Security, privacy and patient identity

Hello, I’m working quite a bit in patient identity and privacy standards in various bodies in the US and EU. I haven’t found much discussion in this forum about the topic, and would welcome the discussion.

There is some experience (and implementation) of IHE Advanced Patient Privacy Consents (APPC) with openEHR systems.

There are other approaches in use with openEHR systems, but not yet any standardisation within openEHR.

One view (mine;-) says that we should be adding Consent as a top-level content type to the EHR, and supporting computable consent representation within that. The challenge is how to represent access to specific kinds of content in a way that is comprehensible to patients and clinicians.

This is not easy, since it should potentially take account of the things that APPC does, i.e. actor types, episodes, facilities, withholding etc.

If you would like to post your specific interests here that would certainly help the discussion.

Hi Jim,

These are clearly significant issues but to a large extent currently outside of openEHR’s focus, as right now they are mostly driven by external efforts, mostly at a national level. e,g. even in the UK each of the 4 countries has a different approach to patient identity. This is also a heavily culturally nuanced and ‘political’ arena where public opinion has a significant impact.

In theory, as Thomas says, we should be able to embed some standardised ideas of fine-grain access control to parts of an openEHR record but it is non-trivial to reconcile all of the various potential rules involved, both technically, and in a way that humans understand the impact, and therefore restrict access in a way that does not damage care.


I’ve been following the discussions here on patient identity, data ownership, and privacy. I’d be happy to participate if there was more discussion.