I’m looking for more information on the EHR_ACCESS class. At Cambio, we’re in the design stage for a set of services (outside the CDR) to help make compliance with the Swedish patient data laws easier for our clients. It would be nice to leverage as much openEHR access framework as possible, but it’s unclear exactly what this class is intended for.
As far as I can tell, you just have your basic LOCATABLEs and then an ACCESS_CONTROL_SETTINGS class that’s undefined. What are people’s thoughts on how best to use this structure? Are there any non-openEHR info models for privacy control that I can look to for inspiration?
the general concept is that this is a plug-in class part of the model where specific kinds of content-based access control rules could be represented, but not (generally speaking) the totality of ‘access control’, which also consists of system-wide concepts of roles, attributes and policies/rules.
We originally thought that there would be an obvious standard (e.g. from ISO TC215 or similar) that could be formalised here, but nothing obvious appeared over the years.
If you make your own, there are a couple of schemes you can use.

1. Mark specific information items as private | open or similar, where ‘private’ is understood to mean that the patient gives specific permission at an encounter to a specific clinician and ‘open’ means standard ‘legitimate access’, i.e. access by any of the current care team seeing the patient for a current problem.

2. Under this kind of scheme, information items are marked as being only visible to certain roles. The difficulty with this approach is that the roles need to be understood the same way across the health system for the settings to be interoperable.
One important thing to note: just putting rules that mark certain content as having certain visibility doesn’t make it happen - to enforce it there must at least be a layer of access logic in the EHR server that obeys the rules strictly. However, this only achieves access management when there are no hackers or unplanned data copying. To truly enforce the rules potentially requires public key encryption or some equivalent that relies on presentation of appropriate keys at access time.
Outside of individual EHRs, you will still want a general RBAC and/or ABAC service that defines basic rights on the basis of user types / attributes, which will normally be based on token(s) obtained at authentication time.
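The two marking schemes and the fail-closed enforcement layer described in the reply above, as an added example that is not openEHR code and not part of the original thread. `ItemAccessSettings`, `Caller` and the sample markings are assumptions standing in for the undefined ACCESS_CONTROL_SETTINGS and for the role and care-team attributes an authentication token would carry.

```python
from dataclasses import dataclass

# Hypothetical stand-in for the undefined ACCESS_CONTROL_SETTINGS, one per content item.
@dataclass
class ItemAccessSettings:
    visibility: str = "open"                  # "open" = legitimate care-team access,
                                              # "private" = explicit patient grant only
    permitted_users: frozenset = frozenset()  # clinicians the patient named (scheme 1)
    visible_to_roles: frozenset = frozenset() # empty = no role restriction (scheme 2)

# Caller attributes as delivered by the RBAC/ABAC service at authentication time (assumed).
@dataclass
class Caller:
    user_id: str
    roles: frozenset
    in_current_care_team: bool

def is_visible(settings: ItemAccessSettings, caller: Caller) -> bool:
    """Grant only when every marking on the item is satisfied; deny otherwise."""
    if settings.visible_to_roles and not (settings.visible_to_roles & caller.roles):
        return False                          # role marking (scheme 2) not met
    if settings.visibility == "private":
        return caller.user_id in settings.permitted_users   # patient grant (scheme 1)
    if settings.visibility == "open":
        return caller.in_current_care_team    # 'legitimate access' by the care team
    return False                              # unknown marking: fail closed

def visible_item_ids(ehr_items: dict, caller: Caller) -> list:
    """The access-logic layer: filter a patient's items to those the caller may see."""
    return sorted(item_id for item_id, s in ehr_items.items() if is_visible(s, caller))

# Constructed sample markings for one EHR (not real patient data).
SAMPLE_EHR = {
    "bp_reading":     ItemAccessSettings(),
    "psych_note":     ItemAccessSettings("private", permitted_users=frozenset({"dr_andersson"})),
    "lab_result":     ItemAccessSettings("open", visible_to_roles=frozenset({"physician"})),
    "social_history": ItemAccessSettings("private"),   # patient has granted nobody
    "legacy_item":    ItemAccessSettings("secret"),    # marking the server does not understand
}

if __name__ == "__main__":
    treating = Caller("dr_andersson", frozenset({"physician"}), True)
    print(visible_item_ids(SAMPLE_EHR, treating))
```

As the reply notes, this layer only governs access through the server; it does nothing for data that has already been copied out of it.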