Melting Down the Walls between Your Health Data Silos
Abstract
Background: Recent Web-based, personally controlled health record (PCHR) services, such as Dossia and Microsoft HealthVault, are bringing control of health records to their patients, offering them active roles in their healthcare. There remain, however, some technical drawbacks in the current PCHR landscape: (1) the lack of a cross-service identity resolution scheme workable in both current and any foreseeable Web-based PCHR solutions, and (2) the absence of a trust mechanism among healthcare ecosystem participants residing within one or more PCHR services. These shortcomings block seamless access to one’s lifetime health history.

Objective: The aim of this study is to address the aforementioned shortcomings by presenting an architecture for secure PCHR portability, based on technologies from the emerging Web of Data.

Methods: We introduce a WebID-based cross-service identity resolution scheme along with the WAC (Web Access Control) vocabulary for describing user-controlled disclosure of personal health records, enforced by a FOAF (Friend of a Friend) profile-based trust network in which connections between a user and other participants of PCHR ecosystems are represented. In this scheme, each user of PCHR services has a WebID, the URI (Uniform Resource Identifier) of the user's public FOAF profile exposed by one of the PCHR services the user has participated in. The user's public FOAF profile contains only the information needed for authentication via the WebID protocol, and his or her personal health records are securely stored in separate, private resources in multiple PCHR services. Each PCHR resource links to an access control list (ACL) resource that holds information, expressed in the WAC vocabulary, as to which agent or group of agents has access rights to the resources it governs. Using the vocabulary, one can freely say who has rights to read, write, append, or control his or her resources, and if the PCHR service provides separate resources for each part of the health records, the granularity of access control can be increased without any modifications. In addition, we can extend this architecture to support role-based or trust-network-based access control, thanks to the FOAF vocabulary, which has terms for describing groups and relationships between people. Our approach enhances current PCHR practices with maximized user control over health information.

Results: With the proposed solutions embedded in PCHRs, the drawbacks mentioned above can be solved. Assume that a patient has a WebID that identifies her. She can use it to log in to multiple PCHR services, and when she needs to obtain a holistic view of her health records, she can navigate from one PCHR service to another through the links between them without compromising privacy.

Conclusions: Since it is relatively easy to integrate our approaches with existing authentication and/or authorization mechanisms, such as OpenID and OAuth, there exist no significant technical barriers for current PCHR services to adopt our approaches, which empower patients with maximized control over their health records, facilitating streamlined access to disparate health record silos.
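
The ACL check described in the Methods, as an added example that is not code from the authors: a default-deny evaluation of WAC authorizations over constructed triples. All example.org URIs are hypothetical, the WebID is assumed to be already authenticated via the WebID protocol, and listing group members with foaf:member is an assumption (current WAC specifications use vcard:hasMember).

```python
# Added illustration: WAC-style authorization check over constructed triples.
ACL = "http://www.w3.org/ns/auth/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"

# Constructed sample data; every example.org URI is hypothetical.
ALICE = "https://phr-a.example.org/alice#me"        # the patient's WebID
DR_BOB = "https://clinic.example.org/bob#me"
NURSE = "https://clinic.example.org/carol#me"
CARE_TEAM = "https://phr-a.example.org/alice/groups#care-team"
LABS = "https://phr-b.example.org/alice/labs"       # one resource per record part
MEDS = "https://phr-b.example.org/alice/medications"

TRIPLES = {
    # Owner: read, write and control on both resources.
    ("#owner", ACL + "accessTo", LABS), ("#owner", ACL + "accessTo", MEDS),
    ("#owner", ACL + "agent", ALICE),
    ("#owner", ACL + "mode", ACL + "Read"), ("#owner", ACL + "mode", ACL + "Write"),
    ("#owner", ACL + "mode", ACL + "Control"),
    # Care team (a group): read-only, lab results only.
    ("#team", ACL + "accessTo", LABS),
    ("#team", ACL + "agentGroup", CARE_TEAM),
    ("#team", ACL + "mode", ACL + "Read"),
    # Nurse: may append to the medication list but not read or rewrite it.
    ("#nurse", ACL + "accessTo", MEDS),
    ("#nurse", ACL + "agent", NURSE),
    ("#nurse", ACL + "mode", ACL + "Append"),
    # Group membership (assumption: expressed with foaf:member).
    (CARE_TEAM, FOAF + "member", DR_BOB),
}

def objects(subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in TRIPLES if s == subject and p == predicate}

def is_allowed(webid, resource, mode):
    """Default deny: True only if an authorization grants `mode` on `resource` to `webid`."""
    wanted = {ACL + mode}
    if mode == "Append":
        wanted.add(ACL + "Write")   # in WAC, Write access covers Append
    for auth in {s for s, p, o in TRIPLES if p == ACL + "accessTo" and o == resource}:
        agents = set(objects(auth, ACL + "agent"))
        for group in objects(auth, ACL + "agentGroup"):
            agents |= objects(group, FOAF + "member")
        if webid in agents and wanted & objects(auth, ACL + "mode"):
            return True
    return False
```

Because each part of the record is its own resource, the care team's read grant on the lab results gives it nothing on the medication list.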

This work is licensed under a Creative Commons Attribution 3.0 License.