Privacy-aware access to Patient-controlled Personal Health Records in emergency situations

Patient-controlled Personal Health Record (PHR) systems may facilitate a patient not only to share her health records with healthcare professionals but also to control her health privacy, in a convenient and easy way. Governed by privacy protection laws, explicit consent/permission of the respective patient is a prerequisite for sharing personal health records. However, in emergency situations, when the patient becomes unable to give consent on her PHRs, healthcare professionals of emergency care units may need to access her health history for better and safer care. In this paper, we have introduced a novel privacy-aware protocol for handling access to patient-controlled PHR by healthcare professionals in emergency situations. The protocol is for the Privacy-aware Patient-controlled Personal Health Record (P³HR) system. It uses strong authentication using health IC cards, authorizes healthcare professionals and embeds emergency access report into the patients health IC card by which we achieve non-repudiation. Use of a dynamic access token in the authorization process protects replay attack. Intuitive privacy analysis shows that the proposed solution can preserve patients privacy from unauthorized parties while granting traceable access to personal health records by authorized healthcare professionals in emergency situations.