-----Original Message-----
From: Bert Verhees [mailto:[email protected]]
Sent: Friday, April 14, 2006 8:30 AM
To: openehr-technical at openehr.org
Subject: Re: Authorisation

Gerard, thanks for your explanation.

I was a bit confused by the ISO18308-conformance document. I understand now that there are classes X_ACCESS_CONTROL and ACCESS_GROUP to handle this. It is the local law which dictates how to implement access controls.

Bert

On Friday 14 April 2006 13:44, Gerard Freriks wrote:
> Bert,
>
> "GP sends the patient to the hospital"
>
> What do you mean:
> Is he referred to a specialist? Then implicitly, at least in the
> Netherlands, both the GP and specialist have access rights. Is he
> referred to a lab-service in the hospital? Then the same reasoning can
> be applied. Always the patient has the rights to limit the access
> rights of others, including himself and the GP.
>
> The whole business of co-operating physicians is dealt with in a
> coming European Standard: "System of Concepts for Continuity of Care"
> (ContSys)
>
> In the whole chain of events: Identification, Authentication,
> Authorisation, Access Control and Logging. What you describe are
> problems at the level of Access Control where the Patient mandate is
> executed against the rights granted in the authorization phase.
>
> Gerard
>
> -- <private> --
> Gerard Freriks, arts
> Huigsloterdijk 378
> 2158 LR Buitenkaag
> The Netherlands
>
> T: +31 252 544896
> M: +31 654 792800
>
> On 14-apr-2006, at 13:12, Bert Verhees wrote:
> > A GP a few days ago was thinking of the following situation
> >
> > A patient goes to the GP, the GP sends the patient to the hospital,
> > in the hospital there are some tests. The results of these tests can
> > arrive in the openehr system, possibilities
> > - the GP may not be allowed to see the results of these tests,
> > because the specialist thinks the GP is not qualified to judge the
> > outcome
> > - the GP may not be allowed to see the results of these tests
> > because the patient does not want him to see them
> > - the GP is allowed to see the results because the specialist and
> > the patient allow him to see the result.
> >
> > As I understand, in this case, the committer of the composition is
> > the specialist
> > ------------------
> > As I understand this, an authorization application keeping track of
> > authorizations and group-definitions is needed to support the
> > openehr-using application. Are there any thoughts about this?
> > Can I read some more about this, anybody know where?
> >
> > And also other thoughts about authorization by other ways are
> > welcome.
> >
> > I was thinking of authorizations on the use of archetypes. In the
> > above example, the specialist could have used a specially prepared
> > archetype to post the test-results in case he did not want the GP to
> > see the results, and another archetype if he grants the GP to see
> > the results, then there would be only one extra authorization
> > necessary, the patient must allow the GP to use all the archetypes,
> > he as a GP is entitled to use.
> >
> > But maybe, very well possible, I am overlooking a lot, so
> >
> > Please help me thinking about this
> >
> > Thanks
> >
> > Bert Verhees

--
Kind regards
Bert Verhees
ROSA Software

