On Monday 24 April 2006 17:11, Thomas Beale wrote:
> Bert Verhees wrote:
> >> available in the API) requires a higher level of access than other
> >> operations, i.e. cannot just be done by any normal user - it might
> >> require a system administrator with special permissions. This is
> >> because physical removal of pieces of an EHR (like pieces of any
> >> versioned repository) can easily lead to inconsistencies in the
> >> remaining part.
> >
> > So as I read above, it is possible to be law-compliant in the
> > OpenEhr system, but it is difficult.
>
> it's nothing to do with openEHR - it's mathematically guaranteed that at
> least in some cases, physical deletion of a subset of the items in a
> version controlled repository that supports change-sets and legally
> defensible history and audit will logically corrupt the repository. This
> is because in general more than one thing can be changed in a change-set
> (what we call a Contribution), not just the thing you want to delete.
> Even if the thing you want to remove is the only thing in a
> Contribution, removing the Contribution still falsifies the previous
> states of the repository, and could easily leave both doctors and
> patient without a legally defensible EHR (e.g. if some physician had
> read the now-deleted information that said that the patient refuses
> blood transfusions because of religion, and under the health service
> rules, obeyed the patient preference; the patient then died as a result,
> and now the family wants to know what the hell happened....how does the
> physician prove what evidence his/her decision was made based on, if it
> has been rubbed out).

I understand your arguments and Gerard's arguments, and I agree with most of it. But the law is the law, and some patients will want to exercise their rights to deletion. This law comes from 1995. A health-care information application must be able to obey the law, even if it is a bad law.

----------------

The law is only applicable if the care consumer demands a (partial) destruction of his file. But it has some safeguards built in.

- There are some exclusions regarding the safety of other people, e.g. in the case of inheritable diseases.
- There are some exclusions regarding other laws, taxes, administrations, if they need a longer period of availability of data.
- There is an exclusion where important interests of others are at stake; one can think of a reasonable period in which a care-producer needs, for his legal defense or otherwise for safety, the possibility to reproduce his activities. This is especially the case if there was an activity which can give rise to controversies, but a period in which controversies can arise must be seen as a limited period.
- There is a period of three months after which a (partial) destruction of a must have been accomplished, if there were no objections from above.

If there is no demand from the care consumer, the law demands the files to be kept 10 years, also with exclusions which can prolong this period. There has been a letter from the minister of Healthcare in 2005 to change this period to 15 years. The period of three months for care-consumer demand of destruction is also still literally in this letter, which can be seen as a confirmation of the intentions of the law. I found no information that this change of 2005 did make it into law.

>
> Technically, deletion is easy, but there are consequences for
> consistency and legal value of the data. So making it harder to do is
> <snip>
> ------
> <snip>
> many; once you have a secure environment, biometric or RFID login, data
> encryption, and other measures, it is going to be a lot of work to steal
> patient data and then match it to an actual person. The very people who
> might have more reason to fear this are likely to have higher protection.

I am not a lawyer, I cannot judge it, and maybe there is not a lot of jurisprudence, and one can always do it in other ways if a court forces us to do so. There is one safe method, described in Subversion, I forgot how, but it sounded possible.

>
> > It would be nice if every composition had a method:
> > DestroyAndLeaveNoTrace, but I understand that this is not desirable
> > because it must be possible to revert to the state of the record where
> > the information is intact. I do not understand why, because when the
> > law in case of art 455 says that it is not allowed (destruction means
> > no way back!!) to revert back, why should openehr want to revert back?
>
> being able to reconstruct previous states of the EHR is the only way to
> provide medico-legal support for claims made later about what happened
> earlier. Most likely this law is in conflict with other laws that say
> that physicians (or someone at least) have the right to keep such
> information as is necessary to protect them from later claims in court
> that they acted negligently; by the same argument, the _same_
> functionality also protects the patient, especially if they added
> information to their own EHR and it was ignored. Physical deletion
> breaks the integrity of any versioned repository, thus stopping it
> performing one of its major functions. openEHR is no different in this
> regard from Subversion, CVS, BitKeeper, ClearCase, SourceSafe or any
> other tool you want to mention.
>
> > But as I said, it is not important to me, at the time it occurs I will
> > find my way to comply with the law.
>
> consider how the (world's most stupid) law on region encoding of DVDs
> was complied with: DVD manufacturers brought out all-region decoders.
> Now we can buy a DVD in an airport and know it will play at the other end.
>
> - thomas

-- 
Kind regards
Bert Verhees
ROSA Software
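
The change-set argument quoted in this message, as an added example that is not part of the thread and is not openEHR code: a toy versioned record in which physically removing one Contribution is compared with a logical deletion committed as a new Contribution. The class, the function names and the sample record are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contribution:
    """One change-set: all item versions it commits share one audit entry."""
    cid: int
    committer: str
    changes: dict  # item id -> new content; None marks a logical deletion

def state_at(log, cid):
    """Reconstruct the record as it stood after contribution `cid`."""
    state = {}
    for c in log:
        if c.cid > cid:
            break
        for item, content in c.changes.items():
            if content is None:
                state.pop(item, None)   # hidden from now on, history kept
            else:
                state[item] = content
    return state

def physically_remove(log, cid):
    """Erase a whole Contribution from the log (assumed admin-only operation)."""
    return [c for c in log if c.cid != cid]

def logically_delete(log, item, committer):
    """Commit a new Contribution that withdraws `item` without touching history."""
    return log + [Contribution(log[-1].cid + 1, committer, {item: None})]

# Constructed sample record: contribution 2 changes two items at once.
LOG = [
    Contribution(1, "gp", {"allergies": "penicillin"}),
    Contribution(2, "patient", {"directive": "refuses blood transfusion",
                                "medication": "warfarin 5 mg"}),
    Contribution(3, "surgeon", {"plan": "no transfusion, per directive"}),
]

if __name__ == "__main__":
    erased = physically_remove(LOG, 2)
    # The state the surgeon acted on can no longer be reproduced, and the
    # unrelated medication entry from the same change-set is gone as well.
    print("after physical removal, state at 3:", state_at(erased, 3))

    hidden = logically_delete(LOG, "directive", "admin")
    print("after logical deletion, current   :", state_at(hidden, 4))
    print("after logical deletion, state at 3:", state_at(hidden, 3))
```

Logical deletion keeps the earlier state reproducible, which is why it does not by itself satisfy a demand for destruction with no way back; the example only shows what each operation does to the history.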

