Re: GDPR and OpenEhr.

2018-09-05 Thread GF
Let's be clear.
Each record of a patient is a unique traversal of the health and care system 
over time and therefore very much identifying the patient.

What we talk about is: the right to be forgotten and the circumstance that 
after a legal period the medical data must be destroyed in some countries.
The EHR 13606 is designed based on a set of medical-legal requirements.
I’m of the opinion that that set does not need an update because of the new 
privacy law.
When I’m mistaken I would like to be pointed at those missing requirements.



Gerard   Freriks
+31 620347088
  gf...@luna.nl

Kattensingel  20
2801 CA Gouda
the Netherlands

> On 5 Sep 2018, at 17:12, Bert Verhees  wrote:
> 
> On 05-09-18 11:15, GF wrote:
>> Thomas,
>> 
>> The record can stay where it was.
>> Only the connection of identifying patient data and the Record-ID needs to 
>> be encrypted.
>> De-encryption can take place using a key owned and provided by a notary 
>> public.
> 
> I don't think that is enough, Gerard, if the record contains DNA material, or 
> other identifying material.
> 
> A 1997 study showed that up to 87% of the U.S. population could be identified 
> with just zip code, birthdate and gender.
> A researcher was able to identify William Weld (Massachusetts Gov.) from 
> anonymous hospital discharge records.
> 
> Today these numbers will be much higher because clinical actions will be on 
> cell-phones and internet-browsers, and there is much more linked information 
> about individuals.
> 
> Read this, very interesting:
> 
> https://www.forbes.com/sites/adamtanner/2013/04/25/harvard-professor-re-identifies-anonymous-volunteers-in-dna-study/#41635a6892c9
>  
> 
> 
> An organization which has no business with your medical data should not have 
> access to them, not even historical clinical data.
> GDPR, which we all talk about, which is the thread of this message, is mainly 
> built around consent, but what is consent?
> 
> There should be more discussion about this, to get the understanding to land 
> with normal people:
> Click on the image, I found yesterday, to see more images:
> https://twitter.com/ianmthompson/status/1037276071002038272 
> 
> 
> Bert



___
openEHR-technical mailing list
openEHR-technical@lists.openehr.org
http://lists.openehr.org/mailman/listinfo/openehr-technical_lists.openehr.org
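GF's proposal above (keep the record, encrypt only the link between identifying data and the Record-ID, escrow the key with a notary) and Bert's objection (zip code, birthdate and gender inside the record still re-identify) can both be made concrete. This added Python example is mine, not openEHR code or anything posted in the thread; it substitutes a keyed HMAC pseudonym for the encryption GF describes, and every patient, key and record in it is constructed.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample data: four EHR records carrying the three quasi-identifiers
# named in the thread (zip code, date of birth, sex) plus one clinical field.
# Identities live only in the index, never in the EHR store.
SAMPLE_PATIENTS = {
    "Alice Example": {"zip": "02138", "dob": "1961-04-09", "sex": "F", "dx": "diabetes"},
    "Bea Example":   {"zip": "02138", "dob": "1961-07-21", "sex": "F", "dx": "asthma"},
    "Carl Example":  {"zip": "02139", "dob": "1975-11-30", "sex": "M", "dx": "cystic fibrosis"},
    "Dan Example":   {"zip": "02140", "dob": "1975-02-14", "sex": "M", "dx": "BRCA1 cancer"},
}
QUASI_IDS = ("zip", "dob", "sex")


def derive_record_id(notary_key: bytes, identity: str) -> str:
    """Keyed pseudonym standing in for the encrypted identity/Record-ID link.
    Without notary_key the identity cannot be connected to the record id."""
    mac = hmac.new(notary_key, identity.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


class PatientIndexService:
    """Clinical-context link table (identity -> Record-ID). The EHR store is
    keyed by Record-ID only, so 'forgetting' a patient means dropping the link
    here; the clinical data itself stays where it is, as GF proposes."""

    def __init__(self) -> None:
        self._links = {}

    def register(self, notary_key: bytes, identity: str) -> str:
        # Assumption: the notary supplies the key at registration time; the
        # index stores only the derived link, never the key.
        rid = derive_record_id(notary_key, identity)
        self._links[identity] = rid
        return rid

    def lookup(self, identity: str):
        return self._links.get(identity)

    def forget(self, identity: str) -> bool:
        """Right to be forgotten, clinical context only: remove the link."""
        return self._links.pop(identity, None) is not None

    @staticmethod
    def relink(notary_key: bytes, identity: str, store: dict):
        """Medico-legal recovery: the official functionary presents the escrowed
        key, the pseudonym is recomputed and the record is located again."""
        return store.get(derive_record_id(notary_key, identity))


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means some record is unique on zip/dob/sex alone, which is
    the re-identification Bert describes, link encrypted or not."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values()) if classes else 0


def generalise(record: dict) -> dict:
    """Coarsen the quasi-identifiers (3-digit zip prefix, birth year) so that
    records fall into larger equivalence classes."""
    return {**record, "zip": record["zip"][:3] + "xx", "dob": record["dob"][:4]}


def run_demo(notary_key: bytes = b"constructed-notary-key") -> dict:
    index = PatientIndexService()
    store = {}  # Record-ID -> clinical record, no identity inside
    for identity, record in SAMPLE_PATIENTS.items():
        store[index.register(notary_key, identity)] = dict(record)

    alice_rid = index.lookup("Alice Example")
    index.forget("Alice Example")
    return {
        "forgotten_in_clinic": index.lookup("Alice Example") is None,
        "record_still_stored": alice_rid in store,
        "relinked_with_key": PatientIndexService.relink(notary_key, "Alice Example", store) is store[alice_rid],
        "relinked_wrong_key": PatientIndexService.relink(b"wrong-key", "Alice Example", store),
        "k_raw": k_anonymity(store.values()),
        "k_generalised": k_anonymity(generalise(r) for r in store.values()),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The forgotten patient can no longer be found through the clinical index but is recoverable with the escrowed key, while the raw records still have k = 1 on zip/dob/sex until the quasi-identifiers are generalised.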


Re: GDPR and OpenEhr.

2018-09-05 Thread Bert Verhees

On 05-09-18 11:15, GF wrote:

Thomas,

The record can stay where it was.
Only the connection of identifying patient data and the Record-ID 
needs to be encrypted.
De-encryption can take place using a key owned and provided by a 
notary public.


I don't think that is enough, Gerard, if the record contains DNA 
material, or other identifying material.


A 1997 study showed that up to 87% of the U.S. population could be 
identified with just zip code, birthdate and gender.
A researcher was able to identify William Weld (Massachusetts Gov.) from 
anonymous hospital discharge records.


Today these numbers will be much higher because clinical actions will be 
on cell-phones and internet-browsers, and there is much more 
linked information about individuals.


Read this, very interesting:

https://www.forbes.com/sites/adamtanner/2013/04/25/harvard-professor-re-identifies-anonymous-volunteers-in-dna-study/#41635a6892c9

An organization which has no business with your medical data should not 
have access to them, not even historical clinical data.
GDPR, which we all talk about, which is the thread of this message, is 
mainly built around consent, but what is consent?


There should be more discussion about this, to get the understanding to land 
with normal people:

Click on the image, I found yesterday, to see more images:
https://twitter.com/ianmthompson/status/1037276071002038272

Bert


All must be handled by the Patient-ID server and an official 
functionary that is equipped to manage keys in a trusted way.


Gerard   Freriks
+31 620347088
gf...@luna.nl 

Kattensingel  20
2801 CA Gouda
the Netherlands

On 1 Sep 2018, at 20:28, Thomas Beale wrote:


I continue to wonder what will happen when a cancer patient (perhaps 
in a moment of depression or disaffection with care) asks for the 
hard delete, gets better, then has a recurrence a few years later. 
What does the health system do when *all the notes are really gone*?


I think a better solution is to create a digital locked room when 
such EHRs are put, one-way encrypted with a giant key provided by the 
patient. Then when they have regrets, they can ask - nicely - for 
their record to come out of cold storage.


Another argument against total deletion is that a) the state has 
invested in helping sick patients and b) other citizens have a 
potential interest in health records belonging to those in the same 
major disease cohort, i.e. diabetes, cystic fibrosis, BRCA1 cancer 
etc. Numerous deletions are certainly going to compromise research 
that looks at longitudinal Dx v treatments v outcomes. Perhaps 
permanent anonymisation is a better solution in this case, 
with the original patient being given the new EHR id.


I think GDPR has some way to go yet in healthcare...

- thomas








--
*Bert Verhees*
Software developer, architect
Twitter: https://twitter.com/VerheesBert
LinkedIn: https://www.linkedin.com/in/bertverhees/
Email: bert.verh...@rosa.nl 
Mobile: +31 06 28050294


Re: GDPR and OpenEhr.

2018-09-05 Thread GF
Thomas,

The record can stay where it was.
Only the connection of identifying patient data and the Record-ID needs to be 
encrypted.
De-encryption can take place using a key owned and provided by a notary public.

All must be handled by the Patient-ID server and an official functionary that 
is equipped to manage keys in a trusted way.

Gerard   Freriks
+31 620347088
  gf...@luna.nl

Kattensingel  20
2801 CA Gouda
the Netherlands

> On 1 Sep 2018, at 20:28, Thomas Beale  wrote:
> 
> I continue to wonder what will happen when a cancer patient (perhaps in a 
> moment of depression or disaffection with care) asks for the hard delete, 
> gets better, then has a recurrence a few years later. What does the health 
> system do when all the notes are really gone?
> 
> I think a better solution is to create a digital locked room when such EHRs 
> are put, one-way encrypted with a giant key provided by the patient. Then 
> when they have regrets, they can ask - nicely - for their record to come out 
> of cold storage.
> 
> Another argument against total deletion is that a) the state has invested in 
> helping sick patients and b) other citizens have a potential interest in 
> health records belonging to those in the same major disease cohort, i.e. 
> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are certainly 
> going to compromise research that looks at longitudinal Dx v treatments v 
> outcomes. Perhaps permanent anonymisation is a better solution in 
> this case, with the original patient being given the new EHR id.
> 
> I think GDPR has some way to go yet in healthcare...
> 
> - thomas
> 





Re: GDPR and OpenEhr.

2018-09-04 Thread Ricardo Correia
In my view, GDPR is a huge opportunity for openEHR.

Issues like versioning of templates and compositions allow security aligned
with GDPR.

Ricardo Correia

---
Ricardo João Cruz Correia
Professor Auxiliar
ISI: www.researcherid.com/rid/A-2756-2009
research gate: www.researchgate.net/profile/Ricardo_Cruz-Correia/
OrcId: orcid.org/-0002-3764-5158
linked-in: pt.linkedin.com/in/ricardojccorreia


*MEDCIDS* - Departamento de Medicina da Comunidade, Informação e Decisão em
Saúde <http://cides.med.up.pt/>
*CINTESIS* - Center for Research in Health Technologies and Information
Systems <http://cintesis.med.up.pt>
Faculty of Medicine, University of Porto

Tel: (+351) *220 426 909 / *(+351) *225 513 622,* Fax: +351 *225 513 623*
Rua Dr. Plácido da Costa, s/n | 4200-450 Porto | *Portugal*


On Tue, Sep 4, 2018 at 4:22 PM Bert Verhees  wrote:

> On 04-09-18 16:40, Ricardo Correia wrote:
>
> Dear all,
>
> I published recently an attempt to "systematise" the relation between
> openehr and gdpr.
>
>
> Thanks very much for sharing, I am sure that the chapter OpenEhr and GDPR
> is not yet to be closed, there is quite some work to do.
> Although I have difficulties estimating the consequences, because of the
> concise wording.
>
> I hope that the community shall find its way. OpenEhr must be able to run
> under jurisdiction of the GDPR, and of course also many other jurisdictions
>
> Bert
>
>
> Hope it is useful to you.
>
> Link: http://ebooks.iospress.nl/publication/48760
>
>
> Regards,
>
> Ricardo Correia
>
> ---
> Ricardo João Cruz Correia
> Professor Auxiliar
> ISI: www.researcherid.com/rid/A-2756-2009
> research gate: www.researchgate.net/profile/Ricardo_Cruz-Correia/
> OrcId: orcid.org/-0002-3764-5158
> linked-in: pt.linkedin.com/in/ricardojccorreia
>
>
> *MEDCIDS* - Departamento de Medicina da Comunidade, Informação e Decisão
> em Saúde <http://cides.med.up.pt/>
> *CINTESIS* - Center for Research in Health Technologies and Information
> Systems <http://cintesis.med.up.pt>
> Faculty of Medicine, University of Porto
>
> Tel: (+351) *220 426 909 / *(+351) *225 513 622,* Fax: +351 *225 513 623*
> Rua Dr. Plácido da Costa, s/n | 4200-450 Porto | *Portugal*
>
>
> On Mon, Sep 3, 2018 at 2:26 PM Bert Verhees  wrote:
>
>>
>>
>>
>> In all other contexts the patient can never be forgotten or deleted. Any
>>> legal transaction is subject to archiving laws. For tax purposes the time
>>> period is 5 years in the Netherlands, I think. Only after these periods as
>>> defined by law the transactions can/must be deleted.
>>>
>>
>> It is true that there are laws which make it necessary to keep certain
>> data, good example, taxes. A business owner must keep a record of all
>> financial transactions. I think the GDPR excludes this from its effect,
>> because laws may not contradict each other.
>>
>> Thanks for this remark
>>
>> Bert
>>
>
>
>
>
> --
> *Bert Verhees*
> Software developer, architect
> Twitter: https://twitter.com/VerheesBert
> LinkedIn: https://www.linkedin.com/in/bertverhees/
> Email: bert.verh...@rosa.nl
> Mobile: +31 06 28050294
>


Re: GDPR and OpenEhr.

2018-09-04 Thread Bert Verhees

On 04-09-18 16:40, Ricardo Correia wrote:

Dear all,

I published recently an attempt to "systematise" the relation between 
openehr and gdpr.


Thanks very much for sharing, I am sure that the chapter OpenEhr and 
GDPR is not yet to be closed, there is quite some work to do.
Although I have difficulties estimating the consequences, because of the 
concise wording.


I hope that the community shall find its way. OpenEhr must be able to 
run under jurisdiction of the GDPR, and of course also many other 
jurisdictions


Bert



Hope it is useful to you.

Link: http://ebooks.iospress.nl/publication/48760


Regards,

Ricardo Correia

---
Ricardo João Cruz Correia
Professor Auxiliar
ISI: www.researcherid.com/rid/A-2756-2009
research gate: www.researchgate.net/profile/Ricardo_Cruz-Correia/
OrcId: orcid.org/-0002-3764-5158
linked-in: pt.linkedin.com/in/ricardojccorreia



*MEDCIDS* - Departamento de Medicina da Comunidade, Informação e 
Decisão em Saúde <http://cides.med.up.pt/>
*CINTESIS* - Center for Research in Health Technologies and 
Information Systems <http://cintesis.med.up.pt>

Faculty of Medicine, University of Porto

Tel: (+351) *220 426 909 / *(+351) *225 513 622,* Fax: +351 *225 513 623*
Rua Dr. Plácido da Costa, s/n | 4200-450 Porto | *Portugal*


On Mon, Sep 3, 2018 at 2:26 PM Bert Verhees <bert.verh...@rosa.nl> wrote:





In all other contexts the patient can never be forgotten or
deleted. Any legal transaction is subject to archiving laws.
For tax purposes the time period is 5 years in the
Netherlands, I think. Only after these periods as defined by
law the transactions can/must be deleted.


It is true that there are laws which make it necessary to keep
certain data, good example, taxes. A business owner must keep a
record of all financial transactions. I think the GDPR excludes
this from its effect, because laws may not contradict each other.

Thanks for this remark

Bert






--
*Bert Verhees*
Software developer, architect
Twitter: https://twitter.com/VerheesBert
LinkedIn: https://www.linkedin.com/in/bertverhees/
Email: bert.verh...@rosa.nl <mailto:bert.verh...@rosa.nl>
Mobile: +31 06 28050294


Re: GDPR and OpenEhr.

2018-09-04 Thread Diego Boscá
Really useful resource Ricardo!

On Tue, 4 Sep 2018 at 16:41, Ricardo Correia (<ricardo.jc.corr...@gmail.com>) wrote:

> Dear all,
>
> I published recently an attempt to "systematise" the relation between
> openehr and gdpr.
>
> Hope it is useful to you.
>
> Link: http://ebooks.iospress.nl/publication/48760
>
>
> Regards,
>
> Ricardo Correia
>
> ---
> Ricardo João Cruz Correia
> Professor Auxiliar
> ISI: www.researcherid.com/rid/A-2756-2009
> research gate: www.researchgate.net/profile/Ricardo_Cruz-Correia/
> OrcId: orcid.org/-0002-3764-5158
> linked-in: pt.linkedin.com/in/ricardojccorreia
>
>
> *MEDCIDS* - Departamento de Medicina da Comunidade, Informação e Decisão
> em Saúde <http://cides.med.up.pt/>
> *CINTESIS* - Center for Research in Health Technologies and Information
> Systems <http://cintesis.med.up.pt>
> Faculty of Medicine, University of Porto
>
> Tel: (+351) *220 426 909 / *(+351) *225 513 622,* Fax: +351 *225 513 623*
> Rua Dr. Plácido da Costa, s/n | 4200-450 Porto | *Portugal*
>
>
> On Mon, Sep 3, 2018 at 2:26 PM Bert Verhees  wrote:
>
>>
>>
>>
>> In all other contexts the patient can never be forgotten or deleted. Any
>>> legal transaction is subject to archiving laws. For tax purposes the time
>>> period is 5 years in the Netherlands, I think. Only after these periods as
>>> defined by law the transactions can/must be deleted.
>>>
>>
>> It is true that there are laws which make it necessary to keep certain
>> data, good example, taxes. A business owner must keep a record of all
>> financial transactions. I think the GDPR excludes this from its effect,
>> because laws may not contradict each other.
>>
>> Thanks for this remark
>>
>> Bert
>>
>


-- 


Diego Boscá Tomás / Senior developer
diebo...@veratech.es
yamp...@gmail.com

VeraTech for Health SL
+34 654604676 <+34%20654604676>
www.veratech.es

Your e-mail address, together with your personal data, forms part of a file
owned by VeraTech for Health SL (CIF B98309511) whose purpose is to maintain
contact with you. In accordance with Organic Law 15/1999, you may exercise
your rights of access, rectification, cancellation and, where applicable,
objection by sending a written request to verat...@veratech.es.


Re: GDPR and OpenEhr.

2018-09-04 Thread Ricardo Correia
Dear all,

I published recently an attempt to "systematise" the relation between
openehr and gdpr.

Hope it is useful to you.

Link: http://ebooks.iospress.nl/publication/48760


Regards,

Ricardo Correia

---
Ricardo João Cruz Correia
Professor Auxiliar
ISI: www.researcherid.com/rid/A-2756-2009
research gate: www.researchgate.net/profile/Ricardo_Cruz-Correia/
OrcId: orcid.org/-0002-3764-5158
linked-in: pt.linkedin.com/in/ricardojccorreia


*MEDCIDS* - Departamento de Medicina da Comunidade, Informação e Decisão em
Saúde <http://cides.med.up.pt/>
*CINTESIS* - Center for Research in Health Technologies and Information
Systems <http://cintesis.med.up.pt>
Faculty of Medicine, University of Porto

Tel: (+351) *220 426 909 / *(+351) *225 513 622,* Fax: +351 *225 513 623*
Rua Dr. Plácido da Costa, s/n | 4200-450 Porto | *Portugal*


On Mon, Sep 3, 2018 at 2:26 PM Bert Verhees  wrote:

>
>
>
> In all other contexts the patient can never be forgotten or deleted. Any
>> legal transaction is subject to archiving laws. For tax purposes the time
>> period is 5 years in the Netherlands, I think. Only after these periods as
>> defined by law the transactions can/must be deleted.
>>
>
> It is true that there are laws which make it necessary to keep certain
> data, good example, taxes. A business owner must keep a record of all
> financial transactions. I think the GDPR excludes this from its effect,
> because laws may not contradict each other.
>
> Thanks for this remark
>
> Bert
>


Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
In all other contexts the patient can never be forgotten or deleted. Any
> legal transaction is subject to archiving laws. For tax purposes the time
> period is 5 years in the Netherlands, I think. Only after these periods as
> defined by law the transactions can/must be deleted.
>

It is true that there are laws which make it necessary to keep certain
data, good example, taxes. A business owner must keep a record of all
financial transactions. I think the GDPR excludes this from its effect,
because laws may not contradict each other.

Thanks for this remark

Bert


Re: GDPR and OpenEhr.

2018-09-03 Thread Karsten Hilbert
On Mon, Sep 03, 2018 at 03:19:04PM +0200, Bert Verhees wrote:

> Karsten, you are right, a clinician in most countries is obliged to
> keep an EHR. But the law does mostly not say he must keep it at his own
> office. So if it is kept at Google or Microsoft, or some smaller PHR
> provider, I think this is fine according to the law, but still some
> law-changes may be needed.

I think we agree.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
Karsten, you are right, a clinician in most countries is obliged to
keep an EHR. But the law does mostly not say he must keep it at his own
office. So if it is kept at Google or Microsoft, or some smaller PHR
provider, I think this is fine according to the law, but still some
law-changes may be needed.

The fact that the largest five companies in the world agreed to a common
interface/message format and defined dataset must have a good reason. The
reason will be that they want to offer a PHR service, and that in
compliance with GDPR, because 500 million people live in jurisdiction of
GDPR. The tech-companies are getting their part from the multi-billion
market, and they are right, according to their capabilities.

This agreement is not made to be the next EPIC in line and begging at
hospital-doors to implement their software. This service is meant to be
transmural in many ways.

That in some countries there will be laws to have copies at clinicians'
availability can be true; what I wanted to indicate was that it is not
necessary for good healthcare, and also not for medico-legal procedures.
But reality changes slower than possible, and that may be a good thing also.

I think there will not be a PHR service which is usable by clinicians for
the coming five years, but the pressure is high. It is, in my opinion, the most
optimal solution for worldwide interoperability regarding efficiency,
safety and privacy. And it breaks open a new market for appliances which
use data from several sources; it empowers the patients (ehhh
healthcare-consumers).

It really brings healthcare to a new level. GDPR is restrictive but also
gives chances; it makes more possible than was possible before, but in
another way.

Bert

On Mon, 3 Sep 2018 at 13:59, Karsten Hilbert wrote:

> On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:
>
> > So, on medico-legal purposes as Ian and Karsten and maybe others referred
> > to, a patient, if he maintains his own PHR, and he likes to delete it, he
> > can never sue a clinician, because, he, himself, destroyed important
> > evidence.
>
> That is certainly not true, and also not what I intended to say.
>
> > For that reason, it is for a clinician not necessary to maintain
> > data-copies from the patient
>
> What ?   Even sub-legal practice law mandates keeping a record :-)
>
> I am sure I misunderstand what you are saying.
>
> > If the clinician needs access to the data, for example, to prepare for a
> > visit next day, he can ask the patient to allow access to the PHR the day
> > before the visit, but these are all infrastructural details, for which
> > solutions can be found.
>
> Not in the real world today.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>
>


Re: GDPR and OpenEhr.

2018-09-03 Thread GF
Dear colleagues,

GDPR as I understand it and apply it in the Netherlands gives consumers/patients 
several rights: inspect, change, to be forgotten.
Another important topic is the purpose binding of data: only the absolutely 
necessary data needed to execute a specified task can be collected.

With respect to the discussion:
The EHR serves several purposes: documentation of the actions of the 
author/health care provider, the documentation of the state of (un-)health of 
the patient, input for billing and input for other processing such as research.
The right to be forgotten does NOT imply that all the data needs to be removed. 
Removing is an impossibility when data is archived on, for instance, a DVD/CD.
In my opinion, when the patient asks to be forgotten then this applies to the 
clinical/health context only.
In all other contexts the patient can never be forgotten or deleted. Any legal 
transaction is subject to archiving laws. For tax purposes the time period is 5 
years in the Netherlands, I think. Only after these periods as defined by law 
the transactions can/must be deleted.

In the case of the EHR (13606 / OpenEHR) there is a need to 'obscure' the 
patient in the clinical context, but allow the patient to be found for 
medico-legal purposes, research, etc.
This functionality is executed in the Patient-Index Service and NOT the Patient 
Health Record.

All my reasoning holds for both the local and the in-cloud way of 
processing/storing data.


Gerard   Freriks
+31 620347088
  gf...@luna.nl

Kattensingel  20
2801 CA Gouda
the Netherlands

> On 1 Sep 2018, at 19:24, Ian McNicoll  wrote:
> 
> Hi Bert,
> 
> There are certainly some implementations that allow for hard-deletes of 
> compositions and Ehrs. This is a complex area as GDPR does not confer an 
> absolute right for medical info to be forgotten (as I understand it). It does 
> allow for copies of the record to be retained for medico-legal purposes.
> 
> However, in our cloud-provider setting, we absolutely need to be able to hard 
> delete Ehrs, as people may simply want to switch CDR providers. As a data 
> processor, we have no right to keep the record, as long as it is available via 
> another provider.
> 
> Ian
> 
> Dr Ian McNicoll
> mobile +44 (0)775 209 7859
> office +44 (0)1536 414994
> skype: ianmcnicoll
> email: i...@freshehr.com 
> twitter: @ianmcnicoll
> 
> 
> Co-Chair, openEHR Foundation ian.mcnic...@openehr.org 
> 
> Director, freshEHR Clinical Informatics Ltd.
> Director, HANDIHealth CIC
> Hon. Senior Research Associate, CHIME, UCL
> 
> 
> On Sat, 1 Sep 2018 at 14:52, Bert Verhees wrote:
> OpenEhr does not really allow deleting data, only logical deletion (mark as 
> deleted), but GDPR demands the right of the patient to be forgotten.
> 
> Is there some change expected in the specs for compliance to GDPR, or was 
> this already implemented?
> 
> We had this discussion, slightly different, about ten months ago but no 
> conclusion if I recall well
> 
> Sorry if I missed a message about this.
> 
> Thanks
> Bert Verhees
> 
> 





Re: GDPR and OpenEhr.

2018-09-03 Thread Jan-Marc Verlinden
Normal process in healthcare:
- The patient comes in and signs an informed consent. This is the place
where the Hospital states it has to keep the records for a zillion years.
Check https://gdpr-info.eu/art-6-gdpr/
- Then after a while the patient thinks "let's delete my data at the
Hospital" :-), so the next chapter pops in at
https://gdpr-info.eu/art-17-gdpr/

Now the Hospital says: look, dear "data subject", you have signed the informed
consent and we have the law that states we have to keep the data. Check Art.
6 bullet 3: "Paragraphs 1 and 2 shall not apply to the extent that
processing is necessary", therefore check https://gdpr-info.eu/art-9-gdpr/.

Think it's all there.. :-)

On Mon, 3 Sep 2018 at 13:59, Karsten Hilbert wrote:

> On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:
>
> > So, on medico-legal purposes as Ian and Karsten and maybe others referred
> > to, a patient, if he maintains his own PHR, and he likes to delete it, he
> > can never sue a clinician, because, he, himself, destroyed important
> > evidence.
>
> That is certainly not true, and also not what I intended to say.
>
> > For that reason, it is for a clinician not necessary to maintain
> > data-copies from the patient
>
> What ?   Even sub-legal practice law mandates keeping a record :-)
>
> I am sure I misunderstand what you are saying.
>
> > If the clinician needs access to the data, for example, to prepare for a
> > visit next day, he can ask the patient to allow access to the PHR the day
> > before the visit, but these are all infrastructural details, for which
> > solutions can be found.
>
> Not in the real world today.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>
>
-- 

Regards, Jan-Marc
Mobile: +31 6 53785650
www.medrecord.io


Re: GDPR and OpenEhr.

2018-09-03 Thread Karsten Hilbert
On Mon, Sep 03, 2018 at 01:08:41PM +0200, Bert Verhees wrote:

> So, on medico-legal purposes as Ian and Karsten and maybe others referred
> to, a patient, if he maintains his own PHR, and he likes to delete it, he
> can never sue a clinician, because, he, himself, destroyed important
> evidence.

That is certainly not true, and also not what I intended to say.

> For that reason, it is for a clinician not necessary to maintain
> data-copies from the patient

What ?   Even sub-legal practice law mandates keeping a record :-)

I am sure I misunderstand what you are saying.

> If the clinician needs access to the data, for example, to prepare for a
> visit next day, he can ask the patient to allow access to the PHR the day
> before the visit, but these are all infrastructural details, for which
> solutions can be found.

Not in the real world today.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-03 Thread Jan-Marc Verlinden
Think the GDPR already provides many answers...:-), see at
https://gdpr-info.eu/art-17-gdpr/

In the case of a person ("data subject") not being able to take control;
normally another person is appointed to do so on behalf of the "data
subject". So the same law applies..

Cheers, Jan-Marc

On Mon, 3 Sep 2018 at 13:50, Bert Verhees wrote:

> It would be a bad thing to let all patients be restricted in their rights
> because one patient, suffering in the past from depression and having a
> recurring cancer can get into problems. Some people are emotionally
> unstable, they need protection. I don't know the best way, but I would
> think of something as the digital locked room. (mentioned here below), but
> this should not default happen for all patients.
> It is, btw, possible to switch digital locked rooms also when switching
> data to a new PHR provider. So that all data remain to be maintained at the
> company the patient chooses.
>
> For research purpose, the must also be solutions. People can allow
> voluntary access to their data by researchers, this is how it works now. So
> in the PHR situation, researchers go to the PHR providers instead of the
> clinicians. Not many people will delete all their data without transporting
> them to a new PHR provider (if someone wants to do, you can build a net of
> safety measures, confirmation time, etc), and for those two or three who
> still destroy all, researchers will not have data.
>
> Bert
>
>
> On Sat, 1 Sep 2018 at 20:29, Thomas Beale wrote:
>
>> I continue to wonder what will happen when a cancer patient (perhaps in a
>> moment of depression or disaffection with care) asks for the hard delete,
>> gets better, then has a recurrence a few years later. What does the health
>> system do when *all the notes are really gone*?
>>
>> I think a better solution is to create a digital locked room when such
>> EHRs are put, one-way encrypted with a giant key provided by the patient.
>> Then when they have regrets, they can ask - nicely - for their record to
>> come out of cold storage.
>>
>> Another argument against total deletion is that a) the state has invested
>> in helping sick patients and b) other citizens have a potential interest in
>> health records belonging to those in the same major disease cohort, i.e.
>> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are
>> certainly going to compromise research that looks at longitudinal Dx v
>> treatments v outcomes. Perhaps perhaps permanent anonymisation is a better
>> solution in this case, with the original patient being given the new EHR id.
>>
>> I think GDPR has some way to go yet in healthcare...
>>
>> - thomas
>>
>> On 01/09/2018 18:57, Diego Boscá wrote:
>>
>> If a patient uses a private health provider then he has the right of
>> taking all that information and move to another provider. In that case he
>> will want a hard-delete of data. And I hope private health providers are
>> also able to use openEHR ;D
>> I think we should also review the "consent" mechanisms we have, as they
>> probably should also be tweaked to comply with GDPR.
>>
-- 

Regards, Jan-Marc
Mobile: +31 6 53785650
www.medrecord.io


Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
It would be a bad thing to let all patients be restricted in their rights
because one patient, suffering in the past from depression and having a
recurring cancer, can get into problems. Some people are emotionally
unstable; they need protection. I don't know the best way, but I would
think of something like the digital locked room (mentioned below), but
this should not happen by default for all patients.
It is, btw, also possible to switch digital locked rooms when switching
data to a new PHR provider, so that all data remain maintained at the
company the patient chooses.

For research purposes, there must also be solutions. People can allow
voluntary access to their data by researchers; this is how it works now. So
in the PHR situation, researchers go to the PHR providers instead of the
clinicians. Not many people will delete all their data without transporting
them to a new PHR provider (if someone wants to do so, you can build a net of
safety measures, confirmation time, etc.), and for those two or three who
still destroy all, researchers will not have data.

Bert


On Sat, 1 Sep 2018 at 20:29, Thomas Beale wrote:

> I continue to wonder what will happen when a cancer patient (perhaps in a
> moment of depression or disaffection with care) asks for the hard delete,
> gets better, then has a recurrence a few years later. What does the health
> system do when *all the notes are really gone*?
>
> I think a better solution is to create a digital locked room when such
> EHRs are put, one-way encrypted with a giant key provided by the patient.
> Then when they have regrets, they can ask - nicely - for their record to
> come out of cold storage.
>
> Another argument against total deletion is that a) the state has invested
> in helping sick patients and b) other citizens have a potential interest in
> health records belonging to those in the same major disease cohort, i.e.
> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are
> certainly going to compromise research that looks at longitudinal Dx v
> treatments v outcomes. Perhaps perhaps permanent anonymisation is a better
> solution in this case, with the original patient being given the new EHR id.
>
> I think GDPR has some way to go yet in healthcare...
>
> - thomas
>
> On 01/09/2018 18:57, Diego Boscá wrote:
>
> If a patient uses a private health provider then he has the right of
> taking all that information and move to another provider. In that case he
> will want a hard-delete of data. And I hope private health providers are
> also able to use openEHR ;D
> I think we should also review the "consent" mechanisms we have, as they
> probably should also be tweaked to comply with GDPR.
>
>


Re: GDPR and OpenEhr.

2018-09-03 Thread Bert Verhees
I promised to come back to some contributions.

So, on the medico-legal purposes Ian and Karsten and maybe others referred
to: a patient who maintains his own PHR and wants to delete it can never
sue a clinician, because he himself destroyed important evidence. For that
reason it is not necessary for a clinician to maintain data copies from the
patient (besides, this should not be allowed either), because the patient
has an external service which takes care of that. It is no longer a
clinician's business.

If it comes to a medico-legal procedure, the clinician, or his lawyer,
should have access to all evidence which is important in context of this
procedure. This does not differ from other legal procedures.

If the clinician needs access to the data, for example to prepare for a
visit the next day, he can ask the patient to allow access to the PHR the day
before the visit, but these are all infrastructural details, for which
solutions can be found.

Bert

On Sat, 1 Sep 2018 at 19:25, Ian McNicoll wrote:

> Hi Bert,
>
> There are certainly some implementations that allow for hard-deletes of
> compositions and Ehrs. This is a complex area as GDPR does not confer an
> absolute right for medical info to be forgotten (as I understand it). It
> does allow for copies of the record to be retained for medico-legal
> purposes.
>
> However, in our cloud-provider setting, we absolutely need to be able to
> hard delete Ehrs, as people may simply want to switch CDR providers. As a
> data processor, we have no right to keep the record, as long as it is
> available via another provider.
>
> Ian
>
> Dr Ian McNicoll
> mobile +44 (0)775 209 7859
> office +44 (0)1536 414994
> skype: ianmcnicoll
> email: i...@freshehr.com
> twitter: @ianmcnicoll
>
>
> Co-Chair, openEHR Foundation ian.mcnic...@openehr.org
> Director, freshEHR Clinical Informatics Ltd.
> Director, HANDIHealth CIC
> Hon. Senior Research Associate, CHIME, UCL
>
>
> On Sat, 1 Sep 2018 at 14:52, Bert Verhees  wrote:
>
>> OpenEhr does not really allow to delete data, only logical deletion (mark
>> as deleted), but GDPR demands the right of the patient to be forgotten.
>>
>> Is there some change expected in the specs for compliance to GDPR, or was
>> this already implemented?
>>
>> We had this discussion, slightly different, about ten months ago but no
>> conclusion if I recall well
>>
>> Sorry if I missed a message about this.
>>
>> Thanks
>> Bert Verhees
>>


Re: GDPR and OpenEhr.

2018-09-01 Thread Bert Verhees
There are good arguments in the discussion. I take this message to reply to 
because it is the last for this subject at the moment. 

I am thinking of the following situation. This week, Microsoft, Google, Amazon and 
IBM agreed that there must be a health data platform which exposes itself in 
FHIR and API. Apple will certainly connect too. What will run below is not 
specified. It could well be OpenEhr. There might also be smaller parties which 
will be health data providers. 

The idea is that the patient (or better, consumer) becomes the owner of the 
data: a connected PHR. He gives the healthcare providers access to his data.  
The healthcare data company is a tech company and the consumer chooses it like 
he chooses his telephone provider. Maybe it is a combined service. 

GDPR supports this new market idea. But when the user switches provider, he 
must be sure that all his data are removed from the old provider. 

This is the intention from the tech companies, and it is a good intention.  

Of course the Googles of this earth will be leading, but it is an open market 
so small parties can also enter and compete on price or special features in 
the context of mhealth or sport support or support for special conditions. 

Anyway, I have read about this this week in a journal, and it seems very 
promising. That was my thought about asking. 

I am now writing this from my phone, but tomorrow after 1200 km driving, I can 
come back to this. 

Best regards
Bert

Sent from my Sony Xperia™ smartphone

Karsten Hilbert wrote:

>On Sat, Sep 01, 2018 at 08:33:08PM +0200, Diego Boscá wrote:
>
>> Supporting hard delete doesn't mean mandate hard delete :)
>
>Indeed. I agree with that.
>
>Karsten
>-- 
>GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B


Re: GDPR and OpenEhr.

2018-09-01 Thread Karsten Hilbert
On Sat, Sep 01, 2018 at 08:33:08PM +0200, Diego Boscá wrote:

> Supporting hard delete doesn't mean mandate hard delete :)

Indeed. I agree with that.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-01 Thread Diego Boscá
And as I said, this is covered by the exemptions to hard delete in that law
article; no need for German providers to delete anything their national law
doesn't allow for.

On Sat, 1 Sep 2018 at 20:42, Karsten Hilbert wrote:

> On Sat, Sep 01, 2018 at 08:29:33PM +0200, Diego Boscá wrote:
>
> > There is in fact that right, the "right to be forgotten"
> > https://gdpr-info.eu/art-17-gdpr/
> > The requirement you say about Germany is backed by sections 3 (b) and (c)
> > These exceptions do not apply to private providers, so we have the legal
> > need to support that kind of delete operations to allow openEHR systems
> to
> > be GDPR compliant
>
> Whether we like it or not (I do not like it, personally, as a
> patient, but do like it, professionally, as a GP): in Germany
> there is the right to keep a record "as long as there is
> suspicion you might be sued such that you can exercise your
> right to defend yourself". 30 years is the latest you can be
> sued in Germany. So that's when a hard delete can be
> requested (arguably it even becomes mandatory). Period.
>
> However, the provider is legally bound to make sure the
> record is not used after the patient requests that (there's
> other time limits for other things, but that's the most a
> patient can *request* after those other deadlines have
> passed and before 30 years are over).
>
> It doesn't matter what anyone thinks. That is the legal
> situation ATM.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>


-- 


Diego Boscá Tomás / Senior developer
diebo...@veratech.es
yamp...@gmail.com

VeraTech for Health SL
+34 654604676
www.veratech.es

Your e-mail address, together with your personal data, forms part of a file
owned by VeraTech for Health SL (CIF B98309511) whose purpose is to keep in
contact with you. In accordance with Ley Orgánica 15/1999, you may exercise
your rights of access, rectification, cancellation and, where applicable,
objection by sending a written request to verat...@veratech.es.


Re: GDPR and OpenEhr.

2018-09-01 Thread Diego Boscá
Permanent anonymisation is allowed under some prerequisites (see the other
reply, point 3 of art. 17). This is a patient right to be exercised with all
consequences. Data will never be lost, as the patient has the right to
obtain a copy of all the information a provider has about him in an
electronic standard when available. Luckily we can provide that also.

On Sat, 1 Sep 2018 at 20:29, Thomas Beale wrote:

> I continue to wonder what will happen when a cancer patient (perhaps in a
> moment of depression or disaffection with care) asks for the hard delete,
> gets better, then has a recurrence a few years later. What does the health
> system do when *all the notes are really gone*?
>
> I think a better solution is to create a digital locked room when such
> EHRs are put, one-way encrypted with a giant key provided by the patient.
> Then when they have regrets, they can ask - nicely - for their record to
> come out of cold storage.
>
> Another argument against total deletion is that a) the state has invested
> in helping sick patients and b) other citizens have a potential interest in
> health records belonging to those in the same major disease cohort, i.e.
> diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous deletions are
> certainly going to compromise research that looks at longitudinal Dx v
> treatments v outcomes. Perhaps perhaps permanent anonymisation is a better
> solution in this case, with the original patient being given the new EHR id.
>
> I think GDPR has some way to go yet in healthcare...
>
> - thomas
>
> On 01/09/2018 18:57, Diego Boscá wrote:
>
> If a patient uses a private health provider then he has the right of
> taking all that information and move to another provider. In that case he
> will want a hard-delete of data. And I hope private health providers are
> also able to use openEHR ;D
> I think we should also review the "consent" mechanisms we have, as they
> probably should also be tweaked to comply with GDPR.
>
>


-- 


Diego Boscá Tomás / Senior developer
diebo...@veratech.es
yamp...@gmail.com

VeraTech for Health SL
+34 654604676
www.veratech.es



Re: GDPR and OpenEhr.

2018-09-01 Thread Karsten Hilbert
On Sat, Sep 01, 2018 at 08:29:33PM +0200, Diego Boscá wrote:

> There is in fact that right, the "right to be forgotten"
> https://gdpr-info.eu/art-17-gdpr/
> The requirement you say about Germany is backed by sections 3 (b) and (c)
> These exceptions do not apply to private providers, so we have the legal
> need to support that kind of delete operations to allow openEHR systems to
> be GDPR compliant

Whether we like it or not (I do not like it, personally, as a
patient, but do like it, professionally, as a GP): in Germany
there is the right to keep a record "as long as there is
suspicion you might be sued such that you can exercise your
right to defend yourself". 30 years is the latest you can be
sued in Germany. So that's when a hard delete can be
requested (arguably it even becomes mandatory). Period.

However, the provider is legally bound to make sure the
record is not used after the patient requests that (there's
other time limits for other things, but that's the most a
patient can *request* after those other deadlines have
passed and before 30 years are over).

It doesn't matter what anyone thinks. That is the legal
situation ATM.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-01 Thread Diego Boscá
There is in fact that right, the "right to be forgotten"
https://gdpr-info.eu/art-17-gdpr/
The requirement you say about Germany is backed by sections 3 (b) and (c)
These exceptions do not apply to private providers, so we have the legal
need to support that kind of delete operations to allow openEHR systems to
be GDPR compliant

On Sat, 1 Sep 2018 at 20:17, Karsten Hilbert wrote:

> On Sat, Sep 01, 2018 at 07:57:31PM +0200, Diego Boscá wrote:
>
> > If a patient uses a private health provider then he has the right of
> taking
> > all that information and move to another provider. In that case he will
> > want a hard-delete of data.
>
> Indeed they will want that, but there is no absolute right
> for a hard-delete (not that I personally like that fact). As
> I said, in Germany, that right currently only takes effect
> after 30 years (that absolute right). In the meantime,
> however, there's a right for sealing against access.
>
> Karsten
> --
> GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
>


-- 


Diego Boscá Tomás / Senior developer
diebo...@veratech.es
yamp...@gmail.com

VeraTech for Health SL
+34 654604676
www.veratech.es



Re: GDPR and OpenEhr.

2018-09-01 Thread Thomas Beale
I continue to wonder what will happen when a cancer patient (perhaps in 
a moment of depression or disaffection with care) asks for the hard 
delete, gets better, then has a recurrence a few years later. What does 
the health system do when *all the notes are really gone*?


I think a better solution is to create a digital locked room when such 
EHRs are put, one-way encrypted with a giant key provided by the 
patient. Then when they have regrets, they can ask - nicely - for their 
record to come out of cold storage.


Another argument against total deletion is that a) the state has 
invested in helping sick patients and b) other citizens have a potential 
interest in health records belonging to those in the same major disease 
cohort, i.e. diabetes, cystic fibrosis, BRCA1 cancer etc. Numerous 
deletions are certainly going to compromise research that looks at 
longitudinal Dx v treatments v outcomes. Perhaps permanent 
anonymisation is a better solution in this case, with the original 
patient being given the new EHR id.


I think GDPR has some way to go yet in healthcare...

- thomas


On 01/09/2018 18:57, Diego Boscá wrote:
If a patient uses a private health provider then he has the right of 
taking all that information and move to another provider. In that case 
he will want a hard-delete of data. And I hope private health 
providers are also able to use openEHR ;D
I think we should also review the "consent" mechanisms we have, as 
they probably should also be tweaked to comply with GDPR.


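The "digital locked room" Thomas sketches, worked through as an added example that is not code from this thread or from openEHR: the provider keeps only an AES-256-GCM ciphertext of the serialised EHR, the key is a random 256-bit value that the patient alone holds, the EHR id is bound as associated data so the blob cannot be moved under another id, and a hard delete is simply dropping the ciphertext. The Go type and function names, the EHR id and the sample EHR content are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const KeySize = 32 // AES-256: the "giant key" the patient generates and keeps

var ErrNotFound = errors.New("no sealed record for that EHR id")

// SealedRecord is all the provider keeps once an EHR is in the locked room;
// without the patient-held key it is opaque to the provider and to anyone who copies it.
type SealedRecord struct {
	EHRID      string // EHR id the blob belongs to (constructed values in main/tests)
	Nonce      []byte // random 96-bit GCM nonce, fresh for every seal operation
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// newAEAD builds AES-GCM from the patient key; aes.NewCipher rejects wrong key sizes.
func newAEAD(patientKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(patientKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEHR encrypts a serialised EHR under the patient's key, binding the EHR id as
// additional authenticated data so the blob cannot be re-attached to another EHR id.
func SealEHR(ehrID string, plaintext, patientKey []byte) (SealedRecord, error) {
	aead, err := newAEAD(patientKey)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(ehrID))
	return SealedRecord{EHRID: ehrID, Nonce: nonce, Ciphertext: ct}, nil
}

// UnsealEHR reverses SealEHR. A wrong key, a modified blob or a mismatched EHR id
// all fail authentication and yield an error instead of data.
func UnsealEHR(rec SealedRecord, patientKey []byte) ([]byte, error) {
	aead, err := newAEAD(patientKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.EHRID))
}

// ColdStorage models the provider side: sealed records only, never a key. Lock/Restore
// is the locked-room path; HardDelete is the Art. 17 path, a real deletion, not a "mark as deleted".
type ColdStorage map[string]SealedRecord

// Lock seals the EHR and keeps only the ciphertext; the caller then discards the plaintext.
func (c ColdStorage) Lock(ehrID string, plaintext, patientKey []byte) error {
	rec, err := SealEHR(ehrID, plaintext, patientKey)
	if err != nil {
		return err
	}
	c[ehrID] = rec
	return nil
}

// Restore hands the plaintext back only when the patient presents the key.
func (c ColdStorage) Restore(ehrID string, patientKey []byte) ([]byte, error) {
	rec, ok := c[ehrID]
	if !ok {
		return nil, ErrNotFound
	}
	return UnsealEHR(rec, patientKey)
}

// HardDelete drops the ciphertext and reports whether anything was there.
func (c ColdStorage) HardDelete(ehrID string) bool {
	_, ok := c[ehrID]
	delete(c, ehrID)
	return ok
}

func main() {
	key := make([]byte, KeySize) // generated and kept by the patient, never by the provider
	rand.Read(key)
	store := ColdStorage{}
	_ = store.Lock("ehr-0001", []byte(`{"ehr_id":"ehr-0001"}`), key) // constructed sample EHR
	_, err := store.Restore("ehr-0001", make([]byte, KeySize))       // provider-side guess fails
	fmt.Println("open without patient key:", err, "| hard deleted:", store.HardDelete("ehr-0001"))
}
```

A provider that also wants the Art. 17 path to be irreversible in its backups can rely on the patient destroying the key, since the retained ciphertext is then unrecoverable by construction.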


Re: GDPR and OpenEhr.

2018-09-01 Thread Karsten Hilbert
On Sat, Sep 01, 2018 at 07:57:31PM +0200, Diego Boscá wrote:

> If a patient uses a private health provider then he has the right of taking
> all that information and move to another provider. In that case he will
> want a hard-delete of data.

Indeed they will want that, but there is no absolute right
for a hard-delete (not that I personally like that fact). As
I said, in Germany, that right currently only takes effect
after 30 years (that absolute right). In the meantime,
however, there's a right for sealing against access.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-01 Thread Diego Boscá
If a patient uses a private health provider then he has the right of taking
all that information and move to another provider. In that case he will
want a hard-delete of data. And I hope private health providers are also
able to use openEHR ;D
I think we should also review the "consent" mechanisms we have, as they
probably should also be tweaked to comply with GDPR.

On Sat, 1 Sep 2018 at 19:25, Ian McNicoll wrote:

> Hi Bert,
>
> There are certainly some implementations that allow for hard-deletes of
> compositions and Ehrs. This is a complex area as GDPR does not confer an
> absolute right for medical info to be forgotten (as I understand it). It
> does allow for copies of the record to be retained for medico-legal
> purposes.
>
> However, in our cloud-provider setting, we absolutely need to be able to
> hard delete Ehrs, as people may simply want to switch CDR providers. As a
> data processor, we have no right to keep the record, as long as it is
> available via another provider.
>
> Ian
>
> Dr Ian McNicoll
> mobile +44 (0)775 209 7859
> office +44 (0)1536 414994
> skype: ianmcnicoll
> email: i...@freshehr.com
> twitter: @ianmcnicoll
>
>
> Co-Chair, openEHR Foundation ian.mcnic...@openehr.org
> Director, freshEHR Clinical Informatics Ltd.
> Director, HANDIHealth CIC
> Hon. Senior Research Associate, CHIME, UCL
>
>
> On Sat, 1 Sep 2018 at 14:52, Bert Verhees  wrote:
>
>> OpenEhr does not really allow to delete data, only logical deletion (mark
>> as deleted), but GDPR demands the right of the patient to be forgotten.
>>
>> Is there some change expected in the specs for compliance to GDPR, or was
>> this already implemented?
>>
>> We had this discussion, slightly different, about ten months ago but no
>> conclusion if I recall well
>>
>> Sorry if I missed a message about this.
>>
>> Thanks
>> Bert Verhees


-- 


Diego Boscá Tomás / Senior developer
diebo...@veratech.es
yamp...@gmail.com

VeraTech for Health SL
+34 654604676
www.veratech.es



Re: GDPR and OpenEhr.

2018-09-01 Thread Karsten Hilbert
On Sat, Sep 01, 2018 at 06:24:22PM +0100, Ian McNicoll wrote:

> There are certainly some implementations that allow for hard-deletes of
> compositions and Ehrs. This is a complex area as GDPR does not confer an
> absolute right for medical info to be forgotten (as I understand it). It
> does allow for copies of the record to be retained for medico-legal
> purposes.

The latter reason for retention would have a hard limit of 30
years in Germany.

Karsten
-- 
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B



Re: GDPR and OpenEhr.

2018-09-01 Thread Ian McNicoll
Hi Bert,

There are certainly some implementations that allow for hard-deletes of
compositions and Ehrs. This is a complex area as GDPR does not confer an
absolute right for medical info to be forgotten (as I understand it). It
does allow for copies of the record to be retained for medico-legal
purposes.

However, in our cloud-provider setting, we absolutely need to be able to
hard delete Ehrs, as people may simply want to switch CDR providers. As a
data processor, we have no right to keep the record, as long as it is
available via another provider.

Ian

Dr Ian McNicoll
mobile +44 (0)775 209 7859
office +44 (0)1536 414994
skype: ianmcnicoll
email: i...@freshehr.com
twitter: @ianmcnicoll


Co-Chair, openEHR Foundation ian.mcnic...@openehr.org
Director, freshEHR Clinical Informatics Ltd.
Director, HANDIHealth CIC
Hon. Senior Research Associate, CHIME, UCL


On Sat, 1 Sep 2018 at 14:52, Bert Verhees  wrote:

> OpenEhr does not really allow to delete data, only logical deletion (mark
> as deleted), but GDPR demands the right of the patient to be forgotten.
>
> Is there some change expected in the specs for compliance to GDPR, or was
> this already implemented?
>
> We had this discussion, slightly different, about ten months ago but no
> conclusion if I recall well
>
> Sorry if I missed a message about this.
>
> Thanks
> Bert Verhees


GDPR and OpenEhr.

2018-09-01 Thread Bert Verhees
OpenEhr does not really allow deleting data, only logical deletion (mark as 
deleted), but GDPR demands the right of the patient to be forgotten.

Is there some change expected in the specs for compliance to GDPR, or was this 
already implemented? 

We had this discussion, slightly different, about ten months ago but no 
conclusion if I recall well

Sorry if I missed a message about this. 

Thanks
Bert Verhees