EP1226524A2 - System for enabling informed data consent for data privacy and security in database systems and in networked communications - Google Patents

System for enabling informed data consent for data privacy and security in database systems and in networked communications

Info

Publication number
EP1226524A2
Authority
EP
European Patent Office
Prior art keywords
consumer
data
informed consent
information management
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00990451A
Other languages
English (en)
French (fr)
Inventor
Terry Knapp
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Privacomp Inc
Original Assignee
Privacomp Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Privacomp Inc
Publication of EP1226524A2
Current legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H40/00 ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices
    • G16H40/20 ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the management or administration of healthcare resources or facilities, e.g. managing hospital staff or surgery rooms

Definitions

  • This system relates to the fields of database management systems and networked electronic communications and, in particular, to a system for managing the authorization of parties to access data contained in databases and transmitted in a networked environment.
  • The consumer should have the ability to authorize the conditions under which the consumer's personal data is exchanged among third parties.
  • Existing database management systems fail to provide a consumer who has data stored in the database system the ability to participate in the management of the authorization of parties to access the consumer's data contained in the database, or to grant transaction authorization among parties using the consumer's data.
  • The typical data access management paradigm is to require the consumer to provide blanket data access and transaction authorization to broad classes of users, without the consumer having the ability to define the authorization to a finer degree of granularity, or being able to revoke authorization to access the consumer's data in a simple manner.
  • Health and Human Services regulations impose significant new burdens of expense and liability relative to the management of health care information.
  • The proposed regulations force health care businesses that transact, hold or distribute personalized health care data for treatment, payment, research, or other purposes to each obtain the consent of each consumer (patient) who may be the subject of such data.
  • The consent must be informed - i.e., the consumer must know what information is to be used, for what purposes, with whom it is to be shared, etc.
  • Each health care business must manage the consumer's informed consent to comply with the wishes of the consumer regarding disclosure of the data.
  • Each health care business must maintain a log and an audit trail of disclosures, with the log containing time and date stamp data, assuring that the disclosure is authorized, that the purpose for which the data is disclosed is authorized, and that the minimum data set to serve the intended purpose is disclosed.
  • The audit trail must be maintained for the life of the record and must be made available to the consumer on request. Failure of the business to manage consumer personalized health care data as described in the proposed regulations subjects the business to official sanctions and penalties, and to liability and legal action for redress.
  • Choice: The individual has the right to choose not to have the data collected.
  • Use: The individual has the right to know how data is expected to be used and to restrict its use.
  • Correction: The individual has the right to challenge the accuracy of the data and to provide corrected information.
  • A technology-based solution to ensure privacy and confidentiality for individually identifiable electronic information must take into account all six conditions, and thereby must reveal the conditions upon which disclosure is authorized and allow for changes in authorization over time, hence the concept of dynamic data informed consent.
  • The above described problems are solved and a technical advance achieved by the present system for providing dynamic data informed consent which enables consumers to govern the flow of their personal data regardless of the nature of the information.
  • The goal of the Dynamic Data Informed Consent system is to create a mechanism by which Data Informed Consent obtained from a consumer can govern a transaction environment for the exchange of consumer (e.g. health care, financial, and the like) information by and among client organizations (e.g. health care businesses, banks and credit bureaus, and the like).
  • Client organizations: e.g. health care businesses, banks and credit bureaus, and the like.
  • The further objective of the Dynamic Data Informed Consent system is to provide the data access transaction environment (including Data Informed Consent) in its entirety, in order to reduce its client businesses' development and administrative costs, and to assure compliance with legal requirements for data exchange re: privacy and confidentiality.
  • Various means of securing the data are available, such as symmetric and asymmetric encryption key systems and protected lists.
  • Various means of authentication of users are available, including digital signatures, passwords, biometrics and smart cards.
  • The security of data is addressed through the means of a public key infrastructure and digital certificate issuance to authorized and authenticated users.
  • Each transaction participant consists of a client company that holds a general Digital Certificate to authenticate that company, as well as sub-Digital Certificates for various classes of authorized workers employed by that company.
  • Each Digital Certificate bears a unique identifier to ensure that it can be tracked.
  • Each Digital Certificate issued to client companies is accompanied by a set of requirements governing its use that are designed for compliance with regulations and the data access limitations defined by the consumer. Each client company specifically attests to its compliance with those stipulations. Each consumer is authenticated and issued a Digital Certificate or other means of authentication to use in the generation of a Dynamic Data Informed Consent and for use in the event of electronic changes to the Data Informed Consent in the course of the Dynamic Data Informed Consent system's service as agent for the consumer.
  • The consumer can define a set of data access rules which designate the client companies, and classes of employees within those companies, who have access to the consumer's personal data (termed “proprietary consumer specific data” herein) and the particular segments of that proprietary consumer specific data to which each client company is entitled.
  • The Data Informed Consent is dynamic in that the consumer can use their Digital Certificate (or other authenticated means) at any time to access and modify their Data Informed Consent provided to the Dynamic Data Informed Consent system.
  • The medium for data transmission among the parties served by the Dynamic Data Informed Consent system is any electronic data communication system, such as: the Internet, Intranet, Virtual Private Network (VPN), Wide Area Network, Public
  • The Dynamic Data Informed Consent system acts as a compliance clearinghouse for the data flow (i.e., as traffic cop, not as custodian). In providing compliance assurance, the Dynamic Data Informed Consent system maintains for each Data Informed Consent a log of users, category of proprietary consumer specific data, purpose for which the proprietary consumer specific data is used, which log is time and date stamped. The Dynamic Data Informed Consent System maintains the audit trail of all uses of proprietary consumer specific data, together with audit analysis software to determine if any breach of the System's authorization structure occurs.
  • The components of the Dynamic Data Informed Consent system by which dynamic Data Informed Consent modulates a security structure for the transmission and exchange of personal electronic data include:
  • PKI: public key infrastructure
  • Encryption modalities other than PKI may be employed to implement this function.
  • Digital certificates to provide ongoing authentication of approved parties, and associated constraints on use and attestations provided by the parties to whom they are issued. Other means of authentication such as passwords, biometrics and smart cards may be used to implement this function.
  • A data center and service center managed by a controlling entity to manage both the issuance of digital certificates to participants (client companies and consumers), and the management of Data Informed Consent.
  • The Data Informed Consent module and methods of management as a governor of the transaction environment.
  • The Data Informed Consent module consists of a rules-driven (inference engine-driven) database management system (DBMS) with lookup tables corresponding with the authorizations, or revocations thereof, placed by each consumer executing Data Informed Consent.
  • DBMS: database management system
  • The Data Informed Consent module itself consists of the following essential elements: A cross-platform compatible, scalable data base management system (DBMS) such as Oracle or Sybase. A graphic user interface to allow consumer interaction with the Dynamic
  • A component to enable the consumer to segmentalize (compartmentalize) proprietary consumer specific data.
  • Look-up tables with reference to individual consumers that list authorizations and similar tables that consist of revocations of authorizations.
  • The Dynamic Data Informed Consent system enables consumers to govern the flow of their proprietary consumer specific data regardless of the nature of the information.
  • The consumer can define a set of data access rules which designate the client companies who have access to the consumer's proprietary consumer specific data and the particular segments of that proprietary consumer specific data to which each client company is entitled.
  • The Data Informed Consent is dynamic in that the consumer can use their Digital Certificate at any time to access and modify their Data Informed Consent provided to the Dynamic Data Informed Consent system.
  • Figure 2 illustrates additional details of the Dynamic Data Informed Consent system and provides an indication of a typical data flow therein;
  • FIGs 3 and 4 illustrate in flow diagram form the operation of the Dynamic Data Informed Consent system of Figure 2 in processing a typical transaction
  • Figure 5 illustrates in block diagram form the structure of the Dynamic Data
  • Figure 6 illustrates the communication pathways that are used in the processing of an institution query to an information management system IMS, using the Dynamic Data Informed Consent system as an authorizing agency to enable the institution to access a consumer's proprietary consumer specific data;
  • FIG. 7 illustrates in flow diagram form the operation of this information management system IMS, using the Dynamic Data Informed Consent system as an authorizing agency to enable the institution to access a consumer's proprietary consumer specific data.
  • The Dynamic Data Informed Consent system enables consumers to govern the flow of their proprietary consumer specific data regardless of the nature of the proprietary consumer specific data.
  • The goal of the Dynamic Data Informed Consent system is to create a mechanism by which Data Informed Consent can govern a transaction environment for the exchange of consumer (e.g. health care, financial, and the like) information by and among client organizations (e.g. health care businesses, financial institutions, and the like).
  • The further objective of the Dynamic Data Informed Consent system is to provide the transaction environment (including Data Informed Consent) in its entirety, in order to reduce its client businesses' development and administrative costs, and to assure compliance with legal requirements for exchange of proprietary consumer specific data re: privacy and confidentiality.
  • Figure 1 shows in block diagram form the overall architecture of the Dynamic
  • The Dynamic Data Informed Consent system 101 is interconnected via a data transmission medium 102 (such as the Public Telephone Switched Network) to a consumer's terminal device 104, such as a personal computer, and via a data transmission medium 103 (such as the Internet) to a client's terminal device 105, such as a personal computer.
  • The Dynamic Data Informed Consent system 101 itself comprises an interface element 111, such as a WEB server, to interconnect the Dynamic Data Informed Consent system 101 with the respective data transmission medium 102, 103, thereby enabling both the consumer and clients to interconnect with the Dynamic Data Informed Consent system 101.
  • The Dynamic Data Informed Consent system 101 also includes a Data Informed Consent domain module 112 as is described in additional detail below.
  • The Dynamic Data Informed Consent system 101 can optionally include a data storage manager 113 and its associated data storage devices 114, 115 which store the proprietary consumer specific data, or, alternatively, the proprietary consumer specific data can be stored in whole or in part in one or more external data storage system(s) 106.
  • The external data storage system 106 includes a data storage manager 121, administrator interface terminal 122 and its associated data storage devices 123, 124, which stores the proprietary consumer specific data.
  • The Dynamic Data Informed Consent system 101 functions to provide a data access transaction environment for proprietary consumer specific data, including but not limited to the typical steps of: receiving requests for proprietary consumer specific data from clients, authentication of clients, maintaining security of the proprietary consumer specific data, issuance of digital certificates to authorized and authenticated users to enable clients to access the proprietary consumer specific data, under the terms and conditions specified by the consumer.
  • The confidential exchange of information implies that the information is exchanged or shared with the trusted other who is trusted to keep the information secret, i.e. the trusted other will not disclose the information to others.
  • Privacy: This comprises the state of being free from unsanctioned intrusion. Privacy is often confused with security. Security implies safety from intrusion, while privacy invokes the ability of a person to avoid intrusion unless that person authorizes the intrusion.
  • Security: This comprises the level to which data is safe from unauthorized use. Security requires mechanisms which protect the data from unauthorized use.
  • The dynamic process of authorization or revocation of authorization via operation of a security mechanism is the exercise of privacy.
  • Data Informed Consent: The process by which a consumer is informed about their rights under the law, and the responsibilities of parties who use their personalized information (“General Advisory”), as well as the manner in which their data is used, managed and protected (“Specific Advisory”). This process provides for interactive consumer control of disclosure authorization and the revocation thereof (“Dynamic Consent”).
  • Data Informed Consent dictates what client companies can do with the consumer's data - hence a two-way interaction:
  • The present system informs the consumer of the various options; consumers consent to client companies accessing their data via the present system pursuant to the parameters specified by the consumer.

Health Care Example

  • The description that follows pertains to the current challenge of managing security and privacy for health care information. While the example is focused on the use of electronic apparatus to implement the data storage, data exchange, data security, and privacy components of the Dynamic Data Informed Consent system, it is expected that portions of this Dynamic Data Informed Consent system may entail the use of traditional paper-based forms and processes. The present example is used due to its pertinence to the present needs of the health care industry and is intended to be illustrative of the concepts embodied in the Dynamic Data Informed Consent system and is not intended to limit the scope of the Dynamic Data Informed Consent system as embodied in the claims appended hereto. The concepts illustrated herein are directly applicable to numerous other Dynamic Data Informed Consent applications, including but not limited to: banking, credit agencies, employment, education, taxing agencies, government and their regulatory agencies, and the like.
  • The proposed regulations force health care businesses that transact, hold or distribute personalized health care data for treatment, payment, research, or other purposes to each obtain the consent of each consumer (patient) who may be the subject of such data.
  • The consent must be informed - i.e., the consumer must know what information is to be used, for what purposes, with whom it is to be shared, etc.
  • Each health care business must manage the consumer's informed consent to comply with the wishes of the consumer regarding disclosure of the proprietary consumer specific data.
  • Each health care business must maintain a log and an audit trail of disclosures, with the log containing time and date stamp data, assuring that the disclosure of the proprietary consumer specific data is authorized, that the purpose for which the proprietary consumer specific data is disclosed is authorized, and that the minimum data set to serve the intended purpose is disclosed.
  • The audit trail must be maintained for the life of the record and must be made available to the consumer on request. Failure of the business to manage consumer personalized health care data as described in the regulations subjects the business to official sanctions and penalties, and to liability and legal action for redress.
  • The Dynamic Data Informed Consent system interactively manages the wishes of the consumer regarding all elements of disclosure of proprietary consumer specific data (personalized electronic health care data).
  • The management of Data Informed Consent pertaining to paper-based records is a manual administrative process designed to reflect the principles embodied in the dynamic, electronic Data Informed Consent management system described herein.
  • The general provisions that the Dynamic Data Informed Consent system must accommodate in deploying Data Informed Consent typically include the following:
  • Clients are permitted to use the health information only for purposes compatible with and directly related to the purposes for which the information was collected or received, or for which they are authorized to disclose the information.
  • a.) The Dynamic Data Informed Consent system ensures the integrity and confidentiality of health information; and b.) The Dynamic Data Informed Consent system protects against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information.
  • 4.) All uses and disclosures are restricted, to the extent practicable, to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed.
  • Clients are required to prepare a written notice to inform patients of their information practices and of patients' rights regarding the health information.
  • Patients are allowed to inspect and copy health information about them held by providers and payers (and by) public health authorities, and by oversight agencies in any situation in which an oversight agency has made an adverse decision about the rights, benefits, or privileges of the patient.
  • 7.) Patients are permitted to seek correction or amendment of health information about them held by any entity obliged to permit patients to inspect health information about them.
  • 8.) Clients (providers and payers) are required to retain a history of all disclosures of health information made for treatment, payment, research, oversight, public health, emergencies, to State data systems, for law enforcement, in judicial proceedings, and with the authorization of the patient.
  • The record includes the date and purpose of the disclosure; the name and address to whom the disclosure was made or the location to which the disclosure was made; and where practicable, a description of the information disclosed. Patients are permitted to see this record and the disclosure history is maintained for the life of the record to which it relates.
  • Clients are permitted to disclose information pursuant to the authorization of a patient under the following conditions: a.) The authorization is in writing, is dated, and is signed or otherwise authenticated; b.) The authorization states an expiration date, or event, and is received by that date or event; c.) The authorization specifies the information to be disclosed; d.) The authorization specifies the entity or entities which are to disclose the information; e.) The authorization specifies the person or persons or entity or entities to receive the information; f.) The authorization states that the patient has received a statement of the intended use of the information by the recipient; and g.) The authorization is not on the same form on which a patient consents to health care.
  • Clients who request a patient to authorize disclosure of health information are required to give the patient a copy of the authorization.
  • A consumer is permitted to revoke an authorization to disclose information except to the extent that action has been taken in reliance on the authorization.
  • Entities disclosing information pursuant to an authorization are required to retain a copy of the authorization, and a record of the disclosure.
  • A person who requests a consumer to authorize disclosure of health information is required to provide a statement for retention by the patient, not on the same form as the authorization for treatment, specifying the purposes for which the information is sought and the uses and disclosures to be made of it.
  • The use or disclosure of the health information inconsistent with the statement is the basis for a civil action for damages.
  • Data Informed Consent articulates what the Dynamic Data Informed Consent system client companies will do (under the Dynamic Data Informed Consent system watchfulness), and does what the Dynamic Data Informed Consent system's consumers authorize be done with their proprietary consumer specific data - hence a two-way interaction: the Dynamic Data Informed Consent system informs; consumers consent. It is the consent side that involves the interactive programming and the functionality of Data Informed Consent to monitor and authorize the completion of health care data transactions by third parties that involve Data Informed Consent subject proprietary consumer specific data.
  • Elements that prescribe a duty to inform include 1 - 5.
  • Elements that prescribe a duty to manage consent include 8 - 13.
  • The Dynamic Data Informed Consent system intends to provide its consumer customers with services that allow the Dynamic Data Informed Consent system to act as consumers' agent in gaining such access.
  • The Data Informed Consent module application itself is both explanatory and interactive, taking into account the functionality dictated by the proposed regulations.
  • The components of the Dynamic Data Informed Consent system by which dynamic Data Informed Consent modulates a security structure for the transmission and exchange of personal electronic data include:
  • PKI: public key infrastructure
  • Digital certificates to provide ongoing authentication of approved parties, and associated constraints on use and attestations provided by the parties to whom they are issued.
  • Other means of authentication such as passwords, biometrics and smart cards may be used to implement this function.
  • A data center and service center managed by a controlling entity to manage both the issuance of digital certificates to participants (client companies and consumers), and the management of Data Informed Consent.
  • The Data Informed Consent module and methods of management as a governor of the transaction environment.
  • The Data Informed Consent module consists of a rules-driven (inference engine-driven) database management system (DBMS) with lookup tables corresponding with the authorizations, or revocations thereof, placed by each consumer executing Data Informed Consent.
  • DBMS: database management system
  • The Data Informed Consent module itself consists of the following essential elements: A cross-platform compatible, scalable data base management system (DBMS) such as Oracle or Sybase.
  • DBMS: scalable data base management system
  • A component to log all instances of authorized use of proprietary consumer specific data and unauthorized attempts to use proprietary consumer specific data.
  • FIG. 2 illustrates additional details of the Dynamic Data Informed Consent system 101 in conceptual block diagram form to illustrate the functionality of this system.
  • the Dynamic Data Informed Consent system 101 is shown interconnected by a data communication medium 201 with a plurality of clients and consumers.
  • a plurality of consumers can access the Dynamic Data Informed Consent system 101 via their data terminal devices 211 -213 to subscribe to the services of the
  • Dynamic Data Informed Consent system 101 establish a data informed consent for storage therein and optionally to dynamically update the data informed consent.
  • the clients represent various users, such as Information Management System (IMS2), who store proprietary consumer specific data for the consumers, as well as clients who request access to the stored proprietary consumer specific data.
  • IMS2 Information Management System
  • these clients can be: physicians at their data terminal devices 202; institutions, such as health care businesses, via their computer systems 280; and the like.
  • the Dynamic Data Informed Consent system 101 functions to regulate the exchange of proprietary consumer specific data among the plurality of clients served by the Dynamic Data Informed Consent system 101.
  • the Dynamic Data Informed Consent system 101 in a typical embodiment, itself comprises one or more servers 221 , 222 which interface the Dynamic Data Informed Consent system 101 to the data communication medium 201.
  • the Dynamic Data Informed Consent system 101 can be viewed as a plurality of components, which can be implemented as an integrated facility or portions thereof can be outsourced to other vendors.
  • the data storage function can optionally be implemented within Dynamic Data Informed Consent system 101 as an Information Management System (IMS1 ), and the Public Key Infrastructure (PKI) can optionally be implemented within Dynamic Data Informed Consent system 101.
  • IMS1 Information Management System
  • PKI Public Key Infrastructure
  • the Information Management System includes a data storage manager 251 , administrator interface terminal 254 and its associated data storage devices 252, 253, which stores the proprietary consumer specific data.
  • the core element of the Dynamic Data Informed Consent system 101 is the dynamic Data Informed Consent Management system (DIC Management).
  • the Public Key Infrastructure (PKI) comprises a subscriber manager 220 and a key management element 230, which are shared between the Data Informed Consent Management system (DIC Management) and the Public Key Infrastructure (PKI). In addition, the Public Key Infrastructure (PKI) includes a digital certificate processing element 240.
  • the Data Informed Consent Management system (DIC Management) typically comprises one or more servers 221, 222 to manage interactions with the data communication medium 201.
  • the Data Informed Consent Management system includes a consumer/client subscription module comprising the RA Control Center 225, an associated administrator data terminal device 226 and data storage elements 227.
  • a digital certificate module comprising the CA Control Center 223, an associated administrator data terminal device 224 and data storage elements 228, is provided.
  • the Data Informed Consent Management system includes a data informed consent module 260, comprising DIC Control Center 261, an associated administrator data terminal device 262 and data storage elements 263, 264. The operation of these elements is described below.
  • Dynamic Data Informed Consent Transaction: for clients and consumers to be served by the Dynamic Data Informed Consent system 101, their identity must be verified and ensured in future transactions. This is typically accomplished by use of the well known paradigm of Digital Certificates.
  • when a consumer or client wishes to avail themselves of the services of the Dynamic Data Informed Consent system 101, they establish a communication connection via data communication medium 201 to the Dynamic Data Informed Consent system 101 and interconnect with servers 221, 222.
  • the Dynamic Data Informed Consent system 101 then executes a script via RA Control Center 225 and certificate processing system 240, to identify the consumer/client and record their identity and set of permissions in the registration database stored in memory 227.
  • the Dynamic Data Informed Consent system 101 in well known fashion issues a Digital Certificate via certificate processing system 240, which Digital Certificate is transmitted via servers 221, 222 and data communication medium 201 to the consumer/client to thereby authorize future access to the Dynamic Data Informed Consent system 101.
  • Digital Certificates are issued by the Dynamic Data Informed Consent system 101 to clients (Transacting Party A and Transacting Party B, both members of the class of clients shown in Figure 1).
  • these parties can access the Dynamic Data Informed Consent system 101 to assure compliance with a consumer's dynamic data informed consent when accessing consumers' proprietary consumer specific data.
  • the consumers are also provided with Digital Certificates, which they use to access the Dynamic Data Informed Consent system 101 to create the Data Informed Consent for the consumer's personal data.
  • the consumer, via data communication medium 201, accesses the Dynamic Data Informed Consent system 101 and, in particular, the Data Informed Consent module 260 to create a Data Informed Consent file for the consumer's proprietary consumer specific data which is stored in informed consent database memory 263.
  • This data informed consent data created by the consumer is the basis of empowering the clients to access, exchange and process the consumers' proprietary consumer specific data. It is apparent that the consumer can create the data informed consent data via the submission of a paper form, which is then input into the Dynamic Data Informed Consent system 101 by clerical staff. In either case, the data informed consent stored in Dynamic Data Informed Consent system 101 is the basis for the transactions described herein.
  • a Transacting Party A such as a physician at data terminal device 202, wishes to send consumer-specific data stored in Information Management System IMS2 to Transacting Party B, such as the health care business served by computer system 280.
  • Transaction Party A receives a Digital Certificate issued by the Dynamic Data Informed Consent system 101 and, at step 301B, Transaction Party B receives a Digital Certificate issued by the Dynamic Data Informed Consent system 101, to thereby authorize their access to the proprietary consumer specific data managed by Dynamic Data Informed Consent system 101.
  • Transaction Party A (the sender, often a provider) batches a plurality of customer billings for transmission to Transaction Party B (the recipient, often a payer), with attachments comprising proprietary consumer specific data stored in Information Management System IMS2, and/or requiring the Transaction Party B to access consumer medical history data stored in Information Management System IMS2.
  • the data, regardless of application, is encrypted at step 303 under the PKI by Transaction Party A, with a digital signature attached.
  • the data is packaged (encrypted, digital signature attached, along with statement of purpose and description of data type) by the sender Transaction Party A at step 304. Under PKI security, the data package is routed at step 305 via data communication medium 201 or other suitable medium to the Dynamic Data Informed Consent system 101.
  • the Dynamic Data Informed Consent system 101 Certificate Processing module 240 verifies the authorization of Transaction Party A at step 306, and the validity of Transaction Party B as a client of the Dynamic Data Informed Consent system 101.
  • the verified request is then reviewed at step 307 to ensure that the digital signature appended to the data is correct.
  • the data package is then routed at step 308 through the Data Informed Consent module 260 to be processed.
  • the received request is reviewed at step 309 as to content and use requested and compared to the permissions provided by the consumer's dynamic data informed consent stored in informed consent database 263.
  • there can optionally be a need to access proprietary consumer specific data which is stored in an Information Management System IMS2, which can be located external to the Dynamic Data Informed Consent system 101.
  • the Dynamic Data Informed Consent system 101 must issue a Digital Certificate to the Information Management System IMS2 to enable the Transaction Party A and/or B to retrieve the consumers' proprietary consumer specific data and provide same to the Transaction Party B.
  • the Dynamic Data Informed Consent system 101 could easily be used to validate the request for appropriate authorizations, though the transaction including "wrapped" data would also need to go through the Dynamic Data Informed Consent system 101 for final validation and audit trail construction.
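The consent-gated routing of steps 303 to 309, written out as an added example that is not the patent's own code: a per-client HMAC key issued at registration stands in for the PKI Digital Certificate and digital signature, the payload is treated as already encrypted by the sender, and the client, consumer, data-type and purpose names are constructed.

```python
"""Consent-gated routing modelled on steps 301-310 above (added example, not
the patent's code). A per-client HMAC key issued at registration stands in
for the PKI certificate and signature; the payload is opaque ciphertext."""
import hashlib, hmac, json
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class ConsentRule:
    client_id: str               # client named in the consumer's consent
    data_types: FrozenSet[str]   # data segments that client may receive
    purposes: FrozenSet[str]     # uses the consumer has sanctioned

@dataclass
class DataInformedConsent:
    consumer_id: str
    rules: List[ConsentRule] = field(default_factory=list)

    def permits(self, client_id: str, data_type: str, purpose: str) -> bool:
        return any(r.client_id == client_id and data_type in r.data_types
                   and purpose in r.purposes for r in self.rules)

@dataclass
class DataPackage:            # step 304 package: purpose, data type, ciphertext, signature
    sender: str
    recipient: str
    consumer_id: str
    data_type: str
    purpose: str
    payload: str
    signature: str = ""

    def signed_bytes(self) -> bytes:
        fields = ("sender", "recipient", "consumer_id", "data_type", "purpose", "payload")
        return json.dumps({k: getattr(self, k) for k in fields}, sort_keys=True).encode()

class DynamicDataInformedConsentSystem:
    def __init__(self) -> None:
        self.client_keys: Dict[str, bytes] = {}             # issued "certificates"
        self.consents: Dict[str, DataInformedConsent] = {}  # one consent per consumer
        self.audit_trail: Dict[str, List[dict]] = {}        # one trail per consumer

    def register_client(self, client_id: str) -> bytes:
        # RA/CA registration: the issued key stands in for the Digital Certificate
        key = hashlib.sha256(f"constructed-key:{client_id}".encode()).digest()
        self.client_keys[client_id] = key
        return key

    def set_consent(self, consent: DataInformedConsent) -> None:
        self.consents[consent.consumer_id] = consent        # create or update
        self.audit_trail.setdefault(consent.consumer_id, []).append(
            {"event": "consent_update", "rules": len(consent.rules)})

    @staticmethod
    def sign(pkg: DataPackage, key: bytes) -> DataPackage:
        # sender side of steps 303/304: attach the signature to the package
        pkg.signature = hmac.new(key, pkg.signed_bytes(), hashlib.sha256).hexdigest()
        return pkg

    def route(self, pkg: DataPackage) -> Tuple[bool, str]:
        """Steps 306-309: verify both parties, the signature and the consent."""
        trail = self.audit_trail.setdefault(pkg.consumer_id, [])
        def decide(allowed: bool, reason: str) -> Tuple[bool, str]:
            trail.append({"event": "transaction", "sender": pkg.sender,
                          "recipient": pkg.recipient, "data_type": pkg.data_type,
                          "purpose": pkg.purpose, "allowed": allowed, "reason": reason})
            return allowed, reason
        if pkg.sender not in self.client_keys or pkg.recipient not in self.client_keys:
            return decide(False, "a party holds no certificate")       # step 306
        expected = hmac.new(self.client_keys[pkg.sender],
                            pkg.signed_bytes(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg.signature):
            return decide(False, "signature does not verify")          # step 307
        consent = self.consents.get(pkg.consumer_id)
        if consent is None:
            return decide(False, "no Data Informed Consent on file")   # step 309
        if not consent.permits(pkg.recipient, pkg.data_type, pkg.purpose):
            return decide(False, "use not covered by the consumer's consent")
        return decide(True, "forwarded to recipient")

def run_demo() -> Tuple[Dict[str, Tuple[bool, str]], DynamicDataInformedConsentSystem]:
    """Constructed scenario: physician A sends payer B data about consumer 1."""
    dic = DynamicDataInformedConsentSystem()
    key_a = dic.register_client("physician-A")
    dic.register_client("payer-B")
    dic.set_consent(DataInformedConsent("consumer-1", [ConsentRule(
        "payer-B", frozenset({"billing"}), frozenset({"claims_payment"}))]))
    def package(data_type: str, purpose: str) -> DataPackage:
        return dic.sign(DataPackage("physician-A", "payer-B", "consumer-1",
                                    data_type, purpose, "<ciphertext>"), key_a)
    out = {"billing_for_claims": dic.route(package("billing", "claims_payment")),
           "history_for_marketing": dic.route(package("medical_history", "marketing"))}
    tampered = package("billing", "claims_payment")
    tampered.purpose = "marketing"                            # altered after signing
    out["tampered"] = dic.route(tampered)
    dic.set_consent(DataInformedConsent("consumer-1", []))   # consumer revokes
    out["after_revocation"] = dic.route(package("billing", "claims_payment"))
    return out, dic
```

Every decision, allowed or not, lands in the consumer's audit trail alongside each consent update, which is what makes the consent "dynamic": the revocation takes effect on the very next package.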
  • Information Management System Data Access Example: there are numerous clients that can access the information management system IMS2.
  • the block diagram of Figure 6 illustrates an access of Information Management System 2, absent the interposed function of the Dynamic Data Informed Consent system 101 described above to regulate access to the proprietary consumer specific data. This description is intended to illustrate a typical implementation of an Information Management System IMS2 which can be cooperatively operative with the Dynamic Data Informed Consent system 101 as described above.
  • the data accessing clients include health care providers at their terminal equipment or servers S1-Sm, institutions via their terminal equipment and servers I1-Ij, and the like.
  • the various users each can use the communication network PSTN to access the information management system IMS and its analysis function, based upon the predefined class of "users", which classes can include consumers, medical practitioners, health care providers, institutions, and the like.
  • the database 400 is architected in a hierarchical manner to enable the users to access only the relevant, prepartitioned segment of the collected proprietary consumer specific data that the particular class of user is authorized to receive. Thus, the privacy of the proprietary consumer specific data is maintained by prohibiting access to this individual's proprietary consumer specific data except to users who are specifically authorized by the consumer.
  • the granularity of the proprietary consumer specific data made available to the various classes of users is selected to prevent the users from deriving information about the consumer population that they are not entitled to receive.
  • This access control is enforced by the use of a plurality of filters 403-406, each of which is architected to provide customized access to a selected one of the classes of users that can access the information management system IMS, as described below.
  • the information management system IMS comprises a database 400 that stores and manages the proprietary consumer specific data collected from the consumers.
  • the proprietary consumer specific data is typically stored in database 400 on a mass storage system to enable the associated database processors to have efficient shared access to this data.
  • the database processors include data processing algorithms 408 that operate on the proprietary consumer specific data that is collected from the individual consumers to produce additional data that is indicative of consumer specific or user specific statistics.
  • the proprietary consumer specific data may serve a multitude of inquisitors. Assigning a user-access code to each class of inquisitor easily controls the level of access and interpretation.
  • the interpretation filters 404-406 are specific to each class of user-access code. The users who are entitled to access to the system are:
  • the system database includes various data segments including, but not limited to:
  • the database management system that is operational on the database 400 comprises analytical software that includes both the commercially available database software and custom software for the specific data analysis task.
  • the software routines include, but are not limited to, the following:
  • Access Code Recognition Software 401 - verifies that the inquiring user has an operative access code, confirms the code classification and routes the user's request to an Initial Output Filter.
  • Download Acceptance Software 402 - accepts data for storage in the database and places the received data in a buffer file until the received data can be screened and processed for inclusion in the database.
  • Initial Output Filter 403 - segregates the possible array of outputs as a function of access code and query.
  • Pattern Recognition Software 407 - an artificial intelligence routine that takes the elements of a pattern and compares the pattern against known patterns to produce an analysis result within certain confidence limits.
  • Institution Query Output Filter 406 - delimits the nature of the output report to the institution.
  • FIG. 6 illustrates the communication pathways that are used in the processing of an institution query to the information management system IMS.
  • Figure 7 illustrates in flow diagram form the operation of this information management system IMS.
  • the institution activates the telecommunications software resident in the institution's personal computer 500 to establish a communication connection to the Web Site Router 200 over a standard communication connection via path (a).
  • the personal computer 500 identifies itself by transmitting the institution's Institution Access Code and a request for information to the information management system IMS.
  • the Web Site Router 200 receives the request and forwards the received query over path (b) to the database 400.
  • the database system 400 activates the access code recognition process 401, which compares the received institution access code data with institution data stored in the database 400 to verify both the nature of the requesting party (institution) and the authorization of this institution to access the services and data provided by the database 400. Once the institution is validated, the access code recognition process 401 forwards the received request over path (c) to the initial output filter 403.
  • the initial output filter 403 at step 704 determines the nature of the query, which can be a query that was selected from a set of standard queries or one constrained to a predefined format to ensure privacy of the consumer-specific data, and approves the generation of a demographic report to the institution.
  • This is accomplished at step 705 by transmitting the query that is received from the institution, in the proper format, to the AI Pattern Recognition Subroutines 407 via path (d).
  • the AI Pattern Recognition Subroutines 407 process the data resident in the Data Tables, Files and Records portion 408 of the database 400, which data is accessed via path (e).
  • the data processing retrieves the demographic data and processes the raw data that is stored in the database 400, and the AI Pattern Recognition Subroutines 407 produce a result that typically comprises a set of composite statistics.
  • the AI Pattern Recognition Subroutines 407 transmit this information via path (f) to the Institution Query Output Filter 406, which at step 708 determines the proper formatting and additional data that is needed to produce a report for the institution.
  • the Institution Query Output Filter 406 verifies that the data retrieved is not consumer-specific or of such limited scope as to compromise the privacy of the consumer-specific data.
  • This process includes a determination of the size of the sample cohort, its respective size with respect to the overall target population, the topic areas that this institution is authorized to access, the specifics of the query, and the like.
  • the Institution Query Output Filter 406 transmits this final report via path (g) to the Web Site Router 200 which forwards the report at step 710 to the institution's personal computer 500 via path (h) for viewing.
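The institution query path just described (access code recognition 401, initial output filter 403, AI pattern recognition 407 over the data tables 408, and the output filter 406's cohort-size check), as an added example over constructed records rather than the patent's own code. The access codes, topic areas, field names, the minimum cohort size of 5, and the rule that a narrowed cohort must also leave at least that many consumers outside it are assumptions.

```python
"""Institution query path of Figure 7 (access code recognition 401, initial
output filter 403, AI pattern recognition 407, institution query output
filter 406) over constructed records. Added example, not the patent's code;
access codes, topic areas and the minimum cohort size are assumptions."""
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Constructed sample: the pre-partitioned segment an institution may query
# (no identifiers, but single-record cells would still be consumer-specific).
_ROWS = [("30301", "40-49", "diabetes"), ("30301", "40-49", "diabetes"),
         ("30301", "40-49", "asthma"), ("30301", "50-59", "diabetes"),
         ("30301", "50-59", "diabetes"), ("30301", "50-59", "diabetes"),
         ("30301", "50-59", "asthma"), ("30302", "40-49", "diabetes"),
         ("30302", "40-49", "asthma"), ("30302", "50-59", "diabetes"),
         ("30302", "50-59", "diabetes"), ("30302", "50-59", "asthma")]
RECORDS = [{"zip": z, "age_band": a, "dx": d} for z, a, d in _ROWS]

# Institution Access Code -> (user class, topic areas it is authorized for).
ACCESS_CODES: Dict[str, Tuple[str, Set[str]]] = {
    "INST-0001": ("institution", {"zip", "age_band", "dx"}),
    "INST-0002": ("institution", {"zip", "age_band"}),
}
STANDARD_QUERIES = {"count_by"}   # predefined query formats the filter accepts
MIN_COHORT = 5                    # assumed smallest cohort that may be reported


def access_code_recognition(code: str) -> Optional[Tuple[str, Set[str]]]:
    """Routine 401: an operative code yields its classification and topics."""
    return ACCESS_CODES.get(code)


def initial_output_filter(topics: Set[str], query: dict) -> Optional[str]:
    """Step 704 (routine 403): admit only standard queries that stay within
    the institution's topic areas; returns the rejection reason, else None."""
    if query.get("type") not in STANDARD_QUERIES:
        return "query is not one of the standard queries"
    used = {query["group_by"], *query.get("where", {})}
    if not used <= topics:
        return "query touches topic areas this institution is not authorized for"
    return None


def aggregate(query: dict) -> Counter:
    """Step 705 onward (routine 407 over 408): composite statistics per cell."""
    where = query.get("where", {})
    cohort = [r for r in RECORDS if all(r[k] == v for k, v in where.items())]
    return Counter(r[query["group_by"]] for r in cohort)


def institution_query_output_filter(counts: Counter, query: dict) -> Tuple[str, dict]:
    """Step 708 (routine 406): withhold output that is consumer-specific or of
    such limited scope that it would compromise the consumers' privacy."""
    cohort = sum(counts.values())
    if cohort < MIN_COHORT:
        return "suppressed", {}                 # cohort too small to report
    # Assumed rule: a cohort that is nearly the whole population singles out
    # the remainder, so the complement must also reach the minimum size.
    if query.get("where") and len(RECORDS) - cohort < MIN_COHORT:
        return "suppressed", {}
    report = {k: (n if n >= MIN_COHORT else f"<{MIN_COHORT}") for k, n in counts.items()}
    return "ok", report


def handle_institution_query(code: str, query: dict) -> dict:
    """Paths (a) to (h): the full pipeline for one institution request."""
    identity = access_code_recognition(code)
    if identity is None:
        return {"status": "unauthorized"}
    user_class, topics = identity
    rejection = initial_output_filter(topics, query)
    if rejection:
        return {"status": "rejected", "reason": rejection}
    status, report = institution_query_output_filter(aggregate(query), query)
    return {"status": status, "user_class": user_class, "report": report}
```

Small cells are reported as a threshold rather than dropped, so the institution still learns the shape of the distribution without being able to count down to individual consumers.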
  • the information management system IMS includes a download acceptance process 402 that receives data that is transmitted to the information management system IMS and stores the data via path (x) in a temporary file, termed "data on hold" 409, until the data can be validated.
  • the validation process comprises a review of the format and content of the data to prevent bogus data from corrupting the integrity of the database 400.
  • the user identification information as well as the associated data is screened for data usability and associated demographic information. The proper formatting of the data is verified and then the received data is stored in the data on hold file 409.
  • FIG. 5 illustrates in block diagram form the structure of the Dynamic Data Informed Consent Domain.
  • the consumer has a one to one mapping to a Data Informed Consent, since the Dynamic Data Informed Consent system maintains a single Data Informed Consent for each consumer.
  • the Data Informed Consent is mapped to up to n clients, although at any time there may be no clients authorized under the consumer's Data Informed Consent.
  • the consumer has a one to one correspondence to an audit trail file maintained by the Dynamic Data Informed Consent system.
  • the audit trail file is mapped to up to n Data Informed Consent Updates, although at any time there may be no Data Informed Consent Updates authorized under the consumer's Data Informed Consent.
  • the Data Informed Consent Updates are mapped to up to n clients, although at any time there may be no clients authorized under the consumer's Data Informed Consent Updates.
  • the consumer's audit trail file is mapped to up to n Health Information Transactions, although at any time there may be no Health Information Transactions authorized under the consumer's Data Informed Consent.
  • each Health Information Transaction is mapped to up to n transmitting and n receiving clients, although at any time there may be no clients authorized under the consumer's Data Informed Consent.
  • Client use cases are uses that may require internal dynamic Data Informed Consent controls.
  • each consumer, via the Dynamic Data Informed Consent system's Data Informed Consent mechanism, has authorized a health care company (e.g., a hospital) to use their proprietary consumer specific data internally.
  • uses may include sending clinical laboratory or X-ray data to the patient's record, compilation of admission, discharge and transfer (ADT) data for billing purposes (ICD-9 and CPT codes), sending clinical data for in-house pharmacy use, providing clinical data to and for exchange among treating physicians under hospital contract, etc.
  • Consent management examples include those entities that provide partially or fully integrated health care delivery (e.g., when a physician group owns a hospital and associated laboratory, surgical center, clinic, etc., under the umbrella of a single business entity; or a fully integrated [payer + provider] entity).
  • Data Informed Consent is a given, though internal granularity of authorized data movement may be governed under a broader Data Informed Consent, together with a PKI/Digital Certificate set of controls and with appropriate security/privacy policy and procedures.
  • any proprietary consumer specific data transferred out of the entity to any other party would automatically default to full PKI/Data Informed Consent compliance monitoring by the Dynamic Data Informed Consent system's external, Web-based system.
  • different levels of authorization are likely to be operative in the integrated delivery environment. For example, separate Digital Certificate and Data Informed Consent constraints might be applied to: provider to provider exchange of clinical data; other client company personnel processing of personalized health care data; new uses of data such as outcome research or pharmacy benefits analysis.
  • Uses That Involve Dynamic Data Informed Consent Controls:
  • the Dynamic Data Informed Consent system's Data Informed Consent manages the traffic on the PKI by checking data for Data Informed Consent compliance as it is routed through the Dynamic Data Informed Consent system Data Center.
  • the actual processing performed by the Data Informed Consent module is transparent to the transacting parties (provider and payer). Each of them uses the Dynamic Data Informed Consent system PKI and their respective Digital Certificates to package, encrypt and then unlock the data. Data Informed Consent management takes place en route.
  • Dynamic Data Informed Consent Controls by Clients: personalized health care data may legitimately be used outside the scope of health care operations for research, for market assessment, for direct marketing, for public health reporting, for law enforcement purposes, for quality assessment of care delivery, etc. Aside from public health reporting and law enforcement, where separate disclosure is mandated by law, every use of personalized health data beyond the context of healthcare operations must be sanctioned (authorized) by those to whom the data pertains.
  • the Dynamic Data Informed Consent system accommodates these special use cases via its dynamic Data Informed Consent offering.
  • Dynamic Data Informed Consent System Administrative Use Cases: typical examples of the use of the Dynamic Data Informed Consent system include, but are not limited to, the functions listed herein:
  • the consumer's component of the Data Informed Consent application is installed in a manner similar to common consumer applications for personal computers. Default values for all installation parameters are provided to effect a correct installation on a personal computer with sufficient disk space, an Internet connection, and no other application programs running on the computer at the time of installation.
  • a program for uninstalling the Data Informed Consent application is also installed on the personal computer during the Data Informed Consent application's installation. The consumer is able to remove the Data Informed Consent application from the computer using this program.
  • the installation program removes all installed and partially installed components of the Data Informed Consent application from the computer.
  • the client workers' component of the PKI/Data Informed Consent application is installed in a manner similar to common business-office software. It is possible for system administrators to install the application on workers' computers from a central server, or on the target computer directly. Installation and uninstallation may require administrative privileges.
  • the Dynamic Data Informed Consent system enables consumers to govern the flow of their personal data regardless of the nature of the information. The consumer can define a set of data access rules which designate the client companies who have access to the consumer's personal data and the particular segments of that personal data to which each client company is entitled.
  • the Data Informed Consent is dynamic in that the consumer can use their Digital Certificate at any time to access and modify their Data Informed Consent provided to the Dynamic Data Informed Consent system.


Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US43033199A 1999-10-29 1999-10-29
US430331 1999-10-29
PCT/US2000/041623 WO2001033936A2 (en) 1999-10-29 2000-10-26 System for providing dynamic data informed consent to provide data privacy and security in database systems and in networked communications

Publications (1)

Publication Number Publication Date
EP1226524A2 true EP1226524A2 (de) 2002-07-31

Family

ID=23707076

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00990451A Withdrawn EP1226524A2 (de) 1999-10-29 2000-10-26 System zum ermöglichen eines informierten datenkonsensus für datengeheimhaltung und sicherheit in datenbanksystemen und in vernetzten kommunikationen

Country Status (4)

Country Link
EP (1) EP1226524A2 (de)
AU (1) AU2747801A (de)
CA (1) CA2389443A1 (de)
WO (1) WO2001033936A2 (de)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11423052B2 (en) 2017-12-14 2022-08-23 International Business Machines Corporation User information association with consent-based class rules
DE102023109178B3 (de) 2023-04-12 2024-08-29 Roche Diagnostics Gmbh System und Verfahren zur Speicherung von Daten, insbesondere von personenbezogenen Daten

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6829591B1 (en) 1999-04-12 2004-12-07 Pitney Bowes Inc. Router instruction processor for a digital document delivery system
AU2001255859A1 (en) * 2000-04-18 2001-10-30 Wayport, Inc. System and method for managing user demographic information using digital certificates
GB2366051B (en) * 2000-05-02 2005-01-05 Ibm Method, system and program product for private data access or use based on related public data
GB0101131D0 (en) * 2001-01-16 2001-02-28 Abattia Group Ltd Data protected database
EP1417555A2 (de) 2001-06-18 2004-05-12 Daon Holdings Limited Ein elektronischer datentresor zur bereitstellung von biometrisch gesicherten elektronischen unterschriften
EP1428102A4 (de) * 2001-09-06 2009-08-26 Mastercard International Inc Verfahren und einrichtung für kontrolle durch verbraucher über persönliche daten
CA2358129A1 (en) * 2001-10-02 2003-04-02 Wmode Inc. Method and system for delivering confidential information
FI114956B (fi) * 2001-12-27 2005-01-31 Nokia Corp Menetelmä palvelun käyttämiseksi, järjestelmä ja päätelaite
JP4509930B2 (ja) 2002-10-17 2010-07-21 ヴォウダフォン・グループ・ピーエルシー トランザクションの容易化および認証
US7921020B2 (en) 2003-01-13 2011-04-05 Omnicare Inc. Method for generating medical intelligence from patient-specific data
GB2406925B (en) * 2003-10-09 2007-01-03 Vodafone Plc Facilitating and authenticating transactions
US7522751B2 (en) 2005-04-22 2009-04-21 Daon Holdings Limited System and method for protecting the privacy and security of stored biometric data
US8560456B2 (en) 2005-12-02 2013-10-15 Credigy Technologies, Inc. System and method for an anonymous exchange of private data
WO2008144532A1 (en) * 2007-05-18 2008-11-27 Securities Reports Streamlined Llc Managing sales of securities and financial data
US8935804B1 (en) 2011-12-15 2015-01-13 United Services Automobile Association (Usaa) Rules-based data access systems and methods
US9582680B2 (en) 2014-01-30 2017-02-28 Microsoft Technology Licensing, Llc Scrubbe to remove personally identifiable information
FR3021140B1 (fr) * 2014-05-15 2017-10-13 Conseil Nat De L'ordre Des Pharmaciens Connexion securisee a un systeme d'information partage de sante
US10754932B2 (en) * 2017-06-29 2020-08-25 Sap Se Centralized consent management
US11232403B2 (en) 2017-12-08 2022-01-25 Beatrice T. O'Brien Computerized network system for initiating, facilitating, auditing, and managing communications and documents involving professional expertise
US10637900B2 (en) 2017-12-08 2020-04-28 Beatrice T. O'Brien Computerized network system for initiating, facilitating, auditing, and managing communications and documents involving professional expertise
EP3644246A1 (de) 2018-10-26 2020-04-29 Tata Consultancy Services Limited Verfahren und system zur erzeugung von zustimmungsempfehlungen
JP2022553883A (ja) 2019-10-21 2022-12-26 ユニバーサル エレクトロニクス インコーポレイテッド クライアント動作を有する同意管理システム

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9010603D0 (en) * 1990-05-11 1990-07-04 Int Computers Ltd Access control in a distributed computer system
US5758257A (en) * 1994-11-29 1998-05-26 Herz; Frederick System and method for scheduling broadcast of and access to video programs and other data using customer profiles
WO1997026729A2 (en) * 1995-12-27 1997-07-24 Robinson Gary B Automated collaborative filtering in world wide web advertising
WO1999001834A1 (en) * 1997-07-02 1999-01-14 Coueignoux, Philippe, J., M. System and method for the secure discovery, exploitation and publication of information
US6253203B1 (en) * 1998-10-02 2001-06-26 Ncr Corporation Privacy-enhanced database

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0133936A2 *


Also Published As

Publication number Publication date
WO2001033936A2 (en) 2001-05-17
WO2001033936A3 (en) 2001-12-13
CA2389443A1 (en) 2001-05-17
AU2747801A (en) 2001-06-06


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020424

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

17Q First examination report despatched

Effective date: 20080320

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20090501