
What electronic health records don’t know just yet. A privacy analysis for patient communities and health records interaction

  • Original Paper
  • Journal: Health and Technology

Abstract

The advent of Web 2.0 has resulted in the emergence of a new generation of user-centric applications. Healthcare too follows this trend, and a whole range of health-related applications is being introduced. Electronic health record (EHR) systems are being developed to enable electronic storing and sharing of medical data between health practitioners. Recently, initial steps have been taken to evolve toward cross-border sharing of EHR data. Patients also become more involved in their healthcare and start storing their health data online in personal health record (PHR) systems, or look for online support and medical advice from other patients with similar diseases or treatments. The consolidation of these different systems is described as a promising approach to bring healthcare to a higher level. A consequence of this evolution is the rise of new privacy threats to the patient’s medical data, as more data becomes easily accessible to more people. Not only do the treating physicians have access to the health data; the patient himself will have direct access to it and will even be in control of his data and of who may access it. As a first step in answering this trend, this paper presents a legally founded analysis of the privacy issues emerging from the integration of EHR systems and patient communities. First, a taxonomy of the health data types and user roles that play a key role in integrated health record systems is proposed. Second, privacy-preserving access rights are discussed and a set of privacy-aware access levels is suggested. Finally, ethical, legal, and technical challenges are highlighted, and a set of high-level privacy-enhancing technical requirements is presented.


Notes

  1. www.epsos.eu

  2. http://www.nhscarerecords.nhs.uk/

  3. www.medhelp.org

  4. www.epsos.eu

  5. http://www.nhscarerecords.nhs.uk/

  6. https://www.childrenshospital.org/mychildrens/index.cfm

  7. http://www.microsoft.com/en-us/healthvault/

  8. http://www.dossia.org

  9. For more information see www.medischegegevens.nl.

  10. www.google.com/health/

  11. www.patientslikeme.com

  12. www.sugarstats.com

  13. www.mdjunction.com

  14. www.medhelp.org

  15. Art 8 Data Protection Directive [24]

  16. HIPAA [22], 42 U.S.C. §1302d; 45 C.F.R. §146.103.

  17. Art 2 (a) Data Protection Directive [24]

  18. Recommendation No. (97) 5 of the Committee of Ministers to Member States on the Protection of Medical data, 13 February 1997.

  19. European Court of Justice, Judgment of 6 November 2003, Case C-101/01—Bodil Lindqvist.

  20. Doctor of medicine is the doctoral degree for physicians granted by medical schools (from http://en.wikipedia.org/wiki/Doctor_of_Medicine)

  21. http://www.interrai.org/

  22. https://www.ehealth.fgov.be/nl/application/applications/BELRAI.html

  23. article 7,2. (a), (c), (e) and 7,3. Data Protection Directive [24].

  24. The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act.

  25. http://www.oracle.com/technetwork/middleware/coherence/overview/index.html

  26. www.epsos.eu

  27. http://www.nhscarerecords.nhs.uk/

  28. https://www.childrenshospital.org/mychildrens/index.cfm

  29. http://www.ibbt.be/en/projects/overview-projects/p/detail/share4health

  30. http://www.interrai.org/

  31. https://www.ehealth.fgov.be/nl/application/applications/BELRAI.html

  32. http://www.medibridge.be

  33. http://www.corilus.be/documents/segments/general-practitioners/software.xml?lang=nl

  34. https://www.childrenshospital.org/mychildrens/index.cfm

  35. www.google.com/health/

  36. http://www.microsoft.com/en-us/healthvault/

  37. http://hellohealth.com/

  38. www.izip.cz

  39. http://www.patientslikeme.com/

  40. http://www.medhelp.org/

  41. http://www.mdjunction.com/

  42. http://www.sugarstats.com/

  43. http://www.webmd.com/

  44. also on http://www.youtube.com/user/IBMResearchZurich#p/u/4/RhHjOxPlSgY and http://www.youtube.com/user/IBMResearchZurich#p/u/3/YFRjOB39hvA

References

  1. Sunyaev A, Chornyi D, Mauro C, Krcmar H. Evaluation framework for personal health records: Microsoft HealthVault vs. Google Health. In: 43rd Hawaii International Conference on System Sciences; 2010.

  2. Cabrnoch M, Hasic B. Electronic Health Book—a unique Czech solution for eHealth. Health and Technology; July 2011.

  3. Eysenbach G. Medicine 2.0: Social networking, collaboration, participation, apomediation, and openness. Medicine 2.0 Proceedings, in Journal of Medical Internet Research 10(3); 2008.

  4. IBM. Made in IBM Labs: IBM Reinvents the Patient Portal, New healthcare portal offers increased patient safety and empowerment. In: IBM Press Releases. (Accessed March 3, 2011) Available at: http://www-03.ibm.com/press/us/en/pressrelease/33944.wss.

  5. European Network and Information Security Agency: Security Issues and Recommendations for Online Social Networks; 2007.

  6. O’Reilly T. What Is Web 2.0: design patterns and business models for the next generation of software. Commun Strateg. 2007;65:17–37.

  7. Bos L, Marsh A, Carroll D, Gupta S, Rees M. Patient 2.0 empowerment. In: Arabnia H, Marsh A, editors. Proceedings of the 2008 International Conference on Semantic Web & Web Services (SWWS08); 2008.

  8. Van De Belt T, Engelen L, Berben S, Schoonhoven L. Definition of Health 2.0 and Medicine 2.0: a systematic review. J Med Internet Res (JMIR). April–June 2010; 12(2).

  9. Gunter T, Terry N. The Emergence of National Electronic Health Record Architectures in the United States and Australia: models, costs, and questions. J Med Internet Res. 2005.

  10. US Department of Health and Human Services: The National Alliance for Health Information Technology Report to the Office of the National Coordinator for Health Information Technology on Defining Key Health Information Technology Terms; 2008.

  11. Waegemann C. Status Report 2002: Electronic Health Records. 2002.

  12. ISO/TR 20514:2005 Health informatics—Electronic health record—Definition, scope and context; 2005.

  13. Nyssen M, Thomeer K, Buyl R. Generating and transmitting ambulatory electronic medical prescriptions. In: XII Mediterranean Conference on Medical and Biological Engineering and Computing 2010 29. Springer Berlin Heidelberg; 2010.

  14. Markle Foundation: Connecting for Health. The personal health working group final report; 2003.

  15. U.S. Department of Health & Human Services: Personal Health Records (PHRs) and the HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf.

  16. Weihl A. An update on Google Health and Google PowerMeter. In: The Official Google Blog. (Accessed June 24, 2011) Available at: http://googleblog.blogspot.com/2011/06/update-on-google-health-and-google.html.

  17. McGee M. 5 Reasons Why Google Health Failed. In: InformationWeek. (Accessed June 29, 2011) Available at: http://www.informationweek.com/news/healthcare/EMR/231000697.

  18. Schonfeld E. Google Health Creator Adam Bosworth On Why It Failed: “It’s Not Social”. In: TechCrunch. (Accessed June 24, 2011) Available at: http://techcrunch.com/2011/06/24/google-health-bosworth-social/.

  19. Leimeister JM, Daum M, Krcmar H. Mobile communication and computing in healthcare—designing and implementing mobile virtual communities for cancers patients. In: Tokyo Mobile Business Roundtable, Tokyo; 2002.

  20. Narayanan A, Shmatikov V. Myths and fallacies of “personally identifiable information”. Communications of the ACM; 2010.

  21. Kuner C. European Data Protection Law. Oxford University Press; 2007.

  22. U.S. Department of Health and Human Services: Health Insurance Portability and Accountability Act (HIPAA); 1996.

  23. Bygrave L. Data Protection Law, Approaching its rationale, logic, and limits. Kluwer Law International; 2002.

  24. European Communities: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; 1995.

  25. Wong R. Data Protection online: alternative approaches to sensitive data. J Int Commer Law Technol. 2007;2(1):9–16.

  26. Simitis S. Review of the answers to the Questionnaire of the Consultative Committee of the. 1999.

  27. Gossum K, Verhenneman G. Privacy and digital homecare, allies not enemies. In: Handbook of Digital Homecare, Series in Biomedical Engineering. Berlin: Springer-Verlag; 2009.

  28. De Hert P. Titel VI Persoonsgegevens en beroepsgeheim. In: Privacy en persoonsgegevens. Antwerpen: Politeia; 2010. p. 114–118.

  29. Graux H, Dumortier J. Privacywetgeving in de praktijk. Antwerpen: UGA; 2009.

  30. Jenkins P, Potter S. No more “personal notes”? Data protection policy and practice in Higher Education counselling services in the UK. Br J Guid Counsel. 2007;35(1):131–46.

  31. Vansweevelt T, Dewallens F. Het patiëntendossier. Antwerpen: Intersentia; 2011.

  32. Baldwin, G. To scan or not to scan. In: Health Data Management. (Accessed 2011) Available at: http://www.healthdatamanagement.com/issues/19_5/to-scan-or-not-to-scan-42391-1.html?pg=3.

  33. Congdon K. Meaningful use: what about the specialists? In: Healthcare Technology Online. (Accessed October 7, 2010) Available at: http://www.healthcaretechnologyonline.com/article.mvc/Meaningful-Use-What-About-The-Specialists-0001.

  34. McCarthy C. Paging Dr. Google: personal health records and patient privacy. William and Mary Law Review. 2010;51(6):2243(26)

  35. Safer Social Networking Principles for the EU. http://ec.europa.eu/information_society/activities/social_networking/docs/sn_principles.pdf. 2009.

  36. Sophos: Sophos Facebook ID probe shows 41 % of users happy to reveal all to potential identity thieves. In: Sophos Press Releases. (Accessed August 14, 2007) Available at: http://www.sophos.com/en-us/press-office/press-releases/2007/08/facebook.aspx.

  37. Santana S, Lausen B, Bujnowska-Fedak M, Chronaki C, Kummervold P, Rasmussen J, Sorensen T. Online communication between doctors and patients in Europe: status and perspectives. J Med Internet Res. 2010;12(2).

  38. Xerox: Patients need assurance that Electronic Health Records are secure, Xerox survey says. In: Xerox News Room. (Accessed July 26, 2011) Available at: http://news.xerox.com/pr/xerox/Xerox-Survey-Shows-Impact-of-Electronic-Health-Records.aspx.

  39. Pelino D. The social media doctor is in. In: The health care blog. (Accessed July 12, 2011) Available at: http://thehealthcareblog.com/blog/2011/07/12/the-social-media-doctor-is-in/.

  40. Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services: Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information. 2008.

  41. Beaver K, Herold R. The practical guide to HIPAA privacy and security compliance. Auerbach Publications; 2004.

  42. Wuyts K, Scandariato R, Verhenneman G, Joosen W. Integrating patient consent in e-Health access control. Int J Secure Softw Eng. 2011;2(2).

  43. Fang L, LeFevre K. Privacy Wizards for Social Networking Sites. In: 19th international conference on World wide web (WWW’10); 2010.

  44. Pfitzmann B, Waidner M. Federated identity-management protocols. In: Security Protocols, Lecture Notes in Computer Science 3364. Springer Berlin/Heidelberg; 2005.

  45. De Borde D. Two-factor authentication. Siemens Enterprise Communications UK-Security Solutions; 2008.

  46. Neamatullah I. Automated de-identification of free-text medical records. BMC Medical Informatics and Decision Making. 2008;8(1).

  47. El Emam K. Methods for the de-identification of electronic health records for genomic research. Genome Med. 2011;3(4).

  48. Lederer S, Hong J, Dey A, Landay J. Personal privacy through understanding and action: five pitfalls for designers. Pers Ubiquitous Comput. 2004;8:440–54.

  49. Liu H, Maes P, Davenport G. Unraveling the taste fabric of social networks. International Journal on Semantic Web and Information Systems (IJSWIS) 2(1).

  50. Nguyen D, Mynatt E. Privacy mirrors: understanding and shaping socio-technical ubiquitous computing systems; 2001.

  51. Jernigan C, Mistree B. Gaydar: Facebook friendships expose sexual orientation. First Monday. October 2009;14(10).

  52. Williams J. Social networking applications in health care: threats to the privacy and security of health information. In: Software Engineering in Health Care (SEHC 2010), Cape Town, South Africa; 2010.

  53. Asim M, Petkovic M, Que M, Wang C. An interoperable security framework for connected healthcare. In: 7th IEEE International Workshop on Digital Rights Management Impact on Consumer Communication (DRM 2011); 2011.

Acknowledgments

This research is partially funded by the FP7 BraveHealth project and CONTRACT project, the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, and by the Research Fund K.U. Leuven.

Corresponding author

Correspondence to Kim Wuyts.

Appendices

Appendix A: Classification of existing systems

This section briefly discusses a number of existing systems and applications that were classified according to the taxonomy presented in this paper. The classification is visualized in Table 5. The summary of this classification is presented in Section 3.3.

Table 5 Categorization of existing systems (R: read; W: write; RW: read+requests modification; X: owner/controller; XO: only accessible by owner/controller)

EHR/HIS systems

Currently no full-fledged EHR systems exist. Some initiatives that focus on a specific document type are running, like the EPSOS project (footnote 26), which focuses on patient summaries and electronic prescriptions. The NHS introduces care records (footnote 27), which also contain the patient’s summary. Recip-e (footnote 28) is another local initiative that allows online transfer of prescriptions between prescriber and care provider. All these systems can be classified as storage and exchange of medical EHR data between doctors of medicine. Recip-e and EPSOS also allow medical staff (like pharmacists, physiotherapists, etc.) to access prescriptions. Several projects also try to bridge the gap between existing HIS and EHR systems. For example, the local Share4Health project (footnote 29) aimed at combining data from different hospitals, GP offices, and pharmacies into one big virtual record, accessible by treating doctors and pharmacists. Other projects focus on the collection of data from both doctors and medical staff, like InterRAI (footnote 30) and BelRAI (footnote 31), which aim at integrating all health data to improve (home) care for elderly and disabled patients. In this case, medical staff is considered a subtype of doctors, as they can access and update the patient’s EHR data.

Of course, basic medical software solutions should also be considered. As so many suppliers exist, we only considered two locally well-known software packages. The first is MediBridge (footnote 32), which focuses on hospitals and GP practices and their collaboration, and which can also be used by medical staff to exchange doctor-controlled health data. The second is MediDoc (footnote 33), which is developed explicitly for GPs and provides a complete package to store both medical and administrative data. Note that whenever medical, raw or administrative data are involved, the corresponding biographical data should also be considered.

As an example of patients who get access to their EHR data, we examined the Boston Children’s Hospital patient portal (footnote 34), where patients can access their medical data, manage their demographics (biographical data) and maintain their billing and appointment data (administrative data). The portal also enables access for trustees.

PHR systems

Even though the main purpose of PHR systems is the patient’s personally maintained health history, systems nowadays support more functionalities. If the patient allows additional services or extensions to be integrated in his PHR, not only will the patient be able to keep track of his own health, he can also share it with trusted friends and treating doctors, and the content can be updated and extended by these treating doctors. Both Google Health (footnote 35) and Microsoft HealthVault (footnote 36) support all these extensions and broaden the meaning of PHR to an integrated view on health data created by both the patient himself and his treating doctors.

Google Health’s main purpose was to store and manage the patient’s own medical data. It could also be used to share data with others on a read-permission basis (the entire profile could be shared with someone the patient trusts, e.g. a friend, physician or semi-medical staff). When adding “services” to your Google Health profile, you could add applications of your health providers (hospitals, GPs, pharmacies, etc.), which in their turn could access and sometimes even update your information. Additional data generated by the patient’s doctor (medical EHR data) could also be accessed via the application. When medical staff generated additional data, it was assumed these were stored in the PHR (although in the future this might merge with EHR data). Trustees were only supported to a very limited extent. A Google Health user had the possibility to create a profile for other users (e.g. children, elderly parents, etc.), but no further support was provided for trustees. Sharing data with physicians was supported in three ways: when the physician supports Google Health and data is shared through a service; when the physician is invited as a friend to the patient’s profile; and when the patient simply prints out his PHR and brings this paper version to his consultation. Updating PHR data was also supported in three ways: the patient fills it out manually; a registered service (e.g. connected to the patient’s hospital or treating physician) alters the data; or the patient uploads and integrates medical files in supported formats (e.g. if the treating physician mails a lab report in a supported digital format to the patient). Unfortunately, Google has decided to discontinue this service.

Microsoft HealthVault has access settings which are more advanced than those in Google Health. When a patient creates PHR data, he can decide to completely share or partially share his data (determined by record type). Possible sharing rights are: view (corresponding to friends access rights), view+modify (corresponding to medical staff access rights), and custodian: same rights as patient (corresponding to trustee access rights). It is also possible to classify a record as personal. This means that it will not be shared with anyone else. Similar to Google Health, it is also possible to integrate parts of the patient’s EHR (like prescription/medication history) in his HealthVault profile by including the appropriate services.
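To make the record-type-level sharing model concrete, here is an added Python example (not HealthVault's or the paper's own code) that evaluates the three sharing levels and the "personal" flag described above with deny-by-default semantics. The user names, record types and the decision to withhold personal records even from a custodian are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Share(Enum):
    """The three sharing rights described above."""
    VIEW = "view"                 # friend-level: read only
    VIEW_MODIFY = "view+modify"   # medical-staff-level: read and update
    CUSTODIAN = "custodian"       # trustee-level: same rights as the patient


class Action(Enum):
    READ = "read"
    MODIFY = "modify"
    SHARE = "share"   # grant or revoke access for other users


@dataclass(frozen=True)
class Record:
    owner: str
    record_type: str          # e.g. "medication", "lab-result" (constructed)
    personal: bool = False    # flagged personal: never shared with anyone else


@dataclass
class SharingPolicy:
    owner: str
    # grantee -> {record_type, or "*" for the whole profile -> Share}
    grants: dict = field(default_factory=dict)

    def grant(self, actor, grantee, level, record_type="*"):
        # Only the patient, or a whole-profile custodian, may change sharing.
        if not self.allowed(actor, Action.SHARE, Record(self.owner, "*")):
            raise PermissionError(f"{actor} may not change sharing for {self.owner}")
        self.grants.setdefault(grantee, {})[record_type] = level

    def level_for(self, grantee, record_type):
        per_type = self.grants.get(grantee, {})
        # A grant for the specific record type wins over a whole-profile grant.
        return per_type.get(record_type, per_type.get("*"))

    def allowed(self, actor, action, record):
        if record.owner != self.owner:
            return False          # this policy only governs its owner's records
        if actor == self.owner:
            return True           # the patient has full rights over his own data
        level = self.level_for(actor, record.record_type)
        if level is None:
            return False          # deny by default: no grant, no access
        if record.personal:
            return False          # assumption: personal excludes even custodians
        if level is Share.CUSTODIAN:
            return True           # same rights as the patient, personal aside
        if level is Share.VIEW:
            return action is Action.READ
        if level is Share.VIEW_MODIFY:
            return action in (Action.READ, Action.MODIFY)
        return False


def demo():
    """Constructed scenario: patient 'alice' shares with a friend, a nurse and a trustee."""
    policy = SharingPolicy(owner="alice")
    policy.grant("alice", "bob", Share.VIEW)                          # friend, whole profile
    policy.grant("alice", "nurse", Share.VIEW_MODIFY, "medication")   # staff, one record type
    policy.grant("alice", "carol", Share.CUSTODIAN)                   # trustee
    meds = Record("alice", "medication")
    diary = Record("alice", "diary", personal=True)
    return {
        "friend_reads_meds": policy.allowed("bob", Action.READ, meds),
        "friend_modifies_meds": policy.allowed("bob", Action.MODIFY, meds),
        "nurse_modifies_meds": policy.allowed("nurse", Action.MODIFY, meds),
        "nurse_reads_diary": policy.allowed("nurse", Action.READ, diary),
        "custodian_reads_diary": policy.allowed("carol", Action.READ, diary),
        "custodian_shares": policy.allowed("carol", Action.SHARE, meds),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'allow' if decision else 'deny'}")
```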

A more elaborate comparison between Google Health and Microsoft HealthVault is described by Sunyaev et al. [1].

An application that combines EHR and PHR systems is HelloHealth (footnote 37). It combines online doctor-patient communication, practice management and health record storage. In summary, doctors can store and maintain their patients’ EHR records and manage their appointments and billing. Patients can make doctor appointments, either a classical consultation or an online consultation via chat or webcam, and manage their PHR. The platform allows the patient to access his EHR data from his treating doctor(s) and keeps the doctors informed on the patients’ updates.

The Czech Electronic Health Book (EHB) (footnote 38) [2] can also be seen as a combination of EHR and PHR systems. Doctors add medical data as in EHR systems; however, the patient is fully in control of the access rights toward the doctors. He can either share his data with all doctors in the system or create a set of confidential healthcare professionals. The patient can also alter administrative data and certain medical data, or request (partial) removal of a certain item. Similar to PHR systems, patients can add their own (subjective) entries in the system, which can be shared with the doctor as well.

Patient communities

When examining patient communities for this paper, we only focused on the data produced by the patient himself. Clearly, when a patient posts a message on a discussion board, the responses can also be relevant to the patient. We however do not consider these responses as “input” to the health data about the patient. In our classification, only the patient himself (or his trustee) will create non-structured patient data.

PatientsLikeMe (footnote 39) is a highly popular patient community site with over 100 000 users. It is focused on sharing health data with the entire community and even non-members. Sharing with friends or trustees is not explicitly supported, as the website has an openness philosophy. PatientsLikeMe believes that sharing healthcare experiences and outcomes results in collaboration on a global scale. Privacy is thus of less importance. Two privacy settings are supported: visible (for community members) and public. Although users are not obliged to fill in any personally identifiable data, they are encouraged to do so. Medical, lifestyle and biographical data are all combined into one patient profile. Registered users also have access to the online forum.

MedHelp (footnote 40) is another online patient community, which calls itself “the world’s largest online community with over 12 million monthly visitors”. MedHelp connects people with medical experts and others who have similar experiences. It provides forums (both support groups and ask-a-doctor forums) and health-related tools (e.g. weight tracker, sleep tracker, PHR, …). Any information shared on a personal page, message board, or online discussion is by design open to the public. Some features, however, such as journals, photos, and personal pages, can have their access set by the patient. Three privacy settings are supported: private, friends, and public.

MDJunction (footnote 41) is also a patient community site, although less advanced than the previously discussed ones. It contains several online support groups in a forum-like fashion and allows each user to keep a diary and post articles (which represent only non-structured data). MDJunction supports four privacy settings: private, friends, members, and public (although forum posts are always public).

SugarStats (footnote 42) is a community aimed at diabetes patients. As stated on its homepage, it provides online diabetes management, community support and collaborative sharing to motivate and improve health. It allows the patient to visualize his progress, meet other diabetics in community groups and discussion forums, share statistics with family, friends or doctors, and track and manage medication, food and activities. Four privacy settings are supported for an account: private, friends only, members only, and public. The default setting for all new accounts is “members only”. Although SugarStats claims that it supports sharing with treating doctors, this is just a specific implementation of the “friends only” sharing property. Therefore, we did not include this application in the table for doctor-PHR access.

One example of a patient community where doctors and medical staff are more involved is WebMD (footnote 43). This website provides useful information in the form of blogs and allows patients to ask questions in the corresponding health forums. These questions can be answered by other patients, medical staff and doctors. As indicated earlier, this paper does not focus on communities moderated by healthcare personnel. We consider these users merely a subgroup of community members, as they are not the patient’s “treating” doctors or medical staff. Therefore WebMD is only included in Table 5 in brackets for medical staff and doctors.

Finally, a very promising application is the IBM patient empowerment portal [4] (footnote 44). It is a good representation of how IHR systems should work. It combines medical and social data, as it allows patients to share their medical data with other patients. It is beneficial for the patient, as he gets an integrated overview of all his medical data and can communicate with his treating doctors. Doctors can also use the system to keep their patients informed on medical-related events. Trustees are also supported; for example, a mother can use the system both for herself and her children. As it is currently an ongoing R&D project, no technical information is available yet, and it is unclear how EHR is integrated in this portal and who is responsible for the creation and maintenance of the data. It is therefore not included in the overview table.

Cite this article

Wuyts, K., Verhenneman, G., Scandariato, R. et al. What electronic health records don’t know just yet. A privacy analysis for patient communities and health records interaction. Health Technol. 2, 159–183 (2012). https://doi.org/10.1007/s12553-012-0026-3
