Hi Sam,

Sam Heard wrote:

> > BW: First, and perhaps you consider this a separate issue that's out of
> > scope for Access Control, but what about Audit Trails? 
 
> SH: openEHR has full version control of all components so we have this 
> thoroughly covered. If you are talking about auditing what is viewed, our 
> research in the early 90s suggested that clinicians were totally against this 
> - and it is very difficult to be sure what is seen unless refresh times, 
> screen size and scrolling are all monitored - the idea is terrifying!

I'm talking here about logging system activity at run-time, not version 
control.  Also, I note that there seems to be concern about the phrase Audit 
Trails.  I agree that it's way out of scope to try to log exactly what's seen.  
What's accessed (at the file or field level) is another question.  I'll have 
more to say about this in another email in response to / support of Thomas 
Clark's comments.
 
> > BW: In addition to the choices / decisions you summarize on Page 3, I 
> > believe there's a key question the system needs to be able to answer: "Who 
> > has had what access to my records?" 
 
> SH: We do believe that it is essential to log access - but not to what unless 
> there is an over-ride on the constraints set by the patient. This could 
> result in an automatic email to the patient in the future. But not policing 
> what the clinician who has access looks at.

Hmmm....  I'm guessing this may be a difference at the national level in how 
the medical delivery systems work.  I'll have more to say about this in the 
email response anticipated by the above, but here are some of the new 
requirements we are having to come to grips with here in the U.S....  Under HIPAA,
the patient has the right to request an accounting of disclosures and the 
physician must furnish that accounting.  Moreover, HIPAA requires that 
disclosures of protected health information, even to others within the 
physician's office, be kept to the minimum needed by the requestor to fulfill 
their job duties.  In addition, the patient has a right to request that 
specific information be kept confidential.  Along with the Privacy and Security 
standards, HIPAA contains enforcement provisions and the commentary has been 
very explicit that sanctions are an essential component of any security scheme.
It appears to me that, here in the U.S., we have to anticipate maintaining a
log of accesses to allow a reviewer to determine whether or not HIPAA's 
requirements have been adhered to.
 
> > BW:  To answer this question it looks to me like the system needs to 
> > maintain two types of information: 1) a history of the changes to the 
> > Access Control List,  
 
> SH: In openEHR this is versioned like anything else...

Excellent.  So past Access Control Lists are kept and could be reused?  This 
will become important for us (in the U.S.) because the fact that a physician 
had access to a patient's full medical history in the past does not mean they 
continue to have that level of access.
 
> > BW:  and 2) a history of accesses to the EHR itself. 
 
> SH: I agree as long as we are talking access - that is logged - and 
> over-rides and who authorised them and for what reason (perhaps unconscious
> in Emergency is appropriate). Patients could set the over-ride capability to
> be turned off.

More on this in other emails, but I think there's more to it than over-rides.
 
> > BW:  Further, it looks like the EHR access history should include reads as 
> > well as writes.  That way, the trail would lead to the providers that have, 
> > with permission, made copies of the EHR within their own systems. 
 
> SH: True - it will only be able to be stored as an HTML rendition unless 
> there is an extract in openEHR - but you are right - this could be saved - 
> this is difficult to police. 

Oops!  I'd assumed there would be extracts in openEHR.  HIPAA specifies, under 
the Transaction Rules that go into effect in October of this year, a number of 
EDI transactions between systems that would require this.  HTML will not be 
sufficient.

> > BW:  This is tied to the first question I think, but how does the system 
> > deal with the needs of Consulting Physicians and Researchers who are not 
> > going to provide care, but may need read access to the full record?  If I 
> > read this correctly, the mechanism controls what information can be 
> > accessed, but not the type of access permitted (i.e., read vs. write). 
 
> SH: The fact is, unlike usual systems, there will be  more restraints on 
> reads than writes. 

I'm taking this to mean that there will be configurable permissions on type of 
access.  Yes?

> SH: Research access will be via the kernel with an approved program unless it 
> is one-to-one reading of records when the patient's consent is required 
> anyway.

Hmmm....  Again, perhaps a difference at the national level.  Research here in
the U.S. typically requires extracted data to be transferred from a physician's 
system to the research organization's system.
 
> > BW:  How do Emergency medicine providers get access to the records?  It 
> > looks like there needs to be an override to allow the timely delivery of 
> > service in Emergency situations.  It would seem to me that the existence of 
> > the Audit Trails above might calm fears of inappropriate access.
 
> SH: As above

More to come under separate headings.

Best regards,
Bill
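
An added illustration, not part of the original email and not openEHR code: the two histories discussed above (versioned Access Control Lists, and a log of reads and writes that records over-rides with their reason) combined to answer "Who has had what access to my records?". All class and function names, the integer clock and the sample entries are constructed assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

@dataclass(frozen=True)
class AclVersion:
    effective: int   # time this ACL version took effect (constructed integer clock)
    grants: dict     # user -> set of permitted access types ("read", "write")

@dataclass(frozen=True)
class Access:
    time: int
    user: str
    kind: str                  # "read" or "write"; reads are logged too
    item: str                  # file- or field-level identifier, not what was seen on screen
    override_reason: str = ""  # non-empty when the patient's constraints were over-ridden

def acl_at(history, t):
    """Return the ACL version in force at time t (history sorted by effective time)."""
    i = bisect_right([v.effective for v in history], t) - 1
    return history[i] if i >= 0 else AclVersion(0, {})

def accounting(history, log):
    """List every access in time order, judged against the ACL in force at that time."""
    report = []
    for a in sorted(log, key=lambda a: a.time):
        allowed = a.kind in acl_at(history, a.time).grants.get(a.user, set())
        if allowed:
            status = "permitted"
        elif a.override_reason:
            status = "override"       # candidate for notifying the patient
        else:
            status = "not_permitted"  # for a reviewer to follow up
        report.append((a.time, a.user, a.kind, a.item, status))
    return report

# Constructed sample data: dr_b's read access is withdrawn at time 50.
ACL_HISTORY = [
    AclVersion(10, {"dr_a": {"read", "write"}, "dr_b": {"read"}}),
    AclVersion(50, {"dr_a": {"read", "write"}}),
]
ACCESS_LOG = [
    Access(20, "dr_b", "read", "medications"),
    Access(60, "dr_b", "read", "medications"),
    Access(70, "er_c", "read", "allergies", "patient unconscious in Emergency"),
    Access(30, "dr_a", "write", "problem_list"),
]

if __name__ == "__main__":
    for row in accounting(ACL_HISTORY, ACCESS_LOG):
        print(row)
```

Because each access is checked against the ACL version that applied when it happened, a physician's past access stays "permitted" in the record even after their rights are later withdrawn.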

