DOI: 10.1145/3351108.3351130
Research article

PoPI Compliance through Access Control of Electronic Health Records

Published: 17 September 2019

Abstract

The electronic health record (EHR) has revolutionised the manner in which healthcare is delivered by providing clinicians with electronic access to patients' complete medical history. Countries such as South Africa aim to take advantage of the EHR by implementing a national EHR system. While this has a number of benefits that are in the best interests of the patient, it also creates security and privacy risks to patients' information. Patient information has been identified as the most sensitive type of personal information. Unlike other types of personal information, it contains confidential information about the patient that cannot be changed, such as the patient's medical history. Thus, the EHR needs to be protected both from unauthorised entities and from misuse by authorised clinicians. This can be achieved through the regulation of the national EHR system. Although regulations state that personal information must be protected, they do not specify what processes must be followed in order to comply with them. This paper proposes a model to address this problem by indicating the components that are needed in order to assist compliance. The proposed model, which was informed by a scoping review and thematic analysis, is discussed in the context of South Africa's future national EHR system, with the focus on the Protection of Personal Information (PoPI) Act.


Cited By

  • (2020) A Clark-Wilson and ANSI role-based access control model. Information & Computer Security, ahead-of-print. DOI: 10.1108/ICS-08-2019-0100. Online publication date: 14 June 2020.


Published In

ACM Other Conferences
SAICSIT '19: Proceedings of the South African Institute of Computer Scientists and Information Technologists 2019
September 2019
352 pages
ISBN:9781450372657
DOI:10.1145/3351108
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. NHI
  2. National Health Insurance
  3. PoPI Act
  4. access control
  5. electronic health record
  6. privacy
  7. regulations
  8. security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SAICSIT '19

Acceptance Rates

Overall Acceptance Rate 187 of 439 submissions, 43%
