HL7 PIA Cookbook Project

Back to CBCC Wiki: Meetings

Healthcare today has some of the most diverse needs with regard to sharing of patient data and the need to protect and preserve the privacy of the data as it moves among systems. Increasingly, healthcare organizations and technology vendors are performing assessments (privacy impact assessments, threat risk assessments, business impact assessments, etc.) to ensure installed healthcare technology will have a positive impact on healthcare delivery. These assessments are even mandated for healthcare delivery organizations in some countries. Unfortunately, key decision makers often have difficulty understanding the relevance of the privacy impacts identified, and often overlook them when writing standards.

The Goal

This Standards Privacy Impact Assessment Cookbook is intended to enable HL7 standards developers, domain committees and working groups to publish standards that have taken privacy considerations and impacts into account. This guide introduces privacy impact assessments and a process to facilitate completing a privacy impact assessment for a specific standard. Using this process will facilitate the identification of gaps in a standard’s baseline privacy, allowing the working group to either update the standard on its own or to send a request to the CBCC Working Group for assistance in filling the gap. This will lead to standards that include privacy as part of their base, reducing the need to “bolt” privacy on later. As a result, the HL7 standards will better protect and preserve patient privacy, which in turn will lead to improved patient outcomes.

The Need for a Privacy Impact Assessment

A privacy impact assessment is the “overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII).” (Source: ISO/IEC 29100 Information technology — Security techniques — Privacy framework)

Organizations strive to protect PII for many reasons, such as safeguarding an individual’s privacy, meeting legal and regulatory requirements, and increasing consumer trust. To determine the privacy implications of their systems which process PII, organizations regularly conduct a privacy risk management process. A privacy impact assessment is a common deliverable of this process. (Source: ISO/IEC 29100)

This HL7 PIA Cookbook is intended to be used to identify privacy considerations in each standard developed by HL7 and categorize them using a standard and accepted risk framework. During this process a gap may be identified that needs to be brought to the attention of the CBCC WG.

The privacy risk management approach outlined in this PIA Cookbook closely follows the “Methodology for Privacy Risk Management” produced by Commission Nationale de l’Informatique et des Libertés (CNIL).

• CNIL's Methodology for Privacy Risk Management
• This methodology has been accepted and incorporated in the “Privacy- and Security-by-Design Methodology Handbook” published by PReparing Industry to Privacy-by-design by supporting its Application in Research (PRIPARE).
  • The PRIPARE Handbook harmonizes and integrates the existing standards, practices and research proposals on privacy engineering.
  • PRIPARE Handbook

Working Space

• HL7 GForge folder with resources
• Draft PIA Cookbook document

Mitigation Tools

It is up to individual organizations to choose and follow a strategy that best suits their needs. However, HL7 should mitigate risks as often as possible in order to decrease the risk to an acceptable level. Privacy by Design (PbD) principles should be referenced for this purpose.

ISO/IEC 29100 describes the following PbD principles:

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Download the ISO/IEC 29100 standard for guidance on how to meet each of the 11 principles above.

OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) describes PbD principles as well:

1. Proactive not Reactive; Preventative not Remedial
2. Privacy by Default
3. Privacy Embedded into Design
4. Full Functionality: Positive Sum, not Zero-Sum
5. End-to-End Lifecycle Protection
6. Visibility and Transparency
7. Respect for User Privacy

Browse the OASIS Privacy by Design document repository and the latest PbD-SE working draft specifically for guidance on how to meet each of the 7 principles above.

In addition, the Information and Privacy Commissioner of Ontario has a vast selection of PbD white papers and other PbD documents available on its website. Go here and click on “Discussion Papers.”

Finally, several “best practices” specifications for incorporating PbD principles are available on the Web, including:

• IETF RFC 6973, “Privacy Considerations for Internet Protocols”
• IETF RFC 3552, “Guidelines for Writing RFC Text on Security Considerations”
• W3C Working Group Note, “Device API Privacy Requirements”
• W3C Working Group Note, “Web Application Privacy Best Practices”