Tim Churches wrote:
> One of the reasons why people are reluctant to include facilities for
> physical deletion seems to be the need for a legal record of the
> information which was available to clinicians and others at particular
> points in time. That's a reasonable concern, but such concerns can only
> be addressed if use is made of digital notarisation of records by a
> trusted third-party notary. Such notarisation needs to be tightly
> integrated with the back-end storage mechanism, to permit digital
> counter-signing of each version of each record, not just the whole database.
>

We have actually consciously made the change control model (section 6 in http://svn.openehr.org/specification/BRANCHES/Release-1.1-candidate/publishing/architecture/rm/common_im.pdf) compatible with notarisation by a TTP; in particular, the idea that a digital digest can be generated with each new version of any version container, and the digest sent elsewhere; then when copies of the versions are sent in Extracts to another location, the receiver has a way of verifying the authenticity (regenerate digest and compare with requested copy from notary service). We have yet gone to the lengths of explicitly modelling more than the digest (which is described in the forthcoming EHR Extract spec), but I suspect we might in the future.

- thomas
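
The digest-and-compare check described in the reply above, as an added example that is not part of the original message or of the openEHR specification. The Notary class, the dict-shaped versions, the canonical JSON encoding and the choice of SHA-256 are all assumptions made for illustration; the counter-signing mentioned in the quoted text is not modelled.

```python
import hashlib
import hmac
import json

def version_digest(version: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one version (assumed encoding)."""
    canonical = json.dumps(version, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class Notary:
    """Hypothetical stand-in for the trusted third party: an append-only register."""
    def __init__(self):
        self._register = {}

    def record(self, version_uid: str, digest: str) -> None:
        # A notarised digest is never overwritten, so a later edit cannot
        # replace the record of what existed at commit time.
        if version_uid in self._register:
            raise ValueError(f"digest already notarised for {version_uid}")
        self._register[version_uid] = digest

    def lookup(self, version_uid: str):
        return self._register.get(version_uid)

def commit_version(notary: Notary, version: dict) -> None:
    """Sender side: digest each new version and send the digest elsewhere."""
    notary.record(version["uid"], version_digest(version))

def verify_extract(notary: Notary, versions: list) -> dict:
    """Receiver side: regenerate each digest and compare with the notary's copy."""
    results = {}
    for v in versions:
        expected = notary.lookup(v["uid"])
        if expected is None:
            results[v["uid"]] = "unknown"      # never notarised
        elif hmac.compare_digest(expected, version_digest(v)):
            results[v["uid"]] = "ok"
        else:
            results[v["uid"]] = "mismatch"     # content differs from committed version
    return results

def demo() -> dict:
    # Constructed sample versions; the uids and contents are made up.
    notary = Notary()
    v1 = {"uid": "container-1::v1", "data": {"note": "constructed sample"}}
    v2 = {"uid": "container-1::v2", "data": {"note": "constructed sample, amended"}}
    for v in (v1, v2):
        commit_version(notary, v)
    altered = dict(v2, data={"note": "altered after commit"})
    v3 = {"uid": "container-1::v3", "data": {"note": "never notarised"}}
    return verify_extract(notary, [v1, altered, v3])
```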

