SINTEF Health Research

1

• SINTEF Health Research
• Current IT solutions and challenges
• at the
• Norwegian patient register, NPR
• Lecture in Health informatics
• Dep of computer and information science
• 2005-10-26
• Bjørn Buan
• Director
• Morten Haugseggen
• Siv ing
• SINTEF Health Research
• Register and Classification

2
Content

• Part One (Bjørn Buan MD)
• Information technology issues at a health
  register
• Introduction What to learn ?Organisation,
  mission and tasks
• Overview of data collection, storage and
  publication
• Part Two (Morten Haugseggen, Siv ing) (presented
  in Norwegian)
• Registers, exchange of information and security
• IT-related issues on the Common denominator
  problem in hospital statistics Coding and
  registration of actual organisation RESH
• Health data filing systems and communication

3
Introduction-What to learn ?

• Introduction to one of the largest research
  foundations in Europe
• Introduction of new technology in an organisation
  may depend on - Leadership and employees
  acceptance for change - Dependence on external
  partners - Economy - Laws regulations -
  Personal interests and enthusiasm
• Examples on possible technical solutions to meet
  needs within and outside organisation

4
Introduction About SINTEF

• The SINTEF Group is the largest independent
  research organisation in Scandinavia. Every year,
  SINTEF supports the development of 2000 or so
  Norwegian and overseas companies via our research
  and development activity.
• The abbreviation SINTEF means The Foundation for
  Scientific and Industrial Research at the
  Norwegian Institute of Technology (NTNU).

5
Introduction More about SINTEF

• LocationsSINTEF has approximately 1700
  employees, 1300 of which are located in Trondheim
  and 350 in Oslo. We have offices in Bergen,
  Stavanger and Ålesund, in addition to offices in
  Houston, Texas (USA), Skopje (Republic of
  Macedonia) and a laboratory in Hirtshals
  (Denmark). SINTEF's head office is in Trondheim.
• OrganisationThe SINTEF Group consists of the
  SINTEF Foundation and five limited companies. On
  January 1, 2004 the SINTEF Group was restructured
  into six research divisions, which have been
  defined in terms of value chains and industrial
  market clusters.

6
Introduction About SINTEFA market oriented
organisation

• SINTEF Health Research
• SINTEF ICT
• SINTEF Marine - consists of MARINTEK and SINTEF
  Fishery and Aquaculture
• SINTEF Materials and Chemistry
• SINTEF Petroleum and Energy - consists of SINTEF
  Energy Research and SINTEF Petroleum Research
• SINTEF Technology and Society

7
Introduction About SINTEF Health Research

• SINTEF Health Research will conduct research and
  development with the aim of rising standards of
  health and quality of life, in close
  collaboration with the authorities, the health
  sector and users of the health and social
  services. About 130 people employed, most
  researchers. 33 at Ph D level.
• Departments
• Norwegian Patient Register
• Patient Classification and Financing
• Epidemiological research
• Health Services Research
• Hospital planning Living Conditions and Service
  Delivery
• Medical technology
• Mental Health Services Research
• Work Physiology

8
Introduction SINTEF Health ResearchNorwegian
Patient Register (NPR)

• NPR collects and verifies patient data from both
  inpatient and outpatient visits at all public
  somatic hospitals and all psychiatric
  institutions in Norway, as well as from most
  private owned hospitals.
• NPR is a national service organisation of 20
  employees providing high quality statistics and
  data from the Norwegian hospital sector. NPR
  offers services to public authorities such as the
  Ministry of Health as well as to hospitals,
  researchers, media and to the public.
• The tasks at NPR is mainly financed by the
  Norwegian Ministry of Health and Care
• NPR group patient data into DRGs (Diagnosis
  Related Groups, Nordic version) for financing and
  management purposes.
• Visit our website http//www.npr.no/english.asp

9
Introduction SINTEF Health ResearchPatient
Classification and Financing (PaFi)

• PaFi is conducting national programmes for the
  Norwegian Ministry of Health and Care Services,
  related to management and refinement of current
  DRG-system used for hospital financing.
• PaFi has been deeply involved in the developement
  and implementation of DRGs and hospital cost
  accounting in Norway since year 1986.
• Projects for patient classification systems for
  outpatients, rehabilitation and psychiatry are
  now planned.
• PaFi has experience in long term hospital
  planning
• 10 employees mainly educated in social economics
• For further information, visit the website
  http//www.drginfo.info/english.htm

10

Facts about Norway
Population 4.6 millions
84 somatic hospitals
32 psychiatric hospitals

• Somatic sector
• 13 000 beds
• 1 250 000 admissions
• 3 250 000 outpatient
• visits

11
Mission of NPR

• Collect, store and present patient data of high
  quality for management, financing, research and
  more without delay..
• That meansHigh quality of documentation at
  hospital level (coding, EHCR)
• Standardized use of common coding systems and
  administrative definitions and metadata
  (www.volven.no)
• Proper integration in IT-systems
• IT-solutions and routines for national
  collection, storage and publication of
  data/statistics at quarterly basis

12
Implementation of new solutions and routines

• How the use of modern technology and information
  systems plays a crucial part in running an
  efficient and high quality patient register

13
The past

• Floppy disks containing ASCII-files with hospital
  data
• Sent to the NPR 3 times a year
• One data record description for somatic hospital
  data, one for psychiatric hospital data and one
  for waiting list data.

Psychiatric
Waiting list
Somatic
14
Today

• ONE data record description
• Once a month
• XML technology
• Somatic hospitals
• Psychiatric hospitals
• Waiting list data

NPR
XML
15
The flow of data through NPR
16
www.npr.no

• We publish data on our website using OLAP cubes
• Waiting list data are published 2 weeks after
  receiving the data
• Activity data is published 8 weeks after
  receiving the data

17
What have we gained?

• Flexibility
• Better utilization of the data
• Better data quality
• Better use of resources
• Quick access to new data

18
The future

• Hospitals sending us data on XML-file via a
  dedicated network Norwegian Health Network
• Once a month? Once a week? Once every 24 hours?
• Sniffers at NPR will detect the data (packages)
  on the Health Net and automatically send them
  through the processing routines untouched by
  human hands
• Publishing new data on the Internet within a
  month after reception

19
Health data filing systems and law regulations

• The standard for ECHR by KITH is in accordance to
  40 laws
• Health data filing systems are regulated by
  Personel data act and the Personal Health Data
  Filing System Act
• The Data inspectorate is established to ensure
  enforcement Personal Data Act. The purpose of
  this Act is to protect persons from violation of
  their right to privacy through the processing of
  personal data. The Act shall help to ensure that
  personal data are processed in accordance with
  fundamental respect for the right to privacy,
  including the need to protect personal integrity
  and private life and ensure that personal data
  are of adequate quality.

20
Health data filing systems and law regulations
cont.

• The Ministry of Health and Care has proposed NPR
  to become an encrypted register with possibility
  for reidentification at individual level. A
  proposition will be sent to Norwegian Parlament
  spring 2006.
• NPR might be the most important health data
  filing system in the country
• Combination of information on individuals might
  be of interest for research. The Data
  inspectorate is responsible for licencing studies
  after recommendation of regional ethical
  committees.

21
Health data filing systems including personal
identity

• In the following personal health data filing
  systems , the name, personal identity number and
  other characteristics that directly identify a
  natural person may be processed without the
  consent of the data subject insofar as this is
  necessary to achieve the purpose of the filing
  system
• The Causes of Death Registry
• The Cancer Registry
• The Medical Birth Registry
• The System of Surveillance of Infectious Diseases
  
• The Central Tuberculosis Surveillance Registry
• The System for Immunization Surveillance and
  Control (SYSVAK)
• The King in Council may by regulations prescribe
  further rules regarding the processing of the
  personal health data in the personal health data
  filing systems.

22
Health registers and law regulations cont

• Data security is a serious issue for SINTEF and
  NPR
• NPR a fortress (policy, technical, organisational
  aspects)
• Physical zones
• Electronical zones
• Access control
• Logging of traffic and work operations
• Routines and roles well described, duty of
  confidentiality
• Logging and informing of Data inspectorate if
  deviation/violation of regulations
• Risk analyses/management

23
Content of NPR

• 20 mio records per year
• All somatic and psychiatric (adult/child)
  hospital admissions
• All hospital somatic and psychaitric outpatient
  visits
• Waiting lists and expected waiting time
• Plans for specialized drug abuse treatment and
  accidents
• Register for organisation of hospitals (RESH)

24
SINTEF Health ResearchQuality indicators
routineously collected

• Waiting time for first consultation and treatment
• Number of corridor patients
• Time for sending medical report after discharge
• Number/ of unexpected delay for surgery
• Waiting time for primary surgery for ca coli
• Use of forced treatment in psychiatry
• Percentage of ceasarean delivery
• Pre-surgery waiting time for fractura colli
  femoris
• Percentage use of long term individual medical
  plans for chronically ill patients
  (schizophrenia, ADHD, phys rehab

25
SINTEF Health Services ResearchPublishing
quality indicators

• Internet site Free Hospital Choice Norway
  http//www.frittsykehusvalg.no/
• The service offers patients, and clinical
  personnel up to date quality information
  concerning patients rights, waiting times and
  quality information about the different
  hospitals, as well as other relevant information
  i e patient satisfaction and more.

26
Publishing quality indicators-more examples
27
SINTEF Health Services ResearchSummary and
conclusions

• When it comes to all, documentation, data
  collections, data control, data processing and
  presentation/publishing are major tasks to
  handle.
• There is a demand for more automatic processing
  to keep up with increase of information retriveal
  and demand for immediate statistic use/descision
  suppor based upon collected data.
• Implementation of new technology involves
  organisational changes and new work patterns.
  These changes might take some time

28
Registers, exchange of information and security
Siv ing Morten Haugseggen SINTEF Health Research
29
Working areas

• Main focus on technical solutions.
• RESH
• TPF Trusted pseudonym manager
• Security

30
RESH
31
RESH

• RESH Database over units in the special health
  care.
• Will include data over many of the units in the
  national health care.
• Will offer these data to different organizations.
• Each organization can have different systems.

32
RESH

• The work has already been started by the Regional
  Health Enterprise Health Mid-Norway.
• Testing supposed to start in the beginning of
  2006.
• The plan is to make it to a national register
  during 2007.
• SINTEF NPR will have the final responsibility in
  running national RESH.

33
RESH organizational structure
34
RESH organizational structure

• The register will store a tree containing the
  organizational structure of the units in the
  special health care.
• The tree is estimated to contain about 4000 nodes.

35
RESH solution

• These are parts of the solution
• Database that contains organizational data.
• Database that contains user data.
• Smartclient that visualize and modify data.
• Web service that offers data to smartclients and
  other clients.
• Web server that offers the data in XML format.
• User authorization.
• Sertification of clients.

36
RESH - solution
37
RESH summing up

• A rather simple system
• No sensitive information is stored.
• Small amounts of data (25 50 MB).
• Simple user administration.
• Some challenges
• High number of clients means high load.
• Many requests per client means higher load.
• Uptime - 99 or more, perhaps as high as 99,8
  (average 1 h downtime each month).

38
TPFTrusted Pseudonym Manager
39
TPF

• TPF Tiltrodd pseudonym forvalter (trusted
  pseudonym manager).
• Duty Make personidentifiable information
  unreadable and personunambiguous.
• Forms a basis for a personunidentifiable
  personunambiguous register.
• Independent of the hospitals (providing the data)
  and the registers (storing the data).

40
TPF - model

• Ola Nordmann
• ID 01013012345
• Case A
• Kari Nordmann
• ID 02023212345
• Case A

• Ola Nordmann
• ID 01013012345
• Case B
• Kari Nordmann
• ID 02023212345
• Case B

TPF

• Pseudonym 1234567890
• Case A
• Case B
• Pseudonym 1234567891
• Case A
• Case B

41
TPF - model
42
TPF - model

• Hospitals have personidentifiable information (it
  contains national identity numbers)
• The hospitals split the data
• National identity numbers case numbers are sent
  to the TPF.
• Patient data case numbers are sent directly to
  the registers.
• TPF transforms national identity numbers into
  pseudonyms.
• TPF sends the pseudonyms case numbers to the
  register.
• Case numbers are matched in the registers and
  pseudonyms are used as a key and stored along
  with the correct patient data.

43
TPF - communication
44
TPF - communication

• Communicates large amounts of sensitive
  information.
• Nobody that is not supposed to have access to the
  information can have or gain access to it.
• Includes the personnel that has the
  responsibility of running the services (network,
  servers, etc.).
• TCP/IP insecure protocol.
• Encryption is mandatory.

45
TPF - encryption

• Public/private key distribution.
• Asymmetric algorithm for distribution of keys
  (RSA).
• Symmetric algorithm for sending data (TDES)
• Sending of data
• D data to be sent.
• RKPu RSA public key.
• RKPr RSA private key.
• TK TDES key.
• rsa(x, k) encryption of x with key k, using the
  RSA algorithm.
• tdes(x, k) encryption of x with key k, using
  the TDES algorithm.
• S sender.
• R receiver.

46
TPF - encryption

• RKPuR -gt S
• Rs public RSA key is sent to S
• TKS rsa(TKS, RKPuR)
• S encrypts TK with key RKPu using the RSA
  algorithm
• TKS -gt R
• Encrypted TK is sent from S to R
• TKS rsa-1(TKS, RKPrR)
• R decrypts TK with RKPr using the RSA algorithm
• DS tdes(DS, TKS)
• S encrypts D with TK using the TDES algorithm
• DS -gt R
• Encrypted D is sent from S to R
• DS tdes-1(DS, TKS)
• R decrypts D with TK using the TDES algorithm

47
TPF - organizational
48
TPF - organizational

• Many different units are involved.
• A simple interface is required.
• Only the national identity numbers case numbers
  are sent.
• Transferred in XML format

lt?xml version"1.0" encoding"utf-8" ?gt
ltPasientlistegt   ltPasient saksnr"1234567890"
id"01013012345" /gt   ltPasient
saksnr"1234567891" id"02023212345" /gt
lt/Pasientlistegt
lt?xml version"1.0" encoding"utf-8" ?gt
ltPasientlistegt   ltPasient saksnr"1234567890"
p1234567890" /gt   ltPasient saksnr"1234567891"
p1234567891" /gt lt/Pasientlistegt
49
TPF register to register

• A TPF will make register to register
  communication simpler (less bureaucracy,
  hopefully).
• Patient data will be selected by a set of
  criteria.
• The pseudonyms will be sent from a register,
  through the TPF and to another register.
• Patient data is sent directly from one register
  to another.
• Patient data is stored in a database with the
  pseudonyms used as keys.

50
TPF - advantages

• Easier communication of patient data.
• The process of storing the data will be simpler
  since no manual steps are needed.
• Personal information is more secure since fewer
  persons have access (only hospitals have access
  to personidentifiable data).

51
TPF - disadvantages

• A collection of personunidentifiable
  personunambiguous data can become
  personidentifiable.
• Have to rely on organization and routines to
  remove some security issues.
• By exploiting holes in the security, large
  amounts of data can be accessed.

52
TPF - disadvantages

• Many different organizations and systems have to
  cooperate.
• Deployment of smartclient can become an issue.
• Such a system will most likely force a change in
  the routines in the hospitals.

53
Security
54
Security

• Datasystems are often not the weakest link.
• The consequence of a breach in security can be
  severe.
• Access to a data system means access to large
  amounts of (sensitive) information.

55
Security

• Actions for improved security
• Encryption
• Sertification
• Organization
• Routines
• Quality control
• User identification
• User administration

56
Security

• Actions for improved security
• Logging
• Client administration and security (firewalls,
  antivirus, etc.).
• A dedicated network helsenett (directly
  translated health net).