Secondary Use of the EHR via Pseudonymisation



Similar documents
Secondary Use of the EHR via Pseudonymisation

Patient Records: Challenges for and Approaches to Safety and Security

Annette Pollex-Krüger, Johannes Drepper, Sebastian C. Semler. Telematikplattform für Medizinische Forschungsnetze (TMF) e.v.

The Blood Donor BIOBANK

De-identification of Data using Pseudonyms (Pseudonymisation) Policy

Continuity of Care Record (CCR) in Germany? PROREC activities on the way to EHR interoperability

Pseudonymization for Secondary Use of Cloud Based Electronic Health Records

Payment authorization Payment capture Table 1.3 SET Transaction Types

ECRIN (European Clinical Research Infrastructures Network)

Evaluation of the Secondary Use approach

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance

A Survey on Untransferable Anonymous Credentials

Anonymisation Standard for Publishing Health and Social Care Data Specification

IMPROPER USE OF MEDICAL INFORMATION

SWABIK Project. Software Tools for DICOM Media Exchange in Clinical Research: the. SWABIK Project

Biometrics, Tokens, & Public Key Certificates

Mandatory Reporting of National Clinical Trial (NCT) Identifier Numbers on Medicare Claims Qs & As

In-house performance review of salaried GPs

Recognition and Privacy Preservation of Paper-based Health Records

Index. Registry Report

UK Biobank. Integrating electronic health records into the UK Biobank Resource. Version

Information Governance and Risk Stratification: Advice and Options for CCGs and GPs

Data Analytics in Health Care

Modes of Operation of Block Ciphers

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Informatics: Opportunities & Applications. Professor Colin McCowan Robertson Centre for Biostatistics and Glasgow Clinical Trials Unit

THE EHR PRIVACY APPROACH AND LEGAL ISSUES AROUND THE RE-USE OF DATA

Privacy and Security within an Interoperable EHR

Does my project require review by a Research Ethics Committee?

Information Sharing Policy

Social care and hospital use at the end of life. Martin Bardsley, Theo Georghiou and Jennifer Dixon

Borough of Poole Staff (Adult Social Care) Encryption: Sending secure, encrypted e- mails & attachments

A Note on the Security in the Card Management System of the German E-Health Card

HOW WILL BIG DATA AFFECT RADIOLOGY (RESEARCH / ANALYTICS)? Ronald Arenson, MD

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

What Makes IDI Great

CMS is requesting information to aid in the planning and implementation of the MIPS in the following areas:

Personal Data Handling and Sharing Policy

From metabiobanks to translational research platforms: Integrating Big Data through CRIP Tools

Information & Communication Security (SS 15)

Avastin in Metastatic Breast Cancer

Council of the European Union Brussels, 15 January 2015 (OR. en) NOTE German delegation Working Party on Information Exchange and Data Protection

Use of Electronic Health Records in Clinical Research: Core Research Data Element Exchange Detailed Use Case April 23 rd, 2009

Electronic Health Record Infostructure (EHRi)

Administering Microsoft SQL Server Databases

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Introduction to Public Health Informatics and their Applications

Project esanté Architecture & Security. National ehealth Platform

Microsoft Administering Microsoft SQL Server Databases

Electronic Health Record Systems and Secondary Data Use

Single Source Information Systems to Connect Patient Care and Clinical Research

Single Sign-On: Reviewing the Field

I n t e r S y S t e m S W h I t e P a P e r F O R H E A L T H C A R E IT E X E C U T I V E S. In accountable care

How To Protect Your Privacy On The Net

Medweb Telemedicine 667 Folsom Street, San Francisco, CA Phone: Fax:

Registries: An alternative for clinical trials?

Course 20462C: Administering Microsoft SQL Server Databases

This is a controlled document. The master document is posted on the JRCO website and any print-off of this document will be classed as uncontrolled.

REPRESENTATION AGREEMENT (SECTION 9)

Online Voting Project. New Developments in the Voting System an Consequently Implemented Improvements in the Representation of Legal Principles.

Administering Microsoft SQL Server Databases

Transcription:

Secondary Use of the EHR via Pseudonymisation Klaus Pommerening, Mainz Michael Reng, Regensburg TMF = Telematikplattform für die medizinischen Forschungsnetze [Telematics Platform for the German Health Research Networks ] Pommerening, Reng 1

Contents 1. EHR and Pseudonyms 2. 5 Scenarios for Secondary Use 3. Results 4. Discussion Pommerening, Reng 2

Uses of the EHR Primary use: Treatment context. Secondary uses: Disease specific clinical or epidemiological research projects, Health care research, assessment of treatment quality, health economy. Typical aspects of secondary uses: Outside of treatment context and professional discretion (of the treating physician), The identity of the patient doesn't matter. Pommerening, Reng 3

For secondary use of the EHR: Protect the identities of the patients. Anonymisation whereever possible. Drawbacks of anonymisation: No association between data from distinct sources... or from distinct points of time. No way back to the patient for feedback... or for recruiting suitable patients for a new research project. Pommerening, Reng 4

Pseudonyms The golden mean between anonymous data and identity (or identity revealing) data. Almost as good as anonymity, depending on context one-way pseudonyms can t be reversed, reversible pseudonyms allow re-identification of the individual. Written informed consent necessary for reversibility! Pommerening, Reng 5

Basic Types of Pseudonyms Untraceable pseudonyms (Chaum ca 1980) Based on blind digital signature, Under control of owner, Not suited for secondary uses of the EHR. TTP-generated pseudonyms Trusted Third Party =»Vertrauensstelle«or»Datentreuhänder«(e. g. a notary). Example: Cancer registry (Michaelis/Pomm. 1993). Pommerening, Reng 6

TTP-generated Pseudonyms (Basic Model) Individual Identity TTP Pseudonym Data base Leaking data Reference list, strongly secret or secret key...... Maier, Johannes 6AZCB661 Maier, Josef KY2P96WA Maier, Jupp L85FD23S...... L85FD23S Eavesdropper Pommerening, Reng 7

Contents 1. EHR and Pseudonyms 2. 5 Scenarios for Secondary Use 3. Results 4. Discussion Pommerening, Reng 8

(1) Single Data Source, One-Time Secondary Use Typical application case for anonymisation. Example: A simple statistical evaluation of EHR data. Pommerening, Reng 9

(2) Overlapping Data Sources, One-Time Secondary Use Data from diverse sources must be linked together. Examples: Multicentric study, Follow-up data. Typical application case for one-way pseudonyms. Pommerening, Reng 10

Pseudonymisation for One-Time Secondary Use Data Source(s) MDAT IDAT PID encrypted Pseudonymisation Service PID PSN Secondary Use MDAT PSN encrypt (one-way) MDAT = Medical Data IDAT = Identity Data PID = Unique Patient Identifier PSN = Pseudonym Pommerening, Reng 11

Properties of Scenario (2) Medical data (MDAT) are encrypted with public key of secondary user The TTP cannot read the MDAT. Only the secondary user can decrypt them. The pseudonym (PSN) is the encrypted PID With a secret key, known only to the TTP, By a one-way procedure. The TTP doesn t store anything (except the key). Pommerening, Reng 12

(3) One-Time Secondary Use with Re-Identification Use the»basic TTP«model, But no reference list, only secret TTP key. PSN service performs reversible encryption procedure. Use a non-public (project specific) PID Generated by a separate TTP service. PID service stores association between IDAT and PID (»Patient List«). Re-identification involves PSN service and PID service. Pommerening, Reng 13

Pseudonymisation with Possible Re-Identification MDAT IDAT IDAT PID encrypted PID PSN encrypt/ decrypt MDAT PSN MDAT = Medical Data IDAT = Identity Data PID = Patient Identifier PSN = Pseudonym Pommerening, Reng 14

(4) Pseudonymous Research Data Pool Same procedure as in (3), But the secondary user builds a (disease specific) registry. Long term data accumulation needs special organisational and technical security measures. Quality management of data should precede pseudonymisation. Yet another TTP service.»model B«of the generic concept of the TMF. Pommerening, Reng 15

(5) Central Clinical Data Base, Many Secondary Uses Data pool = central»clinical«data base. Access for treating clinician (decentral). No identity data, only PIDs. Access by temporary tokens. Implemented as (yet another) TTP service. No online access by secondary users. Secondary users get exported data set (anonymised or pseudonymised). Pommerening, Reng 16

TTPs for Central Clinical Data Base Central Database Pseudonymisation Service Local Database MDAT MDAT PID Export PID PSN IDAT MDAT = Medical Data IDAT = Identity Data IDAT PID Patient List PID = Patient Identifier PSN = Pseudonym MDAT PSN Secondary Use Pommerening, Reng 17

Advantages: Properties of Scenario (5) Better support for long-term observation of patients with chronic diseases. Useful for the data producing clinician. Individual feedback of research results easy. Fits well into EHR architecture. Drawback: Sophisticated communication procedures. More TTPs and secret keys involved.»model A«of the generic concept of the TMF Pommerening, Reng 18

Contents 1. EHR and Pseudonyms 2. 5 Scenarios for Secondary Use 3. Results 4. Discussion Pommerening, Reng 19

Results I TMF models A and B [(5) and (4)] approved by the German Data Protection Commissioners (Arbeitskreis Wissenschaft der Datenschutzbeauftragten des Bundes und der Länder) Scenario (2) in routine use since 2002 in a health care research project of the TMF. Scenario (5) implemented in a research network. KN CED (Chronic Inflammatory Bowel Disease). Further implementations in progress. Pommerening, Reng 20

Results II Scenario (4) adapted by several research networks Implementations in progress. TMF offers software tools for the TTP services. Corresponding policies, sample contracts, forms for patient s consent available from TMF (free for members). Pommerening, Reng 21

Contents 1. EHR and Pseudonyms 2. 5 Scenarios for Secondary Use 3. Results 4. Discussion Pommerening, Reng 22

Discussion I The TMF model architecture (variants A and B) provides ways for building central data pools for medical and health care research, that conform to the German and European data protection rules, respect the patients rights, and cover a wide range of situations. The pseudonymisation scenarios look complex, but once established, work transparently. Pommerening, Reng 23

Discussion II The transfer to other applications in health care is possible and recommended. We could and should build TTP services for secondary uses into the EHR architecture (suitably adapted from the TMF services). Pommerening, Reng 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information