
HL7 SPIA Cookbook Project

From HL7Wiki
Revision as of 19:32, 10 June 2016 by Rgrow


Healthcare today has some of the most diverse needs with regard to sharing patient data, together with a need to protect and preserve the privacy of that data as it moves among systems. Increasingly, healthcare organizations and technology vendors perform assessments (privacy impact assessments, threat risk assessments, business impact assessments, etc.) to ensure that installed healthcare technology will have a positive impact on healthcare delivery; in some countries such assessments are mandated for healthcare delivery organizations. Unfortunately, key decision makers often have difficulty understanding the relevance of the privacy impacts identified, and those impacts are frequently overlooked when standards are written.

The Goal

This Standards Privacy Impact Assessment (SPIA) Cookbook is intended to enable HL7 standards developers to publish standards that have taken privacy considerations and impacts into account. This guide introduces a process to facilitate completing a privacy impact assessment for a specific standard. Using this process will facilitate the identification of gaps in a standard’s baseline privacy. This will lead to standards that include privacy as part of their base, reducing the need to “bolt” privacy on later. As a result, the HL7 standards will better protect and preserve patient privacy, which in turn will lead to improved patient outcomes.

Scope

This SPIA Cookbook guides HL7 standards developers through a 10-step process that helps ensure they consider the privacy impacts that implementation of their standard will have on individuals. It encourages all HL7 standards developers to add a “Privacy Considerations” section to their standard, which states whether actions involving personally identifiable information (PII) are in scope of the standard. If so, HL7 standards developers are encouraged to recommend that implementers reference jurisdictional laws, regulations, and policies when performing actions involving PII.

Specific instructions or guidelines for implementing standards involving PII are out of scope of this SPIA Cookbook. It is up to individual implementers to determine how they will handle and protect PII.

The Need for a Privacy Impact Assessment

A privacy impact assessment is the “overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII).” (Source: ISO/IEC 29100 Information technology — Security techniques — Privacy framework)

Organizations strive to protect PII for many reasons, such as safeguarding an individual’s privacy, meeting legal and regulatory requirements, and increasing consumer trust. To determine the privacy implications of their systems which process PII, organizations regularly conduct a privacy risk management process. A privacy impact assessment is a common deliverable of this process. (Source: ISO/IEC 29100)

Privacy Considerations Section

See the "Working Space" area on this Wiki page to open the latest SPIA Cookbook draft document. Section 2 of this document provides questions that HL7 standards developers should address and provide responses to in the “Privacy Considerations” section of their standard. Following the questions in the document is a diagram that graphically illustrates the order and flow of questions and possible responses for standards developers as they fill out the Privacy Considerations section.

Privacy Risk Management Approach

For the final part of the Privacy Considerations section, HL7 standards developers are encouraged to write:

"We recommend implementers refer to the privacy risk management approach for guidance on how to address and mitigate any privacy risks associated with the collection, storage, use, processing, disclosure, dissemination, etc. of PII before implementation of our standard."

The privacy risk management approach outlined in Appendix C of the SPIA Cookbook closely follows the “Methodology for Privacy Risk Management” produced by Commission Nationale de l’Informatique et des Libertés (CNIL).

  • CNIL's Methodology for Privacy Risk Management
  • This methodology has been accepted and incorporated in the “Privacy- and Security-by-Design Methodology Handbook” published by PReparing Industry to Privacy-by-design by supporting its Application in Research (PRIPARE).
    • The PRIPARE Handbook harmonizes and integrates the existing standards, practices and research proposals on privacy engineering.
    • PRIPARE Handbook

Working Space

Mitigation Tools

It is up to individual organizations to choose and follow a strategy that best suits their needs. However, HL7 implementers should mitigate each identified risk until the residual risk is reduced to an acceptable level. Privacy by Design (PbD) principles should be referenced for this purpose.

ISO/IEC 29100 defines the following 11 privacy principles, which can be applied as PbD principles:

  1. Consent and choice
  2. Purpose legitimacy and specification
  3. Collection limitation
  4. Data minimization
  5. Use, retention and disclosure limitation
  6. Accuracy and quality
  7. Openness, transparency and notice
  8. Individual participation and access
  9. Accountability
  10. Information security
  11. Privacy compliance

Download the ISO/IEC 29100 standard for guidance on how to meet each of the 11 principles above.

OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) is built on the seven foundational PbD principles:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy by Default
  3. Privacy Embedded into Design
  4. Full Functionality: Positive Sum, not Zero-Sum
  5. End-to-End Lifecycle Protection
  6. Visibility and Transparency
  7. Respect for User Privacy

Browse the OASIS Privacy by Design document repository and the latest PbD-SE working draft specifically for guidance on how to meet each of the 7 principles above.

In addition, the Information and Privacy Commissioner of Ontario has a vast selection of PbD white papers and other PbD documents available on its website, listed under “Discussion Papers.”

Finally, several “best practices” specifications for incorporating PbD principles are available on the Web, including: