Compliance aware cross-organization medical record sharing

Data sharing about Electronic Health Records (EHRs) across healthcare organizations is still a challenging task due to compliance requirements with regulatory policies that can vary across states and countries, and organizations´ internal business requirements. Even when adopting the same regulatory policies, each organization can interpret and implement these policies and requirements differently in its internal IT environments. This paper proposes a compliance-aware data management solution for EHR systems. It allows healthcare organizations to define their own security and regulatory compliance requirements for accessing and sharing healthcare data, and enables policy enforcement while sharing data with other organizations. The policy requirements are expressed in form of business processes that govern the access and sharing of data between people and systems. The business process operations are mapped into low-level operations on internal and remote record stores and policy enforcement points. We have implemented the prototype system that supports the proposed approach and integrated it with an open source electronic medical record system called OpenMRS, using which we have defined and enforced some realworld regulations and organizations´ policies for data sharing.