Antw: Author Information Mandate (Re: Archetype production: Types of Archetyp...

In a message dated 14-12-2007 21:13:21 W. Europe Standard Time, jpfreriks@gmail.com writes:

Dear Josina,

This question should perhaps be in the openEHR legal list serve :-)

From the clinical point of view I understand your question. However, the two use cases differ 180 degrees.

The cancer use case is according to Dutch law at the edge of illegality. A Doctor is not allowed to not enter objective patient data in the record. He is allowed to keep personal notes on the cancer, but the moment he enters this information as reason for a lab test it should be disclosed to the patient. Anyway, the patronizing approach with respect to cancer has been left for over 25 years now.

The information about a relative which comes to attention of a doctor (health professional) must be kept confidential for the patient. Here it would be illegal to disclose it, aside from the medical implications.

The believing a patient or not can be handled in the problem oriented medical record. Dutch GPs use subjective, objective, evaluation, plan. The easy way forward is to list the subjective things a patient tells and to balance that in the objective.
Using wording like "I do not believe him/her" is perhaps not appropriate in the medical record.

So if you want a technical solution, the two totally distinct use cases need to be addressed differently.

In a functional requirement set we made a separate section for care professionals to keep confidential notes. This is then not attached to the individual patient’s record, but is only accessible to this one person, the doctor making the personal note (so not to other professionals).

William

Hello,

I posted this message to the clinical mailing list, but think this should be on the technical mailing list. Apologies if I’m not correct (and please a further explanation about what is meant by ‘technical’ ;-) )

I’ve got a question about Author Information Mandate. (an issue also brought up under ‘Archetype production: Types of Archetypes’ by Gerard Freriks.)

What is determined about the access control of information documented by the physician that s/he wants to keep obscured from the patient? I believe that the whole care process is characterised by the subtle ‘game’ between physician and patient, where the physician has its private thoughts and goals (which he wants to document) but doesn’t want the patient to know, or only partly. For instance, a GP might be quite sure the patient has cancer but doesn’t want to alarm the patient right away so orders blood tests. (There surely are medically more correct examples.) Others are i.e. whether the physician believes the patient or not, or when the physician has got extra information conveyed by a relative that the patient mustn’t know about. It is harmful to the care process and the physician-patient relation if the patient has access to all of this.
Is there a way, in the RM for instance, that everything that is under EVALUATION is kept hidden from the patient? I think this should be so. There should be – according to my opinion – two separate parts in the EHR: a shared part (open to, and access controlled by the patient) and a private part containing the physician’s evaluations and comments. This latter part should only be made visible to the patient under certain (legal) circumstances, where the patient can order to delete certain info.
My question: has this been taken care of right now? If so: how?

Josina Freriks

Sincerely yours,

dr. William TF Goossen
director
Results 4 Care b.v.
De Stinse 15
3823 VM Amersfoort
email: Results4Care@cs.com
phone + 31654614458
fax +3133 2570169
Dutch Chamber of Commerce number: 32121206

In a message dated 14-12-2007 21:13:21 W. Europe Standard Time, jpfreriks@gmail.com writes:

Dear Josina,

This question should perhaps be in the openEHR legal list serve :-)

From the clinical point of view I understand your question. However, the two use cases differ 180 degrees.

The cancer use case is according to Dutch law at the edge of illegality.

I would even say it’s over the edge

A Doctor is not allowed to not enter objective patient data in the record. He is allowed to keep personal notes on the cancer, but the moment he enters this information as reason for a lab test it should be disclosed to the patient. Anyway, the patronizing approach with respect to cancer has been left for over 25 years now.

Couldn’t agree more. Although I can understand the idea of protecting the patient this is really not up to a health care provider. To give you an example: if a doctor seriously suspects something like cancer his/her non-verbal communication will tell. For a patient the thought, that something is so terrible that it must be kept hidden, can be more terrifying than knowing that there is a chance that disease x is present and this must be excluded. I’ve witnessed several occasions where the patient was ‘protected’ and in the end they all told that they had a terrible time (one even for 6 weeks!!) and would have loved to know upfront what was going on.

The information about a relative which comes to attention of a doctor (health professional) must be kept confidential for the patient. Here it would be illegal to disclose it, aside from the medical implications.

The believing a patient or not can be handled in the problem oriented medical record. Dutch GPs use subjective, objective, evaluation, plan. The easy way forward is to list the subjective things a patient tells and to balance that in the objective.
Using wording like "I do not believe him/her" is perhaps not appropriate in the medical record.

These are typical things one would like to record as a personal note, but one should be very careful with this. These personal notes can start living a life of their own. What, in my opinion, is the right thing to do, is to ‘confront’ the ‘patient’ with this suspicion and note this and the response of the patient in the record as objectively as possible. Even a doctor can be biased by his/her personal beliefs :-)

Cheers,

Stef

William and Stef, thank you for your clarifying inputs.

I’m not a clinician and as I said - the cancer situation isn’t a good, ethical or even legal example, as you’ve (rightfully) pointed out.

But in general: are there situations thinkable where a health professional doesn’t want to disclose her/his comments to the patient? Because if there are, it will be necessary to put this in the EHR model. I’ve got the intuition that especially when psychology comes in, or when a strategy is needed to get the patient to act in the most healthful way, this might be the case. Or isn’t this (having private, subjective notes) how medicine works, or should work, so that there’s no need to make private notes possible?

Kind regards,

Josina

Stef Verlinden wrote:

Interesting discussion. One of the major problems is that notions of personal privacy and patient access to records remain so controversial and dynamic from nation to nation that it is difficult to know if we can really come to any consensus except in the most abstract fashion.

I think, we can safely say that there are or will be entries within an EHR that

  1. Should remain private to the patient
  2. Should remain inaccessible to the patient whether for ? dubious professional reasons or more legitimately for the protection of others e.g. child protection concerns, violent patients

The reasons why such areas exist (and their legitimacy for doing so) will remain extremely controversial. E.g. in the UK, patients have the right to access all of their records unless there are compelling justifiable reasons to prevent this - comments by or about 3rd parties, public safety concerns or significant risk of harm to patient themselves. The examples discussed above re concealing concerns about a cancer diagnosis would be very unlikely to be legal in the UK.

I agree too with William’s argument that some medical record comments should not appear in the EHR at all. In the UK context however these could still not be concealed from a patient on request.

With regards to OpenEHR, although it might be interesting to tease out some of the requirements using an archetype, I am pretty sure that most of this technically comes down to simple role-based access controls, similar to the Windows Groups/Users security model. The Reference model allows for this for all LOCATABLE classes, which includes archetyped data, so in reality almost anything that needs to be ‘hidden’ can be.

The human and technical management of such a role-based access system within the complex clinical domain is far from certain although both England and the Netherlands are attempting to do so via professional smartcards linked to sophisticated algorithmic determinations of each professional having a ‘legitimate relationship’ with the patient in many different contexts. I remain far from convinced that this is possible in the chaotic setting of much clinical practice where staff change very regularly, fulfil multiple roles, are highly mobile and often have compelling requirements to ‘cheat the system’ e.g. by sharing smartcards when one is lost or malfunctioning.

Very interesting and challenging area but I don’t think we should be trying to factor security issues into archetypes.

Ian

I know for sure that in many occasions I want to document a private thought in the context of my note about a patient.
I know for sure that when the patient demands access to these notes I must give them, when I have them.
I know for sure that the EHR is the official play ground where others will read and interact with each other. So this is not the place for private notes.
I know for sure that part of the privacy is dealt with at the system levels. (Desktop, Networks, Applications, Services)
I know for sure that at the end of the line the EMR or EHR will play a role as well because here the patient mandate is stored and exchanged. (part 4 of EN1606)
So
I know for sure that openEHR will have to deal with all this and the OpenEHR tooling must be able to produce Templates/Archetypes to deal with the Patient Mandate.

The question is: how?

Gerard

– –
Gerard Freriks, MD
Huigsloterdijk 378
2158 LR Buitenkaag
The Netherlands

T: +31 252544896
M: +31 620347088
E: gfrer@luna.nl

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Dear Josina

You have raised an interesting discussion topic, and already had some good answers. I’ll offer my own views!

I find it firstly helpful to differentiate clinical management policies from information management policies, as far as is possible. Secondly, for each, to distinguish the definition of policies and their use from the implementation of policy decisions that have been made. Thirdly, to distinguish the representation from the operationalisation of policy decisions.

In the case of the logical EHR our role is primarily one of faithful representation of policy decisions that have been made. Security components will operationalise these, and although EHR systems will play a role in this, it is ideally done by generic (standards based) security components. Policies are largely defined by nations, professional bodies or health systems, who will set the rules for good/acceptable information practice such as access rules e.g. if data can be masked from the patient.

Wearing an EHR architect hat, I see my role as to design a logical model to represent the domain of plausible access policy decisions (rules) in as generic and interoperable way as possible. EN 13606 Part 4 seeks to do this, and you might wish to read its introduction section which explains the approach taken. It has been my hope that openEHR uses this standard, extending it if necessary, rather than inventing another different approach.

Wearing other hats, I do get involved in UK and EU policy definition activities, where some of the more fun and controversial issues get aired, such as those raised on this list in recent days.

With best wishes,

Dipak Kalra
UCL

I know for sure that in many occasions I want to document a private thought in the context of my note about a patient.

I know for sure that when the patient demands access to these notes I must give them, when I have them.

Agreed

I know for sure that the EHR is the official play ground where others will read and interact with each other. So this is not the place for private notes.

but there are other types of notes that are accessible to clinicians but legally concealable to the patient which may exist within the EHR.

I know for sure that part of the privacy is dealt with at the system levels. (Desktop, Networks, Applications, Services)
I know for sure that at the end of the line the EMR or EHR will play a role as well because here the patient mandate is stored and exchanged. (part 4 of EN1606)

Agreed but privacy rules are bound to Archetyped information as part of the OpenEHR reference model, although the rules themselves are not defined.

So
I know for sure that openEHR will have to deal with all this and the OpenEHR tooling must be able to produce Templates/Archetypes to deal with the Patient Mandate.

There is no problem in doing the modelling of the Patient Mandate using archetypes and templates but within OpenEHR, this class of data is seen as being separate, like metadata, to the main content of each archetype. Think of it like the Contributor, composition dates etc. which are elements automatically attached to the contribution to the EHR by the reference model.

The main difficulty is not modelling the requirements but in establishing the ‘maximal dataset’ of all possible approaches to patient confidentiality and security. An archetype approach would have to be as inclusive as possible a number of potential overlapping ideas. Could become very tricky!!

If anyone is interested in this area, I have a contact via my MSc Informatics course who was looking at varying privacy legislation as part of her final year project in the context of multi-national occupational health records. She currently works for Shell and is/was based in the Netherlands.

Ian

I know for sure that in many occasions I want to document a private thought
in the context of my note about a patient.

Agree.

...

I know for sure that openEHR will have to deal with all this and the
OpenEHR tooling must be able to produce Templates/Archetypes to deal with
the Patient Mandate.

The question is: how?

In Germany it is legal to "remove" "personal" notes from the
record before handing it out to the patient ("personal" isn't
well defined, though. "remove" means temporary).

Technically it is usually done by marking comments to not be
part of the SOAP schema (rather being a "comment") and
filtering them out before handover.

Karsten

See below

GF

There is no problem in doing the modelling of the Patient Mandate using archetypes and templates but within OpenEHR, this class of data is seen as being separate, like metadata, to the main content of each archetype. Think of it like the Contributor, composition dates etc. which are elements automatically attached to the contribution to the EHR by the reference model.

Show me at the Archetype.
I think that the Patient Mandate is archetypable, but will in the end be a Template.
I will not be surprised that in the long run it will be a separate Patient Mandate Model Archetype that will be further constrained in the Template tool.

The main difficulty is not modelling the requirements but in establishing the ‘maximal dataset’ of all possible approaches to patient confidentiality and security. An archetype approach would have to be as inclusive as possible a number of potential overlapping ideas. Could become very tricky!!

That is why part 4 of EN13606 has one matrix that will cover 95% of most use cases.

If anyone is interested in this area, I have a contact via my MSc Informatics course who was looking at varying privacy legislation as part of her final year project in the context of multi-national occupational health records. She currently works for Shell and is/was based in the Netherlands.

I’m very much interested

I am a haematologist/oncologist. Disclosure of sensitive information is
an eternal problem for us. Even a skilled and experienced doctor feels
dubious whether/how to inform the 'fact'.
Moreover, psychological medicine includes more sensitive information about
disclosure. Careless disclosure worsens disease conditions.
I experienced to know patient's secret incidentally. I ordered a patient's
family HLA typing for bone marrow transplantation. The HLA data indicated
that he is related by blood with his mother, but not related with his
father. In this case, we discussed whether to inform or not and only told
he did not have a matched donor in his family. In genomic study, similar
cases are reported. A disease susceptibility gene analysis indicates more
disease information incidentally now and in the future because gene
profiling is updated frequently. Whether we must notice all such
incidental information is now discussed and never get the conclusion.
We sometimes notice some troubling persons' information for the staffs
but we do not want to inform our provision. This type of information is
categorised in private note, but I think it should be shared among
healthcare providers.
For example, "YAKUZA(Japanese mafia)", "Drug addiction", "Unpaid",
"Claimer", "

Hi all,

Thank you all for the very nice discussion. I find it a very interesting one. I think it might be time for an ‘interim score’ (which is a Dutch expression (tussenstand) to say that you make some sort of conclusion halfway in the procedure to help further the process).

  1. ‘Author Access Control’ is the concept I believe we’re talking about (instead of Author Mandate).
    This doesn’t imply at all that a patient cannot request to see the ‘private’ information. It is the author that must hand over the info, so the author has the access control. Now, the ‘architecture overview’ document section 7 only / mostly(?) speaks about patient access control.

  2. I think that there’s agreement on the desirability on having author access control modelled in the open EHR architecture. Arguments:

  3. It’s advisable to put all possible requirements in, even when some countries have the policy not to accommodate for private notes. Policies change. (see Dipak’s contribution). And already it seems to be normal policy in Germany (as Karsten pointed out).

  4. Plus: private comments are part of the health care process (as many of you pointed out). Health care providers want to make comments, or put in reminders that shouldn’t be disclosed to a patient instantly. These comments need to be recorded too, connected to (or part of?) the patient’s record.

And I think also in the EHR, because (as Gerard pointed out) when a patient requests it these comments must be shown. So they must be sharable. And some comments (like the ones Shinji mentioned) want to be shared amongst health providers. What other place should it be recorded than within the EHR? [As I understand it, the EHR is the whole complex of medical information, with the EPR being a subpart of it. Is this correct?]

  1. The question remains on how author access control should be covered by openEHR.

  2. There is an existing standard (EN 13606 Part 4) that is ‘a logical model to represent the domain of plausible access policy decisions (rules)’ (Dipak) and covers ‘95% of all use cases’ (Gerard). Are there any objections on using this standard within openEHR?

  3. What is the best way to handle access control? By creating an Access Control Archetype or templates (as Gerard suggests), or by modelling it as meta-data in the Reference Model (as Ian suggests)?

I think author comments should have a different status than objective patient information. It seems better to provide for this by adding an author controlled comment section separately to the EPR part. This means that it would be better to create archetyped meta-data in the RM, and not on ENTRY level. Does this line of thinking make sense?

  1. How to go from here?

  2. The Architecture Overview chapter 7 treats access control mainly as patient access control. (That’s where ROLE comes in.) We want a section speaking about author control, too?

  3. Will openEHR pick our ‘recommendations’ up, or should we make an official request?

  4. Is there a committee that does the ‘official’ thinking, or are we, as the community, doing that?

  5. Would it be advisable to form some sort of working group, getting other people (specialists) involved too? (like Ian’s contact).

I’m very much looking forward to your reactions!

Take care,

Josina

I have not followed the details of this discussion too closely, but
someone might consider creating a wiki page to capture some of the
statements made by various people - I suggest that it might go under the
Healthcare requirements part of the wiki -
http://www.openehr.org/wiki/display/healthcare/Healthcare+Home

If some specifications come out of this later on, we can document them
elsewhere in the wiki.

JP Freriks wrote:

There are some things I would like to add to my last posting:

  1. ‘Author Access Control’ is the concept I believe we’re talking about (instead of Author Mandate). Although the two concepts are related.
    This doesn’t imply at all that a patient cannot request to see the ‘private’ information. It is the author that must hand over the info, so the author has the access control. Now, the ‘architecture overview’ document section 7 only / mostly(?) speaks about patient access control.

  2. I think that there’s agreement on the desirability on having author access control modelled in the open EHR architecture. Arguments:

  3. It’s advisable to put all possible requirements in, even when some countries have the policy not to accommodate for private notes. Policies change. (see Dipak’s contribution). And already it seems to be normal policy in Germany (as Karsten pointed out).

  4. Plus: private comments are part of the health care process (as many of you pointed out). Health care providers want to make comments, or put in reminders that shouldn’t be disclosed to a patient instantly. These comments need to be recorded too, connected to (or part of?) the patient’s record.

And I think also in the EHR, because (as Gerard pointed out) when a patient requests it these comments must be shown. So they must be sharable. And some comments (like the ones Shinji mentioned) want to be shared amongst health providers. What other place should it be recorded than within the EHR? [As I understand it, the EHR is the whole complex of medical information, with the EPR being a subpart of it. Is this correct?]

  1. There are different types of information that under certain circumstances must become/remain inaccessible to the patient. What types, according to which situations can be distinguished?
    There’s info that is part of the medical record but can become inaccessible (when requested by the patient, for instance), and there are working notes of the physician that aren’t part of the EPR?

I guess (since I don’t have a copy of it) that this is all in CEN 13606 part 4?

- Should stuff like working notes be accommodated for by openEHR, or is this something extra to it, supplied for by applications?

  1. It’s good to differentiate between:
  1. clinical management policies and information management policies;
  2. the definition of these policies and their use, and their implementation;
  3. between a faithful representation of (inter)national policies, and the representation of the domain of plausible access policy decisions (rules) in as generic and interoperable way as possible. (Dipak)
  1. The question remains on how author access control should be covered by openEHR.

  2. There is an existing standard (EN 13606 Part 4) that is ‘a logical model to represent the domain of plausible access policy decisions (rules)’ (Dipak) and covers ‘95% of all use cases’ (Gerard). Are there any objections on using this standard within openEHR?

  3. What is the best way to handle access control? By creating an Access Control Archetype or templates (as Gerard suggests), or by modelling it as meta-data in the Reference Model (as Ian suggests)? Or by security components / Desktop, Networks, Applications, Service?

I think author comments should have a different status than objective patient information. It seems better to provide for this by adding an author controlled comment section separately to the EPR part. This means that it would be better to create archetyped meta-data in the RM, and not on ENTRY level. Does this line of thinking make sense?

  1. How to go from here?

  2. The Architecture Overview chapter 7 treats access control mainly as patient access control. (That’s where ROLE comes in.) We want a section speaking about author control, too?

  3. Will openEHR pick our ‘recommendations’ up, or should we make an official request?

  4. Is there a committee that does the ‘official’ thinking, or are we, as the community, doing that?

  5. Would it be advisable to form some sort of working group, getting other people (specialists) involved too? (like Ian’s contact).

Best wishes,

Josina

Dear all,

Are there any documents comparing the Reference Information Models of HL7, openEHR and CEN/TC 251 ?

Best regards,

Ricardo Correia

Dear Ricardo,

These papers can be interesting for you:

A Survey and Analysis of Electronic Healthcare Record Standards
MARCO EICHELBERG, THOMAS ADEN and JORG RIESMEIER
http://www.srdc.metu.edu.tr/webpage/projects/ride/publications/EichelbergAdenDogacLaleci.pdf

A Framework for the Evaluation of Integration Technology Approaches in Healthcare
S. Kitsiou, V. Manthou, and M. Vlachopoulou
http://medlab.cs.uoi.gr/itab2006/proceedings/eHealth/106.pdf

Review of Shared Electronic Health Record Standards
Australian National E-Health Transition Authority
(Search it in Google ;-)

2007/12/20, Ricardo João Cruz Correia <rcorreia@med.up.pt>:

Dear Ricardo,

The subject you are looking for has engaged my attention for the past year
or so. The papers that David suggested to you provide some interesting
insights and particularly the first one, due to its size (30 pages)

A Survey and Analysis of Electronic Healthcare Record Standards
MARCO EICHELBERG, THOMAS ADEN and JORG RIESMEIER

http://www.srdc.metu.edu.tr/webpage/projects/ride/publications/EichelbergAdenDogacLaleci.pdf

The second paper, in which I am the lead author, provides also some
interesting points but it is less detailed than the first one because it was
presented at an IEEE sponsored conference.

Also, I have just finished writing a chapter book on Electronic Healthcare
Record Standards Analysis but it’s not published yet. I will check with my
editor if it’s ok to send it to you in order to help you, and will get back
to you on that.

Also, a very interesting project, the consortium of which did an amazing job
in studying interoperability standards in healthcare, and particularly for
EHRs, is the RIDE project (“A Roadmap for Interoperability of e-Health
Systems”). You will find many interesting facts and analysis views from
various publications and deliverables that were undertaken within the
Framework of this Project.

The address is http://www.srdc.metu.edu.tr/webpage/projects/ride/

~s.K

Bernd Blobel of Regensburg, Germany has a presentation that compares the
RIM and 13606 reference models.

Ed Hammond


Dear Ian,

If anyone is interested in this area, I have a contact via my MSc Informatics course who was looking at varying privacy legislation as part of her final year project in the context of multi-national occupational health records. She currently works for Shell and is/was based in the Netherlands.

I would be very much interested in this - various privacy legislations.

Could you please provide me with the contact / url / available reports...

Kind regards,

leo

This page includes some points of comparison -
http://www.openehr.org/206-OE.html

- thomas beale

Ricardo João Cruz Correia wrote:

This issue raises the thorny problem of Healthcare Security Policy, the nub of
which is to specify a policy which, verifiably, satisfies ALL of the following
criteria:
(a) no item of patient data may be disclosed to any party to whom the patient
denies it;
(b) any clinician with responsibility for the healthcare of the patient must
have access to all patient data relevant to that care;
(c) all accesses to patient records, and all records granting and rescinding
such access, must be recorded in audit trails for eventual use in either the
defence or the prosecution of malpractice suits.
As well as being extremely topical in the UK, given the recent data loss in the
NHS, it has been a serious problem for much longer.
In 1996, Ross Anderson famously reported that the NHS's enormously expensive
networking plans could not be shown to satisfy a dozen or so requirements of
this nature, a report that led the BMA to advise its members not to transmit
any patient data on that network.
In the same year, I constructed a formal, set-theoretic model of most
of these constraints (see http://www.soi.city.ac.uk/~bernie/hsp.pdf). I
submitted it for publication in a Healthcare Security
Conference, where it was rejected by a panel including Ross Anderson. At that
time, emotions were running high and the very idea of a networked EPR raised
fears of security breaches that could not be addressed rationally. Also, to the
healthcare community at that time, any attempt to address such issues
mathematically was anathema. Perhaps times have changed. If anyone would like
to explore the continued development and validation of such a formal model, I
would be happy to help.
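The three criteria (a), (b) and (c) in the message above can be checked mechanically against a record of denials, disclosures and audit events. The sketch below is an added example, not the set-theoretic model in the cited paper and not part of the original message; the `Ehr` class, `check_policy`, the reading of "relevant" as a shared care episode, and all clinician and item names are assumptions constructed for illustration.

```python
"""Toy checker for criteria (a), (b), (c). All names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Ehr:
    relevant: dict                               # item -> care episodes it matters to
    responsible: dict                            # clinician -> care episodes they run
    denied: set = field(default_factory=set)     # (party, item) pairs the patient denied
    disclosed: set = field(default_factory=set)  # (party, item) pairs actually released
    audit: list = field(default_factory=list)    # ordered (event, party, item) tuples

    def deny(self, party, item):
        """Patient withholds an item from a party; the change is audited."""
        self.denied.add((party, item))
        self.audit.append(("deny", party, item))

    def rescind(self, party, item):
        """Patient lifts an earlier denial; the change is audited."""
        self.denied.discard((party, item))
        self.audit.append(("rescind", party, item))

    def needs(self, party, item):
        """True when the party is responsible for care the item is relevant to."""
        return bool(self.responsible.get(party, set()) & self.relevant[item])

    def read(self, party, item):
        """Release only to a responsible clinician with no denial in force."""
        ok = self.needs(party, item) and (party, item) not in self.denied
        if ok:
            self.disclosed.add((party, item))
        self.audit.append(("read" if ok else "refused", party, item))
        return ok


def check_policy(ehr):
    """Return violated criteria as (criterion, party, item) tuples."""
    problems = []
    # Replay the trail to rebuild denial state and disclosures in order.
    replay_denied, replay_disclosed = set(), set()
    for event, party, item in ehr.audit:
        if event == "deny":
            replay_denied.add((party, item))
        elif event == "rescind":
            replay_denied.discard((party, item))
        elif event == "read":
            replay_disclosed.add((party, item))
            if (party, item) in replay_denied:
                # (a) an item was released while the patient's denial was in force
                problems.append(("a", party, item))
    # (c) live state that the trail cannot reproduce means an unaudited change
    unaudited = (ehr.disclosed ^ replay_disclosed) | (ehr.denied ^ replay_denied)
    problems += [("c", party, item) for party, item in sorted(unaudited)]
    # (b) a responsible clinician is blocked from an item relevant to their care;
    # this is where (a) and (b) collide and the policy needs an explicit rule
    for party in sorted(ehr.responsible):
        for item in sorted(ehr.relevant):
            if ehr.needs(party, item) and (party, item) in ehr.denied:
                problems.append(("b", party, item))
    return problems


def demo():
    """Constructed scenario: one clean read, one denial that collides with (b)."""
    ehr = Ehr(
        relevant={"hla-typing": {"transplant"}, "psych-note": {"psychiatry"}},
        responsible={"dr_a": {"transplant"}, "dr_b": {"psychiatry"}, "clerk": set()},
    )
    ehr.read("dr_a", "hla-typing")     # allowed and audited
    ehr.read("clerk", "hla-typing")    # refused: no care responsibility
    ehr.deny("dr_b", "psych-note")     # patient blocks the treating psychiatrist
    return check_policy(ehr)


if __name__ == "__main__":
    print(demo())
```

The checker reports the (a)/(b) collision rather than resolving it, since which criterion wins is a policy decision the thread leaves open.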

Quoting JP Freriks <jpfreriks@gmail.com>: