The EU approach to the ownership of medical records is in my opinion the best, reasoned approach. However, this constitutes, in essence, a single legal system in a global community and there are many. At any time one or more of these communities can in a process of restructuring and/or modifying codes that could potentially affect EHR ownership. Enforcement can also be a variable as can code on the books that conflict with existing, enforced code.
I have lived in towns and cities that have refused to filter 'old' code and not because it appears funny and ridiculous today but because if more recent code is successfully attacked, modified or overturned the 'old' code is effective and legal. It is a strategic way of running a legal system. OpenEHR security will always have to address ownership issues regardless of the legal forum. A change of administration translates into changes in how daily lives must be conducted. Adaptability is key to survival. HIPPA itself is a prime example of competing forces that will continue to shape it even though it has been enacted and made effective. Legislative bodies legislate and change things. Designing a standard or a system in total conformance to today's version without adaptability is not a good idea. OpenEHR security must function within a human information system not a computer-based system. Wish it wasn't so because handing down a set of commandments in a computer-based system is considerably different, an example being the successful specification of security features for a Secure Data Store. We haven't had this much luck in human-based systems. Healthcare itself is dynamic and is likely to place even more burdens on OpenEHR security, e.g., remote monitoring, diagnosis, prescription and surgery. For example, Elizabeth Maher has submitted a short, recent response to the post 'Re: EPR vs. EHR" that reads: vvvvvvvvvv The English National Health Service makes an explicit distinction between the "cradle to grave" EHR and the Electronic Patient Record (EPR) which is used to record episodic or periodic healthcare. The EPR is a more generic term and is inclusive of other forms of periodic or episodic health care besides medical care. The proposed ISO definition of the EPR is the same as that of the English NHS except for the addition of the word "episodic". ^^^^^^^^^^ It is timely since it points out that there are non-medical sources of information that will ultimately have to be considered, e.g., mental health. Each source of information may have a security system separate and distinct from OpenEHR. The interface between security systems cannot be dropped, they must somehow be integrated. "episodic" (includes events, 'one-of-a-kind') records may or may not be important, e.g., the Patient was required to visit a Clinic in China during a business trip within the past two weeks. Records that may or may not have to be integrated but were created and maintained (hopefully) within some security system. Integration would have to be handled consistent with current (at the time) OpenEHR standards. Solutions include encapsulation of 'stray' records into a child EHR; easily controlled and stored. Interestingly encapsulation may also apply to EHRs created and maintained in different legal jurisdictions. SUGGESTION: Local, regional, national and global security monitoring and control is needed but may be dissimilar in many respects. Ownership issues will remain a plague. One might structure a response to include the assignment of a right to copy today's EHR and pertinent history with copy ownership remaining with the Healthcare Practitioner or Organization. -Thomas Clark ----- Original Message ----- From: "Bernd Blobel" <[email protected]> To: "Paul Juarez" <JuarezPD at wmmcpo.ah.org> Cc: <bill.walton at jstats.com>; <openehr-technical at openehr.org> Sent: Tuesday, April 29, 2003 12:56 AM Subject: Re: GEHR philosophical background info > Paul Juarez wrote: > > I've been following these discussions with a lot of interest. So I > > guess it's time for me to put in my two bits. While I've seen a couple > > of references to ownership of the medical record, I havent seen anything > > definitive that defines it (e.g. patient, provider, legal custiodian of > > record, etc., or some combination). It seems like this question needs > > to be clearly agreed on before issues of access can be identified. (It > > also could be a partial solution to distinguishing between the terms > > EMR, EHR, EPR). HIPAA aside, it seems that there may be some different > > legal issues about ownership that would also have implications for > > access. Any thoughts? > > > > > > >>> "Bill Walton" <bill.walton at jstats.com> 04/28/03 12:32PM >>> > > Hi Sam, > > > > > > BW: This is a really interesting problem space to me. I've been > > studying HIPAA (the Health care Information Portability and > > Accountability Act) and have become fascinated with the discussion over > > how best to balance the needs of the various parties involved in the > > provision and payment of healthcare services so as to improve the > > quality and decrease the cost of health care here in the U.S.. Talk > > about a non-trivial problem! Interestingly, it looks to me like all the > > nonsense can be traced back to the health record and some fundamental > > questions about who owns it, who controls access to it, etc. Thanks > > again for sharing. Hope to hear from you soon. > > > > > > SH: I agree - it is fascinating. Can I point you to our (original > > work on this - quite philosophical) which I wrote with Len Doyal - a > > professor of medical ethics in London. > > http //www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8 > > > > I hate to ask this, but is there one deliverable you could point me to > > that contains the philosophical stuff? I'm up to my eyeballs right now > > and I can see there's a whole bunch of good stuff at the Chime site on > > GEHR that I'll have to get to asap. > > > > Thanks, > > Bill > The ownership issue of medical information was a 10 years discussion in > Europe. Several projects we have been involved in tried to analyse > ethical and legal implications of personal medical information. > The interpretation of those issues is very different from country to > country, from region to region, from institution to institution and even > from scientists to sientists. In all official documents of the European > union sich as, e.g. the EU Data Protection Directive from 1995 which > meanwhile has been implemented in all EU Member States, avoids the term > ownership. In many circles, we talk about a comon responsibility of > doctor and patient within the trustworthy doctor-patient relationship. > Therefore, also the practical realisation of corresponding activities > are handled different. Many Healthcare Establishments hand over the > original materials to the patient. In the other hand, legislation for > documentation requirements and liability issues requires the originals > with the institutions. As you can see, the responsibility paradigm seems > to be a logical way - and all standards work items orient to the > responsibility paradigm. This means on the other hand, that without > consent of the patient (which could be defined at action level or at > role level), the doctor has no right to access and to communicate > patient's personal information. > > Best regards > > Bernd > > - > If you have any questions about using this list, > please send a message to d.lloyd at openehr.org - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
