JP2009245367A - Information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To disclose data accumulated by a plurality of service providing facilities except personal information, and to provide a new service. <P>SOLUTION: The information management system composed of a plurality of first apparatuses each installed in each of service providing facilities and equipped with a first database for registering personal information; and a second apparatus for receiving data representing the content of service from the first apparatus and registering it to a second database. The second apparatus includes: a means for registering data on the content of service received from the first apparatus to the second database in association with service content identification information, and registering user identification information in association with the service content identification information; and a means for retrieving any one or combinations of the service content data corresponding to a retrieval condition of a retrieval request received from the first apparatus, the service content identification information, and the user identification information. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information management system that enables a service provider that implements a health management service, an inspection service, etc. to refer to the results of the service performed by other service providers without disclosing personal information. is there.

Biological information such as health management information such as height, weight, blood pressure, blood glucose level, and genetic information such as gene sequence and type, is very valuable information for knowing one's own state. However, if they are combined with personal information other than biometric information such as name, address, telephone number, and e-mail address that can identify an individual, it will be treated as sensitive information.
According to the Act on the Protection of Personal Information, “In this law,“ Personal information ”refers to information about a living individual, and identifies a specific individual based on the name, date of birth, and other descriptions contained in the information. (Including those that can be easily collated with other information, thereby identifying a specific individual). ".

  On the other hand, regarding sensitive information, according to JIS Q 15001, (1) Matters concerning philosophy, creed, and religion, (2) Race, ethnicity, gate, permanent address (excluding information on the prefecture where it is located), body and spirit. Disability, criminal record and other matters that cause social discrimination. (3) Matters concerning workers' right to organize, collective bargaining and other acts of collective action. (4) Matters concerning participation in group demonstrations, exercise of petition rights, and exercise of other political rights. (5) Some items such as health care and sex life are listed. There are other things that can be sensitive information (sensitive information), and genetic information, appearance, and hobbies may also be applicable, but there is currently no clear definition.

  However, leakage of sensitive information may cause serious damage to the person's social life based on the information. In addition, when personal information is acquired together with information that does not change throughout the life, such as genetic information, it may lead to providing information with a tremendous risk for individuals to businesses, and such information is handled. In particular, you need to be careful.

  From this point of view, the “Guidelines for the Protection of Personal Information in the Business Fields Using Personal Genetic Information in the Economic and Industrial Fields” prohibits the acquisition or use of sensitive information, unless it is based on personal genetic information used in the business and laws. However, many local governments with personal information protection regulations have established regulations on sensitive information. In addition, the “European Parliament and EU Council Directive (EU Directive) on the protection and free distribution of individuals concerning the processing of personal data” states that “Member states are racial, ethnic, political views, religions, thoughts. , Processing of personal data that leaks information about the feelings and membership of the labor union, or data processing of health or sex life is prohibited. " As described above, since there are various restrictions on handling of sensitive information, it is not only a big burden to deal with these, but it may be difficult to provide a service using sensitive information.

As a document related to the present invention, there is the following Patent Document 1.
JP 2003-216740 A

  As described above, in order to provide a confidential and secure service using sensitive information, “personal information” and “information that becomes sensitive information when associated with personal information (quasi-sensitive information)” are separated. However, it is important to manage the data so that it does not correspond. In actual operation, it is preferable to separate the first database for storing personal information from the second database for storing semi-sensitive information. In addition, by controlling the information that can be browsed for each viewer, and by preventing personal information and semi-sensitive information from corresponding to each other, providing necessary services without handling sensitive information that can identify individuals It is necessary to be able to do that.

  However, even if personal information and semi-sensitive information are actually separated, the service provided by the service providing mechanism remains within the range of data accumulated by the individual service providing mechanism. For example, refer to data accumulated by other service providing organizations. As a result, there is a problem that a new service cannot be provided to the user.

  The object of the present invention is to provide a new service by making it possible to refer to data accumulated by a plurality of service providing organizations without disclosing personal information when providing various services such as health management, inspection, and health consulting. It is to provide an information management system that enables provision.

In order to achieve the above object, an information management system according to the present invention is installed in each of a plurality of service providing organizations, accepts service provision requests from users, and registers personal information such as user names in a first database. A plurality of first devices, and a second device that receives data representing service contents provided to users by each of the plurality of service providing organizations from the first device and registers the data in a second database. A configured information management system comprising:
The first device comprises:
When registering service content data to be provided to a user in the second database of the second device, user identification information and service content identification information relating to the service content data are added to the second device. And means for transmitting a search request for data registered in the second database to the second device,
The second device comprises:
Means for registering service content data received from the first device in association with service content identification information in the second database and registering the user identification information and service content identification information in association with each other; An information management system comprising: means for retrieving any one or a combination of service content data, service content identification information, and user identification information corresponding to a search condition of a search request received from the first device. .
In addition, the second device is
In response to the search request from the first device, the browsing control table is referred to, and the item of the service content data corresponding to the browsing prohibition item set in advance in the browsing control table is excluded, and the first device of the search request source It is further characterized by further comprising means for replying to
In addition, the second device is
In response to the search request from the first device, when the semi-sensitive information is returned to the first device, the user identification information associated with the semi-sensitive information is imitated and returned to other user identification information. The apparatus further comprises means.
Further, the browsing control table is provided for each of the plurality of service providing organizations.
In addition, the first device is
When registering service content data for semi-sensitive information received from the second device in the second database, the service content identification information and the forged user identification information are added to the service content data. Means for transmitting to two devices,
The second device comprises:
Of the service content data received from the first device and the forged user identification information, the forged user identification information is restored to the user identification information before forgery, and the restored user identification information and service content identification information are restored. The apparatus further comprises means for associating the service content data and registering it in the second database.
Alternatively, in order to achieve the above object, an information management system according to the present invention is installed in each of a plurality of service providing organizations, receives service provision requests from users, and stores personal information such as user names in a first database. A first device for registering information other than the personal information in a second database, and a third device for registering data representing service contents to a user by a service provider And an information management system comprising a fourth device for transmitting data other than the personal information of the user,
When the data transmitted from the third device and the fourth device is registered in the second database of the second device, the data is associated with the user identification information and the service content identification information in the second database. With means to register,
The third device comprises:
The service content data received from the third device and the fourth device is registered in the second database in association with user identification information and service content identification information, and the user identification information and service content identification are registered. Means for associating and registering information; means for searching for data other than service content data and personal information corresponding to a search condition of a search request received from the first device; and the second device,
An information management system comprising means for controlling items that can be browsed for each service providing organization.
In addition, the second device is
In the case where the semi-sensitive information is returned to the third device, the information processing apparatus further includes means for forging and returning the user identification information associated with the semi-sensitive information to other user identification information.
In addition, the third device is
When registering service content data for semi-sensitive information received from the second device in the second database, the counterfeit user identification information and service content identification information are added to the service content data. Means for transmitting to two devices,
In addition, the second device is
Of the service content data and the counterfeited user identification information received from the third device, the counterfeited user identification information is restored to the user identification information before forgery, and the restored user identification information and service content identification information are restored. The apparatus further comprises means for associating the service content data and registering it in the second database.

According to the present invention, when a service providing organization provides various services such as health management, inspection, and health consulting, service content identification information is added and registered for each service content data, and each service content is identified. Since information is registered in association with user identification information, by specifying user identification information or service content identification information as a search condition, each of a plurality of service providing organizations can register service contents registered by other service providing organizations. It can be searched and referred to, and a new service can be provided from the service content.
The service in the present invention refers to accepting data such as specimens or health check results from the user, performing inspection, analysis, appraisal, evaluation, etc. on the accepted goods or data, and obtaining the results from the user. Is provided as a service for Specific examples include a service for testing genes and body measurement information, and a service for acquiring and storing body measurement information via devices, etc. The form used for is considered.
Further, the service content identification information may be generated each time on the system side or may be generated in advance, but any form may be used in the present invention.

The best mode for carrying out the present invention will be described below in detail with reference to the drawings.
FIG. 1 is a system configuration diagram showing the overall configuration of an embodiment of an information management system according to the present invention.
This system includes a user computer 102 composed of a personal computer used by a user 101 who receives a service such as physical information measurement, and a personal information DB 1031, and accepts a test request (service request) for a specimen from the user 101. An information management organization that includes a service provider server 103 and a management information database 1041 respectively owned by a plurality of service providers that perform inspections, and stores inspection result data separately from personal information such as user names 104 and a plurality of inspection devices 105, which are connected via a network.

FIG. 2 is a block diagram showing the configuration of the service provider server 103 and the management provider server 104.
The service provider server 103 is a service ID issuing unit 1032 for issuing a service ID for each service content in response to an identification information issuance request for each service content from a user computer or the like, and personal information for managing personal information in the personal information DB 1031 The management unit 1033, the data display unit 1034 that displays the retrieved sub-sensitive information, the data output unit 1035 that transmits data such as advice for the sub-sensitive information, etc. to the management company server 104, and the management information DB 1041 according to the search conditions. The data search unit 1036 for searching for data and the test data input unit 1037 for inputting test data from the test room 1038 are configured. At this time, the service provider server may have the personal information management unit 1033 portion separated.

  The management company server 104 transmits and receives data to and from the user management unit 1042 and service management unit 1043 that manage the user ID and password, service ID and service password for each user registered in the management information DB 1041, and the user computer 102. The user side data input / output unit 1044, the information management unit 1045 for managing the service content data registered in the management information DB 1041, and the semi-sensitive information when providing the semi-sensitive information to the service provider side or the user side. In order to conceal who the information belongs to, the ID conversion information management unit 1046 that forges the user ID added to the semi-sensitive information to another user ID, and data transmission / reception with the service provider server 103 An operator side data input / output unit 1047 is provided.

FIG. 3 is a block diagram showing the internal configuration of the user computer 102 and the measuring device 105.
The user computer 102 includes a data input unit 1021 that inputs a user ID, a user password, and the like to the management company server 104, and a display unit 1022 that displays data such as search results received from the management company server 104. Yes.
The measuring device 105 includes a data output unit 1051 that transmits semi-sensitive information such as the height and weight of the measurement result to the management company server 104.

FIG. 4 shows an example of user personal information registered in the personal information DB 1031 of the service provider server 103. Each user is given a unique user ID 401, and a name 402 is assigned to each user ID. , Information such as an address 403, a telephone number 404, and other information 405 is registered.
This personal information is input by the user himself or his / her staff from the window terminal when making a service provision request to the window organization of the service provider server 103.
The user ID is automatically generated by the user management unit 1042 of the management company server 104 at the stage when the input of personal information such as the user's address and name is completed, and is displayed on the window of the window terminal to notify the user. It is. The user management unit 1042 registers the personal information in the personal information DB 1031 in association with the user ID.

FIG. 5 shows an example of a user ID and a user password registered in the management information DB 1041 of the management company server 104, and an example of a service ID and a service password.
The user ID and the user password are obtained by transmitting the user ID and the password determined by the user from the user computer 102 to the service provider server 103 after the user acquires the service ID from the service provider server 103. The management unit 1042 is registered in the management information DB 1041. This user ID and user password are used when user authentication of the user computer 102 is performed.
The service ID and service password are used when registering inspection results such as height and weight using the inspection device 105.

The service provider server 103 generates a service ID and a service password for each inspection device. The generated service ID and service password are transmitted to the service management unit 1043 of the management provider server 104 and registered in the management information DB 1041. At this time, the service ID may be generated by the management company server.
The user registers the service by associating the service ID corresponding to the corresponding user ID. The user performs inspection or measurement using the inspection device 105 and transmits the result together with the service ID to the management company server 104. The management company server 104 searches the user management unit 1042 to find out whether the corresponding service ID is registered, and if it is registered, registers the measurement result in the management information DB 1041. The registered result can be browsed on the screen of the user computer 102. Thereby, the user can continuously accumulate measurement results using the inspection device 105 in the management information DB 1041. The service ID may be used together with the device unique ID. In addition, a device unique ID may be used instead of the service ID.

FIG. 6 shows an example of the user ID and service ID registered in the management information DB 1041 and the service ID and service information.
In the present invention, a unique service ID is assigned to each service provided to the user. The service ID is associated with the user ID of the user who provides the service and registered in the management information DB 1041.
In addition, service information as service contents is registered in the management information DB 1041 in association with the service ID.
In the example of FIG. 6, it is shown that three services are provided to the user with the user ID = 100001, and the contents are found by browsing the service information associated with the service ID.

FIG. 7 is a diagram showing the contents of the conversion ID table 70 used when the user ID is forged.
This conversion ID table 70 is a user added to semi-sensitive information in order to conceal who the semi-sensitive information belongs when providing semi-sensitive information to the service provider side or the user side. It is used to forge an ID to another user ID.
In this example, the user ID = 1003 is converted to the conversion ID = 1137454 and forged.

FIG. 8 shows an example of semi-sensitive information registered in the management information DB 1041.
This example shows that semi-sensitive information such as age, genetic information, and height is registered for each service ID.
This semi-sensitive information is data of service contents that provide the result of the examination of the user's sample as a service to the user.

FIG. 9 is a diagram illustrating an example of a browsing control table for controlling data that can be browsed by user and by service provider.
In the per-user browsing control table 90 of FIG. 9A, items for prohibiting browsing of genetic information, body measurement information, and other information are set for each user ID.
For example, it is set to prohibit browsing of “gene information 3” for the user with user ID = 100001.
Which items are prohibited from being browsed is designated from the user computer 102 by each user 101 from the viewpoint of self-defense.
In the browsing control table 91 for each service provider in FIG. 9B, items for prohibiting browsing of gene information, body measurement information, and other information are set for each provider ID.
For example, for the service provider with the provider ID = J00001, it is set to prohibit browsing of “gene information 3” and “sight”.
Which items are prohibited from being browsed is set by the administrator of the management company server 104. For example, an operation is performed in which the number of browsing prohibited items is increased or decreased according to a contract between the management company and the service company.

Here, when the user 101 intends to receive a service such as physical information measurement, the user 101 requests an examination request from a staff of a window terminal (not shown) of the service provider server 103. Then, the clerk causes the user 101 to operate the window terminal and input personal information such as the subject's address and name. When the input of personal information is completed, the window terminal automatically generates unique identification information (hereinafter referred to as user ID), displays it on the screen, notifies the subject, and associates the user ID with the personal information. Register in the management information DB 1041.
When the user registration is completed, the attendant at the window terminal gives a sample collection device (not shown) for measuring physical information to the user 101. Service content identification information (service ID) is preprinted on the sample collection device.
The user stores the sample in the sample collection device and submits it to the service provider's window. The service provider transfers the sample collection instrument containing the sample to the examination room 1038, performs the examination, adds the service ID as semi-sensitive information, and transmits the result to the management company server 104.

In the above configuration, the process from when the user 101 makes a service provision request (inspection request) to browsing the inspection result will be described with reference to the sequence diagram of FIG.
First, the user 101 makes a service provision request for body measurement information such as his / her own gene to the counter staff of the service provider server 103 (step 1001).
Upon receipt of the service provision request, the window clerk performs user registration processing (step 1002) and causes the user 101 to operate the window terminal (not shown) to input personal information such as the user's address and name. When the input of personal information is completed, the service provider server 103 automatically generates a unique user ID, displays it on the screen and notifies the user, and associates the user ID with the personal information and stores the personal information. Register in the DB 1031.
FIG. 4 shows an example of registration of personal information.

When the user registration is completed, the window clerk hands the sample collection device for measuring physical information to the user 101 (step 1003). A service ID for identifying the service contents is printed in advance on this sample collection device.
The user stores the sample in the sample collection device and submits it to the service provider window staff (step 1004). The clerk transfers the sample collection device containing the sample to the examination room 1038 and performs the examination (step 1005).
The inspection apparatus in the inspection room 1038 adds the service ID to the inspection result data and transmits it to the management company server 104 (step 1006).

The management company server 104 registers the inspection result data (service content data) and the service ID in the management information DB 1041 (step 1007). The registered contents of the management information DB 1041 at this time are as shown in FIG.
Next, if a user ID and a service ID are input by the user by a browsing operation (result confirmation operation) in the user computer 101 and transmitted to the management provider server 104 (step 1008), the input service ID Is additionally registered in the group having the same user ID as the input user ID (step 1009).
In this case, if a service ID group having the same user ID as the input user ID does not exist, a new group is created.
As a result, for example, when the service ID group with the user ID = 10001 is not present, a new registration area for the service ID group with the user ID = 10001 is secured as shown in FIG. The service ID = 900001 input from the user computer 102 is registered.

Thereafter, when registering other inspection result data of the same user ID, the service ID of the inspection result data is additionally registered in the service ID group of the same user ID. An example of this is shown in FIG.
When the registration of the service ID is completed, the management company server 104 searches the inspection result data registered in the management information DB 1041 in association with the same service ID as the service ID (step 1010), and the user It transmits to the computer 102 (step 1011).
The user computer 102 displays the received inspection result data on the display screen (step 1012).

Thus, the user can sequentially add and register a plurality of types of inspection result data to the initially registered inspection result data.
When browsing, if only a user ID is specified, inspection result data corresponding to all service IDs registered in association with the user ID are retrieved and displayed.
When only the service ID is designated, the inspection result data corresponding to only the service ID is retrieved and displayed.

FIG. 12 is a sequence diagram showing a process when the measurement result of the inspection device 105 is registered as semi-sensitive information (service data) in the management information DB 1041.
When registering the measurement result of the inspection device 105 as service data in the management information DB 1041, first, measurement objects such as weight and height are measured (step 1201), and the service ID is added to the measurement result data to check the inspection device 105. To the user-side data input / output unit 1044 of the management provider server 104 (step 1202).
The user-side data input / output unit 1044 of the management company server 104 transfers the received measurement result data to the information management unit 1045 and registers it in the management information DB 1041 in association with the service ID (step 1203).
Note that, as described above, authentication is performed as to whether or not the inspection device 105 is registered in advance by the service password.

FIG. 13 is a sequence diagram showing processing in the case where user semi-sensitive information (service data) is registered in the management information DB 1041 from the user computer 102.
When registering semi-sensitive information of a user from the user computer 102 in the management information DB 1041 as service data, first, a user ID and user password are input to the user side input / output unit of the management provider server 104 by a login operation (step 1301). It transmits to 1044 (step 1302).
The user side input / output unit 1044 transfers the received user ID and user password to the user management unit 1042 (step 1303).
The user management unit 1042 performs user authentication by checking whether the received user ID and user password are registered in advance in the management information DB 1041 (step 1304).
Then, the authentication result is returned to the user side input / output unit 1044 (step 1305). If the user ID and the user password are not registered in advance, the user side input / output unit 1044 transmits an error message to the user computer 102 (steps 1306 and 1307) to display an error ( Step 1308).

If the user ID and user password are registered in advance, a user authentication success message is transmitted to the user computer 102 (step 1309).
Therefore, the user computer 102 transmits semi-sensitive information measured by the user (step 1310). In this case, the semi-sensitive information is transmitted with the service ID and user ID added.
The user side input / output unit 1044 transfers the received semi-sensitive information to the information management unit 1045 (step 1311).
The information management unit 1045 registers the received semi-sensitive information in the management information DB 1041 in association with the service ID, and registers the service ID in association with the user ID (steps 1312 and 1313).

FIG. 14 is a sequence diagram showing search processing when searching for data registered in the management information DB 1041 from the user computer 102.
When retrieving data registered in the management information DB 1041 from the user computer 102, first, a user ID and a user password are transmitted to the user side input / output unit 1044 of the management provider server 104 by a login operation (step 1401) ( Step 1402).
The user side input / output unit 1044 transfers the received user ID and user password to the user management unit 1042 (step 1403).
The user management unit 1042 performs user authentication by checking whether the received user ID and user password are registered in advance in the management information DB 1041 (step 1404).
Then, the authentication result is returned to the user side input / output unit 1044 (step 1405). If the user ID and the user password are not registered in advance, the user side input / output unit 1044 transmits an error message to the user computer 102 (steps 1306 and 1307) to display an error ( Step 1408).

If the user ID and user password are registered in advance, a search condition input screen is transmitted to the user computer 102 (step 1409).
Therefore, the user computer 102 inputs a desired search condition on the displayed search condition input screen (step 1411) and transmits it to the user side input / output unit 1044 (step 1412).
The user side input / output unit 1044 transfers the received search condition to the information management unit 1045 (step 1413).
The information management unit 1045 searches the management information DB 1041 for data corresponding to the search condition (step 1414), and transfers the result data to the user side input / output unit 1044 (step 1416).
The user input / output unit 1044 refers to the browsing control information table 90 in FIG. 9 (step 1417), and checks whether there is data of items that are prohibited from browsing in the search result data. Is masked to make the corresponding data invisible (step 1418) and transmitted to the user computer 102 (step 1420).
Instead of performing the masking process, data that is prohibited from being viewed may be excluded from the search condition and searched.

FIG. 15 is a diagram showing an example of the inspection result, and FIG. 15A shows an example in which a search is made to search for a service ID associated with user ID = 100001 as a search condition. A plurality of corresponding service IDs are displayed on the result screen.
As a result, the service ID already provided by the user with the user ID = 100001 is determined.
Therefore, when a search is performed using the service ID as a search condition, as shown in FIG. 15B, the quasi-sensitive information associated with the service ID is searched and displayed on the search result screen.

FIG. 16 is a sequence diagram showing search processing when searching for data registered in the management information DB 1041 from the service provider server 103 side.
When searching for data registered in the management information DB 1041 from a terminal (not shown) attached to the service provider server 103, first, a search condition input screen is displayed (step 1601), and a desired search condition is input (step 1601). Step 1602), and transmits it to the provider side input / output unit 1047 (Step 1603).
The provider side input / output unit 1047 transfers the received search condition to the information management unit 1045 (step 1604).

The information management unit 1045 searches the management information DB 1041 for data corresponding to the search condition (step 1605), and transfers the result data to the provider side input / output unit 1047 (step 1416).
The provider side input / output unit 1047 checks whether or not the search result data includes the user ID (step 1607), and if included, the user ID is set according to the setting of the conversion table 70 of FIG. It is converted into a conversion ID and forged (step 1608).
Next, the provider-side input / output unit 1047 refers to the browse control information table 91 for each provider in FIG. 9 (step 1609), and whether there is data of items that are prohibited from browsing in the search result data. If there is, mask processing for making the corresponding data invisible is performed (step 1610) and transmitted to the user computer 102 (step 1611).
Instead of performing the masking process, data that is prohibited from being viewed may be excluded from the search condition and searched.

FIG. 17 is a diagram showing an example of the inspection result, and FIG. 17A shows an example in the case where it is designated as a search condition to search for the service ID associated with the user ID = 100001. A plurality of corresponding service IDs are displayed on the result screen.
As a result, the service ID already provided by the user with the user ID = 100001 is determined.
The search result in this case also includes a service ID registered by another service provider. Therefore, when a search is performed using the service ID as a search condition, as shown in FIG. 17B, semi-sensitive information associated with the service ID is searched and displayed on the search result screen. That is, it becomes possible to refer to services provided to users by other service providers.
FIG. 17C shows an example when “user ID having semi-sensitive information whose blood glucose level is xxx or more” is designated as a search condition.
According to this example, a plurality of user IDs having semi-sensitive information whose blood sugar level is xxx or more are searched.

  The service provider creates product advertisement data for the user having the user ID of the search result, and transmits it to each service provider server 103. Each service provider server 103 searches whether the user ID added to the advertisement data is registered in its own personal information DB 1031. If it is registered, the corresponding personal information is extracted and specified by address and name. Advertising data is sent by post or e-mail to users.

FIG. 18 is a sequence diagram illustrating an advice information input process when providing, as a service, advice information such as dietary habits improvement for semi-sensitive information registered in the management information DB 1041 from the service provider server 103.
When inputting advice information such as dietary habits improvement for semi-sensitive information registered in the management information DB 1041, the data output unit 1035 of the service provider server 103 displays an advice information input screen on the data display unit 1034 (step 1801). Then, the service ID of the advice information is input on the advice information input screen (step 1802), and advice information such as dietary improvement for the sensitive information of the service ID is input to a doctor or a dietitian (step 1803).
In this case, the service ID of the advice information that has been issued in advance by the service ID issuing unit 1032 is used.

The data output unit 1035 adds the service ID to the input advice information and transmits it to the provider side data input / output unit 1047 of the management provider server 104 (step 1804).
In this case, when the semi-sensitive information of the user to be advised is the user ID forged by the conversion ID, the conversion ID is added and transmitted.
The provider side data input / output unit 1047 transfers the received data to the information management unit 1045 (step 1805).
When the conversion ID is added, the information management unit 1045 restores the original user ID (step 1806), registers the service ID in the management information DB 1041 in association with the user ID, and provides advice information in the service ID. The association is registered (step 1807).
If the registration is completed, a registration completion notification is returned to the service provider server 103 via the provider data input / output unit 1047 (steps 1808 and 1809), and a registration completion message is displayed.

FIG. 19 shows an example of a browsing screen displayed on the user computer 102.
The browsing screen is displayed after the subject logs in with the user ID 201 and the password. On this screen, in addition to semi-sensitive information such as genetic information of users, service information advised by consulting service providers is displayed as a list, and detailed advice information can be viewed by selecting each item. Can be done.
It is also possible to display an optimal recommended service from genetic information and health management information.
The initial value of the evaluation result displayed in the health management information is set by genetic information and the current health management data. However, by changing the evaluation according to the degree of improvement, the health management willingness will be enlightened. Is possible.

FIG. 20 shows an example of a printed matter as a consulting result. As a result of printing, genetic information and health management information corresponding to the user ID are printed, and the printed matter itself is configured according to a specified format.
In this example, an example conforming to the format of the confirmation document is shown.
In the confirmation form, firstly, a consent statement regarding provision is described, and genetic information and health care information are described below. After that, there is a date, a signature of the provider and the recipient, and a seal column, and the person confirmation means is also filled in. There is also a statement that shows the origin of the printed matter. At this time, the user ID is not displayed because information obtained by combining the personal information and the ID is formed. The printed matter can be used for diagnosis in a medical institution, and can itself be used as evidence based on the format. In other words, the provider is responsible for providing the results shown in the confirmation.
By adopting such a method, it is not always necessary to verify the identity of the genetic information and health management information in the confirmation document. In this example, the means for providing information to a medical institution or the like as a printed matter in writing has been exemplified, but a one-time password or the like may be issued and viewed from a computer of the medical institution or the like.

  As described above, according to this embodiment, when a service provider provides various services such as health management, inspection, and health consulting, service content identification information is added and registered for each service content data. In addition, since each service content identification information is registered in association with the user identification information, each of the plurality of service providing organizations can be designated as another service providing organization by specifying the user identification information or the service content identifying information as a search condition. It is possible to search and refer to the registered service content, and to provide a new service from the service content.

By the way, in the above embodiment, the inspection result data is disclosed to the user computer 102 via the network. However, the inspection result data is printed in a tabular form and posted at the window of the inspection organization. The inspection result data corresponding to the service ID known only by itself can be viewed.
Moreover, when browsing a test result or using service ID, it can comprise so that user authentication may be implemented as needed, such as whether the user is the regular user who registered the user beforehand. The technique of user authentication is not limited to that using IDs or passwords, and techniques such as electronic tally and finger vein authentication may be used.
Moreover, although the example in the case of test | inspecting a sample was demonstrated, it can apply also when accepting the test result data of a medical examination and providing services, such as a doctor's health guidance data and dietary life improvement data with respect to this.
In addition, the method of providing the sample collection device and device to the user may be a method of directly applying to a service providing organization or a method of purchasing at a store or the like.
In addition, a user who has been provided with a service from a service provider in the A district moves to the B district for reasons such as relocation, and changes the service provider so that the service provider in the B district can receive the service. In that case, the user can use the service history and accumulated data before moving as it is by replacing the service ID of the service received in the A area with the user ID assigned by the service company in the B area. Is possible. In addition, by managing the user ID regardless of the service provider, the service provider manages the service using the service history and accumulated data only by selecting the service to be received without depending on the service provider. Can receive.

1 is a system configuration diagram showing an embodiment of an information management system according to the present invention. It is a block diagram which shows the structure of a service provider server and a management provider server. It is a block diagram which shows the structure of a user computer and a test | inspection apparatus. It is a figure which shows the example of the registration data of personal information DB. It is a figure which shows the example of the user ID, user password, service ID, and service password which were stored in management information DB. It is a figure which shows the example of the user ID and service ID which were stored in management information DB, service ID, and service information. It is a figure which shows the example of the conversion table for imitating a user ID. It is a figure which shows the example of the semi-sensitive information stored in management information DB. It is a figure which shows the example of the browsing control information table stored in management information DB. It is a sequence diagram which shows the process in the case of registering semi-sensitive information from a service provider server. It is a figure which shows a mode that several service ID is linked | related with user ID. It is a sequence diagram which shows the process in the case of registering semi-sensitive information from a test | inspection apparatus. It is a sequence diagram which shows the process in the case of registering semi-sensitive information from a user computer. It is a sequence diagram which shows the process in the case of searching the data stored in management information DB from the user computer. It is a figure which shows the example of the search result screen by a user computer. It is a sequence diagram which shows a process in the case of searching the data stored in management information DB from the service provider server. It is a figure which shows the example of the search result screen by a service provider server. It is a sequence diagram which shows the input process of the advice information by a service provider server. It is a figure which shows the example of the browsing screen in a user computer. It is a figure which shows the example of the printed matter on which the genetic information and health management information were printed.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 User 102 User computer 103 Service provider server 104 Management provider server 105 Inspection equipment 1031 Personal information database 1041 Management information database

Claims (5)

A plurality of first devices installed in a plurality of service providing organizations, receiving service provision requests from users, and registering personal information such as user names in a first database; and the plurality of service providing organizations An information management system comprising a second device that receives data representing service contents provided to a user from the first device and registers the data in a second database,
The first device comprises:
When registering service content data to be provided to a user in the second database of the second device, user identification information and service content identification information relating to the service content data are added to the second device. And means for transmitting a search request for data registered in the second database to the second device,
The second device comprises:
Means for registering service content data received from the first device in association with service content identification information in the second database and registering the user identification information and service content identification information in association with each other; An information management system comprising: means for retrieving any one or a combination of service content data, service content identification information, and user identification information corresponding to a search condition of a search request received from the first device. . The second device comprises:
In response to the search request from the first device, the browsing control table is referred to, and the item of the service content data corresponding to the browsing prohibition item set in advance in the browsing control table is excluded, and the first device of the search request source The information management system according to claim 1, further comprising means for replying to The second device comprises:
In response to the search request from the first device, when the semi-sensitive information is returned to the first device, the user identification information associated with the semi-sensitive information is imitated and returned to other user identification information. The information management system according to claim 1, further comprising means.   The information management system according to claim 1, wherein the browsing control table is provided for each of the plurality of service providing organizations. The first device comprises:
When registering service content data for semi-sensitive information received from the second device in the second database, the service content identification information and the forged user identification information are added to the service content data. Means for transmitting to two devices,
The second device comprises:
Of the service content data received from the first device and the forged user identification information, the forged user identification information is restored to the user identification information before forgery, and the restored user identification information and service content identification information are restored. 4. The information management system according to claim 3, further comprising means for associating the service content data and registering it in the second database.

Images