Sam,

My response to Arild was in the context of use cases as information gathering mechanisms. You are, it seems to me, proposing use cases as material that show both context and how to set up / use the ACL given that context. I agree that they would be valuable for the latter. On the other hand, you've demonstrated the problem of developing a single mechanism that functions across different contexts very nicely.

The "Health Care Facility Nominated Trusted Clinician" section on page 5 contains the sentence "This access will be on a 'need to know' basis." Here in the U.S., HIPAA has specifically rejected "need to know" as a valid basis for access. A user of the EHR may only access information the patient has granted them the right to access. This complicates Access Control considerably since it requires not only control of levels of information but also specific health care episodes. Take for example the case of a businessman who contracts an STD on a trip to the Far East and receives treatment upon returning home. Here in the U.S. the patient, assuming he paid cash for the treatment, has the right to deny access to even header information disclosing the treatment ever occurred to anyone but himself and the physician who rendered treatment.

I still wonder whether the Access Control Mechanism can't be made configurable in terms of both Roles defined and Access Rights per Role. Perhaps that's too complicated, especially for Version 1.

At any rate... thanks for sharing.

Best regards,
Bill

----- Original Message -----
From: "Sam Heard" <[email protected]>
To: "Bill Walton" <bill.walton at jstats.com>; <openehr-technical at openehr.org>
Sent: Tuesday, November 18, 2003 12:26 AM
Subject: RE: use case documents from the health care domain - ROLES

> Bill
>
> I believe that we have to define roles in a standard manner that can work in
> all settings - and that patients can understand when they go from place to
> place - it is a massive simplification - a little strange - but I think it
> can work. It requires that all policies are written using the same roles -
> patients can then give individuals specific roles - or more usually,
> hopefully, accept the local policy.
>
> I attach a paper that has had some positive response in different
> situations.
>
> Cheers, Sam
>
> > -----Original Message-----
> > From: owner-openehr-technical at openehr.org
> > [mailto:owner-openehr-technical at openehr.org]On Behalf Of Bill Walton
> > Sent: Tuesday, 18 November 2003 2:17 AM
> > To: openehr-technical at openehr.org
> > Subject: Re: use case documents from the health care domain]
> >
> >
> > Arild Faxvaag wrote:
> >
> > > Has someone tried to establish a collection of use case documents with
> > > descriptions of information-related tasks by health care workers?
> > >
> > > Would you developers consider it useful if such a collection existed?
> >
> > It seems to me that question of "context" needs to be addressed before those
> > task descriptions will have much value. I'm thinking that Roles differ from
> > country to country, and in most cases, by health-care setting within a
> > country. So just starting here we have a three-level hierarchy (Country ->
> > Setting -> Role). Once that's established, Responsibilities and Authority
> > can be mapped. Exceptions to Authority would need to be mapped. Now we're
> > at five levels, perhaps six depending on the approach to mapping exceptions.
> >
> > I wouldn't suggest even attempting to extend this to descriptions of the
> > tasks. Just establishing the taxonomy above would be a huge job; forget
> > about the effort to maintain it over time. Task descriptions would, IMO,
> > make the maintenance task impossible.
> >
> > It seems to me that the value of such a collection would extend _much_
> > further than the development community.
> >
> > Best regards,
> > Bill
> >
> > -
> > If you have any questions about using this list,
> > please send a message to d.lloyd at openehr.org
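The access model discussed in this thread (roles and rights per role configurable per site, patients assigning a role per episode or accepting the local policy, and an episode the patient withholds even at header level), as an added Python example that is not from the thread or from openEHR. All names, the three information levels and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = ("header", "summary", "detail")  # ordered; a level implies those before it

@dataclass
class Episode:
    episode_id: str
    patient: str
    treating_clinician: str
    restricted: bool = False  # patient has withheld the whole episode

@dataclass
class Consent:
    # (user, episode_id) -> role the patient assigned for that episode
    grants: dict = field(default_factory=dict)
    accepts_local_policy: bool = True

def allowed_level(user, local_role, episode, role_rights, consent):
    """Highest level `user` may read for `episode`, or None (default deny)."""
    if user == episode.patient:
        return "detail"
    if episode.restricted:
        # Not even header information is disclosed to anyone else.
        return "detail" if user == episode.treating_clinician else None
    role = consent.grants.get((user, episode.episode_id))
    if role is None and consent.accepts_local_policy:
        role = local_role  # fall back to the role the site assigned
    return role_rights.get(role)  # unknown or missing role -> None

def can_read(user, local_role, episode, level, role_rights, consent):
    top = allowed_level(user, local_role, episode, role_rights, consent)
    return top is not None and LEVELS.index(level) <= LEVELS.index(top)

# Constructed sample data: one site's role-to-rights table, two episodes.
SITE_RIGHTS = {"treating_clinician": "detail", "nurse": "summary", "admin": "header"}
checkup = Episode("ep-1", "pat-7", "dr-a")
private = Episode("ep-2", "pat-7", "dr-b", restricted=True)
consent = Consent(grants={("dr-c", "ep-1"): "treating_clinician"})

if __name__ == "__main__":
    for user, role, ep, level in [
        ("nurse-x", "nurse", checkup, "summary"),
        ("nurse-x", "nurse", checkup, "detail"),
        ("dr-c", "admin", checkup, "detail"),    # patient grant overrides site role
        ("admin-y", "admin", private, "header"), # restricted: header denied
        ("dr-b", "treating_clinician", private, "detail"),
    ]:
        print(user, ep.episode_id, level, can_read(user, role, ep, level, SITE_RIGHTS, consent))
```

Swapping `SITE_RIGHTS` for another table changes the roles and their rights without touching the decision logic, which is the configurability the top message asks about.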

