In recent years, health and/or medical information management systems have been established all over the world. Managing patients' health information and privacy among these health information management systems has become a very important issue. After the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996, researchers, physicians and medical centers became more careful in dealing with the data of patients, including patients' health information and privacy.
According to ISO, anonymization is the process that removes the association between the identifying data set and the data subject. Pseudonymization is a particular type of anonymization that removes the association between the identifying data set and a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms. Pseudonymization is recognized as an important method of protecting the privacy of patients. ISO/TC 215 is developing a new specification “Pseudonymization practices for the protection of personal health information and health related service” (ISO/DTS 25237), which focuses on principles and requirements for using the pseudonymization service for the protection of personal health information.
Based on ISO/DTS 25237, HITSP (Healthcare Information Technology Standards Panel) developed an architecture, illustrated in FIG. 1, for implementing pseudonymization. In the architecture 100, four entities are included, namely the patient, the hospital, the PIX (Patient Identifier Cross-reference) manager and the pseudonymization service provider. In step 110, the hospital provides a registration service for the patient. In step 120, the hospital subsequently sends patient information to the PIX manager. The patient information may only include the patient's real identifier (patient's name and ID number) and the patient's record ID which can be used in this hospital, or it may include more information, such as the address, contact information, etc. In step 130, the PIX manager records the patient identifier. In this step, the PIX manager also associates the patient identifier with at least one of the additional information components contained in the patient information sent from the hospital, such as the patient's health record ID, address, contact information, etc. In step 140, the PIX manager sends a request for a pseudo identifier to the pseudonymization service provider. Upon receiving the request, the pseudonymization service provider assigns, in step 150, a pseudo identifier for the patient and, in step 160, returns the pseudo identifier to the PIX manager. Then the PIX manager stores and associates the pseudo identifier with the patient's identifier. Optionally, the PIX manager can also associate the pseudo identifier with the patient information received from the hospital, e.g. the patient's ID, address and contact information, etc. In step 180, the PIX manager prepares a pseudo certificate for the patient and sends it to the hospital. In step 190, the hospital records the certificate and, in step 195, sends the certificate to the patient.
After receiving the certificate, the patient can use it in this hospital and in other hospitals that understand the format of this certificate. By using this certificate, the patient can obtain service from the hospitals that understand the format and content of this certificate and avoid disclosing his real identifier.
However, because it presupposes a single pseudonymization service available to all the entities in different hospitals, the architecture 100 can only be used in one health/medical information management system/domain, in which all the hospitals can recognize this certificate including pseudo identifiers issued by a common pseudonymization service provider. Currently, people have more and more opportunities to visit different hospitals in different cities, or even different countries. It is unreasonable to assume that different hospitals in different cities and different countries adopt a common pseudonymization service. The patient therefore has to re-register a new identifier or certificate in each health/medical service provider system. Since there is no method of interoperability between different systems, it is difficult for patients to re-use their previous health/medical information stored in different systems.
Therefore, there is a need to provide methods that are capable of interchanging health/medical information among different health/medical information management systems, which adopt different pseudonymization services.
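The registration flow of architecture 100 and its single-domain limitation can be traced in a short simulation. This is an added example, not code from the original document or from HITSP. The class and method names, the random pseudo identifier format, the HMAC-tagged certificate and the lookup of the record ID on admission are all assumptions made for illustration, since the document does not specify them.

```python
import hashlib, hmac, secrets

class PseudonymizationService:
    """Steps 150-160: assigns a pseudo identifier on request."""
    def assign(self):
        return secrets.token_hex(8)  # assumed format: random, carries no patient data

class PIXManager:
    """Steps 130-180: cross-references the real identifier with the pseudo identifier."""
    def __init__(self, service):
        self.service = service
        self._key = secrets.token_bytes(32)  # assumed: per-domain certificate key
        self._by_pseudo = {}                 # pseudo identifier -> patient information

    def register(self, patient_info):
        pseudo_id = self.service.assign()          # steps 140-160
        self._by_pseudo[pseudo_id] = patient_info  # store the association
        return {"pseudo_id": pseudo_id, "tag": self._tag(pseudo_id)}  # step 180

    def _tag(self, pseudo_id):
        return hmac.new(self._key, pseudo_id.encode(), hashlib.sha256).hexdigest()

    def resolve(self, cert):
        # Returns the record ID only for a certificate issued in this domain.
        if not hmac.compare_digest(cert["tag"], self._tag(cert["pseudo_id"])):
            return None
        info = self._by_pseudo.get(cert["pseudo_id"])
        return info and info["record_id"]

class Hospital:
    def __init__(self, pix):
        self.pix = pix
        self.certificates = []

    def register_patient(self, name, id_number, record_id):
        info = {"name": name, "id_number": id_number, "record_id": record_id}
        cert = self.pix.register(info)  # step 120: send patient information
        self.certificates.append(cert)  # step 190: record the certificate
        return cert                     # step 195: send it to the patient

    def admit(self, cert):
        return self.pix.resolve(cert)   # patient presents only the certificate

def demo():
    domain_a = PIXManager(PseudonymizationService())
    domain_b = PIXManager(PseudonymizationService())  # a different domain
    h1, h2, h3 = Hospital(domain_a), Hospital(domain_a), Hospital(domain_b)
    cert = h1.register_patient("Constructed Patient", "ID-0001", "REC-42")
    leaks = any(v in str(cert) for v in ("Constructed Patient", "ID-0001"))
    return cert, leaks, h2.admit(cert), h3.admit(cert)
```

In `demo()`, the second hospital shares the first hospital's PIX manager and accepts the certificate, while the third hospital belongs to a domain with its own pseudonymization service and cannot resolve it, so the patient would have to register again there.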