CHOS-WG Scenario: Patient Record Access Control

Version 1.0, 26 May 2009, Etienne Saliez

Having a valid patient identification the question is here the control of the access rights.

A priori every care provider is submitted to ethical and confidentiality rules. Moreover as reminder, a good practice is to ask to sign a written agreement. Nevertheless additional precautions are desirable.
Role Based Access Rules:

The underlying idea is the "Need to Know" principle, i.e. medical information should be exclusively available to the persons who need it in order to perform their care tasks.

The patient has to say about who he trust.
The authorization of who is allowed to write in the record, e.g. to prescribe treatments, is even a more critical responsibility than confidentiality issue about reading information.
Cultural context:

Open Source software provide software tools, but would not dictate in details how ethical rules should be applied.
Depending the country the approaches may be a little different, taking account of the relative importance allowed to factors as the patient rights, the healthcare professional rights, the question of who is the owner of the patient record, etc...
Border line privacy questions may still exists about what information is really necessary to share. Nobody would know which information could become useful next year, in function of the evolution of the patient.

Research projects are of course necessary for the community, but should be done as far as possible in an anonymous way.

The user must have a permanent profile allowing to access patient medical data at all. See the "authorization profile" as introduced in the "User Session" chapter.

Moreover being a registered healthcare professional, or even a doctor, is not enough. There should be evidence of a therapeutic role between the patient and the user requiring access.
In practice the question is with which level of precision this control should be implemented.

If the patient is coming to a local healthcare center asking for care, as ever, one can assume he trust the local team.
For example coming with a demand for lab tests, on request of a known doctor, both this doctor and the lab can be assumed to be allowed to access the information.

When the goal is to share patient records in the scope of a much larger multidisciplinary community at regional or national level, the solution is to install a Care Team registration inside the patient record, i.e. to maintain a list of actors allowed to share the patient record.
In order to get access, any user must be known as a member of the personal Care Team of the patient.
Management:

New members can be added at any time, on explicit request of the patient. This can be done explicitly, but to be practical indirect evidence should also be accepted automatically, as in the above lab example.
Actors will be automatically removed from the Care Team, after a given delay after the latest activity, e.g. a year, or sometime immediately on request of the patient.
The patient should keep a special key to manage his own Care Team.

Regarding some very sensible information, situations could arise where the control need to be at the item or document level inside the patient record and restricted to a few specific members of the care team.

If required more elaborated solutions could be implemented. One way to achieve this would be to consider multiple Care Teams, e.g. for example an extra Care Team between only the GP and the psy, and not open for the other members of the general Care Team. Every document being tagged with one or more Care Teams.

If OK the user can work in the patient record, according to the above levels of control. See the next pages.