Bert Verhees wrote:
> I understood that physically deleting (which is, in my view, complete removal
> of records (leaving no trace at all)) is impossible except by bypassing the
> kernel and doing it manually. The reasons why I understood this are the
> following.
> - Gerard said it should not be possible to physically delete a record, only
> logically may be possible. Logically removing in my view is adding a new
> version which has a deletion mark (like SVN works)
> - Sam said that for really (untraceable) removal, it would be necessary to
> hack in the underlying database manually
> - You said that too, and emphasized it by mentioning that that is not easy
> because of different DB-Vendors. And also you pointed to Subversion, which at
> this moment has no way for permanent deleting a record and removing all
> traces to it, all evidence it ever existed.
It seems inevitable that physical deletion of patient records will be needed in some circumstance, and may be required by law in some countries. Of course, as various people have pointed out, if a system administrator has physical access to the back-end database or repository, then physical deletion of particular records is always possible (although deletion of that record from all back-up copies on tape etc. can be very difficult to achieve).

The question for openEHR is whether it should define a function in its storage kernel specifications to facilitate such physical deletion and ensure that they are done in a consistent and safe fashion, or whether it should be left up to the system/database administrator to have to hack away at the back-end storage, bypassing the openEHR storage kernel. I would suggest that if one of the aims of openEHR is good integrity of medical records, it should be doing everything in its power to discourage system/database administrators from having to bypass the openEHR storage kernel to effect such deletions, and thus specify functions for the physical as well as the more usual logical deletion of patient records.

One of the reasons why people are reluctant to include facilities for physical deletion seems to be the need for a legal record of the information which was available to clinicians and others at particular points in time. That's a reasonable concern, but such concerns can only be addressed if use is made of digital notarisation of records by a trusted third-party notary. Such notarisation needs to be tightly integrated with the back-end storage mechanism, to permit digital counter-signing of each version of each record, not just the whole database.

Tim C
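As an added example (not code from this thread or from openEHR), the following Python sketches the two mechanisms discussed above: logical deletion as a new version carrying a deletion mark, and a per-version notary counter-signature chained to the previous version, so that a version removed behind the kernel's back is detectable. The notary key, the record layout and the use of an HMAC in place of a real third-party digital signature are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for the trusted third-party notary's signing key.
NOTARY_KEY = b"example-notary-key-not-for-production"

def notarise(prev_sig: str, payload: dict) -> str:
    """Counter-sign one version, binding it to the previous version's signature."""
    body = json.dumps({"prev": prev_sig, "payload": payload}, sort_keys=True).encode()
    return hmac.new(NOTARY_KEY, body, hashlib.sha256).hexdigest()

class VersionedRecord:
    """A record stored as an append-only chain of notarised versions."""

    def __init__(self, record_id: str):
        self.record_id = record_id
        self.versions = []  # each entry: {"payload": {...}, "notary_sig": "..."}

    def commit(self, content, deleted: bool = False) -> None:
        prev = self.versions[-1]["notary_sig"] if self.versions else "genesis"
        payload = {"record_id": self.record_id, "version": len(self.versions) + 1,
                   "content": content, "deleted": deleted}
        self.versions.append({"payload": payload, "notary_sig": notarise(prev, payload)})

    def logical_delete(self) -> None:
        """Logical deletion: append a tombstone version; earlier versions stay readable."""
        self.commit(None, deleted=True)

    def current(self):
        """Content as a clinician would see it now (None once logically deleted)."""
        last = self.versions[-1]["payload"]
        return None if last["deleted"] else last["content"]

    def content_at(self, version: int):
        """What was on record at a given version number (the legal-record view)."""
        return self.versions[version - 1]["payload"]["content"]

    def verify(self) -> bool:
        """Re-check every counter-signature; a version dropped from the chain breaks it."""
        prev = "genesis"
        for v in self.versions:
            if not hmac.compare_digest(notarise(prev, v["payload"]), v["notary_sig"]):
                return False
            prev = v["notary_sig"]
        return True
```

Removing the most recent version cannot be detected by the chain alone; for that the notary must also retain the latest signature it issued and compare it against the store's head.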

