Authorisation

Hi,

Have there ever been some thoughts on authorisation, and how to implement this.
Maybe I missed the subject in this list, or on the website.

I need some advise about how to implement authorisation for reading/writing openehr data.

I realize that there are many ways to do this, but what is the best advise?

Thanks in advance for any hint/answer

Bert Verhees

Hi,

Let me try again,

I found in the ISO18308-conformance PDF

Bert,

" GP sends the patient to the hospital"

What do you mean:
Is he referred to a specialist? Then implicitly, at least in the Netherlands, both the GP and specialist have access rights.
Is he referred to a lab-service in the hospital? Then the same reasoning can be applied.
Always the patient has the rights to limit the access rights of others, including him self and the GP.

The whole business of co-operating physicians is dealth with in a coming European Standard:
“System of Concepts for Continuity of Care”, ContSys)

In the whole chain of events: Identification, Authentication, Authorisation, Access Control and Logging.
What you describe is, are problems at the level of Access Control where the Patient mandate is executed against the rights granted in the authorization phase.

Gerard

– –

Gerard Freriks, arts

Huigsloterdijk 378

2158 LR Buitenkaag

The Netherlands

T: +31 252 544896

M: +31 654 792800

Gerard, thanks for your explanation.

I was a bit confused by the ISO18308-conformance document

I understand now, that there are classes X_ACCESS_CONTROL and ACCESS_GROUP to
handle this.

It is the local law which dictates how to implement access controls.

Bert

But the first is for EHR_Extract, the class Access_group I did not find in the
java-code.
I found Access_group_reference, which is only used in the class Archetyped

I will study the documentation and come back again, if necessary, thanks for
your cooperation

Bert

I should point out that the EHR Extract of openEHR is being completely redeveloped to suit Release 1.0, and a draft will be ready on the web in the next week or so. Types like X_ACCESS_CONTROL no longer exist.

- thomas beale

Bert Verhees wrote:

Thomas Beale schreef:

I should point out that the EHR Extract of openEHR is being completely redeveloped to suit Release 1.0, and a draft will be ready on the web in the next week or so. Types like X_ACCESS_CONTROL no longer exist.

Thanks for enlightening this
Bert

I think we have to lead here a little - I believe there is no case for a clinician to restrict access to records - only patients (unless the very unusual situation exists where a patient is not mentally well and it could be a risk (legally covered in some countries). The way to keep records private for clinicians is to work in their own space and contribute to the shared EHR when they are ready (ie have an openEHR server on site and linked in to the shared record). There will be many instances where this is appropriate (psychiatrist, sexual health etc). Partitioning the record except by the patient’s wish and consent is dangerous I think - what does decision support software do?

Cheers, Sam

Bert Verhees wrote: