Patient control over electronic protected health information (ePHI) is one of the major concerns in the Health Insurance and Accountability Act (HIPAA). In this paper, a new key management scheme is proposed to facilitate control by providing two functionalities. First, a patient can authorize more than one healthcare institute within a designated time period to access his or her ePHIs. Second, a patient can revoke authorization and add new authorized institutes at any time as necessary. In the design, it is not required to re-encrypt ePHIs for adding and revoking authorizations, and the implementation is time- and cost-efficient. Consent exception is also considered by the proposed scheme.
Keywords: Cryptography; Health Insurance and Accountability Act (HIPAA); Key management; Revocation.
Copyright © 2014 Elsevier Ireland Ltd. All rights reserved.