Bert Verhees wrote:
> >> available in the API) requires a higher level of access than other
> >> operations, i.e. cannot just be done by any normal user - it might
> >> require a system administrator with special permissions. This is
> >> because physical removal of pieces of an EHR (like pieces of any
> >> versioned repository) can easily lead to inconsistencies in the
> >> remaining part.
>
> So as I read above, it is possible to be law-compliant in the
> openEHR system, but it is difficult.

It's nothing to do with openEHR - it's mathematically guaranteed that, at least in some cases, physical deletion of a subset of the items in a version-controlled repository that supports change-sets and legally defensible history and audit will logically corrupt the repository. This is because in general more than one thing can be changed in a change-set (what we call a Contribution), not just the thing you want to delete. Even if the thing you want to remove is the only thing in a Contribution, removing the Contribution still falsifies the previous states of the repository, and could easily leave both doctors and patient without a legally defensible EHR (e.g. if some physician had read the now-deleted information that said that the patient refuses blood transfusions because of religion, and under the health service rules obeyed the patient's preference; the patient then died as a result, and now the family wants to know what the hell happened... how does the physician prove what evidence his/her decision was based on, if it has been rubbed out?).
Technically, deletion is easy, but there are consequences for the consistency and legal value of the data. So making it harder to do is sensible.

We have to realise that all such legislation as has been mentioned here is written as if we were in 1850, still writing everything on paper. Even then it was not watertight - anyone could make a written copy, and it was not long before photography and typewriters made that job a lot faster.

In my opinion the best way to satisfy the intention of this kind of legislation is to design EHRs so that the identity of the patient can be kept completely out of the EHR if desired. openEHR supports 3 levels of this separation:

- no subject of care ids at all in the EHR (you have to create an ehr_id / subject of care id table elsewhere, in a secure space)
- subject of care id is mentioned only in the root EHR object of the EHR (relatively easy to stop most software getting to this particular object)
- subject of care id is mentioned in any/all information items about the subject, i.e. Entry.subject in openEHR terms.

In more open environments within secure boundaries, patient names can even be included in the record if desired. The level of separation is up to each site or health authority.

The first level means that even if you succeed in stealing and decrypting the whole EHR, you still don't know whose it is. I agree that if it happens to contain information corresponding to a small minority (people with HIV, people with one leg etc.) this protection is reduced. But this protection is only one of many; once you have a secure environment, biometric or RFID login, data encryption, and other measures, it is going to be a lot of work to steal patient data and then match it to an actual person. The very people who might have more reason to fear this are likely to have higher protection.
> It would be nice if every composition had a method:
> DestroyAndLeaveNoTrace, but I understand that this is not desirable
> because it must be possible to revert to the state of the record where
> the information is intact. I do not understand why, because when the
> law in the case of art. 455 says that it is not allowed (destruction means
> no way back!!) to revert back, why should openEHR want to revert back?

Being able to reconstruct previous states of the EHR is the only way to provide medico-legal support for claims made later about what happened earlier. Most likely this law is in conflict with other laws that say that physicians (or someone at least) have the right to keep such information as is necessary to protect them from later claims in court that they acted negligently; by the same argument, the _same_ functionality also protects the patient, especially if they added information to their own EHR and it was ignored.

Physical deletion breaks the integrity of any versioned repository, thus stopping it performing one of its major functions. openEHR is no different in this regard from Subversion, CVS, BitKeeper, ClearCase, SourceSafe or any other tool you want to mention.

> But as I said, it is not important to me, at the time it occurs I will
> find my way to comply with the law.

Consider how the (world's most stupid) law on region encoding of DVDs was complied with: DVD manufacturers brought out all-region decoders. Now we can buy a DVD in an airport and know it will play at the other end.

- thomas
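The point made above about Contributions (change-sets) is easy to see in a toy model. The following is an added example, not openEHR code and not the author's: it assumes a repository where each Contribution may change several items at once and is hash-chained to its predecessor so that history can be audited (the hash chain is an assumption of this example, not a statement about how openEHR stores versions). It shows that physically deleting one Contribution (a) breaks the audit chain, (b) takes unrelated changes in the same change-set with it, and (c) makes the reconstructed state "as the physician saw it" wrong, whereas a logical deletion recorded as a new Contribution hides the item going forward but leaves the earlier state reconstructible.

```python
"""Toy change-set repository (added example; assumptions, not openEHR's design).

A Contribution is a change-set touching one or more items and carrying the
digest of the previous Contribution. The record at any point is the replay of
all Contributions up to that point.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first Contribution (assumed convention)


@dataclass(frozen=True)
class Contribution:
    seq: int
    author: str
    changes: Dict[str, Optional[str]]  # item_id -> new content; None = logical delete
    prev_hash: str
    digest: str


def _digest(seq: int, author: str, changes: Dict[str, Optional[str]], prev_hash: str) -> str:
    payload = json.dumps(
        {"seq": seq, "author": author, "changes": changes, "prev": prev_hash}, sort_keys=True
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def commit(log: List[Contribution], author: str, changes: Dict[str, Optional[str]]) -> Contribution:
    """Append a new Contribution chained to the current head."""
    prev = log[-1].digest if log else GENESIS
    seq = len(log) + 1
    c = Contribution(seq, author, dict(changes), prev, _digest(seq, author, dict(changes), prev))
    log.append(c)
    return c


def verify_chain(log: List[Contribution]) -> Tuple[bool, Optional[int]]:
    """Audit check: sequence numbers contiguous, every link and digest intact.
    Returns (ok, seq of first bad Contribution)."""
    prev, expected = GENESIS, 1
    for c in log:
        if (c.seq != expected or c.prev_hash != prev
                or _digest(c.seq, c.author, c.changes, c.prev_hash) != c.digest):
            return False, c.seq
        prev, expected = c.digest, expected + 1
    return True, None


def state_at(log: List[Contribution], seq: int) -> Dict[str, str]:
    """Reconstruct the record as it stood after Contribution number `seq`."""
    state: Dict[str, str] = {}
    for c in log:
        if c.seq > seq:
            break
        for item, content in c.changes.items():
            if content is None:
                state.pop(item, None)
            else:
                state[item] = content
    return state


def physically_delete(log: List[Contribution], seq: int) -> List[Contribution]:
    """The DestroyAndLeaveNoTrace operation: drop a Contribution outright."""
    return [c for c in log if c.seq != seq]


def build_sample_log() -> List[Contribution]:
    """Constructed sample history (not real patient data)."""
    log: List[Contribution] = []
    commit(log, "nurse", {"allergies": "penicillin"})
    # One change-set altering two unrelated items: the directive and a contact.
    commit(log, "patient", {"directives": "refuses blood transfusion (religious)",
                            "contact": "next of kin: J. Doe"})
    commit(log, "dr_smith", {"plan": "no transfusion; per patient directive recorded in v2"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", verify_chain(log))
    print("what dr_smith saw:", state_at(log, 2))
    pruned = physically_delete(log, 2)
    print("after physical deletion, chain:", verify_chain(pruned))
    print("reconstructed 'what dr_smith saw':", state_at(pruned, 3))
    commit(log, "admin", {"directives": None})  # logical deletion instead
    print("after logical deletion, chain:", verify_chain(log))
    print("current record:", state_at(log, 4), "| historic:", state_at(log, 3))
```

Running it shows the contact detail vanishing along with the directive (collateral loss from a multi-item change-set), the audit check failing at the Contribution that followed the deleted one, and the physician's basis for the "no transfusion" plan no longer being reconstructible; the logical-deletion path keeps the chain valid and the historic state available while removing the item from the current record.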

