This is the author’s version of a work that was submitted/accepted for pub-

lication in the following source:

Gajanayake, Randike, Iannella, Renato, & Sahama, Tony R.

(2011)
Sharing with care : an information accountability perspective.
IEEE Internet Computing, 15(4), pp. 31-38.

This file was downloaded from: https://eprints.qut.edu.au/42103/

c Copyright 2011 IEEE

Personal use of this material is permitted. However, permission to reprint/republish this

material for advertising or promotional purposes or for creating new collective works for
resale or redistribution to servers or lists, or to reuse any copyrighted component of this
work in other works must be obtained from the IEEE.

Notice: Changes introduced as a result of publishing processes such as

copy-editing and formatting may not be reflected in this document. For a
definitive version of this work, please refer to the published source:

https://doi.org/10.1109/MIC.2011.51
 Sharing with Care: An Information Accountability Perspective
Randike Gajanayake1, Renato Iannella2, 1 and Tony Sahama1
1
Queensland University of Technology,
Brisbane, Australia
2
Semantic Identity,
Brisbane, Australia.
[email protected], [email protected], [email protected]

Abstract information interoperability standard Health Level 7

(HL7) when health information is shared through
Health information sharing has become a vital part of electronic media among healthcare participants. We
modern healthcare delivery. E-health technologies propose a solution for sharing and interoperability of
provide efficient and effective ways of sharing medical health information through the use of a healthcare social
information, but give rise to issues that neither the network which uses HL7 as the communication method
medical professional nor the consumers have control over. between health information systems.
Information security and patient privacy are key
impediments that hinder sharing information as sensitive 2 Information Technology and Healthcare
as health information. Health information interoperability
Information Technology adoption in healthcare known
is another issue which hinders the adoption of available e-
as e-health can be better highlighted through the use of
health technologies. In this paper we propose a solution
personal health records (PHR). In the e-health context
for these problems in terms of information accountability,
this can be subdivided into electronic medical records
the HL7 interoperability standard and social networks for
(EMR) and electronic health records (EHR). The proper
manipulating personal health records.
implementation of e-Health systems that manipulate
EMRs and EHRs is essential to keeping pace with the
Keywords: information accountability, healthcare
exponential growth of health information and to applying
interoperability, e-health, HL7, RIM, EHR, EMR,
this knowledge to resolving world health problems.
personal health records, social networks.
People have become more and more interested in
1 Introduction knowledge of their health and many patients as a result
Sharing and proper use of information is an important are using the Internet as a means of gaining information
aspect in modern electronic healthcare. The needs of the about their medical conditions. By doing so they expose
present-day medical practitioner, as well as the consumer (share) their health information to other Internet users
(patient), are different from what we have seen and who may or may not have the same interests. This creates
experienced in the past. Medical professionals want tools an entirely different set of issues for the patients other
enabling them to connect and share information with than their medical conditions.
other specialists to help make better decisions towards the
2.1 Information Privacy and Security in
improvement of the quality of care, and the public
(patients) want to be more involved in their own Healthcare
healthcare processes and want control over their health The Internet and other communication media often let
information (health records). Both specialists and patients information be vulnerable to disclosure resulting in
can benefit from linking family health profiles so that all security issues and infringement of consumer privacy.
relevant information is available for reference when the Privacy concerns are significant in health informatics and
need arises. Information sharing is a part of healthcare must be addressed at the initial stages of any of its
that can alter the way in which care is being delivered. processes. Because of the open architecture of the
But the flow and visibility of health related information Internet, special organisational policies and procedures
among people has to be controlled and monitored to need to be implemented to guarantee the privacy and
ensure the information will not be misused. reliability of e-health systems. These special policies need
In order to fulfil these needs, we need to consider two to be focused on data security as well as other ethical
aspects regarding information use in healthcare. Firstly, issues pertaining e-health to gain the trust and consent of
the patients have to be confident that their sensitive consumers. As Goldman and Hudson (2000) state,
information is safe from being disclosed to unwanted without trusting that their most sensitive health
parties. Secondly, healthcare interoperability needs to be information will be safeguarded, patients are reticent to
well understood and properly defined. Information fully and honestly disclose their personal information and
Accountability is a concept that allows the use of may avoid seeking care altogether.
information by a person to be monitored and if misused According to Ann Cavounkian (2010), if privacy is
hold that person accountable for the ramifications for his taken into consideration during the development process,
actions. The lack of use of a common healthcare there is great potential that these technologies can
interoperability standard is one barrier to the success of actually increase the privacy of the individual, by
information sharing in healthcare. This paper investigates providing them with greater choice and personal control
the role of information accountability and the health over how their data is managed. Meingast et al. (2006)
says defining clear attributes for role-based access, policy possible, but violators can be identified and held
development, rules on patient privacy at home, data accountable (Weitzner, Abelson et al. 2008)
mining rules and technological measures will be needed
to ensure the security and privacy of medical data. In 3.1 Information Accountability in Healthcare
their effort to solve the privacy problem, Naqvi et al. Accountability has become a major factor in
(2010) has considered a context-aware access control healthcare. Emanuel et al. (1996) focus on three factors
model for assuring privacy of medical records in an that need to be considered to better understand the
Internet based open environment. concept of information accountability in healthcare. It is
As a means of overcoming privacy and security issues important to clearly identify the different parties in
related to healthcare, information accountability could healthcare that can be held accountable, the issues for
prove to be the answer. Transparency and accountability which a party can be held accountable and the appropriate
will be critical in helping the society to manage the mechanisms for accountability, in other words, who, what
privacy risks that accumulate from the expeditious and how. These can be referred to as the components of
progress in communication, storage and search information accountability. According to Ferreira et al.
technology. (2003), the main objective of accountability systems is to
provide a means to verify, analyse and investigate users’
3 Information Accountability actions. Information about parties accountable should be
Accountability is when someone is held answerable made usable by many stakeholders, each of whom have a
for their actions and its outcomes. In other words, different purpose and, therefore, should have different
accountability focuses on the ramifications after a levels of accessibility to the information. The presence of
decision is made. In the context of information an accountability system tends to ensure procedures are
accountability, this refers to when one party is held liable correctly followed.
to explain, justify or answer for their use of information Figure 1 illustrates the process of information
belonging to another party. exchange in a general e-health scenario. It illustrates how
Information is widely available and the use of that health information is exchanges between patients and
information needs to be controlled. Rather than enforcing health professionals and between health professionals
rigid up-front control over the use of information, there is themselves. Whenever information is used by a health
a need to accommodate “fair use”. The control over the professional they are accountable for the way they used
use of information is imperfect and exceptions are the information. This can be further explained in detail
using an e-health scenario.

Figure 1: e-Health Scenario of sharing health information

 Consider the following e-health scenario. A patient, 3.2 IA and Interoperability
Gary, who has a personal health record, allows his doctor, One such standard which is currently in use is the
Peter, to access his entire health record. Gary also allows Health Level 7 (HL7) standards for health
his mother to access a portion of the health record, given interoperability. The latest version of HL7 is Version 3
that she allows Doctor Peter access to related family which is based on an Object-Oriented development
health information. Doctor Peter participates in methodology and a Reference Information Model (RIM).
discussions with other medical professionals and The RIM provides an explicit representation of the
discusses issues related to Gary without his identity being semantics and lexical connections that exist between the
compromised. This involves sharing Gary’s information information carried in the fields of HL7 messages.
across many different networks. The “Link” shown in The RIM has a backbone structure consisting of three
Figure 1 indicates where there is a correlation between main classes namely Act, Role, and Entity and three
interests of both Doctor Peter and another specialist associations namely ActRelationship, Participation and
Doctor Claudia. They connect and Doctor Peter exchange RoleLink linked with a number of permitted
further information about Gary with Doctor Claudia. The relationships. The RIM defines a set of Attributes for
Accountability system detects that Doctor Claudia has each class and these are the only ones allowed in HL7
accessed Gary’s information and informs him. Since this messages. Each attribute has a specific Data Type. These
is for his own wellbeing, Gary allows Doctor Claudia become tags in HL7 XML messages. A subset of the RIM
complete access to his health information. Next, Doctor consisting of the six backbone classes with their structural
Peter refers Gary to a dermatologist, Doctor Sandra. She attributes is show in Figure 3.
is granted access to Gary’s health record and also his
mother’s health records to assist treating a genetic skin
condition.
Granting various parties the access to information
Gary allows the management and sharing of personal
information with his consent and involvement. The need
for complex privacy policies is reduced and the policies
can be made known to all engaging parties. A use case
diagram of this scenario is shown in Figure 2.

Figure 3: HL7 V3 RIM backbone

Put in plain words, the basic functionality of the RIM

backbone classes is as follows; Act represents the actions
that are executed and these actions must be documented
as healthcare is provided. Participation expresses the
context for an act such as who performed it, for whom
was it done, where was it done, etc. Entity represents the
physical things and beings that are of interest to, and take
part in healthcare. Role establishes the roles that entities
play as they participate in health care acts.
ActRelationship represents the binding of one act to
Figure 2: Use Case diagram: e-Health scenario another, such as the relationship between an order for an
The Accountability agent is responsible for monitoring observation and the observation event as it occurs. And
and keeping logs on the access to and the use of health RoleLink represents relationships between individual
records. When sharing patient information, all parties roles.
should seek the consent of the patient to do so. The
patients will be notified of the use of their information at
all times by the Accountability Agent. Alterations to the
health records can be done by the patient and/or any other
party who has consent of the patient.
Even in an environment with information
accountability mechanisms in place, health
interoperability to some extent restricts the use of e-health
technologies in terms of information exchange between
health information systems which is useful when sharing
information. Health interoperability arises due to the fact
that not all systems use the same format and architecture.
This has given rise to many predicaments that has
directed the e-health community to seek interoperability
standards.
.
 doctor. This information and the results of the test can be
used to generate an HL7 V3 message as shown in Figure
4.
In this scenario the patient information will flow from
the reception to the doctor and to the nurse who performs
the blood test. Since the receptionist, the doctor and the
nurse would gain some knowledge about the patients’
medical condition; there need to be some mechanism to
monitor and record the flow of information and to record
the use of information that has been sent to particular
entities. The information accountability components
which can perform these tasks can be integrated into the
HL7 messages that are sent and received from each
location. By having these new components integrated
within messages, the use of any data element that is sent
via an HL7 message will be constantly monitored and
recorded. This will require introducing new classes and
attributes to the current version of the RIM.
It is important to understand, however, that the RIM,
although healthcare specific, is not a model of healthcare.
It is also not a model of any message even though it is
used in messages.

3.3 Information Accountability and Social

Networks in Healthcare
Social networking has become one of the most popular
and widely used web applications around the world.
Sharing information through a social network and giving
patients the control over their information could prove to
be very effective in future healthcare needs. According to
Domingo (2010), at the moment, healthcare social
networks provide an attractive platform for sharing ideas,
discussing symptoms and debating treatment options. By
allowing medical professionals access to electronic
medical records of their patients, this can be taken to the
next level and healthcare can be made more efficient and
more effective.
According to Harrison and Lee (2006), 86% of people
who have access to the Internet have used it to search
health related information, 50% of consumers have
shown interest in accessing their information through the
Internet and 33% considered switching providers so that
they can communicate electronically with their
physicians. The word ‘patient’ is slowly transformed into
‘consumer’ because of the Internet and the demand for a
more active role in their own care. Patients do not receive
Figure 4: HL7 V3 message test results snippet information about their medications. They, therefore, take
To understand the use of the RIM classes in a real life the matter into their own hands. In her article Domingo
physician patient encounter, consider the process of a (2010) states that 61% of US citizens have looked online
simple measurement of the blood glucose level of a for health information in 2008. With this increased
patient. The patient is represented as an instance of class interest the demand for better e-health solutions have also
Person and an instance of class Patient, which is a increased. Sharing health information through social
subclass of Role (a Person with the role of Patient). The networks can provide the consumer as well as the health
physician visit is an instance of class PatientEncounter (a professionals with better and effective means of
subclass of Act). The blood glucose level is an instance of healthcare capabilities.
class Observation (a subclass of Act). The patient is Personal health records (PHRs), which can be used to
linked to the visit by an instance of Participation; the facilitate sharing health information of patients can be
blood glucose measurement is linked to the visit through integrated in to the structure of the social network itself.
an instance of ActRelationship. The patient details are These documents can be shared using the HL7 v3
recorded at the time the patient registers at the reception standards to eliminate incompatibility concerns.
of the clinic. Assume that the test is being done by a Information privacy will be the greatest barrier that will
nurse not the doctor himself using a small hand held need to be overcome. To address this, the best approach,
device. After the test the results are sent back to the
as discussed earlier, is to introduce an information 4 Conclusion and Future Work
accountability framework for the proposed PHRs. With proper design and implementation, an integrated
Even in popular social networks, privacy is an ongoing solution of the concepts of information accountability and
subject for debate. In regular social networks the user has health interoperability in a secure healthcare social
the capability to filter the information such that what is network could prove to be the ultimate solution to the
displayed can be rigidly controlled by the user. But in impediments that have hindered the progress of e-health
healthcare there must be a different mechanism for as a solution for better patient healthcare. We are
ensuring privacy since health information must be fully currently working on implementing the proposed
and completely disclosed to the health professionals to information accountability framework for health
allow them to make better decisions. Information information sharing with the use of HL7 as the medium
accountability can assure the user of secure information of communication in a healthcare social network. This
sharing and the proper use of information in healthcare. will give us the opportunity to validate the framework in
The way information is used has to be monitored and a real world information sharing scenario.
patients as well as the information user must be informed
of how information is being used and by whom. This will 5 Acknowledgements
allow the patients to hold people accountable for The Authors would like to thank the National ICT
inappropriate misuse. Figure 5 illustrates the basic Australia (NICTA) for the funding provided for this
components and the functionality of an information ongoing research project.
accountability framework that will allow the above
operations to be performed. 6 References
Patients are not health professionals. For example they Cavoukian, A., A. Fisher, et al. (2010). "Remote home
are incapable of interpreting an X-ray, a blood test report health care technologies: how to ensure privacy?
etc. They also do not have the capability to decide which Build it in:Privacy by Design." Identity in the
information is needed for diagnosis purposes and decision Information Society 3(2): 363-378.
making. Hence when health professionals request access Domingo, M. C. (2010). "Managing Healthcare through
to certain health information the patients have to grant Social Networks." Computer 43(7): 20-25.
them access for that information. But they have to be
confident that the information will not be used for any Emanuel, E. J. and L. L. Emanuel (1996). "What Is
other purpose than what is required. The presence of the Accountability in Health Care?" Annals of
information accountability mechanism will make the Internal Medicine 124(2): 229-239.
patients more confident and at the meantime make the Ferreira, A., S. Shiu, et al. (2003). Towards
information users more aware of the consequences of accountability for Electronic Patient Records.
information misuse. Computer-Based Medical Systems, 2003.
Proceedings. 16th IEEE Symposium.
Goldman, J. and Z. Hudson (2000). "Virtually exposed:
Privacy and e-health." Health Affairs 19(6): 140.
Harrison, J. P. and A. Lee (2006). "The role of e-health in
the changing health care environment." Nursing
Economics 24(6): 283-289.
Meingast, M., T. Roosta, et al. (2006). Security and
Privacy Issues with Health Care Information
Technology. Engineering in Medicine and
Biology Society, 2006. EMBS '06. 28th Annual
International Conference of the IEEE.
Naqvi, S., G. Dallons, et al. (2010). Assuring Privacy of
Medical Records in an Open Collaborative
Environment - A Case Study of Walloon
Region’s eHealth Platform. Privacy and Identity
Figure 5: Components of Accountability Management for Life. M. Bezzi, P. Duquenoy,
In modern social networks these operations are not in S. Fischer-Hübner, M. Hansen and G. Zhang,
place. With the introduction of these capabilities Springer Boston. 320: 146-159.
healthcare social networks can benefit both the patients Weitzner, D. J., H. Abelson, et al. (2008). "Information
and the health professionals. The public will own their accountability." Commun. ACM 51(6): 82-87.
health records and be responsible for the control of their
health profiles in the social network. They will be given
the opportunity to grant access to the health information
to specialists that they feel are suitable for a specific task.
The specialists will make further linkages with other
medical professionals that will support the ultimate goal
of sharing of information, which would leads to better
healthcare delivery.
Authors
Tony Sahama
Randike Gajanayake Dr. Tony Sahama is a Senior Lecturer in the
Randike is a postgraduate research student at the Faculty Computer Science discipline at the Faculty of Science
of Science and Technology at Queensland University of and Technology (FaST). He holds a PhD in Computer
Technology, Brisbane, Australia. He holds a degree of Simulation and Modeling. He is an active member of the
Bachelor of Science (Special in Computer Science) from Computer Science discipline on teaching and research.
the University of Peradeniya, Sri Lanka. His research Tony’s research contribution is not limited to his research
interests lie in the fields of e-health, medical image area of interest in the Medical Informatics domain. He
processing and Algorithms. also spends a considerable time on Teaching and
Learning research as well. Currently he is supervising
Postal Address: several Medical Informatics related HDR student
Queensland University of Technology, projects. Since 2009, Tony holds the SCEPTrE (UK)
Teaching fellowship as part of his Work Integrated
Level 10, 126 Margaret Street,
Learning (WIL) industry collaborative work.
Brisbane, 4001,
AUSTRALIA. Postal Address:
Queensland University of Technology,
Phone: +61-7-3191 8821
Level-10, 126 Margret Street,
Mobile: +61-4-5833 3320
Brisbane, 4001,
Email: [email protected]
AUSTRALIA.

Renato Iannella Phone: +61-7-3138 1131

Renato is an independent Semantic Web Science Fax: +61-7-3138 9390
Technology Strategist and Adjunct Professor at the Email: [email protected]
Queensland University of Technology (QUT). His
research and technologies experience covers the Semantic
Web, Web Science, Social Networks, & Rights and
Privacy Management. Renato also has extensive
experience in Information Standards for Internet, Web
and Mobile platforms. Renato was also the Founder and
is the Convener of the ODRL Initiative which develops
and promotes industry strength rights languages for open
and commercial sectors.
Renato also is a Visiting Professor at the University of
Hong Kong, Adjunct Associate Professor at the
University of Queensland, and Technology Strategist at
Peepel. He previously was Principal Scientist at the
National ICT Australia (NICTA) research laboratory,
Chief Scientist at IPR Systems & LiveEvents Wireless,
Principal Research Scientist at the Distributed Systems
Technology Centre (DSTC), and was a former member of
the World Wide Web Consortium (W3C) Advisory
Board.

Postal Address:
Semantic Identity,
316 Brisbane Corso, Yeronga,
Queensland, 4104,
AUSTRALIA.

Phone: +61-7-3892 6961

Mobile: +61-4-1313 2206
Email: [email protected]