The Process of Policy Authoring of Patient-Controlled Privacy Preferences

Discussions about appropriate security controls to protect medical records led to the understanding that the patient her-/himself plays a crucial role in networked electronic health-care. Patients have individual privacy concerns and may want to execute their personal right of self-determination on access and usage of their medical records. The ability for patients to have control over their personal medical data is the essence of patient-centric networked electronic health-care, but poses challenges regarding its tool support. Since patients can be generally treated as non-security experts as well as non-health-care domain experts, usability-supporting factors of authoring tools for privacy preferences have to receive major attention by implementers. Additionally, domain characteristics have to influence the design of such authoring applications. Finally expressed privacy preferences have to be analysed to inform the patient-author and guide her/him in the policy authoring process. In this paper we discuss the process of authorization policy authoring for shared electronic health records which we use to implement patient-controlled access control authoring tools. Further a use-case in the context of a specific health-care infrastructure is presented.