF7)
revisited some of them in 2008 [26]. We chose the Com- a. Policies should follow PHI as it flows to other entities
mon Framework (CF) as our own working framework for (BP6)
the purpose of research and development, albeit with some
appendages drawn from some of the other frameworks. P8. Ensure quality of PHI (CF6)
a. Ensure data freshness and accuracy when collected
5. PRIVACY PROPERTIES b. Ensure data integrity and completeness during trans-
A high-quality mHealth system should protect privacy mission, processing, and storage
and data integrity, remain available, and be auditable. We c. Ensure authenticity of patient providing input or wear-
derive the following properties from the above privacy prin- ing sensor
ciples (as specified in parentheses below), and add the neces- d. Ensure authenticity and quality of sensors
sary integrity, availability, and auditability properties. (See
Table 1 to cross-reference with the above frameworks.) Fi- P9. Hide patient identity, sensor presence and data-collection
nally, we list the functional properties for completeness. activity from unauthorized observers
P10. Support accountability through robust mechanisms (CF8)
Security and privacy properties.
A high-quality mHealth system should: a. Include audit logs for all access, addition, deletion, and
modification of PHI (the MN, too, should log its ac-
P1. Inform patients (CF1, CF2, ONC1, ONC4) tions with respect to collection, upload, and access to
PHI, and pairing with SNs and other devices)
a. What PHI is collected and stored
b. Why PHI is collected and stored P11. Support mechanisms to remedy effects of security breaches
or privacy violations (CF9)
c. Where PHI is stored and at which organization
Table 1: Comparison of our security and privacy properties with other major frameworks; a framework item
is mentioned if it covers some, though not necessarily all, of our property.
Property ONC HPP BP CF CCHIT
P1 Inform patients ONC1,3,4 HPP4,6 BP1 CF1, CF2 CCHIT3
P2 Review storage and use ONC1 HPP3 CF5
P3 Informed consent ONC4 HPP4,6 BP5 CF1, CF3 CCHIT1,3
P4 Access, annotate, correct ONC1, ONC2 HPP3 BP3 CF1, CF6 CCHIT4,5,6,7
P5 Usable interfaces other frameworks do not emphasize usability
P6 Limit collection and storage ONC5 HPP6 BP3 CF3 CCHIT2
P7 Limit to specified purposes ONC5 HPP2 BP4, BP6 CF4, CF7
P8 Ensure quality ONC6, ONC7 BP7, BP8 CF6, CF7
P9 Hide from observers this property is specific to mHealth
P10 Accountability ONC8 BP4 CF8
P11 Remedies BP9 CF9
not related to privacy HPP1,8,9,10 BP2,BP10