United States Patent Application 20020010679
Kind Code A1
Felsher, David Paul; January 24, 2002

Information record infrastructure, system and method
Abstract
A method of maintaining electronic medical records, comprising the steps of receiving a medical transaction record, encrypted with an encryption key relating to a patient association of the file, accessing the encrypted medical transaction record according to a patient association; and further encrypting the encrypted accessed medical transaction record with an encryption key associated with an intended recipient of the medical record. The system and method according to the present invention presents a new business model for the creation, maintenance, transmission, and use of medical records, allowing financial burdens to be reallocated, for example more optimally or equitably, to decrease overall societal cost, or simply to provide a successful business model for a database proprietor. Secure entrusted medical records are held in trust by an independent third party on behalf of the patient, serving the medical community at large. Separately encrypted record elements may be aggregated as an information polymer.

Inventors:Felsher; David Paul (Trumbull, CT)
Correspondence Name and Address: MILDE, HOFFBERG & MACKLIN, LLP, Suite 460, 10 Bank Street, Steven M. Hoffberg, Esq., White Plains, NY 10606, US
Series Code:899787
Filed:July 5, 2001
U.S. Current Class:705/51; 705/3
U.S. Class at Publication:705/51; 705/3
Intern'l Class:G06F 017/60

Claims


What is claimed is:
1. A method, comprising the steps of: receiving a record; referencing a set of access rules for the record; and applying an appropriate set of access rules to limit access to the record, the limitations being enforced by one or more selected from the group consisting of a cryptographic method for selectively limiting record access based on possession of a cryptographic key, and a trustee applying the access rules to limit access to the record.

2. The method according to claim 1, further comprising the step of accounting for a decryption of the record.

3. The method according to claim 2, wherein said accounting is anonymous.

4. The method according to claim 1, wherein the record has a plurality of portions, each portion being encrypted with at least one cryptographic key, said portions being independently accessible, said access rules applying to selectively limit access to portions of the record.

5. The method according to claim 4, wherein said access rules limit access to portions based on an identity of an intended recipient.

6. The method according to claim 1, further comprising the step of supplying a decryption key for a respective record portion in accordance with the applied set of rules.

7. The method according to claim 1, further comprising the step of accounting for a decryption of a portion of the record.

8. The method according to claim 1, wherein the set of access rules are associated with an intended recipient of the record.

9. The method according to claim 1, further comprising the step of referencing an index to define a record.

10. The method according to claim 9, wherein the index further stores a set of access rules for qualifying an intended recipient with respect to each of the records.

11. The method according to claim 1, further comprising the step of using an index to identify a record potentially responsive to a query.

12. The method according to claim 1, further comprising the step of using an index comprising a set of associations of patient identities and medical transaction records to identify records relating to a respective patient.

13. The method according to claim 1, further comprising the step of using an index comprising a set of associations of record identification, record characteristic, and said access rules to identify records relating to a query and limiting access to portions thereof.

14. The method according to claim 1, wherein the record comprises a plurality of portions, the portions being separately encrypted and having associated sets of independent rules.

15. The method according to claim 1, wherein the access rules are role based access rules relating to a role of the intended recipient.

16. The method according to claim 1, wherein the access rules are context based access rules relating to a context of record access.

17. The method according to claim 1, wherein the access rules are defined by a rights-holder of the record.

18. The method according to claim 1, wherein a decryption of the record triggers a remotely-sensed transaction.

19. The method according to claim 18, wherein the remotely sensed transaction comprises a financial accounting transaction.

20. The method according to claim 18, wherein the remotely sensed transaction comprises an access audit trail transaction.

21. The method according to claim 2, wherein said accounting occurs upon supply of the respective decryption key.

22. The method according to claim 2, wherein said accounting occurs upon use of the respective decryption key.

23. The method according to claim 1, wherein the record comprises a medical record.

24. The method according to claim 1, wherein the record comprises a media content record.

25. The method according to claim 1, wherein the access rules comprise a database of jurisdictional trust laws.

26. The method according to claim 1, wherein the set of access rules comprises a database of jurisdiction-dependent privacy laws.

27. The method according to claim 1, further comprising the step of creating a virtual trust of the record implemented in accordance with the trust laws of an associated jurisdiction.

28. The method according to claim 1, wherein the records comprise separate articles within a digital publication.

29. The method according to claim 1, further comprising the step of receiving the set of access rules.

30. The method according to claim 1, further comprising the step of generating the set of access rules based on the record.

31. The method according to claim 1, wherein a record encryption is associated with a rolling code.

32. The method according to claim 1, wherein the trustee controls the records and implements the access rules without requiring access to a content of the record.

33. The method according to claim 1, wherein the trustee controls access to the records.

34. The method according to claim 1, wherein the trustee selectively processes the records.

35. The method according to claim 1, wherein the records comprise a type selected from the group consisting of legal information, government records, financial records, commercially valuable trade secret legal information, manufacturing information, banking information, consumer entertainment media, digital music files, video information, cinema information, consumer information, personal demographic information, credit card information, personal contact information, social security number information, publication information, separate articles within a digital publication, and investment account information.

36. The method according to claim 1, wherein the record comprises a patient file, placed in a privileged trust for the patient with an independent trustee, said trustee implementing the set of rules for access with respect to each transaction record within the patient file defined by the patient and legal jurisdiction, wherein said trustee interacts with the patient record information to maintain, process, receive, deliver, or transmit portions of the patient record in secure and verifiable fashion to authorized entities in compliance with the trust.

37. The method according to claim 1, wherein the record comprises a corpus of a medical information trust for holding medical records on behalf of patients, in an organization distinct from the caregiver; the trustee charging for access to the medical record, and maintaining a record of each access of the medical record.

38. The method according to claim 1, wherein access rules are applied to an identified intended recipient without communicating an identity of the intended recipient to the respective beneficiary.

39. A method, comprising the steps of: placing information in trust with a trustee on behalf of a beneficiary; permitting a user to access the information in the trust; and implementing a rule for selectively providing access to the information in trust, including requiring an electronic communication between the user and the trustee.

40. The method according to claim 39, wherein the rule comprises a compensation rule for obtaining a right to the information.

41. The method according to claim 40, wherein the electronic communication comprises an electronic funds transfer.

42. The method according to claim 40, wherein the compensation rule is integrally associated with the information, and wherein the implementing occurs as a result of user interaction with the information.

43. The method according to claim 39, wherein the information comprises a patient medical record.

44. The method according to claim 39, wherein the information comprises consumer entertainment media.

45. The method according to claim 39, wherein the trustee is interposed between a rights holder for the information and the user, the trustee maintaining an anonymity of the user while accounting to the rights holder.

46. The method according to claim 39, wherein the trustee is interposed between a rights holder for the information and the user, the trustee characterizing the user based on a classification of information usage, while accounting to the rights holder for the use, without specifically identifying information usage of a user.

47. The method according to claim 39, wherein a transfer of the information to the user requires an electronic transfer of value from the user to the trustee, further comprising the step of accepting the value by the trustee while stripping a retained transfer record of an identifier of the user.

48. The method according to claim 39, further comprising the steps of receiving an identification of desired information content from a user; and logging the access employing a digital signature of the user.

49. The method according to claim 48, wherein the digital signature is anonymous with respect to the beneficiary.

50. The method according to claim 48, wherein the permitting the access entails requiring the user to enter into a restrictive covenant.

51. The method according to claim 40, wherein the trustee manages access to the information and implements the access rules as an intermediary for, and communicates compensation information to, the beneficiary.

52. The method according to claim 40, wherein the information has an associated compensation value, and comprises digital media information, said digital media information being associated with subsidy content, further comprising the step of accounting with the user for use of the digital media information offset by a value for subsidy content.

53. A method, comprising the steps of: defining information content and associated access rules; transmitting the information content and associated access rules to a trustee; and implementing, by the trustee, the associated access rules with respect to the information content, to establish a virtual trust in accordance therewith.

54. The method according to claim 53, wherein the information content comprises media information, and the associated access rules comprise economic rules.

55. The method according to claim 53, wherein the information content comprises medical record information, and the associated access rules comprise restrictive access rules based on an identity or characteristic of the user.

56. The method according to claim 55, further comprising the step of transmitting, from the trustee, information content in accordance with the associated rules.

57. The method according to claim 53, wherein the trustee controls the information content and implements the rules without requiring access to the information content.

58. A database system, comprising a plurality of records, each record having an associated set of access rules, means for applying the appropriate set of access rules to limit access to the record, the limitations being enforced by one or more selected from the group consisting of a cryptographic method for selectively limiting record access based on possession of a cryptographic key and a trustee applying the access rules on behalf of a beneficiary.

59. The system according to claim 58, further comprising means for accounting for a decryption of the record.

60. The system according to claim 59, wherein said accounting is anonymous.

61. The system according to claim 58, wherein the record has a plurality of portions, each portion being encrypted with at least one cryptographic key, said portions being independently accessible, said access rules applying to selectively limit access to portions of the record.

62. The system according to claim 61, wherein said access rules limit access to portions based on an identity of an intended recipient.

63. The system according to claim 58, further comprising the step of supplying a decryption key for a respective record portion in accordance with the applied set of rules.

64. The system according to claim 58, further comprising an accounting system for accounting for a decryption of a portion of the record.

65. The system according to claim 58, wherein the set of access rules are associated with an intended recipient of the record.

66. The system according to claim 58, further comprising the step of referencing an index to define a record.

67. The system according to claim 66, wherein the index further stores a set of access rules for qualifying an intended recipient with respect to each of the records.

68. The system according to claim 67, further comprising the step of using an index to identify a record potentially responsive to a query.

69. The system according to claim 58, wherein an index of a set of associations of patient identities and medical transaction records is used to identify records relating to a respective patient.

70. The system according to claim 58, wherein an index of a set of associations of record identification, record characteristic, and said access rules is used to identify records relating to a query and limiting access to portions thereof.

71. The system according to claim 58, wherein the record comprises a plurality of portions, the portions being separately encrypted and having associated therewith sets of independent rules.

72. The system according to claim 58, wherein the access rules are role based access rules relating to a role of the intended recipient.

73. The system according to claim 58, wherein the access rules are context based access rules relating to a context of record access.

74. The system according to claim 58, wherein the access rules are defined by a rights-holder of the record.

75. The system according to claim 58, wherein a decryption of the record triggers a remotely-sensed transaction.

76. The system according to claim 75, wherein the remotely sensed transaction comprises a financial accounting transaction.

77. The system according to claim 75, wherein the remotely sensed transaction comprises an access audit trail transaction.

78. The system according to claim 59, wherein said accounting occurs upon supply of the respective decryption key.

79. The system according to claim 59, wherein said accounting occurs upon use of the respective decryption key.

80. The system according to claim 58, wherein the record comprises a medical record.

81. The system according to claim 58, wherein the record comprises a media content record.

82. The system according to claim 58, wherein the access rules comprise a database of jurisdictional trust laws.

83. The system according to claim 58, wherein the set of access rules comprises a database of jurisdiction-dependent privacy laws.

84. The system according to claim 58, further comprising the step of creating a virtual trust encompassing the record, implemented in accordance with the trust laws of an associated jurisdiction.

85. The system according to claim 58, wherein the records comprise separate articles within a digital publication.

86. The system according to claim 58, further comprising the step of receiving the set of access rules.

87. The system according to claim 58, further comprising the step of generating the set of access rules based on the record.

88. The system according to claim 58, wherein a record encryption is associated with a rolling code.

89. The system according to claim 58, wherein the trustee controls the records and implements the access rules without requiring access to a content of the record.

90. The system according to claim 58, wherein the trustee controls access to the records.

91. The system according to claim 58, wherein the trustee selectively processes the records.

92. The system according to claim 58, wherein the records comprise a type selected from the group consisting of legal information, government records, financial records, commercially valuable trade secret legal information, manufacturing information, banking information, consumer entertainment media, digital music files, video information, cinema information, consumer information, personal demographic information, credit card information, personal contact information, social security number information, publication information, separate articles within a digital publication, and investment account information.

93. The system according to claim 58, wherein a record comprises a patient file, placed in a privileged trust for the patient with an independent trustee, said trustee implementing the set of rules for access with respect to each transaction record within the patient file, said rules being defined by the patient and legal jurisdiction, wherein said trustee interacts with the patient record information to maintain, process, receive, deliver, or transmit portions of the patient record in secure and verifiable fashion to authorized entities in compliance with the trust.

94. The system according to claim 58, wherein a record comprises a corpus of a medical information trust for holding medical records on behalf of patients, in an organization distinct from the caregiver; the trustee charging for access to a medical record, and maintaining a record of each access of said medical record.

95. The system according to claim 58, wherein access rules are applied to an identified intended recipient without communicating an identity of the intended recipient to the respective beneficiary.

96. A system, comprising: a trust, formed by providing information to a trustee on behalf of a beneficiary along with a set of access rules to be applied by the trustee to selectively permit a user to access the information in the trust; and means for automatically providing selective access to the information, in accordance with the set of access rules, based on an electronic communication between the user and the trustee.

97. The system according to claim 96, wherein the rule comprises a compensation rule for obtaining a right to the information.

98. The system according to claim 97, wherein the electronic communication comprises an electronic funds transfer.

99. The system according to claim 97, wherein the compensation rule is integrally associated with the information, and wherein the implementing occurs as a result of user interaction with the information.
100. The system according to claim 96, wherein the information comprises a patient medical record.

101. The system according to claim 96, wherein the information comprises consumer entertainment media.

102. The system according to claim 96, wherein the trustee is interposed between a rights holder for the information and the user, the trustee maintaining an anonymity of the user while accounting to the rights holder.

103. The system according to claim 96, wherein the trustee is interposed between a rights holder for the information and the user, the trustee characterizing the user based on a classification of information usage, while accounting to the rights holder for the use, without specifically identifying information usage of a user.

104. The system according to claim 96, wherein a transfer of the information to the user requires an electronic transfer of value from the user to the trustee, further comprising the step of accepting the value by the trustee while stripping a retained transfer record of an identifier of the user.

105. The system according to claim 96, further comprising means for receiving an identification of desired information content from a user; and means for logging the access employing a digital signature of the user.

106. The system according to claim 105, wherein the digital signature is anonymous with respect to the beneficiary.

107. The system according to claim 96, wherein the user is required to enter into a restrictive covenant for access to the information.

108. The system according to claim 97, wherein the trustee manages access to the information and implements the access rules as an intermediary for, and communicates compensation information to, the beneficiary.

109. The system according to claim 97, wherein the information has an associated compensation value, and comprises digital media information, said digital media information being associated with subsidy content, wherein the user accounts to said selective access providing means for use of the digital media information offset by a value for subsidy content.

110. A virtual trust system, comprising a set of defined information content and associated rules; and a trustee, receiving the information content and associated rules and implementing a virtual trust in accordance therewith.

111. The system according to claim 110, wherein the information content comprises media information, and the associated access rules comprise economic rules.

112. The system according to claim 110, wherein the information content comprises medical record information, and the associated access rules comprise restrictive access rules based on an identity or characteristic of the user.

113. The system according to claim 112, further comprising the step of transmitting, from the trustee, information content in accordance with the associated rules.

114. The system according to claim 110, wherein the trustee controls the information content and implements the rules without requiring access to the information content.

115. The system according to claim 110, wherein the defined information content is provided as a set of records, each record having a plurality of portions, at least two such portions being associated with independent cryptographic keys, further comprising a database index providing an association between a record descriptor, a record identification, and a set of limiting access rules for each privileged database record; and a cryptographic key database, for storing cryptographic keys associated with portions of a record.

116. The system according to claim 110, wherein said rules are selected from the group consisting of role based access rules, and context based access rules.

117. The system according to claim 115, wherein each of the portions is encrypted with at least one cryptographic key, said portions being independently accessible.

118. The system according to claim 115, further comprising means for accounting for a decryption of an encrypted record or portion of a record.

119. The system according to claim 115, wherein the records comprise medical records.

120. The system according to claim 110, wherein the set of rules comprise a database of jurisdictional trust laws.

121. The system according to claim 110, wherein the rules are jurisdiction-dependent, further comprising an input for receiving an identification of a relevant jurisdiction.

122. The system according to claim 121, further comprising means for resolving inconsistencies between a plurality of relevant jurisdictions.

123. The system according to claim 121, further comprising a plurality of rule sets, each rule set being associated with a different jurisdiction, further comprising means for applying a set of rules relevant to an associated jurisdiction.

124. The system according to claim 110, further comprising a transaction log including a digital signature of a transactor, wherein the transaction log may be audited through use of a complementary digital signature.

125. The system according to claim 124, wherein the transaction log may be audited without revealing an identity of the transactor.

126. The system according to claim 124, wherein the transaction log audited reveals an identity of the transactor.

127. A transmitted medical information record, including patient-specific data, comprising at least one medical transaction information file, associated with the specific patient, each medical transaction information file being separately encrypted.

128. The record according to claim 125, wherein the record comprises at least two medical transaction information files, each file being separately encrypted.

129. The record according to claim 125, further comprising an access rule embedded in the medical transaction information file.

130. The record according to claim 125, wherein the access rule is not encrypted.

131. The record according to claim 125, wherein the medical transaction file encryption comprises public key encryption.

132. The record according to claim 125, wherein the medical transaction file encryption comprises multiple levels of public key encryption, employing differing keys.

133. The record according to claim 125, wherein the medical transaction file encryption comprises a first public key encryption employing a patient-specific public key, and a second public key encryption employing a recipient specific public key.

134. The record according to claim 125, wherein the medical transaction file encryption comprises a public key encryption employing a recipient-system interaction specific key.

135. The record according to claim 134, wherein the medical transaction file encryption further comprises a first public key encryption employing a patient-specific public key, and a second public key encryption employing a recipient specific public key.

136. The record according to claim 134, wherein said recipient-system interaction specific key interacts with an applet wrapper to decrypt the medical record.

137. A system for managing the record according to claim 125, comprising a database system for hosting the medical transaction information files, and an accounting system for accounting for access to a content of each of said encrypted medical transaction information files.

138. The system according to claim 137, wherein the accounting is a financial accounting.

139. The system according to claim 137, further comprising an audit trail.

140. A business method, comprising the steps of: establishing, in an organization distinct from the caregiver, a medical information trust to hold a medical record or associated access permission on behalf of a patient; charging for access to or permission to access the medical record; and maintaining a record of each access of or permission to access the medical record.

141. The method according to claim 140, wherein the access permission comprises a cryptographic key.

142. A business method, comprising the steps of: establishing, in an organization distinct from a rights holder, a virtual information trust to hold a content record or associated access permission on behalf of a rights holder; charging for access to or permission to access the content record; and maintaining a record of each access of or permission to access the content record.

143. The method according to claim 142, wherein the access permission comprises a cryptographic key.
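The layered scheme that the abstract and claims 4, 15, 21 and 133 describe (record portions each encrypted under their own key, a role-based rule set applied by a trustee, accounting on each key release, and re-encryption of the released material under the recipient's key), as an added Python illustration that is not the patent's own code. It stands in an HMAC-SHA256 keystream for the public-key and symmetric ciphers a real system would use, and the record, roles, rule table and recipient names are constructed samples.

```python
import hashlib
import hmac
import secrets

# Role-based access rules (constructed sample of the rules claims 15 and 55 describe).
ACCESS_RULES = {
    "physician": {"demographics", "diagnosis"},
    "billing_clerk": {"demographics", "billing"},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (demo only, not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting, so a wrong key or a tampered portion is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered portion")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Trustee:
    """Holds ciphertext portions and a key database, applies the rules, logs each key release."""

    def __init__(self):
        self.ciphertexts = {}   # record_id -> {portion_name: ciphertext}
        self.key_db = {}        # record_id -> {portion_name: portion key}
        self.audit_log = []     # one entry per key release (accounting upon key supply)
        self._pseudonym_salt = secrets.token_bytes(16)

    def deposit(self, record_id: str, portions: dict) -> None:
        """Encrypt each portion of a record under its own key (separately encrypted elements)."""
        self.ciphertexts[record_id], self.key_db[record_id] = {}, {}
        for name, data in portions.items():
            portion_key = secrets.token_bytes(32)
            self.key_db[record_id][name] = portion_key
            self.ciphertexts[record_id][name] = encrypt(portion_key, data)

    def _pseudonym(self, recipient_id: str) -> str:
        # The log carries a salted hash, so access is accounted for without naming the user.
        return hmac.new(self._pseudonym_salt, recipient_id.encode(), hashlib.sha256).hexdigest()[:16]

    def request(self, record_id: str, recipient_id: str, role: str, recipient_key: bytes) -> dict:
        """Apply the role rule, then release only the permitted portion keys, wrapped under the recipient's key."""
        if role not in ACCESS_RULES:
            raise PermissionError(f"no access rule for role {role!r}")
        allowed = sorted(ACCESS_RULES[role] & set(self.ciphertexts[record_id]))
        bundle = {}
        for name in allowed:
            wrapped_key = encrypt(recipient_key, self.key_db[record_id][name])
            bundle[name] = (self.ciphertexts[record_id][name], wrapped_key)
        self.audit_log.append({"record": record_id, "who": self._pseudonym(recipient_id),
                               "role": role, "portions": allowed})
        return bundle


def open_bundle(bundle: dict, recipient_key: bytes) -> dict:
    """Recipient side: unwrap each portion key, then decrypt that portion."""
    return {name: decrypt(decrypt(recipient_key, wrapped), ct).decode()
            for name, (ct, wrapped) in bundle.items()}


def demo() -> dict:
    """Constructed sample record; returns what a physician and a billing clerk each receive."""
    trustee = Trustee()
    trustee.deposit("rec-001", {
        "demographics": b"Patient P, DOB 1970-01-01",
        "diagnosis": b"Type 2 diabetes mellitus",
        "billing": b"Visit code 99213, $120",
    })
    physician_key, clerk_key = secrets.token_bytes(32), secrets.token_bytes(32)
    physician_view = open_bundle(trustee.request("rec-001", "dr-smith", "physician", physician_key), physician_key)
    clerk_view = open_bundle(trustee.request("rec-001", "clerk-7", "billing_clerk", clerk_key), clerk_key)
    return {"physician": physician_view, "billing_clerk": clerk_view, "audit": trustee.audit_log}


if __name__ == "__main__":
    for role, view in demo().items():
        print(role, view)
```

Each role sees only the portions its rule names, and the audit log records the release under a pseudonym rather than the recipient's identifier.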

Description



FIELD OF THE INVENTION

[0001] The present invention relates to the field of information records, repositories, systems and methods for the creation, use, processing, maintenance, transmission, querying and protection thereof.

BACKGROUND OF THE INVENTION

[0002] Computerized records and databases are employed in many industries. Often, the information is made available subject to usage rights limitations. For example, copyrighted information is generally controlled by the copyright owner, such that copying is controlled or prohibited after publication. In a digital environment, each transmission of the content results in a form of copying, such that a copyright owner cannot impose a strict prohibition on all forms of copying while promoting digital use of the content. Thus, the publisher or content owner seeks to apply rules that provide appropriate compensation.

[0003] In other instances, the issue is not content, but rather security and privacy. In these cases, the rules limit access based on an authorization, which may be express or implied. Medical and legal records are examples of this form of content limitation.

[0004] Conceptually, implementations of economic-permission-based and security-permission-based access control systems are similar. In fact, security-based access control systems often include logs and audit trails, which are similar to the accounting databases associated with economic permission systems. Thus, many issues raised by these systems are similar.

[0005] Medical Records

[0006] The art of medical record keeping has developed over centuries of medical practice to provide an accurate account of a patient's medical history. Record keeping in medical practice was developed to help physicians, and other healthcare providers, track and link individual "occurrences" between a patient and a healthcare provider. Each physician/patient encounter may result in a record including notes on the purpose of the visit, the results of physician's examination of the patient, and a record of any drugs prescribed by the physician. If, for example, the patient were referred to another clinic for additional testing, such as a blood analysis, this would form a separate medical encounter, which would also generate information for the medical record.

[0007] The accuracy of the medical record is of the utmost importance. The medical record describes the patient's medical history, which may be of critical importance in providing future healthcare to the patient. Further, the medical record may also be used as a legal document, as a research tool and to provide information to insurance companies or third party reimbursors.

[0008] Over the years, paper medical records have evolved from individual practitioners' informal journals to the current multi-author, medical/legal documents. These paper records serve as the information system on which modern medical practice is based. While the paper-based medical record system has functioned well over many decades of use, it has several shortcomings. First, while a paper-based record system can adequately support individual patient-physician encounters, it fails to serve as a source of pooled data for large-scale analysis. While the medical data in the paper-based records is substantial, the inability to adequately index, store and retrieve information from the paper-based mechanisms prevents efficient analysis of the data. Thus, paper medical records could be a rich source of information for generating new knowledge about patient care, if only their data could be accessed on a large scale. Second, each portion of the paper-based record is generated and kept at the site of the medical service. Hence, the total record may be fragmented among many sites. Consequently, access by off-site physicians is less than optimal. The inability to access a complete medical record in a short period of time presents problems both for individual care and group care of patients. Because of the shortcomings of the paper-based record, the electronic medical record (or "EMR") has been investigated for a number of years. An electronic medical record may be stored and retrieved electronically through a computer.

[0009] Clinical information as expressed by health care personnel is typically provided in natural language, e.g., in English. While phrases in natural language are convenient in interpersonal communication, the same typically does not apply to computerized applications such as automated quality assurance, clinical decision support, patient management, outcome studies, administration, research and literature searching. Even where clinical data is available in electronic or computer-readable form, the data may remain inaccessible to computerized systems because of its form as narrative text. Thus, while medical records may be maintained in electronic form, significant efforts are necessary in order to make the information available for automated analysis.

[0010] For computerized applications, methods and systems have been developed for producing standardized, encoded representations of clinical information from natural-language sources such as findings from examinations, medical history, progress notes, and discharge summaries. Special-purpose techniques have been used in different domains, e.g., general and specialized pathology, radiology, and surgery discharge reports.

[0011] Medical information poses significant challenges to knowledge management systems. Medical information presently includes multimedia file types, including numeric data, text, scanned text images, scanned graphic images, sound (e.g., phonocardiography and dictation), high resolution images (radiology) and video (ultrasonic imaging and fluoroscopy). The medical records for an individual may, over time, grow to multiple megabytes or even gigabytes of data, and advanced medical techniques promise to increase the available data. These records come from a number of different medical service providers, and may be stored in geographically disparate locations. Often, a new medical service provider will seek to review all appropriate previous medical records for a patient. Further, in third party reimbursement situations, the third party indemnitor will seek to review records in connection with billed services.

[0012] On the other hand, medical records include data that is intensely personal, including personal data such as sexual habits, drug abuse, psychological disorders, family histories, genetics, terminal diseases, or other injuries, and the like. Thus, while there are legitimate reasons for transmitting medical information files, such transmission must be limited to appropriate circumstances and to authorized recipients.

[0013] In today's practice environment, the inability of healthcare providers, administrators, insurers, researchers and governmental agencies to rapidly access and/or extract information from paper-based medical records represents a serious limitation with significant scientific and economic ramifications. Electronic medical record systems are expected to improve healthcare delivery by enhancing case management capabilities, and by leading to clinical practice research databases that provide valuable information on patient outcomes and clinical effectiveness.

[0014] While there have been attempts to develop computer database architectures capable of storing and retrieving medical record information which reconcile physicians' desires for maintaining a format of unstructured medical information with database requirements for highly structured data storage, these systems fail to provide an infrastructure for the efficient transmission, use and security protection of the data.

[0015] Some approaches have been based on the development of categorical data structures and descriptive vocabularies that require translation of medical information into highly structured abstractions. This approach is problematic due to the enormous size of the overall translation task, the inability to accurately code all of the information contained within the free-text portion of the record, and the fact that normalizing data introduces additional abstraction, which may devalue its clinical worth.

[0016] Other approaches provide a full text database with a metadata header abstracting portions of the data record. However, searching this metadata may be difficult, and the existence of this metadata outside of the record itself may impair patient privacy. On the other hand, failure to index the data makes searching for a record difficult.

[0017] There has been a longstanding trend to computerize various forms of information, in order to make this information more accessible, to facilitate transmission, and to facilitate storage thereof. However, in the case of medical information, this has resulted in significant concerns for the privacy and security of the information. Indeed, while the information technically cannot be disclosed without the consent of the patient, a principle dating from at least the time of Hippocrates, the medical institutions that hold this information guard it jealously. Thus, it may be difficult to obtain collaboration between medical institutions in the ongoing treatment of a patient. While there are important legitimate uses for medical data, there is also a substantial possibility for abuse of the data and of the associated trust relationship between patient and medical care provider represented therein. In fact, recent federal legislative and regulatory initiatives (U.S. Department of Health and Human Services) seek to regulate the creation, use, transmission and maintenance of medical information databases, and indeed may impose criminal sanctions.

[0018] The regulatory activities define mandates without defining implementing technologies nor providing funding for the burden imposed on federal, state, local and private entities.

[0019] Typically, in a hospital medical information system, information relating to patients in a database is generated and used by users having a variety of roles, including doctors of various specialties, nurses, therapists of various types, paraprofessionals, clinical laboratories, and bedside devices (which may automatically generate or receive patient information). In addition, medical information is used, but typically not generated by, pharmacies, administrators, lawyers, insurers or payors, and other parties.

[0020] Medical databases present a particular problem that has been difficult to address. On one hand, database architects seek to provide indexing of key fields of the database, allowing efficient retrieval. On the other hand, such indexes necessarily include information derived from the record. Thus, the existence of an index poses a security and privacy breach risk. One way to address this issue, as proposed in U.S. Pat. No. 5,832,450, is to avoid indexing altogether and keep the information only within the database record itself. While this preserves privacy, it makes locating a database record other than by patient identifier, or its accession identifier, very difficult.

[0021] Another method used to address this problem is the maintenance of anonymous medical records in addition to patient-specific records. Thus, a search for a record other than by patient identifier may be performed, but typically not for the treatment of the patient. Such techniques are useful in academic exercises. Often, the anonymization process is imperfect, or very costly.

[0022] One scheme for increasing the portability of medical records is to provide personal data storage devices, for example an optical storage medium in credit card format. These devices, however, present a security risk, since it cannot be presumed that the patient will be able to provide consent to the use of the information when required; thus, access controls must necessarily be compromised. Further, the information carrier can be lost or destroyed.

[0023] Because of the many types of caregivers, the idea of role-based access has arisen; basically, medical professionals of different types will require access to various subsets of the medical record. For example, typically the primary care physician and certain consults will require full access.

[0024] Traditionally, medical records maintenance and upkeep have imposed a significant cost and burden. While enterprises have evolved for outsourcing of certain functions, these enterprises have not particularly represented the interests of the patient, and rather serve as agents for the medical record custodian.

[0025] One method for ensuring data security is encryption. Cryptographic systems employ secret keys to protect information. Key management systems for cryptographic keys are well known. One such system, by Entrust Technologies Limited is currently commercially available.

[0026] Media Content

[0027] One particular area of digital rights management involves the use and distribution of digital media, e.g., consumer entertainment in the form of audio, video, multimedia, and/or text. Computer software may be considered another form of media. In these systems, one significant purpose for digital distribution is to reduce the costs and increase convenience involved in communicating the information to the user. This, in turn, tends to reduce the actual or perceived cost of "consumption" of the media to the user. However, in a digital network, the content is readily replicated, and thus the owner risks loss of control and compensation. In order to retain control, the media is typically distributed in encrypted form. Alternatively, the media itself is unencrypted, but the available hardware for using the digital media requires permission for operation, in effect blocking the decoding to a usable form.

[0028] The existing systems seek to create an obligation by the recipient on behalf of the owner, to abide by the restrictions imposed. This obligation can be voluntary or mandatory.

[0029] While on-line systems for browsing media may maintain privacy and confidentiality, on-line commercial transactions often waive privacy and confidentiality, by requiring disclosure of identity, electronic billing information, billing address, shipping address, and the association with the item being purchased. Further, databases are maintained which may then impair future privacy by associating the user's IP address or providing a browser cookie, which identify the user or associate with a prior detailed database record.

[0030] Thus, electronic commerce has the ability to eliminate the anonymity of cash. This is especially troublesome with respect to media content preferences and consumption, since these preferences and consumption were heretofore considered private.

[0031] Existing systems do not create a trust infrastructure, wherein an independent third party represents and serves as agent for the content owner, implementing a set of restrictive rules for use of the content, and interacting and servicing customers. In fact, these systems adopt a more traditional retail model, with independent resellers, or employ related entities.

[0032] In fact, the use of an intermediary, such as an Internet proxy server or payment service can protect user privacy. However, the Internet proxy cannot anonymize a direct electronic purchase transaction. Thus, existing intermediaries do not act in a representative capacity for the content owner, and do not integrate content management functions.

[0033] Personal Demographic Information

[0034] As stated above, many different electronic commerce systems have access to, and indeed maintain profiles and other information on customers. Even non-electronic retailers have adopted techniques to provide the same types of information, for example, supermarkets that provide "club cards", and otherwise may track credit/debit card purchases.

[0035] Retailers seek to gain valuable insight into their business and consumer habits and responsiveness to promotions by profiling consumers, and forming personal profiles and/or aggregate profiles from this information. Since the information often includes purchase information, the profiles are personally identifiable. Further, user profiling must be associated with the same user on an ongoing basis.

[0036] Intermediaries

[0037] In fact, the use of an intermediary, such as an Internet proxy server or payment service, can protect user privacy. However, the Internet proxy cannot anonymize a direct electronic purchase transaction, and use of an intermediary service results in a loss of rights with respect to credit card transactions.

[0038] Thus, existing intermediaries do not act in a representative capacity for the content owner, and do not integrate content management functions.

[0039] Computer Security

[0040] Computer security is currently an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life--financial, medical, education, government, and communications--the concern over secure file access is growing. Using passwords is a common method of providing security. Password protection and/or personal identification numbers are employed for computer network security, automatic teller machines, telephone banking, calling cards, telephone answering services, houses, and safes. These systems generally require the knowledge of an entry code that has been selected by a user or has been preset. Preset codes are sometimes forgotten, as users have no reliable method of remembering them. Writing down the codes and storing them in close proximity to an access control device (i.e. the combination lock) results in a secure access control system with a very insecure code. Alternatively, the nuisance of trying several code variations renders the access control system more of a problem than a solution.

[0041] Password systems are known to suffer from other disadvantages. Usually, a user specifies passwords. Most users, being unsophisticated users of security systems, choose passwords that are relatively insecure, for example words that are found in a dictionary or within a personal wallet. As such, many systems protected by passwords are easily accessed through a simple (possibly automated) trial and error process.

[0042] Biometric authentication schemes, for example fingerprint, voice, iris, retina, hand, face, or other personal characteristics, may be used to identify a user. These either do not require a password or access code, or are used in conjunction with such passwords or codes, and may provide substantial system security. A biometric identification system accepts unique biometric information from a user and identifies the user by matching the information against information belonging to registered users of the system.

[0043] Though biometric authentication is a secure means of identifying a user, it is difficult to derive encryption keys from the information. In the first place, the information is different each time it is presented to a biometric information input device. Secondly, the biometric information is retrievable through, for example, extraction of latent fingerprints, and is therefore subject to "spoofing". When an encryption key is derived directly from biometric information, the extraction of latent biometric information or the interception of biometric information may allow others to derive the encryption key. Thirdly, since some biometric information is substantially unchanging, it is not well suited to encryption: once an encryption key or biometric authentication system is broken (i.e., knowledge exists to circumvent the security provided by the scheme), its use should be discontinued; however, changing the biometric information on demand is a difficult procedure. In order to overcome this problem, key management systems exist wherein a plurality of keys are stored in a secure key database. A user authentication, such as a biometric authentication, is used to access the secure key database. Often the database is encrypted with a key that is accessible through user authentication.

[0044] Key management systems are well known. One such system, by Entrust Technologies Limited, is currently commercially available. Unfortunately, current key management systems are designed for installation on a single computer and for portability between computers having the same configuration. As such, implementation of enhanced security through installation of biometric input devices is costly and greatly limits portability of key databases. Alternatively, password based protection of key databases is undesirable because of the inherently insecure nature of most user selected passwords. For example, when using Entrust.RTM. software to protect a key database, the database is portable on a smart card or on a floppy disk. The portable key database is a duplicate of the existing key database. User authentication for the portable key database is identical to that of the original key database. The implications of this are insignificant when password user authentication is employed; however, when biometric user authentication such as retinal scanning or fingerprint identification is used, the appropriate biometric identification system is required at each location wherein the portable key database is used. Unfortunately, this is often not the case. In order to avoid this problem, organizations employ password access throughout and thereby reduce overall security to facilitate portability. Alternatively, members of an organization are not permitted to travel with portable key databases and thereby have reduced mobility and are capable of performing fewer tasks while outside the office. This effectively counters many of the benefits available in the information age. Key databases, once created, should not be decrypted, except during emergencies. This prevents keys from becoming vulnerable by existing in their decrypted state.
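The following Python is an added example, not part of the patent text and not the applicant's or Entrust's code. It combines the two mechanisms the background describes: the role-based access of [0023], under which each class of caregiver sees only a subset of the record, and the key database of [0043]-[0044], which holds one key per record element and is itself encrypted under a key that only a successful user authentication can reproduce. Each record element is encrypted under its own random key, so an element whose key is never released stays opaque ciphertext. Everything beyond that is an assumption: the record layout and role table are constructed for illustration, a password stands in for the biometric authentication secret, and, because the standard library has no AEAD, an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for AES-GCM. The key-encrypting key comes from PBKDF2 with a deliberately high iteration count so that the trial-and-error guessing of [0041] is slow.

```python
"""Added example (not from the patent): per-element record encryption, a key
database locked under a user-authentication secret, and role-based key release.
Standard library only.  ASSUMED, not from the source: record layout, role table,
a password in place of a biometric secret, and an HMAC-SHA256 stream cipher with
an encrypt-then-MAC tag in place of a real AEAD (use AES-GCM in production)."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
KDF_ITERATIONS = 200_000  # deliberately slow: makes password guessing costly

# Assumed role table: which elements of the record each role may open.
ROLE_ACCESS = {
    "primary_physician": {"demographics", "medications", "labs", "psych_notes"},
    "pharmacist": {"demographics", "medications"},
    "billing_clerk": {"demographics"},
}

# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "demographics": {"name": "A. Patient", "dob": "1970-01-01"},
    "medications": {"rx": ["drug-x 10mg"]},
    "labs": {"cbc": "normal"},
    "psych_notes": {"note": "sensitive narrative"},
}

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one element key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC over nonce and ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def seal_record(record: Dict[str, dict]) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Encrypt every element under its own random key; return (sealed elements, element keys)."""
    keys = {name: os.urandom(32) for name in record}
    sealed = {name: encrypt(keys[name], json.dumps(record[name]).encode()) for name in record}
    return sealed, keys

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encrypting key from the user-authentication secret (a password in this example)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS, dklen=32)

def lock_key_database(keys: Dict[str, bytes], secret: str) -> bytes:
    """The key database stays encrypted at rest; only a holder of the KEK can open it."""
    salt = os.urandom(SALT_LEN)
    payload = json.dumps({n: k.hex() for n, k in keys.items()}).encode()
    return salt + encrypt(derive_kek(secret, salt), payload)

def unlock_key_database(blob: bytes, secret: str) -> Dict[str, bytes]:
    """Re-derive the KEK from the secret and open the key database (raises on a wrong secret)."""
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    entries = json.loads(decrypt(derive_kek(secret, salt), body))
    return {n: bytes.fromhex(k) for n, k in entries.items()}

def release_for_role(key_db: Dict[str, bytes], role: str) -> Dict[str, bytes]:
    """Hand out only the element keys the role is entitled to; an unknown role gets none."""
    allowed = ROLE_ACCESS.get(role, set())
    return {n: k for n, k in key_db.items() if n in allowed}

def open_record(sealed: Dict[str, bytes], released: Dict[str, bytes]) -> Dict[str, dict]:
    """Decrypt the elements whose keys were released; the rest remain opaque and are omitted."""
    return {n: json.loads(decrypt(released[n], blob)) for n, blob in sealed.items() if n in released}

def demo(secret: str = "correct horse battery", role: str = "pharmacist") -> Dict[str, dict]:
    """End to end: seal the record, lock the keys under the secret, unlock, release by role, open."""
    sealed, keys = seal_record(SAMPLE_RECORD)
    locked = lock_key_database(keys, secret)
    released = release_for_role(unlock_key_database(locked, secret), role)
    return open_record(sealed, released)
```

Calling `demo(role="pharmacist")` yields only the demographics and medications elements, `demo(role="primary_physician")` yields the whole record, and a role absent from the table yields nothing. A wrong secret fails inside `unlock_key_database` because the tag on the key database does not verify, so no element key is ever exposed; a flipped byte in a sealed element fails the same way. The point of keeping the per-element keys in a separately locked database is the one [0043] makes: the user secret can be changed without re-encrypting the record, because only the key database, not the record elements, is bound to it.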

[0045] Prior Art

[0046] A number of fields of endeavor are relevant to the present invention, and exemplary prior art, incorporated herein by reference, are disclosed below. The references disclosed provide a skilled artisan with embodiments of elements of the present invention, and the teachings therein may be combined and subcombined in various manners in accordance with the present teachings. The topical headings are advisory only, and are not intended to limit the applicability of any reference.

[0047] Medical Record Systems

[0048] John D. Halamka, Peter Szolovits, David Rind, and Charles Safran, "A WWW Implementation of National Recommendations for Protecting Electronic Health Information", J. Am. Med. Inform. Assoc. 1997 4: 458-464 (expressly incorporated herein by reference).

[0049] Reid Cushman, "Serious Technology Assessment for Health Care Information Technology", J. Am. Med. Inform. Assoc. 1997 4: 259-265 (expressly incorporated herein by reference).

[0050] Suzy A. Buckovich, Helga E. Rippen, and Michael J. Rozen, "Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information", J. Am. Med. Inform. Assoc. 1999 6: 122-133 (expressly incorporated herein by reference).

[0051] Paul C. Tang, "An AMIA Perspective on Proposed Regulation of Privacy of Health Information", J. Am. Med. Inform. Assoc. 2000 7: 205-207 (expressly incorporated herein by reference).

[0052] Clement J. McDonald, "The Barriers to Electronic Medical Record Systems and How to Overcome Them", J. Am. Med. Inform. Assoc. 1997 4: 213-221 (expressly incorporated herein by reference).

[0053] U.S. Pat. No. 5,361,202 (Doue, Nov. 1, 1994, Computer display system and method for facilitating access to patient data records in a medical information system), expressly incorporated herein by reference, relates to a system and method to improve access to patient information in medical information system for a health care facility. A computer display system, and a method for such a display system, includes a displayed representation of the duration of the stay of an identified patient in the health care facility. In such a medical information system patient data is stored in data files in a database, wherein each data file in the database is comprised of a plurality of data records. A user positions a cursor on the displayed representation using an input unit and signals the computer of a desired date and time. The computer, in response to the signal determines the desired date and time from the position of the cursor and accesses a data record or records from the data file based on the desired date and time. The accessed data record or records may then be displayed. The data records may be time-stamped. In that case, the duration of the patient's stay is the time period between the earliest and latest time stamps.

[0054] U.S. Pat. No. 5,644,778 (Burks, et al., Jul. 1, 1997, Medical transaction system), expressly incorporated herein by reference, relates to a medical transaction system, which is capable of permitting a plurality of healthcare providers to communicate with a plurality of payors and financial institutions. The healthcare providers, payors, and financial institutions do not have to communicate in the same data message formats nor in the same communication protocols. Such a system facilitates not only the processing of medical claims submitted by the healthcare providers to the payors, but also permits the transfer of medical data records between healthcare providers. The system supports the processing of medical claims without requiring a centralized database or imposing a uniform claim format on the healthcare providers and payors. The preferred embodiment further includes a financial transactor that uses remittance information from the payors to generate the electronic funds transfer messages to credit and debit accounts. Additionally, the system supports a medical line of credit at financial institutions that may be used to pay portions of medical claims not covered by payors.

[0055] U.S. Pat. No. 5,832,450 (Myers, et al. Nov. 3, 1998), expressly incorporated herein by reference, provides an electronic medical record system that stores data about individual patient encounters arising from a content generator in free-form text. A header for each encounter-based record also uses text to store context information for that record. Each header comprises a plurality of attributes embodied as a field descriptor and a value, bound together as a text object. By binding the field descriptors to the values, each encounter record is complete in itself, without reference to database keys, thereby providing a self-validating record storage system. In this system, the security of the medical data is maintained, because the attribute values and the attribute descriptors are bound together as a text object, and because the values are not location dependent, the data is self-validating. Thus, templates, keys, or other lookup means employed by relational databases are not required to find or interpret the data. Additional attributes may be added without a restructuring process, eliminating a source of errors in the system. Access of the content and context information in the EMR system by external systems is possible without secondary tables or keys.

[0056] U.S. Pat. No. 5,546,580 (Seliger, et al., Aug. 13, 1996), expressly incorporated herein by reference, relates to a method and apparatus for coordinating concurrent updates to a medical information database, from different workstations and medical instruments. A first data value for a record is entered at a first workstation and a second data value for the record is entered at a second workstation without locking either workstation during data entry. The new data values are stored in the medical database after completion of data entry at each workstation, and a correction history is recorded. The correction history contains information as to the update of the record with the first data value and the second data value. The record is updated with the first and second data values without aborting user activities or notifying a user that an update conflict has occurred. After the new data values are stored in the medical database, all workstations containing a copy of the record are updated to reflect the current state of the record.

[0057] U.S. Pat. No. 5,832,488 (Eberhardt, Nov. 3, 1998), expressly incorporated herein by reference, relates to a computer system and method for storing medical histories using a smartcard to store data. A computer system and method is provided for programming it for storage of individual medical histories on a storage device, preferably about the size of a credit card, for adding new medical data about the individual to the device and for communicating with other computers to retrieve large data records about the individual; and for enabling a second computer to collate and sort data relating to selected medical fields from the data of such individual and from the data about other individuals transferred to the second computer.

[0058] U.S. Pat. No. 5,867,821 (Ballantyne, et al., Feb. 2, 1999), expressly incorporated herein by reference, relates to a method and apparatus for electronically accessing and distributing personal health care information and services in hospitals and homes, for the distribution and administration of medical services, entertainment services, electronic medical records, educational information, etc. to a patient's individual electronic patient care station (PCS) interconnected to a master library (ML) which stores data in digital compressed format, through a local medical information network. The patient/medical personnel interact with this medical information network through the unique PCS and receive the requested service or data from the master library. The data is then displayed either on the associated television set or video monitor or through wireless/IR communications to a peripheral personal data assistant (pen based computer technology). The data for text, audio, and video information is all compressed digitally to facilitate distribution and only decompressed at the final stage before viewing/interaction.

[0059] U.S. Pat. No. 5,899,998 (McGauley, et al., May 4, 1999), expressly incorporated herein by reference, relates to a method and system for maintaining and updating computerized medical records. A distributed database architecture stores medical information in a self-updating system that employs point-of-service stations disposed at convenient medical service locations. Each patient carries a portable data carrier such as a smart card that contains the patient's complete medical history. Interaction between the portable data carriers and the point-of-service stations effects a virtual communication link that ties the distributed databases together without the need for online or live data connections. The point-of-service stations are also interconnected over a communications network through a switching station that likewise does not rely on online, live communication. The database system uses an object-oriented update object to distribute data that has been generated when a portable data carrier is not physically present and to automatically distribute data without the necessity of accessing a masterfile.

[0060] U.S. Pat. No. 5,903,889 (de la Huerga, et al., May 11, 1999), expressly incorporated herein by reference, relates to a system and method for translating, collecting and archiving patient records. The system retrieves, modifies, and collects data records having a plurality of formats and distributed on a plurality of databases on a computer network. The system includes means for detecting various types, relationships, and classifications of data records and modifying them accordingly to support interactive, hypertext-linked display of, and organized access to, the data records. The system further includes means to store a related set of data records on a mass storage device such as a CD-ROM to provide non-network access to the data records. Adapted for use in a hospital environment, the system facilitates access by care providers, administrators, and insurance company agents to a patient's cumulative, and possibly extensive, record.

[0061] U.S. Pat. No. 5,911,132 (Sloane, Jun. 8, 1999, Method using central epidemiological database), expressly incorporated herein by reference, relates to a system in which patient disease is diagnosed and/or treated using electronic data communications between not only the physician and his/her patient, but via the use of electronic data communications between the physician and one or more entities which can contribute to the patient's diagnosis and/or treatment, such electronic data communications including information that was previously received electronically from the patient and/or was developed as a consequence of an electronic messaging interaction that occurred between the patient and the physician. Such other entities illustratively include a medical diagnostic center and an epidemiological database computer facility that collects epidemiological transaction records from physicians, hospitals and other institutions that have medical facilities, such as schools and large businesses. The epidemiological transaction record illustratively includes various medical, personal and epidemiological data relevant to the patient and his/her present symptoms, including test results, as well as the diagnosis, if one has already been arrived at by the e-doc. The epidemiological database computer facility can correlate this information with the other epidemiological transaction records that it receives over time in order to help physicians make and/or confirm diagnoses as well as to identify and track epidemiological events and/or trends.

[0062] U.S. Pat. No. 5,911,687 (Sato, et al., Jun. 15, 1999, Wide area medical information system and method using thereof), expressly incorporated herein by reference, relates to a wide area medical information system and a method using the same, comprising a wide area network, a plurality of doctor terminals and patient terminals connected to the wide area network, and a management server including at least an electronic case record file storing clinic information for patients and a doctor database storing data of a plurality of doctors, wherein the system searches the doctor database on the basis of patient information including the condition of the disease of a certain patient input from the patient terminal, selects the corresponding doctor, requests that the selected doctor take charge of examination and treatment for the aforementioned certain patient, registers the correspondence between the approved doctor and the aforementioned certain patient in the electronic case record file, gives the right to access the clinic information of the patient to the approved doctor, and executes the online examination and treatment via the doctor terminal and patient terminal, so that a patient existing in a wide area can receive remote examination and treatment services of high satisfaction and medical treatment related services other than examination and treatment without depending on the location.

[0063] U.S. Pat. No. 5,915,240 (Karpf, Jun. 22, 1999), expressly incorporated herein by reference, relates to a computer system and method for accessing medical information over a network. The system partitions the functioning of the system between a client and server program optimized in a manner to assure synchronization of the master medical information databases on the servers with the local medical information database on the client, minimize the use of network resources, and allow new types of medical information to be easily included in the system. A server site on the network maintains a description of its medical information, as well as the most current and up-to-date medical reference information. The client program maintains a local database that is automatically synchronized over the network with revisions and new medical information, and provides a user with an interface to fully review the information in the database. The system also uses a context-sensitive call facility so that users of the Medical Lookup Reference program can easily get further expert assistance about the medical topic. The call feature uses the network connection to establish a conversation between the user and a person at a help site specified by the type of medical information they are currently referencing. Once a connection is established, the system allows the user to engage in a conversation with the person at the help site, and a record of the conversation can be saved in a database for auditing purposes.

[0064] U.S. Pat. No. 5,924,074 (Evans, Jul. 13, 1999), expressly incorporated herein by reference, relates to an electronic medical records system. The system captures patient data, such as patient complaints, lab orders, medications, diagnoses, and procedures, at its source at the time of entry using a graphical user interface having touch screens. Using pen-based portable computers with wireless connections to a computer network, authorized healthcare providers can access, analyze, update and electronically annotate patient data even while other providers are using the same patient record. The system likewise permits instant, sophisticated analysis of patient data to identify relationships among the data considered. Moreover, the system includes the capability to access reference databases for consultation regarding allergies, medication interactions and practice guidelines. The system also includes the capability to incorporate legacy data, such as paper files and mainframe data, for a patient.

[0065] U.S. Pat. No. 5,933,809 (Hunt, et al., Aug. 3, 1999), expressly incorporated herein by reference, relates to computer software for processing medical billing record information. Hospital or individual doctor Medicare billing records are processed using computer software. The software contains at least one set of instructions for receiving, converting, sorting and storing input information from the pre-existing medical billing records into a form suitable for processing. The software contains at least one set of instructions for processing the input medical billing record information, preferably to identify potential Medicare "72 hour billing rule" violations. This processing is preferably performed by comparing each input medical billing record containing dates of medical inpatient admission and discharge to each input medical billing record containing a date of medical outpatient service. The inpatient and outpatient billing records are first compared to determine if they contain matching patient identification codes to identify all the records originating from the same patient. If matching patient identification codes are found the inpatient and outpatient billing records are further compared to determine if the date of outpatient service fell within a preselected time period, preferably 72 hours, prior to the date of inpatient admission. If so, the matching inpatient and outpatient billing records are distinguished and stored separately for further processing. If not, the matching inpatient and outpatient billing records are compared to determine if the date of outpatient service fell between the inpatient admission and discharge dates. If this is the case, the matching inpatient and outpatient billing records are again distinguished and stored separately for further processing. If not, the program proceeds to the next set of billing records to repeat the sequence.
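The screening sequence described above (match on patient identification code, then test the outpatient date against the pre-admission window, then against the stay itself), as an added example that is not the patent's software; record layouts and the sample billing records are constructed:

```python
"""Added example (not the patent's software) of the inpatient/outpatient
screening sequence described for U.S. Pat. No. 5,933,809 (Hunt).
Record layouts and the sample billing records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class InpatientRecord:
    patient_id: str      # matching is done on this code
    admitted: date
    discharged: date


@dataclass(frozen=True)
class OutpatientRecord:
    patient_id: str
    service_date: date


Match = Tuple[InpatientRecord, OutpatientRecord]


def screen_records(inpatient: List[InpatientRecord],
                   outpatient: List[OutpatientRecord],
                   window_days: int = 3) -> Tuple[List[Match], List[Match]]:
    """Apply the sequence from the text to every inpatient/outpatient pair.

    Returns two lists: pairs where the outpatient service fell within the
    window (72 hours = 3 calendar days at date granularity) before admission,
    and pairs where it fell between admission and discharge. Pairs that match
    neither test, or belong to different patients, are skipped.
    """
    window = timedelta(days=window_days)
    pre_admission: List[Match] = []
    during_stay: List[Match] = []
    for ip in inpatient:
        for op in outpatient:
            # Step 1: only records with matching patient identification codes.
            if ip.patient_id != op.patient_id:
                continue
            # Step 2: service within the preselected period prior to admission.
            if ip.admitted - window <= op.service_date < ip.admitted:
                pre_admission.append((ip, op))
            # Step 3: otherwise, service between admission and discharge.
            elif ip.admitted <= op.service_date <= ip.discharged:
                during_stay.append((ip, op))
            # Otherwise proceed to the next pair.
    return pre_admission, during_stay


# Constructed sample billing records.
SAMPLE_INPATIENT = [
    InpatientRecord("P001", date(2000, 3, 10), date(2000, 3, 15)),
    InpatientRecord("P002", date(2000, 3, 20), date(2000, 3, 22)),
]
SAMPLE_OUTPATIENT = [
    OutpatientRecord("P001", date(2000, 3, 7)),   # exactly 72 h before admission
    OutpatientRecord("P001", date(2000, 3, 8)),   # within the window
    OutpatientRecord("P001", date(2000, 3, 12)),  # during the stay
    OutpatientRecord("P001", date(2000, 3, 1)),   # outside both tests
    OutpatientRecord("P002", date(2000, 3, 9)),   # other patient, 11 days earlier
]


def flagged_service_dates() -> Tuple[List[str], List[str]]:
    """ISO dates of the sample outpatient visits flagged by each test."""
    pre, during = screen_records(SAMPLE_INPATIENT, SAMPLE_OUTPATIENT)
    return ([op.service_date.isoformat() for _, op in pre],
            [op.service_date.isoformat() for _, op in during])


if __name__ == "__main__":
    print(flagged_service_dates())
```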

[0066] U.S. Pat. No. 5,974,389 (Clark, et al., Oct. 26, 1999, Medical record management system and process with improved workflow features) relates to a patient medical record system that includes a number of caregiver computers and a patient record database with patient data coupled to the caregiver computers, which selectively provides access to the patient data from one of the caregiver computers responsive to a predetermined set of access rules. The predetermined set of rules includes a rule that access to a predetermined portion of the patient data by a first caregiver must be terminated before access to the same predetermined portion by a second caregiver is allowed.

[0067] U.S. Pat. No. 5,991,758 (Ellard, Nov. 23, 1999), expressly incorporated herein by reference, relates to a system and method for indexing information about entities from different information sources. A system and method for indexing a data record from an information source into a database containing a plurality of data records is provided, comprising receiving a data record from an information source, the received data record having a predetermined number of fields containing information about a particular entity, and standardizing and validating the data in the received data record. A system and method are also provided for retrieving records that refer to an entity characterized by a specific set of data values, by comparing a predetermined number of fields within the received data record with a predetermined number of fields within the data records already in the database, selecting as candidates those data records already in the database having data within some of the predetermined fields that is identical to the data in the fields of the received data record, and scoring the candidates to determine which data records hold information about the same entity.

[0068] U.S. Pat. No. 5,995,943 (Bull, et al., Nov. 30, 1999), expressly incorporated herein by reference, relates to an information aggregation and synthesis system and process, which provides aggregation and packaging of structured or unstructured information from disparate sources, such as those available on a network such as the Internet. A user operates a network compatible/addressable interface device. The network interface device communicates with local datastores or network accessible datastores via an addressing scheme such as the Uniform Resource Locator addresses (URLs) utilized by the Internet. Data passing between the network interface device and the datastores is accessed, polled, and retrieved through an intermediary gateway system. Such aggregated information is then synthesized, customized, personalized and localized to meet the information resource requests specified by the user via the network interface device.

[0069] U.S. Pat. No. 6,012,035 (Freeman, Jr., et al., Jan. 4, 2000), expressly incorporated herein by reference, relates to a system and method for supporting delivery of health care. Effectuation of a health care provision agency cooperative function is established through a communication network linking all the various entities of the cooperative. The entities include the third party payor members, the health providing individuals, clinics, or the like, along with secondary providers including pharmacies and laboratories, health care facilities such as hospitals, and the several entities associated with management of the cooperative and appropriate funds transfer functions. A coordinating interface system maintains data storage of the necessary information, and manages the entity intercommunications in accordance with the basic structure of the active and eligible elements of the agency cooperative.

[0070] U.S. Pat. No. 6,035,276 (Newman, et al., Mar. 7, 2000), expressly incorporated herein by reference, relates to a system and method for selectively generating provider application forms required to be submitted to health care provider organizations by physicians and related health care professionals. Physician credentialing profiles containing physician credentialing information are stored into a system database together with a plurality of different provider application formats associated with particular application forms which are completed and selected data extracted from the common information contained in the stored physician credentialing profiles. The method automatically inputs a subset of physician credentialing information required by a particular selected provider application format into the provider application form associated with that format and generates the particular provider application form.

[0071] U.S. Pat. No. 6,055,494 (Friedman, Apr. 25, 2000), expressly incorporated herein by reference, relates to a system and method for medical language extraction and encoding. In computerized processing of natural-language medical/clinical data including phrase parsing and regularizing, parameters are referred to whose value can be specified by the user. Thus, a computerized system can be provided with versatility, for the processing of data originating in diverse domains, for example. Further to a parser and a regularizer, the system includes a preprocessor, output filters, and an encoding mechanism.

[0072] U.S. Pat. No. 6,055,506 (Frasca, Jr., Apr. 25, 2000), expressly incorporated herein by reference, relates to an outpatient care data system dedicated to the transmission, storage and retrieval of outpatient data relating to the care of outpatients. The system is provided with a regional data system located at a regional location and a plurality of metropolitan area data systems operatively connected to the regional data system, each of the metropolitan area data systems being located at a different metropolitan location. Each metropolitan area data system may be provided with an electronic nursing station located within a hospital and first and second types of outpatient systems operatively coupled to the electronic nursing station on a real-time basis. The first type of outpatient system is situated at a first non-hospital location remote from the hospital and includes a medical device associated with an outpatient present at the first non-hospital location, and the second type of outpatient system is situated at a second non-hospital location remote from the hospital and includes a medical device associated with an outpatient present at the second non-hospital location.

[0073] U.S. Pat. No. 6,076,066 (DiRienzo, et al., Jun. 13, 2000), expressly incorporated herein by reference, relates to an attachment integrated claims (AIC) system formed by a combination of first, second and third storage media. The first storage medium stores computer readable instructions for permitting a first computer system to receive textual data as field data, where each of the field data is displayed on a predetermined portion of a first screen of the first computer system, to assemble the field data and a corresponding digitized image into a first file having an integrated file format, and to transmit the first file to a second computer system via a communications channel. The second storage medium stores computer readable instructions permitting the second computer system to receive the first file via the communications channel, to display the corresponding digitized attachment on a second screen of the second computer system, and to transfer the field data to a third computer operatively connected to the second computer. In addition, the third storage medium stores computer readable instructions permitting the third computer system to receive the field data from the second computer, to display the field data on a third screen and to generate a second file including portions of the field data extracted from the first file. In other words, the AIC system permits transmission of a customizable claim form and integrated attachment to an insurance carrier via a non-clearinghouse communications channel. An AIC system including several computers connected via a communications channel, an electronic file, and an operating method therefor are also described. In an exemplary case, the first file follows a predetermined graphic image interchange file format and the field data is incorporated into comment blocks associated with the predetermined graphic image interchange file format.

[0074] U.S. Pat. No. 6,076,166 (Moshfeghi, et al., Jun. 13, 2000), expressly incorporated herein by reference, relates to a system and method for personalizing hospital intranet web sites. The server includes a layer for dynamically generating web pages and other data objects using scripts, such as graphic, audio and video files, in dependence on stored information indicating the user's needs and preferences, including those presumed from stored information as to the user's function, job, or purpose for being at the hospital, and logged usage profiles, the level of the user's access privileges to confidential patient information, and the computer and physical environments of the user. Notably, the content is generated in dependence on the display resolution and lowest bandwidth link between the server and browser to limit the waiting time for downloads as well as the server load.

[0075] See also, U.S. Pat. No. 5,319,543 (Wilhelm, Jun. 7, 1994, Workflow server for medical records imaging and tracking system); U.S. Pat. No. 5,465,082 (Chaco, Nov. 7, 1995, Apparatus for automating routine communication in a facility); U.S. Pat. No. 5,508,912 (Schneiderman, Apr. 16, 1996, Clinical database of classified out-patients for tracking primary care outcome); U.S. Pat. No. 5,546,580 (Seliger, et al., Aug. 13, 1996, Method and apparatus for coordinating concurrent updates to a medical information database); U.S. Pat. No. 5,592,945 (Fiedler, Jan. 14, 1997, Real-time event charting in an electronic flowsheet); U.S. Pat. No. 5,619,991 (Sloane, Apr. 15, 1997, Delivery of medical services using electronic data communications); U.S. Pat. No. 5,664,109 (Johnson, et al., Sep. 2, 1997, Method for extracting pre-defined data items from medical service records generated by health care providers); U.S. Pat. No. 5,772,585 (Lavin, et al., Jun. 30, 1998, System and method for managing patient medical records); U.S. Pat. No. 5,778,882 (Raymond, et al., Jul. 14, 1998, Health monitoring system); U.S. Pat. No. 5,845,253 (Rensimer, et al., Dec. 1, 1998, System and method for recording patient-history data about on-going physician care procedures), each of which is expressly incorporated herein by reference.

[0076] Memory Cards

[0077] U.S. Pat. No. 6,021,393 (Honda, et al., Feb. 1, 2000), expressly incorporated herein by reference, relates to a medical information management system. As a portable memory card carried by a patient to store the patient's personal medical information, a hybrid-type memory card is used which includes an optical information recording area, an integrated circuit memory area and a magnetic information recording area. A read/write drive for the memory card includes an optical head, a carrier mechanism for loading the memory card on a carrier table and moving the loaded memory card relative to the optical head, and a coupler section for coupling electronic information to be read and written from and to the integrated circuit memory area of the memory card, so that reading and writing of optical information from and to the optical information recording area can be conducted simultaneously with reading and writing of the electronic information from and to the integrated circuit memory area.

[0078] U.S. Pat. No. 6,031,910 (Deindl, et al., Feb. 29, 2000), expressly incorporated herein by reference, relates to a method and system for the secure transmission and storage of protectable information, such as patient information, by means of a patient card. The data stored on the patient card are protected by cryptographic methods. The data is decrypted only with the same patient card if a doctor is authorized and the patient has given his agreement. All information that the patient card needs in order to decide whether the doctor is authorized, and the key for protecting the control data and the random key are held on the chip. The patient data can be freely transmitted to any storage medium. The chip controls both the access to the data and the encryption and decryption functions. Random keys, which are themselves stored encrypted together with the data, ensure that every data record remains separate from every other data record, and that only authorized persons can access it. Every patient card has its own record key. The system and method are not directed exclusively to patient data but can be applied to any protectable data to which right of access is to be restricted.

[0079] U.S. Pat. No. 6,034,605 (March, Mar. 7, 2000), expressly incorporated herein by reference, relates to a system and method for secure storage of personal information and for broadcast of the personal information at a time of emergency. A sealed package contains a medium storing personal information associated with an individual. The sealed package is stored at a facility until an emergency occurs. At a time of emergency, a missing person report concerning the individual generated by a law enforcement agency is processed. The personal information in the individual's sealed package is accessed in response to the missing person report and then broadcast on an electronic bulletin board accessible via the Internet.

[0080] U.S. Pat. No. 6,042,005 (Basile, et al., Mar. 28, 2000), expressly incorporated herein by reference, relates to a personal identification system for children, that includes two forms of identification. An identification card carried by the user contains the user's personal and medical information in an electronic medium. The identification card includes photographs of the user and their parent or legal guardian, a unique identification number for the user, and a list of corporate sponsors. The second identification device is to be worn by the user and includes the user's unique identification number and an access telephone number. A user interface enables the users to update their stored personal and medical information.

[0081] Rights-Based Access to Database Records

[0082] U.S. Pat. No. 5,325,294 (Keene, Jun. 28, 1994), expressly incorporated herein by reference, relates to a medical privacy system. A method and apparatus for authorized access to medical information concerning an individual, while preserving the confidentiality of, and preventing unauthorized access to, such information, is provided. A computer database receives and stores the individual's medical information, after the individual is tested to establish this information, and the date on which such information was most recently obtained. The computer database does not contain the individual's name, address or any other similar information by which the individual can be identified. The individual is given an identification card containing a photograph or holographic image of the individual and containing a confidential first identification number that is unique for the individual, where both the image and the first identification number are visually perceptible and cannot be altered on the card without detection of such alteration. The individual is also given a confidential second identification number that is not contained on the card and need not be unique for that individual. The computer database can be accessed telephonically, and the individual's medical information, or a portion thereof, can be read by an inquirer only if the inquirer or the individual first provides the individual's first and second identification numbers. The inquirer can use the image and first identification number on the individual's card to confirm the identity of that individual but need not be told the individual's second identification number. After the inquirer establishes the identity of the individual, the inquirer, with the assistance of the individual, can obtain a telephonic readout of the individual's medical information.

[0083] U.S. Pat. No. 5,499,293 (Behram, et al., Mar. 12, 1996), expressly incorporated herein by reference, relates to a privacy protected information medium that uses an efficient data compression/decompression scheme with a passive data storage medium, such as a card, for storage of medical information. The system operates on existing personal computer hardware in a medical center or doctors' offices, doing away with expensive investments in specialized central processing hardware. With the advent of inexpensive desktop computing, a number of inventions have been offered to improve medical information storage and retrieval. They include the development of portable medical card technologies such as SmartCards and optical cards, which are capable of storing medical information and can be carried by the patient. This card-based system provides a methodology for storage and retrieval of medical information from a passive credit-card sized instrument. The card is manufactured with minimal expense using existing, well-known optical scanning or magnetic tape reading, or a data interrogation means in a SmartCard based system.

[0084] U.S. Pat. No. 5,987,440 (O'Neil, et al., Nov. 16, 1999), expressly incorporated herein by reference, relates to a personal information security and exchange tool. Utilization of the E-Metro Community and Personal Information Agents assures an effective and comprehensive agent-rule based command and control of informational assets in a networked computer environment. The concerns of informational privacy and informational self-determination are addressed squarely by affording persons and entities a trusted means to author, secure, search, process, and exchange personal and/or confidential information in a networked computer environment. The formation of trusted electronic communities, wherein members command and control their digital persona, exchanging or brokering for value the trusted utility of their informational assets, is made possible. The system provides for the trusted utilization of personal data in electronic markets, providing both communities and individuals aggregate and individual rule-based control of the processing of their personal data.

[0085] U.S. Pat. No. 6,029,160 (Cabrera, et al., Feb. 22, 2000), expressly incorporated herein by reference, relates to a system and method for linking a database system with a system for filing data. Extensions to a database system provide linkage between data in the database system and files in a system for filing data that is external to the database system ("the filing system"). The linkage includes an external file reference (EFR) data type, which is defined in the database system for reference to files that are stored in the filing system. When entries are made in the database system that include EFR data-type references to files in the filing system, control information is provided by the database system to the filing system. The control information causes the filing system to control processing of referenced files according to referential constraints established in the database system.

[0086] U.S. Pat. No. 6,038,563 (Bapat, et al., Mar. 14, 2000), expressly incorporated herein by reference, relates to a system and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects. An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. An access control procedure limits access to the management information stored in the database tables using at least one permissions table. A permissions table defines a subset of rows in the database tables that are accessible to at least one of the users. The set of database table rows that are accessible corresponds to the managed object access rights specified by the access control database. A user access request to access management information in the database is intercepted, and the access control procedure is invoked when the user access request is a select statement. The database access engine accesses information in the set of database tables using the permissions tables such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.

[0087] U.S. Pat. No. 6,041,411 (Wyatt, Mar. 21, 2000), expressly incorporated herein by reference, relates to a method for defining and verifying user access rights to computer information. A method is provided for minimizing the potential for unauthorized use of digital information, particularly software programs, digital content and other computer information, by verifying user access rights to electronically transmitted digital information. A second computer system transmits requested digital information to a requesting first computing system in wrapped form, which includes digital instructions that must be successfully executed, or unwrapped, before access to the digital information is allowed. Successful unwrapping requires that certain conditions must be verified in accordance with the digital instructions, thereby allowing access to the digital information. In one embodiment, verification includes locking the digital information to the requesting computer system by comparing a generated digital fingerprint associated with the digital information to a digital fingerprint previously generated which is unique to the requesting computer system.

[0088] U.S. Pat. No. 6,044,401 (Harvey, Mar. 28, 2000), expressly incorporated herein by reference, relates to a network sniffer for monitoring and reporting network information that is not privileged beyond a user's privilege level. Nodes in the network include a network sniffer and an access sniffer. The access sniffer includes an access element and an access interface. The access element preferably includes a memory and a database. The access element accesses the network sniffer and filters out unavailable information by using information such as addresses and port numbers gathered by the network sniffer. Unavailable information includes information which is non-public or beyond the privilege level of the particular user. The access element evaluates data streams that are public information to determine if the data streams meet a predetermined criterion. If the data streams meet the predetermined criterion, then the data is saved in the database. The access element transfers only the information available to the particular user to the access interface. The access element can time itself for a limited amount of time for execution. Once the predetermined time period has expired, the access element is complete and it can save and transfer the appropriate information to the access interface.

[0089] U.S. Pat. No. 6,052,688 (Thorsen, Apr. 18, 2000), expressly incorporated herein by reference, relates to a computer-implemented control of access to atomic data items. The method comprises the steps of initiating and maintaining data access nodes in a variable access structure. Each access node is provided with references to other access nodes and/or to data items representing an object, each data item carrying only the amount of information that is relevant for its purpose. The data items or the references are provided with a time parameter thus enabling version control and the possibility to handle static or slowly changing data and frequently changed and updated data in a corresponding manner. The access nodes comprise access control parameters for access control from a safety point of view as well as for enabling different views of the access structure and underlying data and objects.

[0090] U.S. Pat. No. 6,073,106 (Rozen, et al., Jun. 6, 2000), expressly incorporated herein by reference, relates to a method of managing and controlling access to personal information. A participant is prompted to provide a constant identifier and a selected password via Internet communications or via phone/fax/mail. Emergency and confidential categories of medical information are identified, and the participant is prompted to provide personal information in each of the categories and a different personal identification number (E-PIN, C-PIN) for each category. The participant is also prompted to provide an instruction to disclose or to not disclose the personal information in the emergency category in the event a requester of the information is an emergency medical facility and is unable to provide the participant's E-PIN. Alteration of any of the participant's medical information is enabled upon presentation of the participant's identifier and password by the requester. The emergency information or the confidential information is disclosed upon presentation of the participant's identifier and E-PIN or C-PIN. In addition, the emergency information is disclosed to an emergency medical facility verified as such by a service provider in the event the participant has provided an instruction to disclose the emergency information. Storage and access to health related documents such as healthcare power of attorney, consent for treatment, and eyeglass prescription is also provided.

[0091] U.S. Pat. No. 6,073,234 (Kigo, et al., Jun. 6, 2000), expressly incorporated herein by reference, relates to a device and method for authenticating a user's access rights to resources. Neither the user side nor the protecting side, such as the programmer of an application, needs to handle a large number of items of inherent information such as authentication keys. An access ticket generation device generates an access ticket from user unique identifying information and access rights authentication feature information. The unique security characteristic information used is a secret key of an elliptic curve encryption or an ElGamal encryption. A proof data generation device receives the access ticket, converts authentication data received from a proof data verification device into proof data by use of the access ticket and the user unique identifying information, and returns the resultant proof data to the proof data verification device. The proof data generation device or the proof data verification device decrypts the above-mentioned encryption. The proof data verification device verifies the access rights as correct only when the combination of access ticket and user unique identifying information used in the proof data generation device is correct.

[0092] Role-Based Access

[0093] U.S. Pat. No. 6,023,765 (Kuhn, Feb. 8, 2000; Implementation of role-based access control in multi-level secure systems), expressly incorporated herein by reference, relates to a system and method for implementation of role-based access control in multi-level secure systems. Role-based access control (RBAC) is implemented on a multi-level secure (MLS) system by establishing a relationship between privileges within the RBAC system and pairs of levels and compartments within the MLS system. The advantages provided by RBAC, that is, reducing the overall number of connections that must be maintained, and, for example, greatly simplifying the process required in response to a change of job status of individuals within an organization, are then realized without loss of the security provided by MLS. A trusted interface function is developed to ensure that the RBAC rules permitting individuals' access to objects are followed rigorously, and provides a proper mapping of the roles to corresponding pairs of levels and compartments. No other modifications are necessary. Access requests from subjects are mapped by the interface function to pairs of levels and compartments, after which access is controlled entirely by the rules of the MLS system.
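The RBAC-over-MLS arrangement described above, as an added example that is not the patent's implementation: roles carry privileges, a trusted interface function maps each privilege to a (level, compartment set) pair, and the MLS dominance rule alone decides the request. The level names, roles, compartments and object labels are all constructed.

```python
"""Added example (not the patent's implementation) of the RBAC-over-MLS
mapping described for U.S. Pat. No. 6,023,765 (Kuhn). Level names, roles,
privileges, compartments and object labels are all constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed linear ordering of MLS sensitivity levels.
LEVELS: Dict[str, int] = {"PUBLIC": 0, "CONFIDENTIAL": 1, "RESTRICTED": 2}

Label = Tuple[str, FrozenSet[str]]  # (level, compartments)

# RBAC side: users hold roles, roles carry privileges (constructed policy).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"attending"},
    "bob": {"nurse"},
    "carol": {"billing"},
}
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "nurse": {"read_vitals"},
    "attending": {"read_vitals", "read_psych_notes"},
    "billing": {"read_invoices"},
}

# Trusted interface function's table: each RBAC privilege corresponds to a
# (level, compartment set) pair on the MLS side.
PRIVILEGE_LABELS: Dict[str, Label] = {
    "read_vitals": ("CONFIDENTIAL", frozenset({"CLINICAL"})),
    "read_psych_notes": ("RESTRICTED", frozenset({"CLINICAL", "PSYCH"})),
    "read_invoices": ("CONFIDENTIAL", frozenset({"FINANCE"})),
}

# Objects carry MLS labels only; nothing on the MLS side knows about roles.
VITALS: Label = ("CONFIDENTIAL", frozenset({"CLINICAL"}))
PSYCH_NOTE: Label = ("RESTRICTED", frozenset({"CLINICAL", "PSYCH"}))
INVOICE: Label = ("CONFIDENTIAL", frozenset({"FINANCE"}))


def dominates(subject: Label, obj: Label) -> bool:
    """MLS rule: a subject may read an object only if its level is at least
    the object's level and its compartments include all of the object's."""
    return LEVELS[subject[0]] >= LEVELS[obj[0]] and obj[1] <= subject[1]


def interface_labels(user: str, roles: Dict[str, Set[str]] = USER_ROLES) -> List[Label]:
    """The trusted interface function: map a user's roles, via their
    privileges, to the MLS labels the user may operate at."""
    labels: List[Label] = []
    for role in sorted(roles.get(user, set())):
        for priv in sorted(ROLE_PRIVILEGES[role]):
            labels.append(PRIVILEGE_LABELS[priv])
    return labels


def may_read(user: str, obj: Label, roles: Dict[str, Set[str]] = USER_ROLES) -> bool:
    """Access is decided entirely by the MLS rule once the request has been
    mapped; the user is assumed to start a session at any label a role grants."""
    return any(dominates(lbl, obj) for lbl in interface_labels(user, roles))


def promote(user: str, new_role: str, roles: Dict[str, Set[str]] = USER_ROLES) -> Dict[str, Set[str]]:
    """Job-status change handled purely on the RBAC side: returns a new roles
    table; no object labels or MLS rules need to be touched."""
    updated = {u: set(r) for u, r in roles.items()}
    updated.setdefault(user, set()).add(new_role)
    return updated


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, may_read(user, VITALS), may_read(user, PSYCH_NOTE), may_read(user, INVOICE))
    print("bob after promotion:", may_read("bob", PSYCH_NOTE, promote("bob", "attending")))
```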

[0094] See also, U.S. Pat. No. 6,073,242 (Electronic authority server); U.S. Pat. No. 6,073,240 (Method and apparatus for realizing computer security); U.S. Pat. No. 6,064,977 (Web server with integrated scheduling and calendaring); U.S. Pat. No. 6,055,637 (System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential); U.S. Pat. No. 6,044,466 (Flexible and dynamic derivation of permissions); U.S. Pat. No. 6,041,349 (System management/network correspondence display method and system therefore); U.S. Pat. No. 6,014,666 (Declarative and programmatic access control of component-based server applications using roles); U.S. Pat. No. 5,991,877 (Object-oriented trusted application framework); U.S. Pat. No. 5,978,475 (Event auditing system); U.S. Pat. No. 5,949,866 (Communications system for establishing a communication channel on the basis of a functional role or task); U.S. Pat. No. 5,925,126 (Method for security shield implementation in computer system's software); U.S. Pat. No. 5,911,143 (Method and system for advanced role-based access control in distributed and centralized computer systems); U.S. Pat. No. 5,797,128 (System and method for implementing a hierarchical policy for computer system administration); U.S. Pat. No. 5,761,288 (Service context sensitive features and applications); U.S. Pat. No. 5,751,909 (Database system with methods for controlling object interaction by establishing database contracts between objects); U.S. Pat. No. 5,748,890 (Method and system for authenticating and auditing access by a user to non-natively secured applications); U.S. Pat. No. 5,621,889 (Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility); U.S. Pat. No. 5,535,383 (Database system with methods for controlling object interaction by establishing database contracts between objects); U.S. Pat. No. 5,528,516 (Apparatus and method for event correlation and problem reporting); U.S. Pat. No. 5,481,613 (Computer network cryptographic key distribution system); U.S. Pat. No. 5,347,578 (Computer system security); U.S. Pat. No. 5,265,221 (Access restriction facility method and apparatus), each of which is expressly incorporated herein by reference.

[0095] Secure Networks

[0096] U.S. Pat. No. 5,579,393 (Conner, et al., Nov. 26, 1996), expressly incorporated herein by reference, relates to a system and method for secure medical and dental record interchange, comprising a provider system and a payer system. The provider system includes a digital imager, a processing unit, a data transmission/reception device, and a memory having a provider management unit and a security unit. For each image acquired from the digital imager, the provider management unit generates a unique image ID, and creates an image relation structure having a source indicator, a status indicator, and a copy-from indicator. The provider management unit organizes images into a message for transmission to a payer system. The security unit performs message encryption, image signature generation, and message signature generation. The payer system includes a processing unit, a data transmission/reception device, and a memory having a payer management unit and a security unit. The payer system's security unit validates message signatures and image signatures received. The payer management unit generates a message rejection notification or a message acceptance notification. A method for provider-side secure medical and dental record interchange comprises the steps of: acquiring an image; generating a unique image ID and an image relation structure; maintaining a status indicator, a source indicator, and a copy-from indicator; generating an image signature; creating a message that includes the image; and generating a message signature. A method for payer-side secure medical and dental record interchange comprises the steps of: validating a message signature; validating an image signature; and selectively generating a message acceptance notification or a message rejection notification.

[0097] U.S. Pat. No. 5,890,129 (Spurgeon, Mar. 30, 1999), expressly incorporated herein by reference, relates to a system for exchanging health care insurance information. An information-exchange system is provided for controlling the exchange of business and clinical information between an insurer and multiple health care providers. The system includes an information-exchange computer that is connected over a local area network to an insurer computer using a proprietary database and over the Internet to health-care provider computers using open database-compliant databases. The information-exchange computer receives subscriber insurance data from the insurer computer's database, translates the insurance data into an exchange database, and pushes the subscriber insurance data out over the Internet to the computer operated by the health-care provider assigned to each subscriber. The information-exchange system stores the data in the provider database. The information-exchange system also provides for the preparation, submission, processing, and payment of claims over the local area network and, with push technology, over the Internet. In addition, prior authorization requests may be initiated in the provider computers and exchanged over the information-exchange system for review by the insurer computer. Processed reviews are transmitted back to the provider computer and to a specialist computer, if required, using push technology over the Internet.

[0098] U.S. Pat. No. 5,930,759 (Moore, et al., Jul. 27, 1999), expressly incorporated herein by reference, relates to a method and system for processing health care electronic data transactions. A system or network is provided for assembling, filing and processing health care data transactions and insurance claims made by patients pursuant to health care policies issued to the patients by insurance companies or other carriers for services provided to the patients at health care facilities. The network comprises a multitude of participating patients, a multitude of health care facilities, and a plurality of insurance companies or other carriers. Each of the patients has a personal data file including a set of patient related data encoded in a machine readable format, and each of the health care facilities has a telecommunications unit and a file reader to read the data on the personal data files and to transmit the patient related data to the telecommunications unit at the facility. The network further includes a central claims processing unit connected to the telecommunications units of the health care facilities to receive the electronic claim forms from those facilities and to adjudicate those claims.

[0099] U.S. Pat. No. 5,933,498 (Schneck, et al., Aug. 3, 1999), expressly incorporated herein by reference, relates to a system for controlling access and distribution of digital property represented as data. Portions of the data are protected and rules concerning access rights to the data are determined. Access to the protected portions of the data is prevented, other than in a non-useable form; and users are provided access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection. A method is also provided for distributing data for subsequent controlled use of those data. The method includes protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing a package including: the protected portions of the data and the protected rules. A user is provided controlled access to the distributed data only in accordance with the rules as enforced by a mechanism protected by tamper protection. A device is provided for controlling access to data having protected data portions and rules concerning access rights to the data. The device includes means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.

[0100] U.S. Pat. No. 5,978,918 (Scholnick, et al., Nov. 2, 1999), expressly incorporated herein by reference, relates to a practical method and system for supplementing or replacing current security protocols used on public networks involving the distribution of a proprietary system for use on a public network access provider's network. The proprietary system includes processing hardware and proprietary software. The proprietary system transmits private data, outside the Internet, over proprietary lines to a back-end process. When a "sender" sends private data it is sent over the proprietary system to a back-end process. The back-end process returns a time sensitive token that the "sender" sends to the "receiver". The "receiver" takes the time sensitive token and uses it to either retrieve the private data, over a proprietary system, or initiate a transaction with a financial institution. Encryption is used to allow authentication of the participants. This method can be used in conjunction with Secure Socket Layer (SSL) encryption and/or the Secure Electronic Transaction (SET) protocol.
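The sender/back-end/receiver exchange summarised above, as an added example that is not the Scholnick patent's code: the sender deposits the private data with the back-end process over the private channel and receives a time-sensitive token, and the receiver later redeems the token for the data. The token format, its lifetime, the single-use rule and the in-memory store are assumptions made for the example; the private channel is simply a method call here.

```python
"""Added illustration (not the patent's code) of a time-sensitive token exchange:
private data never crosses the public network, only the token does.  Lifetime,
token format and single-use behaviour are assumptions for this example."""
import secrets
import time


class BackEnd:
    """Back-end process reached over the proprietary lines, holding private data."""

    def __init__(self, lifetime_s: float = 300.0, now=time.time):
        self.lifetime_s = lifetime_s
        self.now = now                 # injectable clock so expiry can be tested
        self._store = {}               # token -> (private_data, expiry_time)

    def deposit(self, private_data: bytes) -> str:
        """Sender side: store the data and return an unguessable, time-limited token.
        The token is the only thing the sender passes on to the receiver."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._store[token] = (private_data, self.now() + self.lifetime_s)
        return token

    def redeem(self, token: str):
        """Receiver side: exchange the token for the data, once, before it expires.
        Returns the data, or None if the token is unknown, already used or expired."""
        entry = self._store.pop(token, None)       # single use: gone after first redeem
        if entry is None:
            return None
        data, expiry = entry
        if self.now() > expiry:
            return None                            # expired tokens yield nothing
        return data
```

A captured token is therefore worthless after its first redemption or after the lifetime elapses, which is the property that lets the token travel over the public network.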

[0101] U.S. Pat. No. 6,005,943 (Cohen, et al., Dec. 21, 1999), expressly incorporated herein by reference, relates to electronic identifiers for network terminal devices. Electronic identifiers are generated for network interface units connected to a data network, for use in detecting unauthorized decryption of encrypted data transmitted over the data network. A random number is generated for use as a private key decryption code and is stored in memory in each network interface unit. A public key is calculated from the stored private key using a non-invertible mathematical formula. If the calculated public key is unique, then a portion of the public key (e.g., a subset of its bits) is stored in a data provider database as an electronic identifier for use in detecting unauthorized decryption of data by the interface unit.

[0102] U.S. Pat. No. 6,009,526 (Choi, Dec. 28, 1999), expressly incorporated herein by reference, relates to an information security system for tracing information outflow from a remotely accessible computer or computer network. The system includes an internal communication system that has at least one internal computer for transmitting security information by tracing data through communication equipment, outputting the data to an external output means, and connecting the internal computer to an external network. A communication-monitoring device stores information regarding the data that is to be transmitted by applying a security policy according to a security grade assigned to the destination to which the data is to be transmitted. The communication-monitoring device is configured for extracting the identification of the destination from the transmitted data. It also includes a communication-monitoring server for storing and displaying predetermined information about the data to be transmitted and for determining whether the tracing information is stored according to the security grade for the identified destination. A method of operating the disclosed system is also described.

[0103] U.S. Pat. No. 6,021,202 (Anderson, et al., Feb. 1, 2000), expressly incorporated herein by reference, relates to a method and system for processing electronic documents, which includes a markup language according to the SGML standard in which document type definitions are created under which electronic documents are divided into blocks that are associated with logical fields that are specific to the type of block. Each of many different types of electronic documents can have a record mapping to a particular environment, such as a legacy environment of a banking network, a hospital's computer environment for electronic record keeping, a lending institution's computer environment for processing loan applications, or a court or arbitrator's computer system. Semantic document type definitions for various electronic document types (including, for example, electronic checks, mortgage applications, medical records, prescriptions, contracts, and the like) can be formed using mapping techniques between the logical content of the document and the block that is defined to include such content. Also, the various document types are preferably defined to satisfy existing customs, protocols and legal rules.

[0104] U.S. Pat. No. 6,021,491 (Renaud, Feb. 1, 2000), expressly incorporated herein by reference, relates to digital signatures for data streams and data archives. Methods, apparatuses and products are provided for verifying the authenticity of data within one or more data files. Each data file is provided with an identifier, such as a one-way hash function or cyclic redundancy checksum. A signature file, that includes the identifiers for one or more data files, is provided with a digital signature created with a signature algorithm. The data file(s) and signature file are then transferred, or otherwise provided to a user. The user verifies the digital signature in the signature file using a signature-verifying algorithm. Once verified as being authentic, the signature file can be used to verify each of the data files. Verification of the data files can be accomplished by comparing the identifier for each data file with the corresponding identifier in th
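The signature-file scheme summarised above, as an added example that is not the Renaud patent's code: each data file gets a SHA-256 identifier, the identifiers are gathered into a signature file, that file is signed, and the recipient checks the signature before trusting any identifier. Python's standard library has no public-key signature, so an HMAC-SHA256 under a constructed key stands in for the signature algorithm here (an assumption, not the patent's choice); the file contents in the test are constructed.

```python
"""Added illustration (not the patent's code) of a signed manifest of per-file
identifiers.  HMAC-SHA256 under a constructed key stands in for the patent's
signature algorithm; a real deployment would use a public-key signature."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"    # stand-in for the signer's key


def file_identifier(data: bytes) -> str:
    """One-way hash identifier for a single data file."""
    return hashlib.sha256(data).hexdigest()


def _canonical(identifiers: dict) -> bytes:
    # Deterministic encoding so signer and verifier sign the same bytes.
    return json.dumps(identifiers, sort_keys=True).encode()


def make_signature_file(files: dict) -> dict:
    """Build the signature file: an identifier per data file plus a signature
    over the canonical encoding of those identifiers."""
    ids = {name: file_identifier(data) for name, data in files.items()}
    sig = hmac.new(SIGNING_KEY, _canonical(ids), "sha256").hexdigest()
    return {"identifiers": ids, "signature": sig}


def verify(files: dict, sig_file: dict) -> tuple:
    """Recipient side: verify the signature first; only an authentic signature
    file may be used to check the data files.  Returns (ok, problems)."""
    expected = hmac.new(SIGNING_KEY, _canonical(sig_file["identifiers"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig_file["signature"]):
        return False, ["signature file is not authentic"]
    problems = []
    for name, ident in sig_file["identifiers"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif file_identifier(files[name]) != ident:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in sig_file["identifiers"]:
            problems.append(f"unsigned extra file: {name}")
    return not problems, problems
```

Note the ordering: an attacker who alters a data file must also alter its identifier in the signature file, and that alteration is what the signature check catches before any per-file comparison is trusted.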