View article

The growth of the Internet has been accompanied by the growth of e-health services (e.g. online medical advice, online pharmacies). This proliferation of services and the increasing regulatory and legal requirements for personal privacy have fueled the need to protect the personal privacy of service users. Existing approaches for privacy protection such as access control are predicated on the e-service provider having possession and control over the user's personal data. In this paper, we propose a new approach to protecting personal privacy for e-health services: keeping possession and control over the user's personally identifiable information in the hands of the user as much as possible. Our approach can also be characterized as distributing personally identifiable information only on a "need to know" basis.