Patient privacy and consent management in health

Alpay, Erdem
Patients' health information is preserved either in Electronic Health Record (EHR) repositories, which are generally managed at the national level, or in local hospital systems. However, the real owners of the data are always the patients themselves, regardless of where or by whom the data is preserved. Patients should have the right to permit or deny access to, or modification of, their information for whomever they choose. This is where the concept of consent comes in. Consent means the provision of approval or agreement after thoughtful consideration. Patients' decisions about sharing their information are collected and preserved in consent documents. These consent documents can be stored in different formats. The eXtensible Access Control Markup Language (XACML) defines the policy language for this purpose. XACML also defines another language, the Request/Response Language, for creating requests to access information and responses that reply to those requests. Even though XACML is the most appropriate standard for preserving consent documents, it has some weak points when used in practical systems. In the first part of this study, a new model based on XACML is designed. This model is easily convertible to XACML and vice versa. A Consent Management tool is then designed using the new model. This tool has two parts: the Basic Consent Editor and the Consent Manager. The Basic Consent Editor aims to provide a practical user interface for creating and managing consent documents. The Consent Manager, on the other hand, acts as a decision mechanism that handles requests and creates decision responses according to the consent documents already created. In this study, three different tools are implemented based on the Consent Management tool, each for a different purpose in a different project. Throughout these implementations, the usability and possible extensibility of the Consent Management tool are analysed.