CHOS-WG Scenario: Patient Record Access Control
Version 1.0, 26 May 2009, Etienne Saliez
- Introduction:
  - Given a valid patient identification, the question here is the
    control of access rights.
- Principles:
  - A priori, every care provider is bound by ethical and
    confidentiality rules. Moreover, as a reminder, it is good practice to
    ask them to sign a written agreement. Nevertheless, additional
    precautions are desirable.
  - Role Based Access Rules:
    - The underlying idea is the "Need to Know" principle, i.e.
      medical information should be available exclusively to the persons
      who need it in order to perform their care tasks.
    - The patient has a say about whom he trusts.
    - The authorization of who is allowed to write in the record,
      e.g. to prescribe treatments, is an even more critical responsibility
      than the confidentiality issue about reading information.
  - Cultural context:
    - Open Source software provides software tools, but would not
      dictate in detail how ethical rules should be applied.
    - Depending on the country, the approaches may differ a little,
      taking into account the relative importance given to factors such as
      the patient's rights, the healthcare professional's rights, the
      question of who owns the patient record, etc.
    - Borderline privacy questions may still exist about what
      information is really necessary to share. Nobody can know which
      information could become useful next year, depending on the
      evolution of the patient.
    - Research projects are of course necessary for the community,
      but should be done as far as possible in an anonymous way.
- Considered solutions in practice:
  - ( 1 ) Standard authorization profile:
    - The user must have a permanent profile allowing access to
      patient medical data at all. See the "authorization profile"
      introduced in the "User Session" chapter.
  - ( 2 ) Therapeutic Role and the global record:
    - Moreover, being a registered healthcare professional, or even
      a doctor, is not enough. There should be evidence of a therapeutic
      role between the patient and the user requesting access. In
      practice the question is with which level of precision this control
      should be implemented.
    - Simple evidence:
      - If the patient comes to a local healthcare center asking
        for care, as usual, one can assume he trusts the local team. For
        example, when coming with a request for lab tests issued by a
        known doctor, both this doctor and the lab can be assumed to be
        allowed to access the information.
    - "Care Team" Management:
      - When the goal is to share patient records in the scope of
        a much larger multidisciplinary community at regional or national
        level, the solution is to install a Care Team registration inside
        the patient record, i.e. to maintain a list of actors allowed to
        share the patient record.
      - In order to get access, any user must be known as a
        member of the patient's personal Care Team.
      - Management:
        - New members can be added at any time, on explicit
          request of the patient. This can be done explicitly, but to be
          practical, indirect evidence should also be accepted
          automatically, as in the lab example above.
        - Actors will be automatically removed from the Care
          Team after a given delay following their latest activity, e.g.
          a year, or sometimes immediately on request of the patient.
        - The patient should keep a special key to manage his own
          Care Team.
  - ( 3 ) Possibility of additional control at item level:
    - Regarding some very sensitive information, situations could
      arise where the control needs to be at the item or document level
      inside the patient record, restricted to a few specific members of
      the care team.
    - If required, more elaborate solutions could be implemented.
      One way to achieve this would be to consider multiple Care Teams,
      for example an extra Care Team between only the GP and the psy, not
      open to the other members of the general Care Team, with every
      document being tagged with one or more Care Teams.
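As an added worked example, not part of the CHOS-WG document, the following Python sketch models the three levels of control described above: the permanent authorization profile, Care Team membership with explicit or indirect evidence, automatic removal after a year of inactivity, the patient's own management key, and item-level tagging of documents with one or more Care Teams. The class and field names, the dictionary layout and the choice of 365 days as the concrete inactivity delay are assumptions.

```python
from datetime import timedelta

INACTIVITY_LIMIT = timedelta(days=365)  # "e.g. a year" taken as a concrete value

class PatientRecord:
    """Patient record holding one or more Care Teams and tagged documents."""

    def __init__(self, patient_key):
        self.patient_key = patient_key      # special key kept by the patient
        self.teams = {"general": {}}        # team name -> {actor: last activity}
        self.documents = {}                 # document id -> set of team names

    def add_member(self, actor, today, team="general", key=None, evidence=None):
        # An explicit request carries the patient's key; indirect evidence (a
        # lab request issued by a doctor already in the general team) is accepted.
        if key != self.patient_key and evidence not in self.teams["general"]:
            raise PermissionError("patient key or indirect evidence required")
        self.teams.setdefault(team, {})[actor] = today

    def remove_member(self, actor, key):
        # Immediate removal from every team, only on the patient's request.
        if key != self.patient_key:
            raise PermissionError("only the patient may remove members")
        for members in self.teams.values():
            members.pop(actor, None)

    def expire(self, today):
        # Automatic removal after the inactivity delay, in every team.
        for members in self.teams.values():
            for actor, last in list(members.items()):
                if today - last > INACTIVITY_LIMIT:
                    del members[actor]

    def add_document(self, doc_id, teams=("general",)):
        self.documents[doc_id] = set(teams)  # item level: tag with one or more teams

def can_read(record, user, doc_id, today):
    """Apply the three levels of control; return True if access is granted."""
    if not user.get("profile_allows_patient_data"):   # (1) permanent profile
        return False
    record.expire(today)                               # (2) therapeutic role
    teams = record.documents.get(doc_id, set())        # (3) document tags
    allowed = [t for t in teams if user["id"] in record.teams.get(t, {})]
    if not allowed:
        return False
    for t in allowed:                                  # reading counts as activity
        record.teams[t][user["id"]] = today
    return True
```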
- Result:
  - If OK, the user can work in the patient record according to the
    above levels of control. See the next pages.
- Required resources:
  - As above, plus the Care Team Class.