Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services Jens Weber, PhD, PEng James Williams, JD, Msc, Phd (cand)

Slides:

Advertisements

Similar presentations

Mobile Payments and the FTC Manas Mohapatra Director of Mobile Policy Mobile Technology Unit Federal Trade Commission The views expressed are not necessarily.

Advertisements

Engineering Medical Information Systems

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

MY SMART PHONE DOES WHAT WITH MY BLOOD PRESSURE DATA ??? Anita Fineberg, LL.B. CIPP/C Barrister & Solicitor President, Anita Fineberg & Associates Inc.

Pillsbury Winthrop Shaw Pittman LLP Social Currency and Virtual Currency: What You Need to Know Prepared for The Mobile Payment Conference September 9,

Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

SMART GRID: Privacy Awareness and Training – A Starting Point for Utilities October 2011 SGIP-CSWG Privacy Group 1.

HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)

Promoting Excellence in Family Medicine Enabling Patients to Access Electronic Health Records Guidance for Health Professionals.

BIG DATA AND THE HEALTHCARE REVOLUTION FORD+SSPG 2014.

SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.

“Privacy Implications of RFID Technology in Health Care Settings” Marc Rotenberg President EPIC Dept. of Health & Human Services Washington, DC 11 January.

By: Dr. Mohammed Alojail College of Computer Sciences & Information Technology 1.

Cloud Enabled Healthcare Presented by: Ron Parker and Stanley Ratajczak Emerging Technology Group Canada Health Infoway Inc. May 28, 2013Copyright © 2013.

Creating a service Idea. Creating a service Networking / consultation Identify the need Find funding Create a project plan Business Plan.

LAW SEMINARS INTERNATIONAL New Developments in Internet Marketing & Selling November 13 & 14, 2006 San Francisco, California Moderator : Maureen A. Young.

Whilst the pharmaceutical industry plays a key role in developing and producing medicines, there is a tension between industry’s need to expand product.

Meredith Carr, JD J. Stan Lehman, MPH David W. Purcell, JD, PhD Division of HIV/AIDS Prevention Centers for Disease Control and Prevention July 25, 2012.

Assistive Technology Clinical Outcomes Research Management System (AT-CORMS) Tool Utilizing the International Classification of Functioning (ICF) Cognitive.

The Use of Health Information Technology in Physician Practices

Eric J. Pritchard One Liberty Place, 46 th Floor 1650 Market Street Philadelphia, Pennsylvania (215)

Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October

Privacy risks of direct to consumer genetic testing Emily Christofides and Kieran O’Doherty University of Guelph OPC Contributions Grant

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

E-commerce Vocabulary Terms. E-commerce Buying and selling of goods, services, or information via World Wide Web, , or other pathways on the Internet.

E-commerce Vocabulary Terms By: Laura Kinchen. Buying and selling of goods, services, or information via World Wide Web, , or other pathways on the.

The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation sponsored by Symantec Meeting of the HIT Standards Committee,

OCR Cambridge National ICT Mr Conti 10X 25 th April 2014.

Copyright © 2008 Delmar Learning. All rights reserved. Unit 8 Observation, Reporting, and Documentation.

Standard 4: Medication Safety Advice Centre Network Meeting Margaret Duguid Pharmaceutical Advisor February 2013.

Data Protection Act AS Module Heathcote Ch. 12.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

REC support is. provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

1 HIPAA Compliance Strategies for Pharmaceutical Manufacturers, PBMs and Pharmacies Jean-Paul Hepp, Ph.D. Director, Global Privacy HIPAA Colloquium Harvard.

FIRMA April 2010 SOCIAL NETWORKING Christine M. Farquhar Managing Director, Compliance J.P. Morgan U.S. Private Banking.

1 The Effect of Primary Health Care Orientation on Chronic Illness Care Management Julie Schmittdiel, Ph.D., Stephen M. Shortell, Ph.D., Thomas Rundall,

Tamra Pawloski Jeff Miller. The views, information, and content expressed herein are those of the authors and do not necessarily represent the views of.

Chapter 19 Manager of Information Systems. Defining Informatics Process of using cognitive skills and computers to manage information.

Yes. You’re in the right room.. Hi! I’m David (Hi David!)

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Health Management Information Systems Unit 3 Electronic Health Records Component 6/Unit31 Health IT Workforce Curriculum Version 1.0/Fall 2010.

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

Evaluate Human Resources Service Delivery – Element 3.

Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.

Intellectual Property. Confidential Information Duty not to disclose confidential information about a business that would cause harm to the business or.

Chapter Dental Public Health & Research Contemporary Practice for the Dental Hygienist Copyright ©2011 by Pearson Education, Inc. All rights reserved.

1 The Privacy Impact Assessment Guidelines Guy Herriges Manager, Information and Privacy Office of the Corporate Chief Strategist, MBS November 2000.

Managing Marketing Information 4 Principles of Marketing.

Privacy and Security Considerations in Research and Clinical Trials February 28, 2013 Joanna K. Napp, J.D., M.P.H. Chief Privacy Officer and Compliance.

© 2016 Cengage Learning ®. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Consumer Health Informatics

Chapter 20 Additional Assurance Services: Other Information

Data Protection Legislation

Move this to online module slides 11-56

General Data Protection Regulation

American Health Information Management Association

Chapter 20 Additional Assurance Services: Other Information

CLINICAL INFORMATION SYSTEM

Managing Privacy Risk in Your Commercial Practices

SOCIAL NETWORKING Christine M. Farquhar Managing Director, Compliance J.P. Morgan U.S. Private Banking.

Move this to online module slides 11-56

Introduction to the PACS Security

Colorado “Protections For Consumer Data Privacy” Law

School of Medicine Orientation Information Security Training

Presentation transcript:

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services Jens Weber, PhD, PEng James Williams, JD, Msc, Phd (cand)

Context Work performed for the Privacy Commissioner of Canada. Examining consumer health informatics applications. Contributions: 1)Taxonomy of offerings 2)Ratings tools from a consumer perspective 3)Evaluation of certification regimes.

Overview What are consumer health applications? What schemes exist to rate privacy/security concerns? A new rating methodology.

Consumer Health Applications prime objective of CHI: “to empower consumers by putting health information into their hands..... such as diagnoses, lab results, personal risk factors, and prescribed drugs.” Not necessarily electronic.

Consumer Health Applications Taxonomy: (1) information aids (2) decision aids (3) education aids (4) management aids (5) health sales services (6) meta/ratings services

CHA – Information Aids Information aids provide consumers with services to: (a) access (b) store (c) control (d) distribute their PHI.

CHA – Information Aids

CHA – Decision Aids computer-supported services that take into account PHI in order to aid consumers in making health-related decisions. Eg: telemediated or automated clinics, questionnaires.

CHA – Education Aids Services that promote health literacy. Eg, medical blogs, serious games, story collections, static websites.

CHA- Management Aids Applications that support consumers in the ongoing longterm management of aspects of their health Support group services: forums, chat rooms, etc. Telemonitoring.

CHA- Rating Services Provider rating services: allow consumers to rate care providers. Application rating services. Special case: application certification. ie. HONcode.

Rating Schemes What about rating privacy risks? Most privacy risk assessment methods are designed for organizations that manage PHI. (i.e., IPC Ontario, David Flaherty).

Rating Schemes Buffet and Kosa: assess consumer privacy risk using assignment of probability and utility values to statements in privacy policies. the probability represents the degree that users agree with a particular policy statement Utility represents the degree that the users endorse a particular policy statement.

Rating Schemes Patient Privacy Rights (PPR) foundation. Uses 'report card' metaphor to assess how well privacy policies cover criteria from sources like common law, statutory law, etc.

Rating Schemes Policy-based risk assessment methods are effective tools for assisting consumers to assess the privacy risks that are apparent from privacy policies. Do not address the inherent risks of an entire spectrum of different service types. Do not catch more subtle privacy threats, such as indirect information disclosure due to targeted advertisements and social computing

Rating Schemes Our approach: a complementary tool to aid consumers in gauging the inherent privacy risks associated with consumer health services. The tool was developed based on a systematic review of the types of services and their associated privacy risks.

Our Approach How did we come up with this? Risk identification based on CSA model code. Systematic literature review. Legal research (case law, admin law)

Our Approach Example: Identifying Purposes and OPPs OPPs are often not prominently presented to users of CHI applications. OPPs are often presented as lengthy “fine print”, written in a language and structure that may obscure important aspects. OPPs are often ‘hidden’ as part of even longer legal documents on the general terms of agreement for use of the online service.

Our Approach four main risk criteria are determined by: (1) the business model of the CHI application (2) the CHI service types provided within the application (3) the service delivery model (4) the company ownership

Risks – Business Model Marketing funded: (high) revenue depends on exploiting PHI. Poss. for leaks, misuse. Research funded: (high) possibility for secondary use. (PatientsLikeMe) Employer/insurer: (med) secondary uses, data portability. Consumer funded: (low) vendor profits from subscription fees.

Risks – Service Type App ratings services, education aids: low Provider ratings: moderate Decision/management aids: high, since they use PHI. Telemonitoring, etc. Support service (social networks): highest. Information aids: high. PHRs include comprehensive information.

Risks – Delivery Model Locally installed: (user's pc) lowest Mobile device: elevated risk due to possibility for theft or loss. Hosted services: high risk. Breaches affect multiple consumers. Cloud-based: highest. Third party service providers in other jurisdictions.

Risks – Company Ownership Canadian companies: subject to legislation, relatively easy to challenge. Foreign controlled Canadian companies: elevated risk. Entirely foreign: highest risk.

Future Work Implications of CHA: privacy law, law of evidence. Much to be done. Empirical studies: use our model. Focus groups, case studies, or in practice. Risk levels: much more to be done in refining our risk assessment.