How can patients opt out completely from publishing their data on the EHR?
Having opted out, how can they elect to have specific items published?
If they have opted in (either by default or by selection) then how can they
elect not to have specific items published?
A personal secure repository or a secure repository service with appropriate legal structure, e.g.,
license along with legislation that defines and enumerates ownership, that requires revocable
Patient permission. For example, a secure facility ID is established, e.g., untraceable registration
number, created per visit (suggest including time, date and number of Patients). A secure, filtered
link to existing EHR/EMR records is established where Patient permission is obtained; if none
given, then summary information can be provided in an emergency or Public Health situation.
This is the mechanism, and how it is accomplished depends on the architects and implementers.
The important point is that the mechanisms for providing the service you mention exist and would
require little development. The major concern I have is the existing legal structures in the different
Jurisdictions; they have to be compatible.
I agree with what you suggest. It should be the normal/standard approach to handling EHR/etc
confidentiality.
In the questions which follow, we need to remember that opt-out and opt-in
models operate initially at higher levels than the EHR literally speaking -
they may be enshrined in legislation for example.
The EHR architecture has to support any model, including the possibilities you
indicate. If a patient "opts out" but wants some items published, then they
have an EHR - it just might be small. If they opt in but want to hide a few
things, they have a bigger EHR in general. The EHR model supports items
hidden from various parties, by using generic access control definitions, in
which the meanings are not (currently) defined - they could be from any access
control model. In general, the patient sets consent-to-view or use via some
application, probably with the help of the GP or other carer, and this gets
applied to EHR content as a filter whenever a request is made for access.
How well this works largely depends on the quality of the implementation, the
sophistication of the security in the local environment and so on.
EHR Extracts can have items hidden if required by the patient consent settings
- recipients can only see what is appropriate.
Please consider the need for emergent access and/or exchange with other
entities. Most patients, even those who were reluctant to otherwise have
information readily available, would agree to this, particularly if they
were unable to give consent (e.g. altered mental status, intubated, etc.).
Thus, the default for access by providers currently caring for the patient
under such circumstances should be full access, with the patient able to
then make adjustments as they see fit after some informed consent/refusal
process.
In addition, there needs to be an expeditious means of retrieving medical
information (even if just a problem list, medications, allergies and
end-of-life directions) about a patient who is receiving emergent care.
While technically limited by incomplete standards, even a plain text or
facsimile is often essential. Some means of verification of identity and
validity of requester, as well as document level security and validity
checks needs to be standardized ASAP (e.g. provider and facility public keys
sent for identification/requests, results transmitted encrypted with
provider/facilities public key/signed by sending facility/provider; all
providers and facilities must be verified/enrolled, with some means of
verification of validity of IDs and predetermined addresses to send
information to).
Again, most patients who present to the ED/A&E will support ready access by
the treating team to their prior records. Having obtuse protocols and
procedures to access these will be an impediment to patient safety and
quality care.
Kevin
Kevin M. Coonan, M.D.
kevin.coonan@utah.edu
University of Utah School of Medicine
Adjunct Assistant Professor, Division of Emergency Medicine
NLM Fellow, Department of Medical Informatics
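The consent-as-filter design described above (patient consent settings applied to EHR content on every access request) and the emergency-access default argued for in the reply can be sketched in a few lines. The following is an added example, not code from the thread or from any EHR project. It assumes a simple item model of its own: every record item carries a category, consent settings name which categories are hidden from which requester roles, and an emergency ("break-glass") request by a treating provider bypasses the hiding filter but is logged so the patient can review and adjust afterwards. For an opted-out patient the emergency path releases only the summary set named in the first message (problems, medications, allergies, end-of-life directions). All names (`EhrItem`, `ConsentSettings`, `build_extract`) and the sample record are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EhrItem:
    """One item in the record; the category is what the consent filter keys on."""
    category: str   # e.g. "problem", "medication", "allergy", "psychiatry"
    text: str


@dataclass
class ConsentSettings:
    """Patient consent: opt-in/out plus per-category hiding by requester role."""
    opted_in: bool = True
    # category -> roles it is hidden from; "*" hides it from every non-emergency request
    hidden: dict = field(default_factory=dict)
    # minimal summary released under emergency access even when the patient opted out
    emergency_summary: frozenset = frozenset(
        {"problem", "medication", "allergy", "end_of_life"})


def item_visible(item: EhrItem, consent: ConsentSettings, role: str) -> bool:
    """True unless the patient hid this category from this role (or from everyone)."""
    blocked = consent.hidden.get(item.category, set())
    return "*" not in blocked and role not in blocked


def build_extract(record, consent, role, emergency=False, audit=None):
    """Return the items the requester may see; every emergency access is appended to audit."""
    audit = audit if audit is not None else []
    if emergency:
        # Break-glass: logged so the patient can review it after the fact.
        audit.append({"role": role, "reason": "emergency", "opted_in": consent.opted_in})
        if consent.opted_in:
            return list(record)          # treating team gets the full record
        return [i for i in record if i.category in consent.emergency_summary]
    if not consent.opted_in:
        return []                        # opted out: nothing is published
    return [i for i in record if item_visible(i, consent, role)]


# Constructed sample record and consent settings (not real patient data).
RECORD = [
    EhrItem("problem", "hypertension"),
    EhrItem("medication", "lisinopril 10 mg"),
    EhrItem("allergy", "penicillin"),
    EhrItem("psychiatry", "depressive episode 2001"),
    EhrItem("end_of_life", "no resuscitation directive on file"),
]
CONSENT = ConsentSettings(
    opted_in=True,
    hidden={"psychiatry": {"*"}, "medication": {"researcher"}},
)


def demo():
    """Run the filter for four requesters and report which categories each one sees."""
    audit = []
    gp = build_extract(RECORD, CONSENT, "gp", audit=audit)
    researcher = build_extract(RECORD, CONSENT, "researcher", audit=audit)
    ed = build_extract(RECORD, CONSENT, "ed_physician", emergency=True, audit=audit)
    opted_out = ConsentSettings(opted_in=False)
    ed_out = build_extract(RECORD, opted_out, "ed_physician", emergency=True, audit=audit)
    return {
        "gp": [i.category for i in gp],
        "researcher": [i.category for i in researcher],
        "ed": [i.category for i in ed],
        "ed_opted_out": [i.category for i in ed_out],
        "emergency_accesses": len(audit),
    }


if __name__ == "__main__":
    for requester, seen in demo().items():
        print(requester, seen)
```

The filter is applied at extract-building time rather than stored with the record, which is the property the thread relies on: the patient can change the consent settings and the next request sees the new filter without the record itself being rewritten.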
Is what you mean the record as kept by the healthcare provider for his own
use and the patient?
Or is it the information that is published to be shared between healthcare
providers?
Gerard
-- <private> --
Gerard Freriks, arts
Huigsloterdijk 378
2158 LR Buitenkaag
The Netherlands
A personal secure repository or a secure repository service with appropriate legal structure, e.g.,
license along with legislation that defines and enumerates ownership, that requires revocable
Patient permission. For example, a secure facility ID is established, e.g., untraceable registration
number, created per visit (suggest including time, date and number of Patients). A secure, filtered
link to existing EHR/EMR records is established where Patient permission is obtained; if none
given, then summary information can be provided in an emergency or Public Health situation.
This is the mechanism, and how it is accomplished depends on the architects and implementers.
A secure EHR facility really requires the use of mandatory access
control (as opposed to the almost universal discretionary access
control) at the operating system and data storage levels (and at all
levels above that) - otherwise it is not secure against compromise by
the system administrators or the database administrators. Such systems
exist, but only the three letter security agencies have any experience
in using them.
The important point is that the mechanisms for providing the service you mention exist and would
require little development.
Hmmm, not too much software development, perhaps, but a lot of human and
organisational development to create a culture which values personal
privacy to the degree you specify.
Merely providing the mechanisms for access control will not suffice.
That was the basis of Ross Anderson's withering attack on the NHS network, on
behalf of the BMC, that led to a great deal of embarrassment for the NHS
and the UK government.
The hard part is to define a security policy model that:
-- is provably adequate with respect to the relevant legislative and ethical
environments;
-- is demonstrably implementable by the technical and social infrastructure;
-- comes complete with compliance checks that are necessary and sufficient for
validating any proposed implementation.
As far as I know, my preliminary paper on this matter
(http://www.soi.city.ac.uk/~bernie/hsp.pdf), incomplete though it is, is the
only work done in this area. As you'll see, it requires a degree of semantic
formalisation that is beyond the scope of any of the currently proposed EPR
standards, GEHR included. The fact that this degree of formalisation is also
beyond the comprehension of most of the stakeholders is irrelevant. You don't
have to understand computational fluid dynamics to use a weather forecast.
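The distinction drawn earlier in this reply, between discretionary access control (where an owner grants access and a privileged administrator bypasses the check) and mandatory access control (where a system-enforced label policy applies to every subject, administrators included), can be shown side by side. This is an added example, not code from the thread or from any real operating system; it assumes a toy DAC model with per-object access lists and a `superuser` flag, and a toy MAC model with sensitivity levels and named compartments using the usual "subject label must dominate object label" rule for reading. The names (`Label`, `dac_can_read`, `mac_can_read`) and the sample users are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """MAC label: a sensitivity level plus a set of compartments (e.g. {"EHR"})."""
    level: int
    compartments: frozenset


def dominates(subject: Label, obj: Label) -> bool:
    """Subject may read the object only if its level is at least as high
    and it holds every compartment the object is marked with."""
    return subject.level >= obj.level and obj.compartments <= subject.compartments


@dataclass
class DacSubject:
    name: str
    superuser: bool = False   # the administrator bypass that DAC systems provide


@dataclass
class MacSubject:
    name: str
    clearance: Label          # no bypass flag exists in the MAC model


def dac_can_read(subject: DacSubject, acl: set) -> bool:
    """DAC: allowed if named on the object's access list, or if superuser."""
    return subject.superuser or subject.name in acl


def mac_can_read(subject: MacSubject, obj_label: Label) -> bool:
    """MAC: allowed only if the clearance dominates the object label; nothing overrides it."""
    return dominates(subject.clearance, obj_label)


# Constructed scenario: one patient record, three accounts.
RECORD_ACL = {"dr_smith"}                                   # DAC: only the GP is listed
RECORD_LABEL = Label(level=2, compartments=frozenset({"EHR"}))   # MAC: level 2, EHR compartment

DAC_USERS = {
    "dr_smith": DacSubject("dr_smith"),
    "dba": DacSubject("dba", superuser=True),
    "clerk": DacSubject("clerk"),
}
MAC_USERS = {
    "dr_smith": MacSubject("dr_smith", Label(2, frozenset({"EHR"}))),
    # the DBA has a high level for system tasks but no EHR compartment
    "dba": MacSubject("dba", Label(3, frozenset({"SYSADMIN"}))),
    "clerk": MacSubject("clerk", Label(1, frozenset({"EHR"}))),
}


def compare_models() -> dict:
    """Who can read the record under each model."""
    return {
        name: {
            "dac": dac_can_read(DAC_USERS[name], RECORD_ACL),
            "mac": mac_can_read(MAC_USERS[name], RECORD_LABEL),
        }
        for name in DAC_USERS
    }


if __name__ == "__main__":
    for name, verdict in compare_models().items():
        print(f"{name:9s} DAC={verdict['dac']!s:5s} MAC={verdict['mac']}")
```

The interesting row is the database administrator: under DAC the superuser flag reads the record regardless of the access list, while under MAC a high level alone does not help because the record's compartment is missing from the clearance. The clerk shows the other direction of the same rule: holding the compartment is not enough when the level is too low.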