Abstract
Health care information systems provide crucial advantages for the improvement of health systems. The harmonization of international policies creates new opportunities to interleave such systems on a global scale. However, technical challenges have to be confronted with existing privacy regulations. Both the European Union (EU) and the United States (US) have attempted to reconcile the rights of individuals with those of society through specific legislation. However, an optimal balance is yet to be realized. New methods to comply with the existing legal frameworks are needed. Privacy by design and privacy performance assessment used in the BIRO and EUBIROD projects represent ways to respond to this challenge. A joint action at both legislative and point of care levels is necessary to achieve an optimal balance between the right to privacy and the right to the highest attainable level of health.
Keywords
- European Union
- Data Protection
- Privacy Protection
- Severe Acute Respiratory Syndrome
- Protected Health Information
Notes
- 1.
For instance, in Sweden (Swedish Association of Local Authorities and Regions 2007), currently there are eight health and population registries held by the National Board of Health and Welfare and Statistics Sweden, plus 55 quality registries receiving funds from a National Executive Committee. Health databases include inpatient, outpatient, birth, death, cancer and prescription registries. They contain individual-based data on diagnoses, treatments, interventions and outcomes, managed by groups of professionals who are usually located at university hospitals. Population databases include the total population and multi-generation registries. All databases are regulated by the law and provide very high coverage. Quality registries are jointly administered by the National Committee, which includes representatives from the county Council, the Swedish Association of Local Authorities and Regions, the National Board of Health and Welfare, the Swedish Society of Medicine and the Swedish Society of Nursing. An important element of the Swedish system is that population-based data and quality registries are used in combination to permit an active use of health information. Population data may be used to validate and integrate individual records included in quality registries that are routinely used by caregivers to generate a continuous loop of quality improvement. Tools are available for any unit that wants to participate to continuously monitor their effectiveness and the benefits for patients. Clinicians involved also have the main responsibility for developing the system and its contents, and the databases are spread out among different clinical departments, so that health information is continually validated in different ways by managers and users.
- 2.
The Council of Europe is an international organization created after the Second World War to foster co-operation in Europe. Its main objectives are the promotion of human rights, democracy and the rule of law. All Member States of the European Union are Contracting States of the Council of Europe. The Council of Europe and the European Union (EU) have a long tradition of co-operation. Now that the Treaty of Lisbon has entered into force, the Council of Europe is encouraging the European Union (EU) to accede to the European Convention for the Protection of Human Rights and Fundamental Freedoms. If this step is taken, the EU will be subject to the authority of the European Court of Human Rights.
- 3.
The Article 29 Working Party specified that “to determine if a person is identifiable account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. Therefore, all the factors at stake should be taken into account according to the state of the art in technology. The criterion is also to be considered dynamic, involving the whole lifetime of the information. Article 29 Working Party also provided useful guidance on the definition of anonymization, considered as part of the identifiability concept. WP 29 specified that data are anonymous if they cannot be linked to a specific individual, or even if they were linked to such an individual, they are now no longer related to that person. Thus, the subject of “anonymous” data is not identifiable; the subject of “anonymised” data is no longer identifiable. Anonymisation should depend:
  - On the quality and effectiveness of the measures used, and in particular on the level of encryption
  - On the likelihood of re-identification.
- 4.
The selection process was performed through the production of dedicated tools: data flow tables, PIA questionnaire and overall consensus table. Data flow tables depicted the data flow occurring in each of the system architectures identified in the previous step, envisaging different options of data sharing among BIRO partners: individual data sharing, aggregation by group of patients and aggregation by region. Within each option, various sub-options were also identified. The PIA questionnaire was constructed to both perform the privacy analysis of the information system and to select partners’ preferences for data sharing in terms of privacy protection, information content and technical complexity. PIA questionnaire responses were then grouped and summarized in the overall consensus table. These materials were submitted to a large expert panel (Delphi consensus panel) that jointly discussed the topic at a dedicated meeting aimed at reaching a final consensus. The consensus panel performed the ranking of the alternative architectures and, within the best scoring one, of the sub-options therein contained.
- 5.
The system can be described as follows. In BIRO, each region maintains a local diabetes database using its own specifications. To comply with the set of common definitions agreed by all partners, a common “export” was defined so as to map all the original data towards a European standard “BIRO database”. Open source software was specifically developed by the project team to build the BIRO database and process, analyze, and deliver statistical reports according to the same sets of rules and algorithms. Using the software, an extensive set of summary tables is created autonomously by each partner and subsequently transmitted to a server that periodically compiles the overall report for the entire collaboration. The statistical engine exploits known statistical properties to provide the fundamentals for the construction of all aggregate tables (BIRO Consortium 2009, p.135). This way international reports avoid many potential risks and restrictions imposed by privacy legislation, with no exchange of individual records. Aggregate tables are transmitted as encrypted, compressed bundles of comma-delimited text files (.csv) according to the standard protocol ISO/OSI 7498-2. The BIRO server includes a “central engine”, run by a unique administrator in charge of loading all aggregates on a central BIRO database, which performs the overall analysis on demand and produces the European report. The central administrator ensures compliance with all national and international security rules for the maintenance of the server. All reports are transmitted to a web portal that delivers results to the public, together with proper explanations and methodological references.
- 6.
The key elements of data protection, classified as factors, are:
  - Accountability of Personal Information (custody/control of personal information, third parties involvement, etc.)
  - Collection of Personal Information (authority to collect, necessity of the information collected or “minimality principle”, use of information for secondary purposes, provision of anonymisation for planning, management and/or evaluation purposes)
  - Consent, related to the necessity of gathering informed consent for the collection and processing of data in the registry and how it is obtained (clear, unambiguous, adequately considered)
  - Use of Personal Information (authority to use information, application of the purpose specification principle, use of personal identifiers for data linkage)
  - Disclosure and Disposition of Personal Information (consent/authority to disclose personal information, disclosure of personal identifiers, etc.)
  - Accuracy of Personal Information (possibility for individuals to access, assess, discuss or dispute the accuracy of their records)
  - Safeguarding Personal Information (security measures and processes applied)
  - Openness (provision of communication processes on the way personal information is managed/protected)
  - Individual Access to Personal Information (practical implementation of access rights)
  - Challenging Compliance (availability of complaint procedures and mechanisms to ensure accountability)
  - Anonymization Process for Secondary Uses of Health Data (compliance with international technical standards and principles)
- 7.
The online PPA system is designed to automatically collect further data on privacy factors: through a simple interface, each user can get credentials from the Coordinating Centre and fill in the questionnaire at his/her own convenience. After user confirmation, an email is sent to the PIA administrator, who is requested to validate the questionnaire after eventually recoding the initial responses as required. Specialized statistical software written in R (R Development Core Team 2010) computes all factor scores automatically and produces a range of outputs. A web interface allows each user to visualize a graph presenting the average of the specific centre against that of the target sample, with the related 95% confidence intervals. The comparison is made available for each factor and for the overall privacy score achieved by the user.
- 8.
Preemption of State law does not occur if the State law:
(1) Is necessary: (i) To prevent fraud and abuse related to the provision of or payment for health care; (ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation; (iii) For State reporting on health care delivery or costs; or (iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
(3) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.
(4) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.
(5) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.
- 9.
Covered agencies are, for instance, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.
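The aggregate-only exchange described in note 5, as an added example that is not the BIRO software: each region reduces its rows to a per-stratum count, sum and sum of squares, and the central engine pools those tables into the same mean and standard deviation it would obtain from individual records. The choice of statistics, the HbA1c field, the region names and the CSV columns are assumptions made for illustration; encryption and compression of the bundle are left out.

```python
import csv
import io
import math
import statistics
from collections import defaultdict

# Constructed sample rows (patient_id, sex, hba1c_percent); not real data.
REGION_RECORDS = {
    "region_a": [("a-001", "F", 7.1), ("a-002", "M", 8.4),
                 ("a-003", "F", 6.5), ("a-004", "M", 7.9)],
    "region_b": [("b-001", "F", 9.0), ("b-002", "F", 7.4),
                 ("b-003", "M", 6.8)],
}

# Hypothetical column layout of one aggregate table.
FIELDS = ["region", "sex", "n", "sum", "sum_sq"]


def local_export(region, records):
    """Runs inside a region: reduce individual rows to one aggregate row per
    stratum and return CSV text. Patient ids never enter the output."""
    cells = defaultdict(lambda: [0, 0.0, 0.0])
    for _patient_id, sex, value in records:
        cell = cells[sex]
        cell[0] += 1
        cell[1] += value
        cell[2] += value * value
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    for sex in sorted(cells):
        n, total, total_sq = cells[sex]
        writer.writerow({"region": region, "sex": sex, "n": n,
                         "sum": total, "sum_sq": total_sq})
    return out.getvalue()


def central_pool(csv_texts):
    """Runs on the central server: sees aggregate tables only."""
    totals = defaultdict(lambda: [0, 0.0, 0.0])
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            cell = totals[row["sex"]]
            cell[0] += int(row["n"])
            cell[1] += float(row["sum"])
            cell[2] += float(row["sum_sq"])
    report = {}
    for sex, (n, total, total_sq) in totals.items():
        mean = total / n
        if n > 1:
            # Sample variance from the pooled sums; clamp the tiny negative
            # values that floating-point rounding can produce.
            variance = max((total_sq - n * mean * mean) / (n - 1), 0.0)
            sd = math.sqrt(variance)
        else:
            sd = float("nan")  # a single observation has no sample SD
        report[sex] = {"n": n, "mean": mean, "sd": sd}
    return report


def individual_level_check(region_records):
    """Demonstration only: the report that sharing raw rows would give."""
    by_sex = defaultdict(list)
    for records in region_records.values():
        for _patient_id, sex, value in records:
            by_sex[sex].append(value)
    return {sex: {"n": len(v), "mean": statistics.mean(v),
                  "sd": statistics.stdev(v)} for sex, v in by_sex.items()}


if __name__ == "__main__":
    bundles = [local_export(r, rows) for r, rows in REGION_RECORDS.items()]
    print(bundles[0])
    print(central_pool(bundles))
```
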
References
Armstrong D, Kline-Rogers E, Jani S, Goldman E, Fang J, Mukherjee D, Nallamothu B, Eagle K (2005) Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Arch Intern Med 165(10):1125–9
Calcutt DQC (1990) Report of the committee on privacy and related matters. Cmnd, London, p 11027
Di Iorio CT, Carinci F, Azzopardi J, Baglioni V, Beck P, Cunningham S, Evripidou A, Leese G, Loevaas KF, Olympios G, Orsini Federici M, Pruna S, Palladino P, Skeie S, Taverner P, Traynor V, Massi Benedetti M (2009) Privacy impact assessment in the design of transnational public health information systems: the BIRO project. J Med Ethics 35(12):753–61
Di Iorio et al. (2010) Privacy impact assessment report, EUBIROD Consortium. http://www.eubirod.eu/deliverables.htm. Accessed 15 December 2011
Duquenoy P, George C, Solomonides A (2008) Considering something “else”: ethical, legal and socio-economic factors in medical imaging and medical informatics. Comput Meth Programs Biomed 92:227–237
Gostin LO, Bayer R, Fairchild AL (2003) Ethical and legal challenges posed by severe acute respiratory syndrome: implications for the control of severe infectious disease threats. JAMA 290(24):3229–37
Holman CD, Bass AJ, Rosman DL, Smith MB, Semmens JB, Glasson EJ, Brook EL, Trutwein B, Rouse IL, Watson CR, de Klerk NH, Stanley FJ (2008) A decade of data linkage in Western Australia: strategic design, applications and benefits of the WA data linkage system. Aust Health Rev 32(4):766–77
Ingelfinger J, Drazen J (2004) Registry research and medical privacy. N Engl J Med 350:1452–53
Liang L (2010) Connected for Health. Using electronic health records to transform care delivery. Wiley, San Francisco
MacCormick DN (1974) Privacy: a problem of definition? Br J Law Soc 1(1):75–78. http://www.jstor.org/stable/1409694. Accessed 16 November 2010
McClelland R et al (2006) European standards on confidentiality and privacy in healthcare. EuroSOCAP Project (2003–2006). http://www.orpha.net/testor/doc/july05/EuroSOCAP.pdf. Accessed 28 July 2010
Peckham S, Wallace A (2010) Pay for performance schemes in primary care: what have we learnt? Qual Prim Care 18(2):111–6
R Development Core Team (2010) R: a language and environment for statistical computing. http://cran.r-project.org/doc/manuals/refman.pdf. Accessed 29 July 2010
Rahu M, McKee M (2008) Epidemiological research labelled as a violation of privacy: the case of Estonia. Int J Epidemiol 37:678–682. http://ije.oxfordjournals.org/cgi/reprint/37/3/678. Accessed 16 November 2010
Roos LL, Gupta S, Soodeen RA, Jebamani L (2005) Data quality in an information-rich environment: Canada as an example. Can J Aging 24(1):153–70
Roos LL, Menec V, Currie RJ (2004) Policy analysis in an information-rich environment. Soc Sci Med 58(11):2231–41
Smith P et al (2010) Performance measurement for health system improvement. Experiences, challenges and prospects. Cambridge University Press, Cambridge
Smith RD (2006) Responding to global infectious disease outbreaks: lessons from SARS on the role of risk perception, communication and management. Soc Sci Med 63(12):3113–3123
Verschuuren M, Badeyan G et al (2008) The European data protection legislation and its consequences for public health monitoring: a plea for action. Eur J Public Health 18(6):550–551. http://eurpub.oxfordjournals.org/cgi/reprint/18/6/550.pdf. Accessed 16 November 2010
Warren S, Brandeis L (1890) The Right to privacy. Harvard Law Rev 4:193–220
Wolf M, Bennett C (2006) Local perspective of the impact of the HIPAA privacy rule on research. Cancer 106(2):474–9
Documents
Article 29 Working Party (2007) Opinion 4/2007 on the concept of personal data. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf. Accessed 24 November 2010
BIRO Consortium (2009) Best information through regional outcomes: a shared European diabetes information system for policy and practice, Università di Perugia, Perugia, Italia. http://www.eubirod.eu/documents/downloads/BIRO_Monograph.pdf. Accessed 29 July 2010
BIRO Consortium (2009) Privacy Impact Assessment Report. http://www.biro-project.eu/documents/downloads/D5_4_PIA_%20step4_Final_Report.pdf. Accessed 22 November 2010
Center for Disease Control (2010) CDC Emergency Preparedness and Response Website, http://www.bt.cdc.gov. Accessed 29 July 2010
Council of Europe (1950) Convention for the Protection of Human Rights and Fundamental Freedoms, (ETS no: 005) open for signature November 4, 1950, entry into force September 3, 1950. http://conventions.coe.int/treaty/en/treaties/html/005.htm. Accessed 16 November 2010
Council of Europe (1981) Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. Strasbourg: The Council, 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm. Accessed 16 November 2010
Council of Europe (2005) Additional Protocol to the Convention on Human Rights and Biomedicine, concerning Biomedical Research. Strasbourg, 25.I.2005. http://conventions.coe.int/Treaty/EN/Treaties/Html/195.htm. Accessed 16 November 2010
Council of Europe (1997) Convention on Human Rights and Biomedicine. http://conventions.coe.int/Treaty/EN/Treaties/Html/164.htm. Accessed 16 November 2010
Department of Health and Human Services (2000) Standards for Privacy of Individually Identifiable Health Information; Final Rule, Federal Register Vol. 65, No. 250, Regulations 82481, 45 CFR Parts 160 and 164. http://aspe.hhs.gov/admnsimp/final/PvcFR01.pdf. Accessed 29 November 2010
DG SANCO (2008) DG SANCO Task Force of Major and Chronic Diseases, Major and Chronic diseases in the European Union - Report 2007, European Commission, Luxembourg. http://ec.europa.eu/health/ph_threats/non_com/docs/mcd_report_en.pdf. Accessed 28 July 2010
EUBIROD Consortium (2008), European Best Information through Regional Outcomes in diabetes, University of Perugia, Perugia, Italy, The EUBIROD project website, http://www.eubirod.eu/. Accessed 15 December 2011
European Commission (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, L 281/31. http://ec.europa.eu/justice/policies/privacy/law/index_en.htm. Accessed 16 November 2010
European Commission (2004) European Union Public Health Information Portal, Developing European Union health indicators. http://ec.europa.eu/health/ph_information/indicators/indic_data_en.htm. Accessed 29 July 2010
European Commission (2007) DG SANCO Task Force of Major and Chronic Diseases, Major and Chronic diseases in the European Union - Report 2007, European Commission, Luxembourg, 2008. http://ec.europa.eu/health/archive/ph_threats/non_com/docs/mcd_report_en.pdf. Accessed 16 November 2010
European Commission (2010) Comparative Study on Different Approaches to new Privacy Challenges, in particular in the light of technological Developments, Working Paper No 2: Data protection laws in the EU: The difficulties in meeting the challenges posed by global social and technical developments. http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_working_paper_2_en.pdf. Accessed 16 November 2010
European Commission (2010) A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final. http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf. Accessed 16 November 2010
European Commission (2012) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final. http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. Accessed 21 March 2012
European Court of Human Rights (1992/1997) Niemietz v. Germany judgment of 16 December 1992, Series A no. 251-B, pp. 33-34, § 29; HCHR, Halford v. the United Kingdom judgment of 25 June 1997, Reports 1997-III, pp. 1015-16, §§ 42-46
European Parliament (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities No.L 281/31. http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm. Accessed 29 July 2010
European Parliament (2002) Programme of Community action in the field of public health (2003-2008). http://ec.europa.eu/health/ph_programme/programme_en.htm. Accessed 29 July 2010
European Parliament (2006) Decision No 1982/2006/EC of the European Parliament and of the Council of 18 December 2006 concerning the Seventh Framework Programme of the European Community for research, technological development and demonstration activities (2007-2013). http://ec.europa.eu/research/fp7/index_en.cfm?pg=documents#FP7EC. Accessed 29 July 2010
European Union (2000) Charter of Fundamental Rights of the European Union (2000/C 364/01), Art. 8. http://www.europarl.europa.eu/charter/pdf/text_en.pdf. Accessed 16 November 2010
European Union (2004) Treaty Establishing a Constitution for Europe. Official Journal of the European Union C 310, Volume 47, 16 December 2004. http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2004:310:SOM:EN:HTML. Accessed 16 November 2010
European Union (2007) Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007. Official Journal of the European Union, 2007/C 306/01. http://eur-lex.europa.eu/JOHtml.do?uri=OJ:C:2007:306:SOM:EN:HTML. Accessed 16 November 2010
Office of the United Nations High Commissioner for Human Rights (1966) International Covenant on Civil and Political Rights, adopted and opened for signature, ratification and accession by General Assembly resolution 2200A (XXI) of 16 December 1966, entry into force March 23rd 1976, art. 17. http://www2.ohchr.org/english/law/ccpr.htm. Accessed 16 November 2010
Office of the United Nations High Commissioner for Human Rights (1990) International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families, adopted by General Assembly resolution 45/158 of December 18, 1990. http://www2.ohchr.org/english/law/cmw.htm. Accessed 16 November 2010
Office of the United Nations High Commissioner for Human Rights (1990) Convention on the Rights of the Child, adopted and opened for signature, ratification and accession by General Assembly resolution 44/25 of November 20, 1989, entry into force September 2, 1990. http://www2.ohchr.org/english/law/crc.htm. Accessed 16 November 2010
Organization for Economic Cooperation and Development (OECD) (1980) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html. Accessed 16 November 2010
Swedish Association of Local Authorities and Regions (2007) National Health Care Quality Registries in Sweden, Edita, Stockholm, Sweden. http://www.gynop.org/doc/pdf/english/2007_qr.pdf. Accessed 29 July 2010
United Kingdom Information Commissioner's Office (2008) Privacy By Design. http://www.ico.gov.uk/upload/documents/pdb_report_html/privacy_by_design_report_v2.pdf. Accessed 16 November 2010
United Kingdom Parliament (1988) Data Protection Act 1998, S.33. http://www.legislation.gov.uk/ukpga/1998/29/contents. Accessed 18 November 2010
United Nations (1948) Universal Declaration of Human Rights, adopted and proclaimed by General Assembly resolution 217 A (III) of December 10 1948, http://www.un.org/Overview/rights.htm Accessed 28th July 2010
United States Bill of Rights (1791) Amendments to the Constitution, First through Tenth Amendments. http://www.gpoaccess.gov/constitution/pdf2002/018.pdf. Accessed 16 November 2010
United States Constitutional Convention (1787) The United States Constitution. http://www.usconstitution.net/const.html. Accessed 16 November 2010
US Congress (1996). Health Insurance Portability and Accountability Act 1996. Public Law 104-191. https://www.cms.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf. Accessed 28 July 2010
US Department of Health and Human Services (2002) Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information; Final Rule, Parts 160 and 164. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf Accessed 28 July 2010
US Senate (2002) Analysis and Interpretation of the Constitution: Annotations of Cases Decided by the Supreme Court of the United States, Senate Document No. 108-17. http://www.gpoaccess.gov/constitution/pdf2002/032.pdf. Accessed 22 November 2010
US Supreme Court (1965) Griswold v. Connecticut, 381 U.S. 479. http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=CASE%26court=US%26vol=381%26page=479. Accessed 23 November 2010
Treasury Board of Canada Secretariat (2002) Privacy Impact Assessment Guidelines: A framework to Manage Privacy Risks. http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paipg-pefrld-eng.asp. Accessed 16 November 2010
World Health Organization (2009), Georgia Health System Performance Assessment 2009. http://www.euro.who.int/__data/assets/pdf_file/0012/43311/E92960.pdf. Accessed 29 July 2010
World Health Organization Europe (2008) The Tallinn Charter: Health Systems for Health and Wealth, WHO Ministerial Conference on Health Systems, Tallinn, Estonia, 27 June 2008. http://www.euro.who.int/document/E91438.pdf. Accessed 29 July 2010
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Di Iorio, C.T., Carinci, F. (2013). Privacy and Health Care Information Systems: Where Is the Balance?. In: George, C., Whitehouse, D., Duquenoy, P. (eds) eHealth: Legal, Ethical and Governance Challenges. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22474-4_4
DOI: https://doi.org/10.1007/978-3-642-22474-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22473-7
Online ISBN: 978-3-642-22474-4
eBook Packages: Humanities, Social Sciences and Law; Law and Criminology (R0)