Abstract

Online health data sharing and transfer have become easier and more efficient than ever before, but this has also brought new challenges for the privacy and protection of personal data. Transferring sensitive health and personal data between organizations and countries requires a high level of protection and privacy, and any breach can result in considerable damage to an organization's reputation. Although methodologies for privacy impact assessment (PIA) exist for developing privacy-by-design processes, none of them combines the business and legal aspects for assessing the technological requirements before or during the development of privacy and security platforms. e-Authentication and e-Authorization techniques are used by various organizations to address privacy-related issues. Using a combined business and legal framework in addition to existing PIAs can simplify the analysis of as-is and to-be business processes, and it can be used by business or legal analysts as well as organizations to assess privacy requirements and legislation before developing service-by-design platforms. In this paper we propose a unique framework that combines the business and legal aspects of any health-related business process pertaining to the protection and privacy of sensitive data exchange. To map the privacy requirements in the context of data sharing across organizations, a general conceptual framework involving a combination of business process and legal components has been developed. This framework gives organizations a comprehensive approach for considering legal regulations as well as factors that may affect the privacy and security of sensitive data, such as health data, in their business processes.
In this paper, we provide an example of an as-is healthcare customer registration process for the German Red Cross and show how the framework can be used to assess the requirements for a to-be customer registration process in the context of European privacy laws.
