Balancing Health Information Exchange and Privacy Governance from a Patient-Centred Connected Health and Telehealth Perspective.

OBJECTIVES: Connected healthcare is an essential part of patient-centred care delivery. Technology such as telehealth is a critical part of connected healthcare. However, exchanging health information brings the risk of privacy issues. To better manage privacy risks we first need to understand the different patterns of patient-centred care in order to tailor solutions to address privacy risks.
METHODS: Drawing upon published literature, we develop a business model to enable patient-centred care via telehealth. The model identifies three patient-centred connected health patterns. We then use the patterns to analyse potential privacy risks and possible solutions from different types of telehealth delivery.
RESULTS: Connected healthcare raises the risk of unwarranted access to health data and related invasion of privacy. However, the risk and extent of privacy issues differ according to the pattern of patient-centred care delivery and the type of particular challenge as they enable the highest degree of connectivity and thus the greatest potential for privacy breaches.
CONCLUSION: Privacy issues are a major concern in telehealth systems and patients, providers, and administrators need to be aware of these privacy issues and have guidance on how to manage them. This paper integrates patient-centred connected health care, telehealth, and privacy risks to provide an understanding of how risks vary across different patterns of patient-centred connected health and different types of telehealth delivery. Georg Thieme Verlag KG Stuttgart.

1 Introduction

Societal and demographic changes coupled with rising costs of healthcare delivery have challenged us to design innovative new models of care delivery to support health and social care in the community. Community-based care delivery is complex due to the need to manage patient care across multiple settings and providers. Thus, a recent focus of health systems research has been the development of new models of care delivery that support the exchange and integration of patient data across providers and settings. 1 2 3 Central to these new models of care delivery is an emphasis on patient-centred care. Health transformation cannot be viewed solely from a technical or economic perspective but needs to be viewed from a patient-centred perspective where care delivery tasks are coordinated according to relevant patient's needs. 4

However, patient-centred care delivery introduces new challenges. Foremost is the need to integrate patient data across multiple providers and settings. This integration is referred to as connected health, defined as “the delivery of process-driven collaborative health management and healthcare practice by individuals, healthcare professionals, patients and/or carers through the support of technology (software and/or hardware)”. 5 Connected health is not a system or a technical infrastructure but rather describes the conceptual underpinning of what is needed for care delivery in different combinations of settings and care delivery models. The basis of connected healthcare delivery is sending and receiving health information (HI) across multiple touchpoints to enable and monitor patient-centred community care delivery over time. However, this introduces several issues including organizational, social, literacy, interoperability, and security and privacy issues. 6 7 8 9 Each of these issues presents a unique system design challenge and while research exists on all of them a shortcoming is that many solutions are at a macro level and do not always scale down to the micro level where care delivery is provided. 10 11 A failure to account for contextual differences in translating from macro solutions to micro implementation is what leads to unintended consequences such as impaired communication, patient safety, or workflow issues. 8

Telehealth, broadly defined as the provision of health care delivery, resources, and education through electronic information and communication technologies, 12 is a fundamental part of connected healthcare delivery as it enables the connection of people, processes, and information across different settings. Telehealth is especially important for rural and remote communities where in-person access to services may be limited. 13 Over time, the use of telehealth has evolved and there exist several different ways that telehealth can enable connected healthcare delivery including education, service delivery, care monitoring, and training. 12

However, the governance of telehealth has not followed the pace of evolution of the different ways used to support healthcare delivery. One example is privacy governance. The protection of patient privacy is a key concern with telehealth-enabled connected healthcare delivery. Privacy and telehealth have been well studied at the macro level such as the frameworks for the Internet of Things, mobile technologies, or population level frameworks for protecting data privacy. 14 15 However, these macro level approaches do not always scale down effectively to front line micro level care delivery. Li et al. point out that clinicians using telehealth at a micro level often encounter challenges at organizational (meso) or policy (macro) levels because of a lack of alignment between the telehealth policy level and the micro level where front care delivery is provided. 16

While integrating different sources of data (e.g., demographic, lifestyle, and behavioural data) can support both person-centred care delivery and public health decision-making, we also know that achieving this vision can pose serious challenges and threats to security and privacy. 17 To address these challenges and support the translation of macro level policy into micro care delivery settings, health information technology (HIT) designers need to better nderstand the unique workflow and data requirements in different healthcare contexts. 18 A first step to achieving this is to develop a business model of patient-centred telehealth delivery in order to understand the variations in how health information (HI) exchange differs across various telehealth delivery models. Some of these differences are related to the specific telehealth functions being utilized (e.g., viewing versus editing data, and education versus service delivery) while organizational and location contexts also impact the manner in which telehealth is used.

For the first time in the IMIA Yearbook , we examine the above challenge from the combined perspective of two working groups. The Organizational and Social Issues Working Group focuses on socio-technical, organizational, social, and ethical issues surrounding the introduction and use of informatics applications, whereas the Telehealth Working Group has a mandate to collaborate and disseminate research on the use of technology to foster the delivery of telehealth, particularly in low-resource or community-based settings.

The contribution of this paper is to propose the integration of patient-centred connected health, telehealth, and privacy issues in order to develop a business model of patient-centred care via telehealth. Our paper is outlined as follows. Section 2 describes patient-centred connected health. Section 3 describes telehealth and privacy standards. Section 4 integrates the two previous sections to develop a business model for patient-centred connected health via telehealth. Section 5 describes how to operationalize this business model by linking telehealth types, patient-centred HI patterns, and privacy issues and solutions. We conclude with a summary and present the next steps following our findings.

2 Patient-Centred Connected Health

In patient-centred care, practitioners put the patient in the centre of care planning. Donald Berwick coined three slogans about this practice: “patient's need is the only need”, “every patient is the only patient”, and “nothing about me without me”. 19 These slogans suggest the primacy of patients in patient-centred care and the duty of practitioners to remove barriers to patients' access to their personal HI. Patient-centred care is a broad term that encompasses different types of interactions that vary from one patient to the other based on individual circumstances. Patient-centred care has been defined as care that is “respectful and responsive to individual patient preferences, needs, and values and ensuring that patient values guide all clinical decisions”. 20 Patient-centred care typically involves asking patients about their goals and priorities related to their health and care, giving patients information about their health situation and care options, including them in decisions about care, and working with them after decision making to ensure that their needs are being addressed appropriately.

Some general scenarios (use cases) in which patients can benefit from being able to access personal HI from their medical record include, but are not limited to:

Checking laboratory and other test results rather than requesting results from a health care provider by telephone or waiting until the next appointment. Results should also be available in a more fruitful physical interaction 21

Checking prescriptions to ensure that they are using medication correctly 22

Reviewing information in EHRs to identify inaccuracies and inform providers about corrections (e.g., missing symptoms, incorrect dates/dosages) 23

Reviewing treatment protocols and schedules for follow-up appointments and related activities 24

Checking EHRs to ensure that electronically submitted patient-reported outcomes and patient-generated health data (e.g., motion sensor data) were received and integrated completely and accurately 25

For non-custodial parents, regularly checking the EHR for awareness of children's health problems in case they become ill during visitation or at times the custodial parent cannot be reached 26

For caregivers/custodians of vulnerable adults (e.g., dementia patients, individuals with intellectual disabilities, persons with severe mental health conditions), checking the EHR to plan and manage medication use, appointment scheduling, and other functions. 27

The above use cases highlight that patient-centred connected health is not one type of connectivity but rather that there are several different contexts of connectivity ranging from one-to-one HI retrieval, to view data, to many-to-many interactions that send and receive data multiple times. Telehealth support for these different contexts of connected health and the governance of these different contexts will also be varied.

3 Telehealth and Privacy Standards

Telehealth arose from telemedicine which tried to create access for care processes for those unable to physically access healthcare processes. In telehealth, information created for clinical care may be further utilized for data analytics to enable evaluation and planning of health strategies and achieve other organizational objectives. However, health information has the potential of being misused and the creation and dissemination of information through telehealth can undermine the privacy and confidentiality of patient information. The International Standards Organization (ISO) has created a variety of standards for the protection and management of health information. One has to ensure not only that such information is managed responsibly, but also that the access to health information is allowed to accountable persons who can maintain information security as noted by ISO Standards # ISO/IEC 2382-8:1998 & ISO/IEC 27000:2009. 28 29

Several privacy standards and protocols exist that pertain to the exchange of HI via telehealth such as ISO Standards 62304, 82304, and 80001, 30 31 32 which specifically target health data security as a concern with mention of various stakeholders, whether vendors, hospitals, or patients. These standards are linked to existing standards for specific aspects, for example the Risk Management Process of medical devices, which is addressed by ISO 14971. 33 Protocols for information security described in ISO 27799 34 describe the rules for information governance and privacy guidelines for the entire life cycle of information from creation to its eventual destruction, whether entered physically or through electronic means. Unfortunately, increasing amounts of memory, faster speeds, and better methods of access mean that governance and ensuring compliance are both very challenging. Cloud-based systems have eased the access to information but they have also increased privacy risks. Rules and processes concerning pseudonymization of data for analytics have also been created which contain principles for privacy protection of patient health information. 35

Although ISO rules provide a standard to regulate health information collection and dissemination, there is a noticeable difference between various parts of the world in how privacy standards are created, valued, or used. For example, in the United States, in addition to the utilization of ISO standards, the Healthcare Insurance Portability and Accountability Act (HIPAA) (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was created to ensure that all health information – not only technology-based information – available to insurance providers is governed properly. Within developing countries, however, privacy is not regarded as a primary concern by healthcare service organizations or professionals because meeting population basic health needs is more important than maintaining high levels of patient privacy and confidentiality. 36

4 Business Model for Patient-Centred Connected Health via Telehealth

While there exist numerous technologies and methods to support connected healthcare delivery, there is a considerable lack of guidance and an inability to establish effective business models to support the design and evaluation of connected health delivery. 37 The previous two sections described patient-centered care delivery and privacy standards relevant for telehealth. Figure 1 shows our business model integrating the two sections. The model illustrates that patient-centered connected care delivered by telehealth encompasses different patterns of HI exchange that will result in different privacy issues and governance implications.

Fig. 1

Business model for patient-centred connected health via telehealth including privacy considerations.

In the two sections below we articulate the two components of the model. First, we define a set of patient-centred connected health patterns and then we describe privacy implications of the patterns.

4.1 Patient-Centred Connected Health Patterns

Section 2 described several different use cases for how technology can support patient-centred connected health. While the different use cases are well described in the literature, the governance of the different use cases is far less described. 38 39 Privacy is one area where governance needs to be better articulated. A first step to developing privacy governance is to formalize the various ways in which HI is provided during patient-centred connected healthcare delivery. To that end, Rutenberg and Oberle 40 have proposed a supportive care model (SCM) with four different levels of activity: (a) connecting with patients, where practitioners establish a rapport with patients; (b) empowerment of patients, where practitioners provide timely information and help patients engage in the clinical workflow; (c) “doing for”, where practitioners conduct a skilled assessment of patients' situation and become advocates for patients, and (d) “finding meaning”, where practitioners enable patients to understand the significance of the care process and integrate the care plan in their own lives. Others have suggested similar categories of HI exchange and interaction that ranges from information gathering, discussion and empowerment, and engagement . 41 42

Drawing upon the above literature, we define three main patient-centred connected health patterns:

Pattern 1 is one-way HI exchange such as a patient viewing her/his HI through a telehealth application;

Pattern 2 is a more extensive 2-way HI exchange where communication or messaging occurs between patients and providers over time;

Pattern 3 expands upon pattern 2 and includes 2-way patient HI exchange and communication but also integrates multiple connection points such as EHRs, social media platforms, smartphone applications and Fitbits or other tracking applications.

4.2 Privacy Issues with Connected Health Patterns

The three different connected health patterns present different degrees of privacy issues. At a broad level, Kvedar et al. 43 contend that for telehealth to be effective, it needs to remove the barriers of patient access to HI by putting patients in the centre of the practice and by using connected health tools including mobile devices to connect and share information with patients in real time. Traditional telehealth tools that connect patients and providers in a virtual face to face environment where patients can connect using a tablet or a cell phone would be an illustration of connected health in the context of telecare. 43 However, as telehealth usage moves from connected health pattern 1 to 2 to 3, it increases the degree of HI exchange between patients and care teams (e.g., physicians, nurses, other members of the care-giving team) which also raises the risks of data breach during transmission. The greater the degree of HI exchange, the greater the potential for unauthorized persons gaining access. 44 Privacy issues become more significant when we move from raditional telehealth systems to consumer health and social media platforms (e.g., pattern 3).

Overall, the use and subsequent governance of connected health delivery are very different across these three patterns. Blanket solutions to govern privacy and access will not work as we run the risk of over or under governing connected health delivery depending on the degree of access that is needed. Rather, specific tailoring of privacy solutions to support specific usage patterns are required. In the next section, we start addressing that challenge by operationalizing the three connected health patterns according to different types of telehealth and privacy implications.

5 Operationalizing the Business Model

Our main contribution in this paper is to describe how to operationalize the business model presented in the previous section. Table 1 summarizes our findings as a framework of different types of telehealth delivery, the patent-centred connected health patterns supported, potential privacy issues, and possible solutions for the issues.

Table 1

Framework of telehealth types, patient-centred care patterns, privacy issues, and possible solutions

	Telehealth Types	Supported Patient-Centred Connected Health Pattern	Potential Privacy Issues	Possible Solutions
1	Telehealth – Direct	1, 2, 3	Direct transmission to unwanted locations. Leakage or hacking.	Controlled access. Creation only as per need and early destruction ISO 27799.
2	Telehealth –Indirect	1	Possibility of access beyond requirements for usage.	Awareness and adherence of ISO protocols such as 62304/82304.
3	Telehealth/EHR	1, 2	Security and privacy requirements of EHR systems for use in conformity assessment.	Adherence to standards for privacy and security of EHRs that also offer asynchronous telehealth (e.g., ISO 14441).
4	Telehealth - Unregulated	1, 2, 3	Telehealth usage is at the behest of the patient making regulation a challenge and offering potential for privacy issues.	Wide publicity of this issue to raise the awareness of the risks involved. Provision of applicable privacy guidelines.
5	Consumer Health	1, 2, 3	Patients sharing data inappropriately resulting in App providers having access to more information than required.	Better patient awareness of the risks of inappropriate disclosure and licensing system for Apps. (e.g., ISO 25238, 62304, 80001, 82304).

As Table 1 shows, there is a wide spectrum of modalities for how telehealth can be delivered and many types of connected health that can be supported. The biggest shift we are seeing in telehealth support of connected healthcare is the move from direct or “traditional” telehealth systems to the use of smartphone applications, social media, and other online platforms. Direct telehealth systems were designed with a dedicated purpose (e.g., to support Pattern 1–viewing of patient HI for chronic disease management). Design requirements for direct telehealth are well bounded and privacy risks can be identified and managed as part of systems design. As telehealth usage expands into indirect usage, through EHRs and unregulated modes of delivery, it creates privacy complications due to the unknown extent of the type of HI interaction that could occur and the potential for patient HI disclosure beyond what is needed for connected health delivery.

Online consumer health telehealth tools (telehealth Type 5 in Table 1 ) pose a much bigger privacy risk because they were not designed or evaluated specifically for the purpose of HI exchange and therefore the relevant privacy considerations, as well as training and patient awareness of privacy issues, were less likely to be considered at the time of systems design. Further, online or social media tools enable connected health Pattern 3 (viewing and communication using multiple data sources) which provides the highest degree of connectivity and thus the highest potential for privacy breaches. Connected health Pattern 3, which utilizes multiple data touch points, has stimulated an increased demand for online health information through websites, blogs, wikis, social media, instant messaging, mobile health applications, and telemedicine technologies. 45 Many privacy and confidentiality concerns have surfaced as a result of the increasing use of social media and internet and thus there is an increase in: (a) risks of privacy and confidentiality breaches for patient information shared through unregulated social media and internet platforms and (b) a deficiency in communication between health providers and patients. 46 Denecke et al., discuss the ethical implications of sharing health information through social media platforms where patients share clinical information with other patients and with healthcare providers without giving any informed consent. 47 The authors also cite the example of a crowdsourcing health platform site breaching the confidentiality and privacy of health information concerning vulnerable populations such as children by posting their picture as well as their clinical information. 47 Furthermore, Asiri et al. 48 and Househ 49 investigated the sharing of sensitive health information online and found that Facebook users posted sensitive health information related to sexually transmitted diseases, genetic disorders, and psychological issues.

Overall, there is a need to better understand the implications of telehealth-enabled connected health delivery to ensure that telehealth systems undergo appropriate privacy evaluation. To that end, we need to provide guidance according to the level of data that needs to be disclosed for different connected health needs. Figure 1 offers a spectrum of how data can be used for different healthcare tasks with the privacy characteristics of the different tasks. Operational direct patient care (e.g., telehealth Type 1 from Table 1 ) requires the most disclosure of individual patient records which exposes to the greatest risk of privacy breaches. Tasks such as service planning, policy design, or research (e.g., telehealth Type 2 from Table 1 ) require less than full data disclosure through pseudo-anonymized or fully anonymized data.

The biggest need moving forward is to inform all relevant parties about different telehealth types and the privacy risks attached to each of them. As connected health and telehealth use shifts from traditional telehealth systems to consumer health and social media platforms, we run the risk of losing control of the balance between HI exchange and necessary privacy considerations. On one hand, patients become empowered and engaged with Internet, iPhone smartphone applications, and social media platforms. But on the other hand, these online telehealth tools pose substantial risks because they enable connectivity without due consideration of the unintended consequences of that connectivity. Balancing privacy considerations with the online sharing and use of clinical and/or health information will be a challenging task for policy makers, health consumers, and developers of healthcare platforms. Raising the public's awareness and intensifying informational and educational campaigns on the risks and harmful impacts of sharing clinical and/or health information online are also needed.

While privacy and confidentiality laws exist for traditional telehealth systems, laws that prevent health consumers from sharing their personal clinical information on social media or other online tools (e.g., Twitter, Facebook) with other patients or healthcare practitioners are almost non-existent. Househ recommends that a health consumer e-awareness assessment model be created where patients are educated about the sharing and use of health information online. 50 Calling the attention of internet-based health platforms to share their privacy regulations openly with health consumers is needed in addition to government oversight. While protecting privacy and confidentiality in unregulated online platforms ia a major challenge for western countries, for developing countries where health care access may be limited, a bigger challenge would be to ensure that health consumers and/or patients do not fall prey to unscrupulous individuals and healthcare organizations. 51 The creation of international policies to protect and inform health consumers on how to use and share clinical and/or health information online is needed as more health consumers use online platforms in the search for advice and health information.

“Different types of information use” taken from ISO/TS 29585:2010, Health informatics – Deployment of a clinical data warehouse, reproduced with the permission of the International Organization for Standardization, ISO. This standard can be obtained from any ISO member and from the website of the ISO Central Secretariat at the following address: www.iso.org .

In summary, this paper helps address the above challenges by developing a business model of patient-centered care via telehealth and using it to identify three patterns of patient-centered connected health. The three patterns help informaticians, practitioners, government, and policy makers to understand how different types of telehealth can support different connected health patterns of HI exchange and the privacy issues and possible solutions that emerge from telehealth-enabled connectivity.

6 Conclusion

Telehealth can play a vital role in enabling patient-centred connected healthcare delivery. However, while telehealth delivery has expanded through different types of modalities, the implications for data sharing and privacy have not kept pace with the technological innovation. By integrating patient-centred connected health care, telehealth, and privacy risks, we can understand how risks vary across different patterns of patient-centred connected health and different types of telehealth delivery. Future work must focus on educating patients about the risk of sharing health information and on building a better understanding and governance of unregulated telehealth modalities and consumer health applications.