Gerard, thanks for your explanation.

I was a bit confused by the ISO18308-conformance document.

I understand now that there are classes X_ACCESS_CONTROL and ACCESS_GROUP to 
handle this.

It is the local law which dictates how to implement access controls.

Bert


On Friday 14 April 2006 13:44, Gerard Freriks wrote:
> Bert,
>
> " GP sends the patient to the hospital"
>
> What do you mean:
> Is he referred to a specialist? Then implicitly, at least in the
> Netherlands, both the GP and specialist have access rights.
> Is he referred to a lab-service in the hospital? Then the same
> reasoning can be applied.
> Always the patient has the rights to limit the access rights of
> others, including himself and the GP.
>
> The whole business of co-operating physicians is dealt with in a
> coming European Standard:
> "System of Concepts for Continuity of Care" (ContSys)
>
> In the whole chain of events: Identification, Authentication,
> Authorisation, Access Control and Logging.
> What you describe are problems at the level of Access Control
> where the Patient mandate is executed against the rights granted in
> the authorization phase.
>
> Gerard
>
> --  <private> --
> Gerard Freriks, arts
> Huigsloterdijk 378
> 2158 LR Buitenkaag
> The Netherlands
>
> T: +31 252 544896
> M: +31 654 792800
>
> On 14-apr-2006, at 13:12, Bert Verhees wrote:
> > A GP a few days ago was thinking of the following situation
> >
> > A patient goes to the GP, the GP sends the patient to the hospital,
> > in the hospital there are some tests.
> > The results of these tests can arrive in the openehr system,
> > possibilities:
> > - the GP may not be allowed to see the results of these tests,
> > because the specialist thinks the GP is not qualified to judge the
> > outcome
> > - the GP may not be allowed to see the results of these tests
> > because the patient does not want him to see them
> > - the GP is allowed to see the results because the specialist and
> > the patient allow him to see the result.
> >
> > As I understand, in this case, the committer of the composition is
> > the specialist
> > ------------------
> > As I understand this, an authorization application keeping track of
> > authorizations and group-definitions is needed to support the
> > openehr-using application.
> > Are there any thoughts about this?
> > Can I read some more about this? Anybody know where?
> >
> > And also other thoughts about authorization by other ways are welcome.
> >
> > I was thinking of authorizations on the use of archetypes.
> > In the above example, the specialist could have used a specially
> > prepared archetype to post the test-results in case he did not want
> > the GP to see the results, and another archetype if he grants the
> > GP to see the results, then there would be only one extra
> > authorization necessary, the patient must allow the GP to use all
> > the archetypes, he as a GP is entitled to use.
> >
> > But maybe, very well possible, I am overlooking a lot, so
> >
> > Please help me thinking about this
> >
> > Thanks
> >
> > Bert Verhees

-- 
With kind regards
Bert Verhees
ROSA Software
