Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
> In all other contexts the patient can never be forgotten or deleted. Any
> legal transaction is subject to archiving laws. For tax purposes the time
> period is 5 years in the Netherlands, I think. Only after these periods as
> defined by law the transactions can/must be deleted.
>

It is true that there are laws which make it necessary to keep certain
data; a good example is taxes. A business owner must keep a record of all
financial transactions. I think the GDPR excludes this from its effect,
because laws may not contradict each other.

Thanks for this remark

Bert
___
openEHR-technical mailing list
openEHR-technical@lists.openehr.org
http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org


Re: GDPR and OpenEhr.

2018-09-03 Thread Karsten Hilbert
On Mon, Sep 03, 2018 at 03:19:04PM +0200, Bert Verhees wrote:

> Karsten, you are right, a clinician in most countries is obliged to
> keep an EHR. But the law mostly does not say he must keep it at his own
> office. So if it is kept at Google or Microsoft, or some smaller PHR
> provider, I think this is fine according to the law, but still some
> law changes may be needed.

I think we agree.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
Karsten, you are right, a clinician in most countries is obliged to
keep an EHR. But the law mostly does not say he must keep it at his own
office. So if it is kept at Google or Microsoft, or some smaller PHR
provider, I think this is fine according to the law, but still some
law changes may be needed.

The fact that the largest five companies in the world agreed to a common
interface/message format and defined dataset must have a good reason. The
reason will be that they want to offer a PHR service, and that in
compliance with the GDPR, because 500 million people live in the jurisdiction
of the GDPR. The tech companies are getting their part of the multi-billion
market, and they are right, according to their capabilities.

This agreement is not made to be the next EPIC in line and begging at
hospital-doors to implement their software. This service is meant to be
transmural in many ways.

That in some countries there will be laws to have copies at clinicians'
availability can be true; what I wanted to indicate was that it is not
necessary for good healthcare, and also not for medico-legal procedures.
But reality changes slower than possible, and that may be a good thing also.

I think there will not be a PHR service which is to be used by clinicians in
the coming five years, but the pressure is high. It is, in my opinion, the most
optimal solution for worldwide interoperability regarding efficiency,
safety and privacy. And it breaks open a new market for appliances which
use data from several sources; it empowers the patients (ehhh,
healthcare consumers).

It really brings healthcare to a new level. The GDPR is restrictive but also
gives chances; it makes more possible than was possible before, but in
another way.

Bert

On Mon, 3 Sep 2018 at 13:59, Karsten Hilbert wrote:

> On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:
>
> > So, on medico-legal purposes as Ian and Karsten and maybe others referred
> > to, a patient, if he maintains his own PHR, and he likes to delete it, he
> > can never sue a clinician, because, he, himself, destroyed important
> > evidence.
>
> That is certainly not true, and also not what I intended to say.
>
> > For that reason, it is for a clinician not necessary to maintain
> > data-copies from the patient
>
> What? Even sub-legal practice law mandates keeping a record :-)
>
> I am sure I misunderstand what you are saying.
>
> > If the clinician needs access to the data, for example, to prepare for a
> > visit next day, he can ask the patient to allow access to the PHR the day
> > before the visit, but these are all infrastructural details, for which
> > solutions can be found.
>
> Not in the real world today.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>
>


Re: GDPR and OpenEhr.

2018-09-03 Thread GF
Dear colleagues,

The GDPR as I understand it and apply it in the Netherlands gives consumers/patients 
several rights: to inspect, to change, to be forgotten.
Another important topic is the goal binding of data: only the absolutely 
necessary data needed to execute a specified task can be collected.

With respect to the discussion:
The EHR serves several purposes: documentation of the actions of the 
author/health care provider, documentation of the state of (un-)health of 
the patient, input for billing and input for other processing such as research.
The right to be forgotten does NOT imply that all the data needs to be removed. 
Removing is an impossibility when data is archived on, for instance, a DVD/CD.
In my opinion, when the patient asks to be forgotten, this applies to the 
clinical/health context only.
In all other contexts the patient can never be forgotten or deleted. Any legal 
transaction is subject to archiving laws. For tax purposes the time period is 5 
years in the Netherlands, I think. Only after these periods as defined by law 
can/must the transactions be deleted.

In the case of the EHR (13606 / OpenEHR) there is a need to 'obscure' the 
patient in the clinical context, but allow the patient to be found for 
medico-legal purposes, research, etc.
This functionality is executed in the Patient-Index Service and NOT the Patient 
Health Record.

All my reasoning is true in the local, and iCloud, way of processing/storing 
data.


Gerard Freriks
+31 620347088
  gf...@luna.nl

Kattensingel  20
2801 CA Gouda
the Netherlands

> On 1 Sep 2018, at 19:24, Ian McNicoll wrote:
> 
> Hi Bert,
> 
> There are certainly some implementations that allow for hard-deletes of 
> compositions and Ehrs. This is a complex area as GDPR does not confer an 
> absolute right for medical info to be forgotten (as I understand it). It does 
> allow for copies of the record to be retained for medico-legal purposes.
> 
> However, in our cloud-provider setting, we absolutely need to be able to hard 
> delete Ehrs, as people may simply want to switch CDR providers. As a data 
> processor, we have no right to keep the record, as long as it is available via 
> another provider.
> 
> Ian
> 
> Dr Ian McNicoll
> mobile +44 (0)775 209 7859
> office +44 (0)1536 414994
> skype: ianmcnicoll
> email: i...@freshehr.com 
> twitter: @ianmcnicoll
> 
> 
> Co-Chair, openEHR Foundation ian.mcnic...@openehr.org 
> 
> Director, freshEHR Clinical Informatics Ltd.
> Director, HANDIHealth CIC
> Hon. Senior Research Associate, CHIME, UCL
> 
> 
> On Sat, 1 Sep 2018 at 14:52, Bert Verhees wrote:
> OpenEhr does not really allow to delete data, only logical deletion (mark as 
> deleted), but GDPR demands the right of the patient to be forgotten.
> 
> Is there some change expected in the specs for compliance to GDPR, or was 
> this already implemented?
> 
> We had this discussion, slightly different, about ten months ago but no 
> conclusion if I recall well
> 
> Sorry if I missed a message about this.
> 
> Thanks
> Bert Verhees
> 





Re: GDPR and OpenEhr.

2018-09-03 Thread Jan-Marc Verlinden
Normal process in healthcare:
- The patient comes in and signs an informed consent. This is the place
where the Hospital states it has to keep the records for a zillion years.
Check https://gdpr-info.eu/art-6-gdpr/
- Then after a while the patient thinks "let's delete my data at the
Hospital" :-), so the next chapter pops in at
https://gdpr-info.eu/art-17-gdpr/

Now the Hospital says: "Look, dear data subject, you have signed the informed
consent and we have the law that states we have to keep the data." Check Art.
6 bullet 3: "Paragraphs 1 and 2 shall not apply to the extent that
processing is necessary"; therefore check https://gdpr-info.eu/art-9-gdpr/.

Think it's all there.. :-)

On Mon, 3 Sep 2018 at 13:59, Karsten Hilbert wrote:

> On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:
>
> > So, on medico-legal purposes as Ian and Karsten and maybe others referred
> > to, a patient, if he maintains his own PHR, and he likes to delete it, he
> > can never sue a clinician, because, he, himself, destroyed important
> > evidence.
>
> That is certainly not true, and also not what I intended to say.
>
> > For that reason, it is for a clinician not necessary to maintain
> > data-copies from the patient
>
> What? Even sub-legal practice law mandates keeping a record :-)
>
> I am sure I misunderstand what you are saying.
>
> > If the clinician needs access to the data, for example, to prepare for a
> > visit next day, he can ask the patient to allow access to the PHR the day
> > before the visit, but these are all infrastructural details, for which
> > solutions can be found.
>
> Not in the real world today.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>
>
-- 

Regards, Jan-Marc
Mobile: +31 6 53785650
www.medrecord.io


Re: GDPR and OpenEhr.

2018-09-03 Thread Karsten Hilbert
On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:

> So, on medico-legal purposes as Ian and Karsten and maybe others referred
> to, a patient, if he maintains his own PHR, and he likes to delete it, he
> can never sue a clinician, because, he, himself, destroyed important
> evidence.

That is certainly not true, and also not what I intended to say.

> For that reason, it is for a clinician not necessary to maintain
> data-copies from the patient

What? Even sub-legal practice law mandates keeping a record :-)

I am sure I misunderstand what you are saying.

> If the clinician needs access to the data, for example, to prepare for a
> visit next day, he can ask the patient to allow access to the PHR the day
> before the visit, but these are all infrastructural details, for which
> solutions can be found.

Not in the real world today.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-03 Thread Jan-Marc Verlinden
Think the GDPR already provides many answers...:-), see at
https://gdpr-info.eu/art-17-gdpr/

In the case of a person ("data subject") not being able to take control,
normally another person is appointed to do so on behalf of the "data
subject". So the same law applies..

Cheers, Jan-Marc

On Mon, 3 Sep 2018 at 13:50, Bert Verhees wrote:

> It would be a bad thing to let all patients be restricted in their rights
> because one patient, suffering in the past from depression and having a
> recurring cancer, can get into problems. Some people are emotionally
> unstable; they need protection. I don't know the best way, but I would
> think of something like the digital locked room (mentioned here below), but
> this should not happen by default for all patients.
> It is, btw, possible to switch digital locked rooms also when switching
> data to a new PHR provider, so that all data remain maintained at the
> company the patient chooses.
>
> For research purposes, there must also be solutions. People can allow
> voluntary access to their data by researchers; this is how it works now. So
> in the PHR situation, researchers go to the PHR providers instead of the
> clinicians. Not many people will delete all their data without transporting
> them to a new PHR provider (if someone wants to, you can build a net of
> safety measures, confirmation time, etc.), and for those two or three who
> still destroy all, researchers will not have data.
>
> Bert
>
>
> On Sat, 1 Sep 2018 at 20:29, Thomas Beale wrote:
>
>> I continue to wonder what will happen when a cancer patient (perhaps in a
>> moment of depression or disaffection with care) asks for the hard delete,
>> gets better, then has a recurrence a few years later. What does the health
>> system do when *all the notes are really gone*?
>>
>> I think a better solution is to create a digital locked room when such
>> EHRs are put, one-way encrypted with a giant key provided by the patient.
>> Then when they have regrets, they can ask - nicely - for their record to
>> come out of cold storage.
>>
>> Another argument against total deletion is that a) the state has invested
>> in helping sick patients and b) other citizens have a potential interest in
>> health records belonging to those in the same major disease cohort, i.e.
>> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are
>> certainly going to compromise research that looks at longitudinal Dx v
>> treatments v outcomes. Perhaps permanent anonymisation is a better
>> solution in this case, with the original patient being given the new EHR id.
>>
>> I think GDPR has some way to go yet in healthcare...
>>
>> - thomas
>>
>> On 01/09/2018 18:57, Diego Boscá wrote:
>>
>> If a patient uses a private health provider then he has the right to
>> take all that information and move to another provider. In that case he
>> will want a hard-delete of data. And I hope private health providers are
>> also able to use openEHR ;D
>> I think we should also review the "consent" mechanisms we have, as they
>> probably should also be tweaked to comply with GDPR.
>>
>>
>>
>
-- 

Regards, Jan-Marc
Mobile: +31 6 53785650
www.medrecord.io


Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
It would be a bad thing to let all patients be restricted in their rights
because one patient, suffering in the past from depression and having a
recurring cancer, can get into problems. Some people are emotionally
unstable; they need protection. I don't know the best way, but I would
think of something like the digital locked room (mentioned here below), but
this should not happen by default for all patients.
It is, btw, possible to switch digital locked rooms also when switching
data to a new PHR provider, so that all data remain maintained at the
company the patient chooses.

For research purposes, there must also be solutions. People can allow
voluntary access to their data by researchers; this is how it works now. So
in the PHR situation, researchers go to the PHR providers instead of the
clinicians. Not many people will delete all their data without transporting
them to a new PHR provider (if someone wants to, you can build a net of
safety measures, confirmation time, etc.), and for those two or three who
still destroy all, researchers will not have data.

Bert


On Sat, 1 Sep 2018 at 20:29, Thomas Beale wrote:

> I continue to wonder what will happen when a cancer patient (perhaps in a
> moment of depression or disaffection with care) asks for the hard delete,
> gets better, then has a recurrence a few years later. What does the health
> system do when *all the notes are really gone*?
>
> I think a better solution is to create a digital locked room when such
> EHRs are put, one-way encrypted with a giant key provided by the patient.
> Then when they have regrets, they can ask - nicely - for their record to
> come out of cold storage.
>
> Another argument against total deletion is that a) the state has invested
> in helping sick patients and b) other citizens have a potential interest in
> health records belonging to those in the same major disease cohort, i.e.
> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are
> certainly going to compromise research that looks at longitudinal Dx v
> treatments v outcomes. Perhaps permanent anonymisation is a better
> solution in this case, with the original patient being given the new EHR id.
>
> I think GDPR has some way to go yet in healthcare...
>
> - thomas
>
> On 01/09/2018 18:57, Diego Boscá wrote:
>
> If a patient uses a private health provider then he has the right to
> take all that information and move to another provider. In that case he
> will want a hard-delete of data. And I hope private health providers are
> also able to use openEHR ;D
> I think we should also review the "consent" mechanisms we have, as they
> probably should also be tweaked to comply with GDPR.
>
>
>
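The "digital locked room" Thomas Beale sketches in the quoted message above (the EHR encrypted under a key only the patient holds, recoverable on request), combined with Gerard Freriks' point earlier in the thread that hiding the patient belongs in the patient index rather than in the record: an added Python example, not code from the openEHR project or from anyone in this thread. It assumes a toy in-memory CDR and a passphrase-derived key; the record contents and identifiers are constructed.

```python
"""Added example, not openEHR code: a 'digital locked room' for an EHR.
The record is encrypted under a key derived from a passphrase only the
patient holds; the CDR keeps the ciphertext and no key. Stdlib only:
scrypt for key derivation, HMAC-SHA256 as a counter-mode keystream and
as the authentication tag (encrypt-then-MAC). Names and data are made up."""
import hashlib
import hmac
import os


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # Memory-hard KDF yielding two independent 32-byte keys (encrypt, MAC).
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over a PRF: block i = HMAC-SHA256(key, nonce || i).
    out, i = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def seal_record(record: bytes, passphrase: str) -> dict:
    """Encrypt-then-MAC the record under the patient-derived keys."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(record, _keystream(k_enc, nonce, len(record))))
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal_record(blob: dict, passphrase: str) -> bytes:
    """Verify the tag before decrypting; a wrong passphrase or tampering raises."""
    k_enc, k_mac = _derive_keys(passphrase, blob["salt"])
    tag = hmac.new(k_mac, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong passphrase or corrupted locked-room blob")
    ks = _keystream(k_enc, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


class ClinicalDataRepository:
    """Toy CDR: readable EHRs, locked-room blobs, and a demographic index."""

    def __init__(self):
        self.ehrs, self.locked, self.index = {}, {}, {}

    def lock_away(self, ehr_id: str, passphrase: str) -> None:
        # Seal the record and drop its index entry: the patient is no longer
        # findable in the clinical context, but nothing is irreversibly lost.
        self.locked[ehr_id] = seal_record(self.ehrs.pop(ehr_id), passphrase)
        self.index = {k: v for k, v in self.index.items() if v != ehr_id}

    def restore(self, ehr_id: str, passphrase: str, demographic_key: str) -> bytes:
        # Only the patient's passphrase brings the record out of cold storage;
        # on a wrong passphrase the blob stays untouched in the locked room.
        record = unseal_record(self.locked[ehr_id], passphrase)
        del self.locked[ehr_id]
        self.ehrs[ehr_id] = record
        self.index[demographic_key] = ehr_id
        return record
```

A real deployment would use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) instead of the HMAC-based stream cipher, and would also have to decide where the sealed blobs live when the patient moves to another provider.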


Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
I promised to come back to some contributions.

So, regarding medico-legal purposes, as Ian and Karsten and maybe others referred
to: a patient, if he maintains his own PHR and he likes to delete it, can
never sue a clinician, because he himself destroyed important
evidence. For that reason, it is not necessary for a clinician to maintain
data copies from the patient (besides, this should not be allowed either),
because the patient has an external service which takes care of that. It
is no longer a clinician's business.

If it comes to a medico-legal procedure, the clinician, or his lawyer,
should have access to all evidence which is important in context of this
procedure. This does not differ from other legal procedures.

If the clinician needs access to the data, for example, to prepare for a
visit next day, he can ask the patient to allow access to the PHR the day
before the visit, but these are all infrastructural details, for which
solutions can be found.

Bert

On Sat, 1 Sep 2018 at 19:25, Ian McNicoll wrote:

> Hi Bert,
>
> There are certainly some implementations that allow for hard-deletes of
> compositions and Ehrs. This is a complex area as GDPR does not confer an
> absolute right for medical info to be forgotten (as I understand it). It
> does allow for copies of the record to be retained for medico-legal
> purposes.
>
> However, in our cloud-provider setting, we absolutely need to be able to
> hard delete Ehrs, as people may simply want to switch CDR providers. As a
> data processor, we have no right to keep the record, as long as it is
> available via another provider.
>
> Ian
>
> Dr Ian McNicoll
> mobile +44 (0)775 209 7859
> office +44 (0)1536 414994
> skype: ianmcnicoll
> email: i...@freshehr.com
> twitter: @ianmcnicoll
>
>
> Co-Chair, openEHR Foundation ian.mcnic...@openehr.org
> Director, freshEHR Clinical Informatics Ltd.
> Director, HANDIHealth CIC
> Hon. Senior Research Associate, CHIME, UCL
>
>
> On Sat, 1 Sep 2018 at 14:52, Bert Verhees  wrote:
>
>> OpenEhr does not really allow to delete data, only logical deletion (mark
>> as deleted), but GDPR demands the right of the patient to be forgotten.
>>
>> Is there some change expected in the specs for compliance to GDPR, or was
>> this already implemented?
>>
>> We had this discussion, slightly different, about ten months ago but no
>> conclusion if I recall well
>>
>> Sorry if I missed a message about this.
>>
>> Thanks
>> Bert Verhees
>>
>>
>