Dear colleagues, GDPR as I understand it and apply in the Netherlands gives consumers/patients several rights: inspect, change, to be forgotten. An other important topic is: the goal binding of data. Only absolutely necessary data needed to execute a specified task can be collected.
With respect to the discussion: The EHR serves several purposes: documentation of the actions of the author/health care provider, the documentation of the state of (un-)health of the patient, input for billing and input for other processing such as research. The right to be forgotten does NOT imply that all the data needs to be removed. Removing is an impossibility when data is archived on for instance a DvD/CD. In my opinion when the patient asks to be forgotten then this applies to the Clinical/health context, only. In all other contexts the patient can never be forgotten or deleted. Any legal transaction is subject to archiving laws. For tax purposes the time period is 5 years in the Netherlands, I think. Only after these periods as defined by law the transactions can/must be deleted. In the case of the EHR (13606 / OpenEHR) there is a need to ‘obscure' the patient in the clinical context. But allow the patient to be found for medico-legal purposes, research, etc. This functionality is executed in the Patient-Index Service and NOT the Patient Health Record. All my reasoning is true in the local, and iCloud, wat of processing/storing data. Gerard Freriks +31 620347088 [email protected] Kattensingel 20 2801 CA Gouda the Netherlands > On 1 Sep 2018, at 19:24, Ian McNicoll <[email protected]> wrote: > > Hi Bert, > > There are certainly some implementations that allow for hard-deletes of > compositions and Ehrs. This is a complex area as GDPR does not confer an > absolute right for medical info to be forgotten (as I understand it). It does > allow for copies of the record to be retained for medico-legal purposes. > > However, in our cloud-provider setting, we absolutely need to be able to hard > delete Ehrs, as people may simply want to switch CDR providers. As a data > processor, we have no right to keep t record, as long as it is available via > another provider. > > Ian > > Dr Ian McNicoll > mobile +44 (0)775 209 7859 > office +44 (0)1536 414994 > skype: ianmcnicoll > email: [email protected] <mailto:[email protected]> > twitter: @ianmcnicoll > > > Co-Chair, openEHR Foundation [email protected] > <mailto:[email protected]> > Director, freshEHR Clinical Informatics Ltd. > Director, HANDIHealth CIC > Hon. Senior Research Associate, CHIME, UCL > > > On Sat, 1 Sep 2018 at 14:52, Bert Verhees <[email protected] > <mailto:[email protected]>> wrote: > OpenEhr does not really allow to delete data, only logical deletion (mark as > deleted), but GDPR demands the right of the patient to be forgotten. > > Is there some change expected in the specs for compliance to GDPR, or was > this already implemented? > > We had this discussion, slightly different, about ten months ago but no > conclusion if I recall well > > Sorry if I missed a message about this. > > Thanks > Bert Verhees > > _______________________________________________ > openEHR-technical mailing list > [email protected] > <mailto:[email protected]> > http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org > <http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org> > _______________________________________________ > openEHR-technical mailing list > [email protected] > http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ openEHR-technical mailing list [email protected] http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org
