Privacy Issues of Provenance in Electronic Healthcare Record Systems

Tamás Kifor 1, László Z. Varga 1, Sergio Álvarez 2, Javier Vázquez-Salceda 2, Steven Willmott 2

1 Computer and Automation Research Institute, Kende u. 13-17, 1111 Budapest, Hungary
{tamas.kifor, laszlo.varga}@sztaki.hu
http://www.sztaki.hu/

2 Universitat Politècnica de Catalunya, Jordi Girona Salgado 1-3, E-08034 Barcelona, Spain
{salvarez, jvazquez, steve}@lsi.upc.edu
http://www.upc.edu/

Abstract. Cooperation techniques modelled by agent systems and standardised electronic healthcare record exchange techniques help the reunification of the different pieces of the therapy of a single patient executed in a distributed way at different places, but currently these models and techniques are ad-hoc and based on the information provided by the patient. In the organ transplant demonstration application of the Provenance project we propose the usage of the novel provenance techniques to provide better healthcare services for patients by providing a unified view of the whole health treatment history. While this is good to improve the medical processes, it also introduces new privacy risks, because the agent with the provenance information knows much more about the patient than any other agent in the system. In this paper we are going to investigate the privacy aspects of introducing provenance into healthcare information systems and propose methods against the new risks.

1 Introduction

The applications of the agent paradigm for Healthcare information systems increase day by day [1]. Agents can support communication and coordination not only between organizations but even among all members of a medical team, allowing the sharing of information and providing distributed decision making support. Agents can also be used to adapt medical services to patients’ needs (personalization).
Moreover, the flexible way in which agents operate is suited to the dynamic situations in the open and changing environment in which healthcare information systems are expected to operate. In distributed scenarios, modelling the application components as agents with some degree of autonomy easily reflects the decentralized nature of the network of healthcare institutions and can be considered as the natural extension to the notion of encapsulation in systems that are owned and developed by different authorities.

Although the agent paradigm is well suited to modelling healthcare information systems, sometimes the distributed nature of healthcare institutions themselves hin-