Consent based privacy for eHealth systems




Habibi, Ryan

Journal Title

Journal ISSN

Volume Title



Access to Personal Health Information (PHI) is a valuable part of the modern health care model. Timely access to relevant PHI assists care providers in making clinical decisions and ensure that patients receive the highest quality of care. PHI is highly sensitive and unauthorized disclosure of PHI has potential to lead to social, economic, or even physical harm to the patient. Traditional electronic health (eHealth) tools are designed for the needs of care providers and are insufficient for the needs of patients. Our research goal is to investigate the requirements of electronic health care systems which place patient health and privacy above all other concerns. Control of secure resources is a well established area of research in which many techniques such as cryptography, access control, authentication, and organizational policy can be combined to maintain the confidentiality and integrity of data. Access control is the dominant data owner facing privacy control. To better understand this domain we conducted a scoping literature review to rapidly map the key concepts underpinning patient facing access controls in eHealth systems. We present the analysis of that corpus as well as a set of identified requirements. Based on the identified requirements we developed Circle of Health based Access Control (CoHBAC), a patient centered access control model. We then performed a second scoping review to extend our research beyond just access controls, which are insufficient to provide reasonable privacy alone. The second review yielded a larger, more comprehensive, set of sixty five requirements for patient centered privacy systems. We refined CoHBAC into Privacy Centered Access Control (PCAC) to meet the needs of our second set of requirements. Using the conceptual model of accountability that emerged from the reviewed literature we present the identified requirements organized into the Patient Centered Privacy Framework. We applied our framework to the Canadian health care context to demonstrate its applicability.



Access Control, eHealth, Consent, Privacy