Scenarios for change type "deleted"

In the Netherlands as in many countries, if you change GP a patient is able to lose his medical history if he wants that. It is up to the patient to hand it over to the new GP.

And after 15 years he can demand that his previous GP remove his records. From that point on all his medical history is gone.

Is this different in the UK, where there is only one governmental health care provider? And how about Australia?

Sorry for the sloppy text. It is typed on a phone with bad sight because of the small screen and also the sun glittering on it. But reading back I see that it is easy to understand it well.
:wink:

The deadlines are different, and they are different for
different "types" of medical data, and also for different age
groups of the patient, but essentially this is what it's like
in Germany as well.

Even more so, once a deadline has passed, providers would
actually be obliged to pro-actively delete old data (likely
even from records of active patients) unless they deem it
necessary for either legal self-protection or for continued
care. No need for the patient to demand deletion. However,
nearly no one does that (pro-active deletion).

Karsten

In the Netherlands the deadlines are also more complicated. I presented a simplified version of the regulations; for the sake of the discussion this is not important.

In fact the health care provider loses the responsibility to maintain the data after 15 years of inactivity, and the patient can already demand removal after 5 years. But it is different when the patient is under 18, and it is also different if the health care provider is in an employer relation to the patient. I don't know what is meant there, but that is what the regulations say.

However, both can agree that the data will be maintained for longer time, for example in case of hereditary diseases.

Hi there,

just a short remark: we were involved in a regional EHR (in the sense of a health information exchange network) project in the state of Lower Saxony, Germany. While this might be a different use case, we clearly had to be able to physically delete patient data from all IHE XDS repositories and registries in the case of a patient's withdrawal. So when we use openEHR for such a use case, we still have the same requirement.

Cheers,

Birger

a) The repositories were likely not the primary repositories
   intended for immediate clinical care ?

  in which case the deadlines don't apply

b) had you suspected that a withdrawing patient intends to sue
   the health information exchange network you would likely have
   had the right to retain data regardless

But, yeah, physical deletion certainly seems necessary even
if only, say, 50 years post mortem ...

Karsten

Hi Karsten,

a) these repos are not the primary sources of the data. Hence, the deadlines do not apply!

b) Implementing such a process was demanded by the state data protection commissioner. I’m not sure how realistic this would be, but such a network heavily relies on patients’ trust. If there is doubt, you lose.

Besides: we implement openEHR in a distributed data warehouse scenario. Most data will be integrated locally from application systems. To be able to share data with other sites, we need to consider patients’ consent. If a patient withdraws, we don’t have any purpose to keep this ‘secondary use data’ within the data warehouse/openEHR system. Besides the legal questions, being able to physically delete data from such a database is also necessary for practical development and maintenance reasons.

For operative systems, this is a whole different story. I recently was told that physically deleting records should not be possible when you want your software to be certified as a medical product according to German law.

Birger

Hi Birger,

as a GP in Germany I know what you are talking about :slight_smile:

b) Implementing such a process was demanded by the state data protection
commissioner. I'm not sure how realistic this would be, but such a network
heavily relies on patients' trust. If there is doubt, you lose.

Assuming a patient intends to sue the network it would have
had the right to retain any patient data it needed for legal
proceedings, regardless of whether the patient requested
deletion. Say, to prove a given document arrived in the
repository at a given time or was passed on at another given
time or some such.

If a patient
withdraws, we don't have any purpose to keep this 'secondary use data' within
the data warehouse/openEHR system.

Except for: see above.

For operative systems, this is a whole different story. I recently was told
that physically deleting records should not be possible when you want your
software to be certified as a medical product according to German law.

I know :slight_smile: and that is quite contrary to what the BDSG
demands, so German law contradicts German law.

However, the no-deletion policy is pretty much a scare
tactic (by over-interpretation) used by German EHR/document
archive vendors desiring to sell their "solutions" to German
doctors...

Karsten

Dear all,

It is time to reflect on the status of any data in any EHR, local or shared.

1- Documenting any fact in a data collection is an event with legal consequences.
There always is the obligation to document what one has done: adding, reading, deleting, changing the status, etc.
A log-file documents this.

2- Physical deletion is NOT possible. During the life cycle of data, data collections are backed up. This can be on write-once, read-many media. Sometimes complete databases are replicated as backup.

3- Only logical deletion is possible by changing the status: tagging data or by changing the ACL of that data item.
Observe that changing the status is a legal act that needs to be documented.

4- All data items that are entered in to a EHR data collection have a lifecycle: new inactive data, evaluation, active health relevant data, evaluation, plans, actions
or new inactive data, evaluation, active administrative relevant data, evaluation, plans, actions.

5- Health and Administration relevant data can be declared by the HcP entering the data: de novo or re-used.

6- Next to life cycles of data items, there are life cycles of data item collections.

7- During the life cycle of any data item or data item collection new data items and/or data item collections are generated as re-used data.
This implies that data is copied and can be sent and stored else where.

8- When patients request the removal of data items or data collections, all legal events are and have to stay documented. They can no longer be read for the provision of healthcare, either by changing the Access Control List or by being tagged as inactive.
All health and administrative related data and all data that is backed-up, and all data sent to others stay in their data collections.

9- Because of legal reasons or because of regulations any ‘logically removed’ data could be read.

10- Finally the Ross Anderson/BMA Security Policy Principles

Gerard Freriks
+31 620347088
gfrer@luna.nl

Kattensingel 20
2801 CA Gouda
the Netherlands

2- Physical deletion is NOT ...

... easy and often practically next to impossible.

possible. During the life cycle of data, data collections
are backed up. This can be on write-once, read-many media.
Sometimes complete databases are replicated as backup.

While true it draws blank stares from legal or political.

So we need to declare "deleted" to mean "deleted-as-much-as-possible".

Karsten

Small example.

As a GP I had, in the early 1990s, scanned all 'green cards', meaning patient records, to CDs.
I can not remove these files on write-only media.
But logically they were removed because they were all archived and stored in a vault.
My EHR-system had no access to these scans.
All this might give frowns by the legal profession.

Logical deletion is possible at best.
Logical deletion means that that data no longer is actively used in health care provision processes.

Absolute and full Physical deletion many times is impossible, or not practical.

Gerard

Gerard Freriks
+31 620347088
gfrer@luna.nl

Kattensingel 20
2801 CA Gouda
the Netherlands

Gerard,

I think there is not much disagreement here. In our project, we had to physically delete from our XDS repositories and the registry. However, we would keep the ATNA logging files and the database backup. This might sound a bit inconsistent but that has been the reality in our state. While I agree with your statements regarding physical deletes, I still consider the delete in our use case not as "logical" because the data objects were really to be deleted from the databases of the operational systems. The vendor from Austria had to change their IHE solution to physically delete the data instead of just flagging it.

What else is there to say? There clearly are use cases for openEHR that go beyond the classic EHR scenarios. Therefore, there need to be ways described by the spec to support physical deletes (in the sense of the example given above) as well as logical deletes.

Best,

Birger

There should still be a way to differen ) but you are certainly right that

Small example.

As a GP I had, in the early 1990s, scanned all 'green cards', meaning patient records, to CDs.
I can not remove these files on write-only media.

Oh, you can, but it is not feasible:

Re-read all CDs, delete from recovered data any data that
needs to be deleted, destroy old CDs, burn new CDs.

Logical deletion is possible at best.
Logical deletion means that that data no longer is actively used in health care provision processes.
Absolute and full Physical deletion many times is impossible, or not practical.

Exactly, the latter. An example for *you* are unable (as
opposed to *it* is not possible):

  Your CDs were handed over to a data keeping company to
  which you don't have access (say, it went bankrupt).

Under German law you might well be responsible for a) having
made sure that company complies with German law, and b) you
may *still* potentially be liable today.

Case in point: under German law when a doctor's children
inherit (!) patient charts they automatically become the
legally responsible custodians of the records and become,
among other obligations, liable to litigation for privacy
breaches both by the parent they inherited from and also
themselves ! Yes, *non-doctors* may fall under doctor-patient
privacy laws just because they become heirs to a former GP
office's patient charts...

I doubt any such crazy thing is possible anywhere else.

Karsten

the deleted marker is for other (more boring) scenarios entirely - it’s just about content, not about moving / removing EHRs, which we also have to be able to do, but which is another question… specification of an EHR archive does not yet exist in openEHR, and you are right, that’s the place for this kind of thing. But, we wouldn’t want to solve everything on day 1… - thomas

Even when the patient wants all data to be removed, this means removal in the context of the provision of health care.
For legal and administrative purposes the data can NOT be removed but must be available for these non-healthcare-provision-related circumstances.
One needs a label 'deactivated' (for health purposes).

EHR_STATUS has 2 Boolean flags - is_modifiable and is_queryable, which can be both turned off for these kinds of EHRs.

If people think we need more flags, they can be proposed to be added to this structure.

Remember: Even when the patient has left, the author (HcP) has administrative and legal responsibilities. He is accountable for many years because of actions taken. He needs to be able to defend himself.

exactly right. This is one of the drivers for the openEHR versioning system in fact...

- thomas

just to be clear, we are talking about (at least) 3 different things:

For the first scenario, changing a care plan, or stopping it, I wouldn't think of calling it logically deleting it but bringing it into another state: stopped, or something like that.

The second is in fact physically removing it from the EHR and then saving it somewhere in some form. In the openEHR standard there is, as far as I know, no facility to do this. In fact the second scenario is, as I see it, from the openEHR point of view the same as the third.

Bert

The question is how far openEHR should define a system. Should it also describe an archival system? Should it also describe how to handle physical deletion? And why should it describe that?

It can become harder for system builders to reach openEHR conformance.

I think this is a wrong direction. openEHR defines a logical, semantic, flexible data structure. And a query language. It does not even define in which way to achieve that. The technical details are the implementers' business.

I think openEHR does not need a deletion flag; as I wrote before, that is describing a technical solution for archiving.

I must excuse myself, I am not able to participate more in this discussion this week because I am on holiday.

Best regards.
Bert

Hi,

There are several (5) realities:
1- that what is actually happening in the Patient System
2- that what is observed by the HcP/author (observables via senses)
3- subjective evaluation by HcP
4- that what is documented in the EHR patient record (Committed Composition)
5- the EHR Patient Record system

a- Each commit must be logged and never physically removed.
Committed Compositions are never physically removed.
Each is a legal act that needs to be documented and stored. Several other processes are connected, such as billing and (legal) reporting.

b- The status of Committed Compositions can change (from active to not-active, cq readable to not-readable)
In other words the Access Control status is changed.
A change in a Care Plan as part of the Patient System is documented via a superseding new Committed Composition indicating the termination of the process that is a Care Process Plan.

It will be a new update, as a new version, of the Committed Composition that is about the Care Process Plan.
Nothing can/must be 'logically deleted’, a new status must be documented.

c- When patients demand the removal of all data the Patient record is declared in-active or its Access Control List is changed such that only the patient has controlling access rights.

d- When specified Committed Compositions are 'removed' as requested by the Patient, these will be declared inactive or their Access Control List is changed such that only the patient has controlling access rights.

e- In-active means that the data can NOT be used for the provision of Health Care; it can be used for administrative or legal purposes. Logging is one of the legal/administrative needs.

Gerard Freriks
+31 620347088
gfrer@luna.nl

Kattensingel 20
2801 CA Gouda
the Netherlands
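The two mechanisms argued over in this thread can be made concrete in code: Gerard's point that a "removal" is a new, logged status change on a versioned composition that clinical queries no longer see, Thomas's remark that EHR_STATUS carries is_modifiable / is_queryable flags that can be switched off for a whole record, and Birger's secondary-use case where the content itself is purged while the audit log (ATNA in his case) is kept. The following is an added example written for this page, not code from openEHR or from any poster; the class and method names, the lifecycle labels and the audit record layout are assumptions, and openEHR's own ORIGINAL_VERSION / EHR_STATUS types are only loosely imitated.

```python
"""Added illustration (not openEHR's own API): a minimal versioned store
that keeps logical and physical deletion apart while always preserving
the audit trail. Names and structures are assumptions for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Version:
    uid: str                    # assumed layout: <object_id>::<system_id>::<n>
    content: Optional[dict]     # the committed composition; None if purged
    lifecycle: str              # assumed: "complete" | "inactive"
    committer: str
    commit_time: str


@dataclass
class EhrStore:
    system_id: str
    is_modifiable: bool = True  # mirrors the EHR_STATUS flags named in the thread
    is_queryable: bool = True
    versions: Dict[str, List[Version]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)   # append-only, never purged

    def _log(self, action: str, target: str, committer: str, reason: str = "") -> None:
        # Every commit, status change and purge is itself a documented event.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "target": target,
            "committer": committer, "reason": reason,
        })

    def commit(self, obj_id: str, content: dict, committer: str) -> str:
        if not self.is_modifiable:
            raise PermissionError("EHR is not modifiable")
        chain = self.versions.setdefault(obj_id, [])
        uid = f"{obj_id}::{self.system_id}::{len(chain) + 1}"
        chain.append(Version(uid, content, "complete", committer,
                             datetime.now(timezone.utc).isoformat()))
        self._log("commit", uid, committer)
        return uid

    def logical_delete(self, obj_id: str, committer: str, reason: str) -> str:
        """Gerard's model: no data is removed; a superseding version carries
        the new status and the content stays readable for legal purposes."""
        if not self.is_modifiable:
            raise PermissionError("EHR is not modifiable")
        chain = self.versions[obj_id]
        prev = chain[-1]
        uid = f"{obj_id}::{self.system_id}::{len(chain) + 1}"
        chain.append(Version(uid, prev.content, "inactive", committer,
                             datetime.now(timezone.utc).isoformat()))
        self._log("deactivate", uid, committer, reason)
        return uid

    def physical_delete(self, obj_id: str, committer: str, reason: str) -> int:
        """Birger's secondary-use case: the content is really gone from the
        operational store, but the audit entries (and, outside this class,
        backups) remain. Returns the number of versions purged."""
        chain = self.versions.pop(obj_id, [])
        for v in chain:
            self._log("purge", v.uid, committer, reason)
        return len(chain)

    def query_for_care(self, obj_id: str) -> Optional[dict]:
        """Clinical view: hidden when the EHR is not queryable, when the
        object was purged, or when its latest version is inactive."""
        if not self.is_queryable or obj_id not in self.versions:
            return None
        latest = self.versions[obj_id][-1]
        return latest.content if latest.lifecycle == "complete" else None

    def read_for_legal(self, obj_id: str, reader: str, justification: str) -> Optional[dict]:
        """Administrative/legal view: inactive versions are still readable,
        but the read itself is logged with its justification."""
        if obj_id not in self.versions:
            return None
        latest = self.versions[obj_id][-1]
        self._log("legal_read", latest.uid, reader, justification)
        return latest.content


def demo() -> EhrStore:
    # Constructed sample data; not real patient records.
    store = EhrStore(system_id="example.org")
    store.commit("comp-1", {"type": "care_plan", "status": "active"}, "dr_a")
    store.logical_delete("comp-1", "dr_a", "patient requested removal")
    store.commit("comp-2", {"type": "lab_result", "value": 4.2}, "dr_a")
    store.physical_delete("comp-2", "dwh_admin", "consent for secondary use withdrawn")
    return store


if __name__ == "__main__":
    s = demo()
    print(s.query_for_care("comp-1"), len(s.audit))
```

The design choice worth noting is that `physical_delete` removes versions but never touches `audit`, and `read_for_legal` writes an audit entry of its own: that is exactly the split between "deactivated for health purposes" and "still available for legal and administrative purposes" that the thread converges on, and it is also why an ACL flip alone (which leaves no superseding version) is the weaker option.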

Given the fact that ACLs are ephemeral in many sorts of ways
I can easily understand the desire for physical deletion (but
I agree with you that it is next to impossible under many
circumstances).

Best,
Karsten