Journal of Medical Systems, Volume 36, Issue 1, pp 291–300

Emergency Access Authorization for Personally Controlled Online Health Care Data

  • Tingting Chen
  • Sheng Zhong
Original Paper


Personally controlled health records (PCHR) systems have emerged to allow patients to control their own medical data. In a PCHR system, all access privileges to a patient’s data are granted by the patient. However, in many emergency cases, the patient cannot participate in access authorization on site when immediate medical treatment is needed. To solve the emergency access authorization problem in the absence of patients, we consider two cases: a) the requester is already in the PCHR system but has not obtained access privileges to the patient’s health records, and b) the requester does not even have an account in the PCHR system with which to submit its request. For each of the two cases, we present a method for emergency access authorization that uses weighted voting and source authentication cryptographic techniques. Our methods provide an effective, secure and private solution for emergency access authorization that makes existing PCHR system frameworks more practical and thus improves patients’ experience of health care when using PCHR systems. We have implemented a prototype system as a proof of concept.


Electronic health record; Personally controlled health records; Access authorization; Emergency



Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Department of Computer Science and Engineering, State University of New York at Buffalo, Amherst, USA
