Automated Policy: VUMC TEST BED

Lead Institution: Vanderbilt University

Project Leader: Mark Frisse

Research Progress

  • Abstract
    The goal of this project was to build a test bed upon which to evaluate the performance of our overall approach. Significant changes in HIE approaches and standards led to multiple changes to our test bed approach over the course of the work. Our current test bed is based on simulations and feasibility assessments of certain proposed and required HIE data standards. We find that some important requirements (e.g., authentication, authorization) must be addressed “outside” of the current standards-based approach, while others (e.g., specific data elements) can be addressed if conventions are held. Our thorough review of database systems used for ACO and CIN efforts confirms that they tend to resemble older RHIO models and have fairly limited flexibility to enforce privacy preferences outside of global agreements among parties.

  • Focus of the research/Market need for this project
    Development and implementation of systems to meet rapidly increasing demands for health information exchange and integration for broadening sources and uses of data is proceeding with insufficient regard for the nuances of varying privacy policies. Privacy and security considerations are often an afterthought addressed only by data sharing agreements, coarse role-based access controls, and often cumbersome auditing mechanisms. Early stage RHIOs did not allow for granular privacy policy enforcement and newer point-to-point models require external resources to enforce policies. Secondary data use (e.g., PCORI) will also require new means of assuring privacy preferences.

  • Project Aims/Goals
    The goal of this project was to understand the limitations of policy enforcement within current and proposed systems and to understand the essential attributes for any engineered, systems-based approach to policy management and enforcement. Our test bed efforts include both an evaluation of current HIE systems and creation of an operational test bed within our control.

  • Key Conclusions/Significant Findings/Milestones reached/Deliverables

    • Monolithic models are insufficient, and some current systems built to support ACO initiatives seem to have similar limitations. Our proposed approach was based on a monolithic model similar to what we had created for the Memphis RHIO. We found we could model rules and policies, encode these in Drools or iLog, and (in theory) create a gateway that would allow consistent enforcement. We confirmed that monolithic systems have technical and governance attributes that limit the robust data sharing required for care and secondary use. The collapse of these approaches and the introduction of cCDA, Direct, and other approaches forced us to change our approach.
    • Implementations required a great degree of data granularity and rich ontologies. Disclosure of certain types of especially sensitive information – notably HIV, mental health, domestic violence, and substance abuse – requires rich ontologies if one is to attempt to isolate and exclude specific data elements. Where mental health information is concerned, policies differ among states both in how such information is defined and, at times, in the source of the data (e.g., a mental institution).
    • HIE is constrained not by a single policy but instead by what we call a “policy pipeline.” Our explorations suggest that the primary impediments to effective HIE are the at times reactive and ad hoc policies created by many institutions. Transmission of data is governed by the policies of senders, state laws and ACO policies (if applicable), as well as federal rules. Since policies are subject to interpretation and the consequences of unauthorized release are greater than the consequences of sub-optimal data release, risk-averse institutions may create policies with higher barriers than those allowed by public policy. Hence the optimal ROC curve for HIE is not realized.
    • Authorization trumps all. A rich system for explicit authorization can obviate the need for additional computation. But authorization does not eliminate the need for representing the scope, use limitations, temporal limitations and other boundary conditions, and involves additional work processes for health care consumers and/or provider organizations. Furthermore, our own experience reinforces the trade-offs.
    • A systems-based engineered policy approach is essential. We concluded that the only way to enforce privacy policies is to engineer these policies across an entire health care system. Piecemeal solutions don’t work. This does not mean there must be uniform consensus on policies, but only a consensus on how context and key data items are represented. Further, starting with the model-based system and then querying the policy-makers may be a superior approach. Ideally, one would use formalisms (such as models, formal languages or logic) to create the policies. Absent that, we use our tools in PolicyForge to create an embodiment of policy enforcement across use cases and allow policy-makers to determine if the overall system behaves as expected.
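
    The findings above (the “policy pipeline,” the need for an ontology of sensitive data elements, and authorization with scope and temporal boundary conditions) can be made concrete in a small executable model. The following is an added illustration written for this page; it is not PolicyForge code or any system the project describes. Every policy rule, state code (ST_A, ST_B), institution name, data element code and the toy ontology are constructed assumptions, and the filtering is per data element as the report argues for. It shows that the pipeline stages combine by union (the most restrictive stage wins, which is how a risk-averse sender narrows release below what public policy allows), that an explicit, in-scope, unexpired authorization overrides the pipeline for the categories it names, and that codes the ontology does not know are withheld rather than released.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed toy ontology: data element code -> sensitive category.
# Routine elements map to "routine"; a real system needs a rich clinical ontology.
ONTOLOGY = {
    "HIV_TEST": "hiv",
    "ANTIRETROVIRAL_RX": "hiv",
    "PSYCH_NOTE": "mental_health",
    "DV_SCREENING": "domestic_violence",
    "SUD_COUNSELING": "substance_abuse",
    "BP_READING": "routine",
    "A1C": "routine",
}


@dataclass(frozen=True)
class Request:
    patient: str
    sender: str
    recipient: str
    purpose: str            # e.g. "treatment" or "research" (use limitation)
    state: str              # constructed state codes ST_A / ST_B
    aco: Optional[str]      # None when the sender is not in an ACO
    on: date


@dataclass(frozen=True)
class Authorization:
    """Explicit patient authorization with scope, use and temporal boundary conditions."""
    patient: str
    recipient: str
    purposes: frozenset     # permitted purposes
    categories: frozenset   # sensitive categories the patient explicitly permits
    valid_from: date
    valid_to: date

    def covers(self, req: Request, category: str) -> bool:
        return (self.patient == req.patient and self.recipient == req.recipient
                and req.purpose in self.purposes and category in self.categories
                and self.valid_from <= req.on <= self.valid_to)


# Pipeline stages: each returns the sensitive categories it withholds for this
# request absent explicit authorization. All rules are constructed for illustration.
def sender_policy(req):
    if req.sender == "CautiousClinic":   # risk-averse sender: exceeds what law requires
        return {"hiv", "mental_health", "domestic_violence", "substance_abuse"}
    return {"domestic_violence"}


def state_law(req):
    if req.state == "ST_A":              # hypothetical: mental health only for treatment
        return set() if req.purpose == "treatment" else {"mental_health"}
    if req.state == "ST_B":              # hypothetical: stricter definition and scope
        return {"hiv", "mental_health"}
    return set()


def aco_policy(req):
    if req.aco is None or req.purpose == "treatment":
        return set()
    return {"hiv"}


def federal_rule(req):
    return {"substance_abuse"}           # hypothetical floor: explicit authorization required


PIPELINE = [sender_policy, state_law, aco_policy, federal_rule]


def evaluate(req, record, authorizations=()):
    """Split a record {code: value} into (released, withheld); withheld maps code -> reason."""
    blocked = set()
    for stage in PIPELINE:
        blocked |= stage(req)            # union: the most restrictive stage wins
    released, withheld = {}, {}
    for code, value in record.items():
        category = ONTOLOGY.get(code)
        if category is None:
            withheld[code] = "unclassified"   # fail closed on codes the ontology does not know
        elif (category == "routine" or category not in blocked
              or any(a.covers(req, category) for a in authorizations)):
            released[code] = value       # authorization trumps the pipeline for its categories
        else:
            withheld[code] = category
    return released, withheld


# Constructed sample data.
SAMPLE_RECORD = {"BP_READING": "120/80", "A1C": 6.1, "HIV_TEST": "negative",
                 "PSYCH_NOTE": "...", "DV_SCREENING": "...", "SUD_COUNSELING": "..."}
ROUTINE_REQUEST = Request("p1", "GeneralHospital", "DrX", "treatment", "ST_A", "ACO1", date(2013, 5, 1))
CAUTIOUS_REQUEST = Request("p1", "CautiousClinic", "DrX", "treatment", "ST_A", "ACO1", date(2013, 5, 1))
EXPIRED_REQUEST = Request("p1", "GeneralHospital", "DrX", "treatment", "ST_A", "ACO1", date(2014, 1, 1))
SAMPLE_AUTH = Authorization("p1", "DrX", frozenset({"treatment"}), frozenset({"substance_abuse"}),
                            date(2013, 1, 1), date(2013, 12, 31))

if __name__ == "__main__":
    for req in (ROUTINE_REQUEST, CAUTIOUS_REQUEST, EXPIRED_REQUEST):
        print(req.sender, req.on, evaluate(req, SAMPLE_RECORD, [SAMPLE_AUTH]))
```

    Running the module prints, for each constructed request, which elements are released and which are withheld and why. The union across stages is what produces the sub-optimal release the report describes: the cautious sender withholds HIV and mental health data even though the constructed state, ACO and federal rules would permit them for treatment, and only an explicit authorization restores release of a withheld category.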

  • Materials Available for Other Investigators/Interested Parties
    The publication “Modeling Privacy Aware Health Information Exchange Systems,” describing the systems-based engineered approach to HIE systems and policies, is available (see bibliography).

  • Market entry strategies
    Generalizing the application of formal modeling systems in health care is essential to wide-scale implementation of clinical decision support, coordination of care, and related complex multi-agent problems of consequence, as well as in privacy policy development and enforcement. We believe that there is an opportunity to foster more effective means of collaborating in the development of policies and the assessment of policies (as we have) by creating models and simulating these models against use cases to see if the policies achieve their intended consequences. Although we adopted a collaboration framework (PolicyForge) late in our work, we believe platforms such as these will become more prevalent as more robust policy management systems are introduced into general healthcare delivery environments.

PolicyForge: A Collaborative Environment for Formalizing Privacy Policies in Health Care
Andras Nadas, Laszlo Juracz, Janos Sztipanovits, Mark E. Frisse, and Ann J. Olsen
Software Engineering in Health Care (SEHC), 5th International Workshop, May 2013

Modeling Privacy Aware Health Information Exchange Systems
Andras Nadas, Mark E. Frisse, and Janos Sztipanovits
The 1st International Workshop on Engineering EHR Solutions (WEES) at Amsterdam Privacy Conference 2012, Amsterdam, the Netherlands; October 2012