LEFIS – Legal Framework for the Information Society
Privacy and identity management in a European e-health system: an experience in the making
Cesare Maioli, CIRSFID and University of Bologna, cesare.maioli@unibo.it
Rovaniemi, January 19, 2007
An overview
• Legislation on privacy
• e-Europe and e-health
• Code of the Digital Public Administration
• Enterprise Application Integration
• Business Process Reengineering
• I-Care project and S2I system
• Interfaces and performance
• Identity management
• Software reuse
Integrated Care (diagram, Cedaf): shared data; application software; change management; education; compliance to the processes of the organization
I-Care project - I
• The project is designed to support local government bodies (city administrations, provinces, the region, and health-care organisations) in providing community services, and in particular the service of care delivery at home
• A collaborative project entrusted to a group of university research centres, local agencies, and private companies, designed to provide online access to health and social services, chief among which is the service of providing care, medical or otherwise, at home
• It was launched in 2004 by the municipal, county and health authorities of a number of cities in co-operation with a few technical partners, with the financial support of the Emilia-Romagna Region
• It was finished on January 15, 2007
I-Care project - II
• The ICT system necessary to this end has to support a number of functions, including processing and assessing service requests, putting together a work plan and the team entrusted with it, and providing the service itself
• Interaction is designed for users (medical practitioners, health social workers and social operators) and provides a responsive set of health and welfare services to citizens; users are provided with new tools such as cooperative interfaces and wireless palm pilots
• The mission is to integrate social and health services, and to do so by reversing the model on which this kind of care is typically provided: the citizens in need of care become the focal point around which the entire organisational system revolves, rather than the other way around
Reference view for e-society services (diagram, modified from the Minister of Innovation)
• Key elements: Citizens; Enterprises; National Service Card, Digital Identity Card; digital recognition
• Issues: communication metaphor; levels of user authentication; priority services; measures of the service levels; process re-engineering; privacy issues; international issues; commercial issues; from As-is to To-be
• Access channels: Web (portals of the P.A.); call center; one-stop shop; cellulars, palm PCs; ISPs (post offices, banks, …)
• Supply organizations: Health (local, national); Municipalities; Regions; PAC; back office
• Application integration and interoperability: system of application co-operation; national networks (RUPA, RUPAR); telecommunication infrastructure
Projects and institutional cooperation in e-government
• The projects and initiatives of e-government (I-Care among them) are the result of a joint and coordinated effort among local, regional, and national government bodies, and were preceded by long negotiations undertaken to reach formal definitions and agreements
• It was felt that the systems should be designed and implemented only upon establishing a common willingness to jointly give shape to the projects according to user expectations
• The existence of wide-area plans, such as the European initiatives for the information society and the national e-government plans, was a guarantee
• Legislative bodies and financial institutions offered a set of innovative and open-ended solutions to the problem of drawing up rules and regulations and the problem of co-financing
European e-health issues
• 1990, definition of telemedicine by the EU
• 1991, definition of telemedicine by the WHO: “...supply of assistance and care, where distance is a critical factor, by any health operator through ICTs... useful for diagnosis, medical treatment, information exchange... on behalf of the health of citizens and society...”
• 2004, e-Health Action Plan; sharing plans for the growth of health systems in the EU
• Vision: citizen-centred approach (importance of privacy issues)
• Objectives: strategies and methods, common action for e-health, diffusion of best practices
• Central involvement of the Regions and the territorial authorities
• Social perspective: integration of social and health services
• 2005, i2010 initiative, a comprehensive strategy for the information society 2005-2010
Italian e-health initiatives
• E-government national plan, Phase I, 2001-2004: architectures; new services; priority actions and projects
• E-government national plan, Phase II, 2004-2006: federal e-government; reuse of solutions
• National health plan, 2003-2005: “...an integrated network of online services for the socio-sanitary support to the elderly, the disabled, the chronic invalids...”
• Emilia-Romagna Region initiative for the growth of online services, 2005-2006
Enterprise Application Integration and the e-health sector
• The non-integrated nature of Healthcare Information Systems is strongly associated with a reduction in the quality of care and with the medical errors that occur. There is therefore a real need to integrate the Information Technology infrastructures in order to improve the quality of care provided
• In the attempt to integrate these systems many healthcare organizations have adopted integration technologies (e.g. EDI), standards (e.g. HL7, CEN/TC 251) and projects
• In recent years much emphasis has been placed on Enterprise Application Integration (EAI) technology to bridge heterogeneous systems and to enable the seamless movement of information from one application to the other
• EAI combines a variety of integration technologies (e.g. message brokers and application servers) to build a centralized integration infrastructure
• The integration is achieved through four layers:
  • connectivity: creation of points of access between the applications and the EAI infrastructure
  • transportation: transfer of data elements
  • transformation: translation and reformatting of the application elements into a format recognisable by the target system
  • process automation: business process automation and integration
Business Process Re-engineering - I
• The success of the design and delivery of information services depends on the rationalization of the procedures and, many times, on the re-engineering of the processes one needs to activate and implement
• Phases:
  • definition of the application field
  • detailed survey of the processes, documents and relations in use, and diagnosis of the current status (the so-called as-is), followed by the identification of the lines of improvement
  • re-design of the processes according to the problems that arose in the diagnosis phase (the so-called to-be)
• The purpose of the analysis is to identify the needs for change and to adopt more advanced ICT solutions, measuring the costs and estimating the benefits, thus modifying and rationalizing the organizational processes
Business Process Re-engineering and public administration
• When the application software deals with the supply of a service by a public administration, the re-engineering usually brings both the re-organization of the data flows and a new definition of the administrative process
• The mission and the tasks performed by the public administration must conform to a detailed normative discipline and are under the control and supervision of control bodies and political bodies
• Therefore:
  • any BPR effort in the public sector must take the law in force as a constraint
  • the design of BPR and the initiatives of ICT application may lead to proposals for modifying the law in force, which usually develop into the activation of so-called administrative simplification procedures
The perspective of the Code for the digital public administration
• Participation in the administrative procedure through ICTs
• Customer satisfaction
• Personnel education and training
• Digital document and probative value
• Electronic signature and Registration Authority
• Certified electronic mail
• Interoperability and reuse of software
Privacy law in Italy
• European Directive 1995/46/CE
• Law 31-12-1996, n. 675
• European Directive 2002/58/CE
• Legislative Decree 30-6-2003, n. 196, a.k.a. Code on the matter of the protection of personal data or Code on Privacy
General principle: any person has the right to protect personal data pertaining to him/her
Requirements for the management (treatment) of personal data:
• correct and lawful, exact and updated
• clear and declared purposes
• pertinent, complete, not in excess of the purpose of original collection and treatment
• conserved as long as they are necessary
Community laws have set up a general prohibition against processing data suited to revealing a person’s state of health, a prohibition subject only to exceptions framed to allow national law to provide for adequate security measures and data-access authentication
The category of health data (Legislative Decree n. 196, 2003)
• The health professionals and the public health offices
• Data processing: the aim/purpose of the tutelage of people’s health
• The protection of public welfare and people’s health
• The consent of the dependents and health emergency
• Simplified formalities
• Specific security measures
Code on Privacy highlights - I
Title V, Processing of personal data in the health area, Sections 75 to 94
• the protection of the privacy of the patient’s data is no longer a matter of the physician’s professional secrecy nor a matter of administrative measures: there is now a full new legislation
• personal data “suitable to reveal” the health condition, and not just data “which” directly “reveal” that condition
• health data may include any kind of information about a person’s physical, psychic or relational condition
• health as a person’s general condition
• qualification and legitimation of the operators (health, auxiliary health, social) who deal with health data
• the notification document
• formal consent and simplified consent (e.g. oral consent recorded by a designated operator)
Code on Privacy highlights - II
Title V, Processing of personal data in the health area, Sections 75 to 94
• Sections 75, 76 - General principles
• Sections 77 to 84 - Information to data subject and agreement
• Sections 85, 86 - Purposes in the public interest
• Sections 87 to 89 - Medical prescriptions
• Section 90 - Genetic data
• Sections 91 to 94 - Various: data on magnetic cards, clinical records, certification of birth, health data bank and files
Personal data processing
Data collected in violation of the Code cannot be used
Data processing concerns: collection, organization, consulting, modification, extraction, usage, block, diffusion, destruction, registration, conservation, computation, selection, comparison, interconnection, communication, cancellation
I-Care as a research project in legal informatics
• Privacy
• Security: minimum security measures, security planning document
• Federal governance, subsidiarity, public law
• Interoperability and applicative cooperation
• Deontological codes
I-Care main legal issues
• Appropriate classification of the data: personal, sensitive, health
• Data integrity
• Qualification of the social-health operator
• Proper level of management of the clinical records
• Encryption of sensitive data
• Administrative and health data processing
• Security aspects connected to the dignity of the beneficiary
• The consent of the dependent
I-Care normative frame - I
• Legislative Decree No. 196/2003, on the Protection of personal data
• Legislative Decree No. 82/2005 on national e-government plans, Code of the Digital Administration
• Legislative Decree No. 445/2000, Single Text on the Laws and Regulations pertaining to the Use of Administrative Documents
• Legislative Decree No. 502/1992 (restating health legislation)
• Legislative Decree No. 229/1999 (on rationalizing the national health system)
• Law No. 328/2000 (Framework law – an integrated system for social services)
• Decree of the President of the Council of Ministers No. 129/2001 (setting out policy and coordination for social and health services)
I-Care normative frame - II
• Constitutional Law No. 3/2001 (amending Title 5 of Part Two of the Italian Constitution)
• Regional Law No. 5/1994 (protecting the elderly and social dependents) and related deliberations
• Regional Health Plan for 1999-2001 and 2002 Action Plan in Favour of the Elderly
• Regional Law No. 2/2003 (promoting citizen participation and providing for integrated social services) and Regional Law No. 29/2004 (framing the organization and functioning of the region’s health services)
• Regional Plan for Online Development - 2004 Operative Program: Strategies for the Information Society in Emilia-Romagna
• Legislative Deliberation No. 134/04 (Emilia-Romagna) – Regional Development of the Information Society
I-Care legal frame
• The legal issues concerning the planning and allocation of online socio-sanitary services are:
  • protection of privacy
  • information security
• The legal research, which started from the identification and classification of the data under treatment and of the operations executed by the different health and social service organizations, made it possible:
  • to identify the main legal issues connected with the protection of data privacy during the various phases of the processing of personal, sensitive and health data, and in relation to the security measures to adopt for their lawful usage
  • to make clear to any person involved in the procedure that Sections 75 to 94 of the Code on Privacy regulate the processing of health data only in those cases where such processing is aimed at health protection, and only if it is done by professionals, at the different levels, of the health sector
  • to specify that the regulation by the above-mentioned sections applies only when the purpose of the treatment is the tutelage of the health of the interested person, of third parties and of the general public
I-Care legal problems
• The project being designed for delivery of both medical and social services, it is accordingly necessary to process two types of personal data, medical and non-medical
• We thus needed to set up two standards (a double set of regulations), according to whether the data to be processed is classified as medical (under art. 76 of the Italian Code on Privacy) or otherwise
• The same problem applies to the personnel themselves: under the above-mentioned art. 76, only medical personnel can handle medical data. Again a double set of regulations is needed, one for medical personnel and the other for social workers
• Assigning a legal and administrative status to the document being processed and affixing a digital signature accordingly. This kind of specification makes it necessary to work closely with the administrations involved, and it also requires a back-office apparatus capable of supporting the new document-management system and protocol
I-Care codes of conduct
A basis for drawing up a code of conduct setting out rules for all the operations required in carrying out the online service:
• the right to privacy: here it is necessary to publish a legal notice setting out the responsibilities and obligations of those in charge of processing the data, and to obtain the user’s consent to go ahead with such processing
• data-processing techniques: here it is necessary to set out requirements for cryptography and digital signatures, and the responsibilities of the individuals whose signatures these are
• authenticating the system operators: here we need access codes and digital signatures for all documents needing to be underwritten for administrative purposes
I-Care framework (diagram, Cedaf): logical framework (Manager, Integrator, Field) and technological framework (Local Health Organizations, Authorities, Other systems, Data sources, Data users), connected by the Communication layer
I-Care architecture (diagram, Cedaf): S2I components and Other Systems
S2I as an EAI system (Cedaf)
• S2I-Manager: the part dealing with the support of the organizational and managerial activities of the political and health authorities
• S2I-Integrator: an EAI component specific to the different domains; it coordinates and certifies the data streams among the application components (S2I-Manager, S2I-Field and other external and legacy systems)
• S2I-Field: the systems supporting the activities of the organisations serving the patients, both at the field level (through portable systems with good usability interfaces) and in the back-office
• Other Systems: external and legacy systems
S2I-Manager
A system to support the activities of the companies which manage the project; its functions include:
• registering and validating the requests for assistance services
• collecting and consolidating the information on the services allocated and executed
• extracting and loading into a data warehouse all the activities performed and registered by the connected S2I-Field components
• controlling and reporting on the assistance services supplied
• tracing and maintaining the welfare and health history of the citizens, performing statistics and building benchmarks
• acting as an interface toward legacy and specific back-office systems
S2I-Integrator
A system to coordinate and certify the information flows among the components; its function is to give assurance for:
• the integrity of data exchanges, both synchronous and asynchronous
• the observance of security constraints (e.g. access rights, respect of privacy, encryption)
• the mapping of communication protocols and information ontologies in the information interchange with external systems
• the management of the communication protocol with S2I-Manager and S2I-Field
S2I-Field
A system to support the operators giving field assistance (through a Personal Digital Assistant or Tablet PC); its functions include:
• planning and optimizing the resources to be distributed according to specified standards
• managing interactions for exceptions and unforeseen situations (scalability aspects)
• automatic reporting of time, treatment, and materials used and supplied to the patients
• reporting on access to extemporaneous medical data, upon specific call
• accessing special services, upon request
• producing reports and statistics
S2I functionalities (diagram, Cedaf): reservations; personal data from health organizations; discharges from hospitals; reports from house assistance; personal data from municipal registries; admissions (ordinary and emergency); field reports
A grid for the legal and organizational analysis
• list of the processing operations
• kind of professionals involved: health and non-health operators
• kind of processed data: health, sensitive, personal, none
• kind of interaction: mono-directional and bi-directional
• kind of documents involved in the processing
• need for digital authentication and digital authorization
• access points to the information systems
• tools used by the information systems
• files and digital archives used in the information systems
As-is for the Municipalities (reduced example) - I
1. Front office: the ways to point out the needs were not well defined
2. Protocolling: it was not always clear how to identify the exact time at which the protocol procedure takes an incoming document into account and at which the citizen makes a request for a welfare service; for some kinds of request the protocol procedure was not defined
3. Data processing: the distinction between sensitive data and personal data in the health care sector was not always clear, nor was the juridical qualification of the different operators (social assistant, welfare operator, social health operator)
4. Consent: a few misunderstandings between consent and information to the data subject. In the forms distributed to the citizens the distinction among data controller, data processor, and person in charge of the processing was blurred
5. Filing: mainly based on paper documents, with some redundancies and lack of integrity; the security measures of the Code on Privacy concerning paper archives were sometimes poorly applied
As-is for the Municipalities (reduced example) - II
6. Administrative process: sometimes administrative procedures lacked rules for tracking applications, or the application was not properly protocolled. Shortcomings were detected in regard to: transparency, the applicants’ right to access the administrative documents, and respect of the time allowed to close a procedure
7. Communications between organizations: sometimes they were quite informal, through electronic mail
8. Observance of privacy legislation: delay in implementing the Regulation on sensitive data and in drafting the Security Policy Document
9. Codes of conduct: they were almost absent, and education on and adoption of effective privacy measures were poor. Sometimes personnel lacked a full knowledge and insight into the deontological norms of their professional body or trade
To-be for the Municipalities (reduced example) - I
• Front office: in keeping with the e-government guidelines of the Italian ministerial decrees, a redefinition and restructuring of the services has been implemented. Significant work on back-office integration promotes an orientation toward citizens’ needs. New forms, including online procedures, have been devised
• Protocolling: in keeping with Legislative Decree No. 445/00 and Legislative Decree No. 82/05, as soon as a document enters the IT Document Processing system it is univocally accepted and distributed to the proper Homogeneous Application Area. General introduction of the management handbook, with clear responsibility assigned to the head of the service
• Data processing: in keeping with the Code on Privacy, a clear distinction was introduced between sensitive data and health data, in particular between sensitive data with health content and health data, according to the norms of pertinence, when they belong to different kinds of public organization. The distinction among the juridical qualifications of the different operators (social assistant, welfare operator, social health operator) was made stricter
• Consent: in keeping with the Code on Privacy, the cases in which consent is needed and the cases in which only information to the data subject is needed were clearly established. The simplified arrangements concerning information and consent were implemented together with the re-design of the forms, with a clear distinction between the different responsible persons. Different ways for citizens to choose how they receive health communications were implemented
To-be for the Municipalities (reduced example) - II
• Filing: in keeping with the technical indications of the Minister of Innovation, the digital formatting of the documents and their filing follow the rules of the Code on Privacy
• Administrative process: in keeping with Law 241/1990 on the rules for access to administrative documents, a clearer configuration of the administrative procedures was implemented in accordance with the Code on Privacy. The participation of the citizen in the decision process is encouraged, with full respect of the principles of transparency, accountability, explanation and completion in due time
• Communications between organizations: in keeping with DPR 68/2005 on certified electronic mail, a more reliable and dependable way of communication was introduced
• Observance of privacy legislation: a new regulation on sensitive data was adopted and the Security Policy Document was drafted. A new set of conventions between administrative and health organizations was undertaken
• Codes of conduct: in keeping with the Code on Privacy, an effort is under way to foster stronger care of privacy issues. The adoption of deontological norms for the different categories of operators has been promoted
Identity management - I
• A user is a welfare or health professional; a user is authenticated through name, userid, password and operator status
• For any user identified, the authentication process defines one or more roles
• A role includes a set of authorizations
• Domain of visibility: the access allowed, for any organizational entity, to the functions or applications. The options (each fixing a view and its permissions) are:
  • operator: a limited and specific set of entities
  • operative unit: a set of operators
  • service: a set of operative units
  • total
Identity management - II
• An authorization is made up of:
  • enabled functions
  • actions (e.g. insert, modify, cancel, in relation to the function)
  • accessible and operable sets of data
  • domain of visibility
• The configuration system for authorizations implemented in I-Care includes the set of users, the functions and actions allowed, and the set of data upon which the functions are allowed to operate
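An added example (not I-Care's or Cedaf's code) of the authorization model on the two identity-management slides, combined with the art. 76 rule from the legal-problems slide: a user carries an operator status and roles, each role carries authorizations (enabled function, actions, data sets, domain of visibility), and access is denied unless every element matches and, for health data, the operator is a health professional. All class names, userids, units and sample records are constructed assumptions.

```python
# Toy model of the I-Care authorization check (constructed example, not the
# project's code). Deny by default; the health/non-health gate is checked first.
from dataclasses import dataclass
from enum import IntEnum


class Visibility(IntEnum):
    """Domains of visibility from the slide, narrowest to widest."""
    OPERATOR = 1        # limited and specific set of entities (the user's own)
    OPERATIVE_UNIT = 2  # set of operators
    SERVICE = 3         # set of operative units
    TOTAL = 4           # whole organization


@dataclass(frozen=True)
class Authorization:
    function: str             # enabled function, e.g. "clinical_record"
    actions: frozenset        # insert / modify / cancel / consult
    data_classes: frozenset   # data sets the function may touch
    visibility: Visibility


@dataclass(frozen=True)
class Role:
    name: str
    authorizations: tuple


@dataclass(frozen=True)
class User:
    userid: str
    operator_status: str      # "health" or "social" (health vs non-health operator)
    roles: tuple
    operative_unit: str
    service: str


@dataclass(frozen=True)
class Record:
    function: str
    data_class: str           # "personal" | "sensitive" | "health"
    owner: str                # userid of the operator who created it
    operative_unit: str
    service: str


def within_domain(user, record, scope):
    """True if the record falls inside the user's domain of visibility."""
    if scope == Visibility.OPERATOR:
        return record.owner == user.userid
    if scope == Visibility.OPERATIVE_UNIT:
        return record.operative_unit == user.operative_unit
    if scope == Visibility.SERVICE:
        return record.service == user.service
    return True  # TOTAL


def authorize(user, action, record):
    """Return (allowed, reason). The art. 76 gate wins over any role grant."""
    if record.data_class == "health" and user.operator_status != "health":
        return False, "art. 76: only health operators may process health data"
    for role in user.roles:
        for auth in role.authorizations:
            if (auth.function == record.function
                    and action in auth.actions
                    and record.data_class in auth.data_classes
                    and within_domain(user, record, auth.visibility)):
                return True, f"{role.name}: {auth.function}/{action} within {auth.visibility.name}"
    return False, "no matching authorization"


# Constructed sample configuration: a field nurse and a municipal social worker.
NURSE_ROLE = Role("field_nurse", (
    Authorization("clinical_record", frozenset({"consult", "insert"}),
                  frozenset({"personal", "health"}), Visibility.OPERATIVE_UNIT),
))
SOCIAL_ROLE = Role("social_worker", (
    Authorization("service_request", frozenset({"consult", "insert", "modify"}),
                  frozenset({"personal", "sensitive"}), Visibility.SERVICE),
    # Deliberately over-broad grant: the art. 76 gate must still block it.
    Authorization("clinical_record", frozenset({"consult"}),
                  frozenset({"health"}), Visibility.TOTAL),
))
NURSE = User("n.rossi", "health", (NURSE_ROLE,), "adi_unit_1", "home_care")
SOCIAL = User("m.bianchi", "social", (SOCIAL_ROLE,), "welfare_desk", "home_care")
RECORD_SAME_UNIT = Record("clinical_record", "health", "n.rossi", "adi_unit_1", "home_care")
RECORD_OTHER_UNIT = Record("clinical_record", "health", "g.verdi", "adi_unit_2", "home_care")
REQUEST = Record("service_request", "sensitive", "m.bianchi", "welfare_desk", "home_care")
```

The reason string returned with each decision is what a per-access audit log would record, so that a denied or granted access can be traced to the role and domain that produced it.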
Reuse of software and open formats
Directive of the Minister of Innovation and Technology, December 19, 2004, a.k.a. Development and use of computer programs by Public Administrations
• Public Administrations must follow these criteria when buying software applications:
  • transferability of the acquired solutions to other public administrations
  • interoperability between administrations
  • independence from a single supplier and a single proprietary technology
  • availability of the source code, at least for inspection and traceability
  • exportability of data and documents in many formats (at least one of which must be open)
• Public Administrations must also follow these suggestions when buying software applications:
  • the administration must consider any software solution, including OSS
  • the administration must own the software developed under its own specifications and must be able to transfer the software licences to other administrations without any further cost
  • Public Administrations must allow the reuse of software whenever it is possible
Emilia-Romagna Region, Law 24/05/2004, n. 11
An overview
• Legislation on privacy
• e-Europe and e-health
• Code for the Digital Public Administration
• Enterprise Application Integration
• Business Process Reengineering
• I-Care project and S2I system
• Interfaces and performance
• Identity management
• Software reuse
Main conclusions
• A part of the project aimed at working out all the legal issues involved in setting up and running an e-health service
• There are at least three questions that we needed to address regarding the privacy of medical data:
  • the question of the right to privacy: here it was necessary to publish a legal notice setting out the responsibilities and obligations of those in charge of processing the data, and to obtain the user’s consent to go ahead with such processing; since the project is designed for delivery of both medical and social services, we accordingly had to process two types of personal data, medical and non-medical, with the need to set up two standards (a double set of regulations) according to whether the data to be processed is classified as medical (under the Italian Code on Privacy) or otherwise
  • the question of data-processing techniques: here it was necessary to set out requirements for cryptography and digital signatures, and the responsibilities of the individuals whose signatures these are
  • the question of authenticating the system operators: here we needed access codes and digital signatures for all documents needing to be underwritten for administrative purposes