Researchers Submit Patent Application, “Privacy Compliant Consent And Data Access Management System And Methods”, for Approval (USPTO 20190258616)

2019 SEP 05 (NewsRx) -- By a News Reporter-Staff News Editor at Hospital & Nursing Home Daily -- From Washington, D.C., NewsRx journalists report that a patent application by the inventors AWARAJI, Christian (London, CA); AWARAGI, Pierre (Montreal, CA), filed on May 2, 2019, was made available online on August 22, 2019.

The patent’s assignee is PrivIT Inc. (London, Canada).

News editors obtained the following quote from the background information supplied by the inventors: “In response to concerns regarding information privacy and security (including, but not limited to, security breaches leading to identity theft, leaked or lost personal information), and recognizing the benefits achieved by keeping certain information private, a number of jurisdictions have enacted or proposed legislation to regulate the protection of, and access to, the personal, medical and financial information of individuals.

“By way of example, the United States has enacted provisions under the Health Insurance Portability and Accountability Act to protect the confidentiality of individually identifiable health information, and new legislation has been introduced in the Senate (‘The Specter-Leahy Personal Data Privacy and Security Act of 2005), to protect the confidentiality of personal information in general,

“The concern for the protection of personal information is not limited to the United States. For example, the Parliament of the European Union issued a directive in 1995 (‘Directive 95/46 EC of the European Parliament and of the Council of 24 Oct. 1995’) regarding the protection of individual privacy in the processing of personal data, which included the following (inter alia) recitals: ‘Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals’; and ‘Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.’

“Furthermore, by way of example, Canada has enacted legislation, referred to as Personal information Protection and Electronic Documents Act (‘PIPEDA’). PIPEDA’s stated purpose is to ‘establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.’

“Even state, territory, and local governments are recognizing the need to address privacy issues. For example, Alberta, Canada, has passed the Health Information Act, which provides individuals with the right to request access to their health records in the custody or under the control of a custodian, while providing custodians with a framework within which they must conduct the collection, use and disclosure of health information. Similarly, Manitoba, Ontario and Quebec, Canada’s Health Privacy Information Acts provide rights for individuals to access their personal health information and protects individual privacy rights based on the Canadian Standards Association ‘Fair Information Practices’.

“Common to the laws enacted or proposed by the jurisdictions referred to above, are a number of fundamental provisions regarding the collection, use or disclosure of personal information including, but not limited to: requirements that entities maintaining personal data establish policies to protect such data; requirements that entities maintaining personal data establish policies to regulate access to such data; requirements permitting individuals access to, and the opportunity to correct, any personal information held by entities; and requirements that entities maintaining personal data give notice to individuals regarding a breach involving such personal data.

“By way of example, the privacy of personal health information is of fundamental importance to individuals.

“Health plans, hospitals, pharmacies, doctors and other health care entities generally have used a wide array of systems to process and track health care bills and other information. Hospitals and doctors’ offices may treat patients with many different types of health insurance and would have to spend time and money ensuring that each claim contains the format, codes and other details required by each insurer. Similarly, health plans spend time and money to ensure their systems can handle transactions from various health care providers and clearinghouses.

“Enacted in August 1996, the Health Insurance Portability and Accountability Act (‘HIPAA’) was designed to make health insurance more affordable and accessible. With support from the health care industry, Congress also included provisions in HIPAA to require the Department of Health and Human Services (‘HHS’) to adopt national standards for certain electronic health care transactions, code sets, identifiers and the security of health information. HIPAA also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not meet this deadline, HIPAA required HHS to issue health privacy regulations.

“In August 2000, HSS issued final electronic transaction and code sets standards to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. HHS adopted modifications to some of those standards in final regulations published on Feb. 20, 2003. Overall, the regulations establish standard data elements, codes and formats for submitting electronic claims and other health care transactions. By promoting the greater use of standardized electronic transactions and the elimination of inefficient paper forms, these standards are expected to provide a net savings to the health care industry of $29.9 billion over 10 years. All health care providers will be able to use the standardized transactions to bill for their services, and all health plans will be required to accept these standard electronic transactions.

“All covered entities must be in compliance with the electronic transaction and code set standards as of Oct. 16, 2003. However, HHS’ Centers for Medicare & Medicaid Services (CMS)--the agency charged with overseeing the implementation of these standards--issued guidance in July 2003 regarding the enforcement of the HIPAA transactions and code set standards after Oct. 16, 2003. The guidance clarified that covered entities, which make a good faith effort to comply with the standards, may implement contingency plans to maintain operations and cash flow. Specifically, as long as a health plan demonstrates a good-faith effort to come into compliance through active outreach and testing efforts, it can continue processing payments to providers using non-standard transactions.

“In December 2000, HHS issued a final rule to protect the confidentiality of individually identifiable health information. The rule limits the use and disclosure of certain individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding the use and disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule may be subject to criminal or civil sanctions prescribed in HIPAA.

“After reopening the final rule for public comment, HHS Secretary Tommy G. Thompson allowed it to take effect as scheduled, with compliance for most covered entities required by Apr. 14, 2003. (Small health plans have an additional year.) In March 2002, HHS proposed specific changes to the privacy rule to ensure that it protects privacy without interfering with access to care or quality of care. After considering public comments, HHS issued a final set of modifications on Aug. 14, 2002. Most covered entities were required to comply with the privacy rule by Apr. 14, 2003; small health plans had until Apr. 14, 2004 to come into compliance, as required under the law. Detailed information about the privacy rule is available at http://www.cms.gov/hipaa/hipaa2/enforcement.

“In February 2003, HHS adopted final regulations for security standards to protect electronic health information systems from improper access or alteration. Under the security standards, covered entities must protect the confidentiality, integrity and availability of electronic, protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care. The standards use many of the same terms and definitions as the privacy rule to make it easier for covered entities to comply. Most covered entities must comply with the security standards by Apr. 21, 2005, while small health plans have an additional year to come into compliance.

“Privacy and security standards promote higher quality care by assuring, consumers and/or patients that their health information will be protected from inappropriate uses and disclosures. In addition, uniform national transaction and code set standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions.”

As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors’ summary information for this patent application: “What is needed is a comprehensive electronic data management system that allows entities concerned with improving information privacy or impacted by privacy legislation, such as, but not limited to, the HIPAA, PIPEDA and other privacy or security rules and regulations, to readily address privacy concerns. Although such a system will be of special advantage to those in the healthcare industry, the disclosed system has application in other fields as well. By way of example, without intending to limit the present invention, the system can be deployed in the banking, financial and insurance industries. Also by way of example, without intending to limit the present invention, it can be used to deploy or bring to compliance database systems where extensive and accurate audit trails are mandatory due to legislation, insurance, industry trade groups, or motivators other than privacy, e.g. Sarbannes-Oxley in the Securities industry. Accordingly, the present invention is directed to a data access management system that substantially obviates one or more of the problems due to limitations and disadvantages of the related art.

“In one embodiment the invention provides an information management system for restricting access to personal data in compliance with law or regulation. The system includes a database having restricted records stored therein, at least one of the records including an identification of a client or group of clients about whom said record concerns. A computer system under the control of a trusted information broker is configured to receive via a communication medium a request initiated by a requestor for access to at least one of the restricted records in the database, the request including an identification of the requestor. The computer system is further configured to transmit a request for consent to the client and receive an indication from the client that the client consents or does not consent to access to the restricted record by the requestor. The computer system grants or denies access to the restricted records based upon the indication from the client.

“An embodiment of the invention is preferably directed to the creation of a trusted information broker, also referred to herein as a ‘TIB’, which gives patients, or others about whom private information is collected, the ability to give express consent and the power to control access to the information, and to review and edit the information. An extension of the role of the TIB would be to become a trusted information custodian (TIC); in this role, the TIB/TIC would also host the private information gathered by health care providers and other authorized individuals. Hospitals, health care providers, and other information sources can transmit information collected locally by them at the TIC to the trusted information broker, where it is made available to other health care providers and authorized individuals based on the patient’s preferences.

“Another embodiment of the invention is directed to the creation of a local TIB and/or TIC within the settings of health care providers and other authorized individuals. Hospitals, health care providers, and other information sources can collect and store information locally by them, where it is made available to other health care providers and authorized individuals based on their local legislations and practices.

“As patients or other types of clients are entered into the system, and as various events occur, they can pre-authorize certain entities, such as health insurance companies, hospitals, emergency room physicians, or the like to have access to some or all portions of the client’s confidential records. For example, patients can give their family doctor and emergency room physicians easy access to all healthcare related information, while restricting an endocrinologist’s access to only certain records, or records from certain sources. By giving patients the control over their data, patients can make more informed healthcare choices. At the same time, because the system in one embodiment can provide a central repository for all healthcare related information, the present invention can aid health care providers in giving their patients better care by giving the providers access to a wider range of information, and by making certain information available in a real-time manner.

“It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.”

The claims supplied by the inventors are:

“1. A medical record information management system, comprising: a database having stored therein a plurality of medical records, each including an identification of a corresponding client; a computer system under the control of a trusted information broker, said computer system being configured to receive via a communication medium a request initiated by a service provider for access to at least one of said medical records in said database, said request including an identification of the service provider; said computer system being further configured to transmit a request for consent to said client and receive an indication from said client that said client consents or does not consent to access to said medical record by said service provider; said computer system being further configured to grant or deny access to said at least one client record based upon said indication from said client.”

For additional information on this patent application, see: AWARAJI, Christian; AWARAGI, Pierre. Privacy Compliant Consent And Data Access Management System And Methods. Filed May 2, 2019 and posted August 22, 2019. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220190258616%22.PGNR.&OS=DN/20190258616&RS=DN/20190258616

(Our reports deliver fact-based news of research and discoveries from around the world.)