CHEO Research Institute develops secure protocol for data disclosure
It is important for health care providers to report health issues, such as influenza outbreaks, to public health authorities. But there is evidence of a reluctance to share patient data for public health purposes due to concerns for both patient privacy and provider confidentiality. Dr. Khaled El-Emam and his research team at the CHEO Research Institute have developed a secure protocol and system that would solve this problem.
The new system would protect the identity of patients and health care providers while providing effective disease surveillance and meeting the needs of public health to detect and investigate disease outbreaks. The new system and associated research findings are published in this month's edition of the Journal of American Medical Informatics.
Providers have an obligation to report diseases to public health authorities, but new research shows that under-reporting by hospitals and physicians is common and can hinder effective disease control. Concern for patient privacy is a causal factor, but even when this concern is addressed, physicians feel themselves to be at risk when making such disclosures. For example, many are concerned that the data they report could be used to evaluate their compliance with clinical practice guidelines. Others fear an increased possibility of litigation, due to breach of confidentiality.
"Health care providers are less likely to make accurate reports if they feel the information could be used to evaluate them," says Dr. El-Emam. "The new protocol can provide confidence that the identity of healthcare providers is protected, and removes one more barrier to effective disease surveillance."
The secure protocol would encourage full disclosure from health care providers, enabling public health officials to accurately track such things as influenza outbreaks and the spread of infection in hospitals. The system also has a "break the glass" mechanism which would allow public health to identify and contact individual patients in case of an outbreak requiring an investigation.
The protocol uses special cryptographic techniques that allow computations to be performed directly on the encrypted data. Providers share encrypted data, and the public health authorities can still compute infection rates over time and detect abnormalities. This gives strong guarantees that patient and provider identities are hidden.
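The idea of computing on encrypted data, shown as an added example that is not from the original release or the research team's system. The release does not name the cryptosystem, so this sketch assumes textbook Paillier (additively homomorphic) with toy key sizes; the provider names and counts are constructed.

```python
import math
import secrets

# Toy key material (constructed): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    """Return (public n, private (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def encrypt(n, count):
    """Provider side: encrypt one count under the authority's public key."""
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2          # fresh randomness per ciphertext
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(n + 1, count, n2) * pow(r, n, n2) % n2

def add_encrypted(n, ciphertexts):
    """Aggregator side: multiply ciphertexts, which adds the hidden counts."""
    total = 1
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def decrypt(n, priv, c):
    """Key holder: recover the plaintext from a ciphertext."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def weekly_total(reports):
    """Encrypt each provider's count, aggregate blind, decrypt only the sum."""
    n, priv = keygen()
    cts = [encrypt(n, v) for v in reports.values()]
    return decrypt(n, priv, add_encrypted(n, cts))

# Constructed sample: one week's case counts from three hypothetical providers.
REPORTS = {"provider_a": 12, "provider_b": 7, "provider_c": 23}

if __name__ == "__main__":
    print("cases this week:", weekly_total(REPORTS))
```

Only the aggregated ciphertext is decrypted here, so the per-provider counts are never seen in the clear by the party doing the summation. `weekly_total` runs every role in one process for brevity; in a deployment the private key would sit with a party separate from the aggregator.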
Systems like this will also make it easier for other entities to automatically report to public health. For example, retail pharmacies can report over-the-counter sales data without worrying about revealing competitive store information, and schools can report absenteeism data. With the ability to access more data sources, public health will be in a better position to detect disease outbreaks at their earlier stages.