Auditable Trust Framework – Patient Privacy Rights

Session Topics: Auditable Framework for Privacy Policies

Wednesday 4I

Convener: Adrian Gropper

Notes-taker(s): Karen Sollins

Work done about 5 years ago on Patient Privacy rights by Microsoft and a healthcare provider.

15 principles used for privacy policies – not listed here. (http://patientprivacyrights.org)

Many groups at IIW, each associated with privacy policies. Could be made “better”, how dynamic, for each criterion – yes, no, doesn’t apply. Not a service provider, so how is it supported? Auditors, standards organization, license to a group such as Kantara (assessments and certifications and develop profiles (FICAM and SAML)), field working groups that may lead to work in standards organizations.

Business models (elements)


 * SDO (AAFP)
 * Assessment/certification (Kantara)
 * Auditors (Big 5)
 * WG – best Practices (e.g. UMA, move to IETF)

Question: how does one deal with unintended consequences? How can one manage the situation in which a mortgage company wants health information to know that one won’t die tomorrow? Problem is that the more information is available, the more organizations will demand it. Perhaps social norms are key to changing these behaviors. If one has an exposable privacy policy, one can begin to have a conversation about it. By focusing on a particular framework, one may develop norms and can begin to concentrate on the basis on which decisions about privacy/exposure/control can be made.

The point of the meeting is to figure out a business model: if privacy policies exist and are associated with the data, and provenance and accountability can be tracked, then the question is how to make a business model of this.

Who is the “source” of the privacy policies? Apparently, the only way the individual can be in control of the definition of the policies is if they can take the data away. So, in this regime, the holder of the data (the healthcare provider) gets to define the privacy policies.

What would we all like to see in terms of a privacy policy that would allow the doctor to do his or her work, within the bounds of the privacy policy?

Clarification: “Framework for Auditable Privacy Policies” – the policies must be auditable, not the framework itself.

Could we come up with a standard policy that is used everywhere, and then perhaps minor additions could be made and identified?

Policies can be controlled contractually, by regulation, or by social pressure (voluntary). If the latter, then maybe do it by creating a trust label of some sort. Australia has made such a choice with respect to identity in order to give citizens more confidence and make them happier with what is being done for them.

Another possibility is a Registry with a rating of how positive or negative particular corporate policies are. Question of how to do and how to fund. Crowdsourcing may not be a great alternative because of the need to manage the possibilities of gaming the system.

Need to “put something out”, but not sure what or what to propose to make something happen.

Patient privacy rights in the middle of transformation of healthcare delivery and big data. Needs something to be done that is productive, concrete and feasible.

What are the items that one wants to be able to audit? Have 75 items from big company and auditor company. Not much pushback on the actual items, as much as on how to make the system work.

Who benefits from good results of the audit? Data holder benefits by not showing up on registry or putting gold star on website, or whatever.

Two kinds of registries – service – those sneaky bastards vs. crowdsourcing. If the label doesn’t change the end user’s behavior then there is no point. What behavior will change, and how? Want data holders, for example, to make data available to patients.

Patients are happy to share data for research if asked, but furious if shared without their permission.

Organizations that are very good about this are MD Anderson and the VA, but in general consumers and doctors can’t control the choice of who manages the data, and therefore they have no interest in better privacy policies.

Regulation as a control mechanism has the problem that it will be controlled by the organizations with the money.

The only way to enforce HIPAA is to bring a lawsuit.