Hi all,
Just wanted to make folks aware of the available standard from the OMG 
Healthcare Domain Task Force (HDTF) that addresses security in a Health Care 
setting. The Resource Access Decision (RAD) Facility 
(http://www.omg.org/cgi-bin/doc?formal/2001-04-01) is a mechanism for 
obtaining authorization decisions and administering access decision 
policies. It enables a common way for an application to request and receive 
an authorization decision.

As we designed and developed this specification, and since the HDTF is in 
the business of providing the "how", we looked to those standards bodies that 
are in the "what" business to define the following, which could then be used 
in conjunction with RAD:

1) What is a resource that needs to be secured in Healthcare? The patient 
record, a piece of the record, a programming operation that may add, delete 
or modify the record, a person, a place, a web page, a box on a web page, etc.

2) What is a policy that can be used to secure a resource? A policy can 
include rules about who can access, what group can access and what roles 
can access; you can also have time constraints associated with a policy.

Definitive answers to these questions were not available, and we designed 
and developed the standard in an extensible manner to allow resources and 
policies to be defined by the organization using the standard, with hopes 
that someday there may be commonly available terms for these resources and 
policies (but not to hold one's breath).

What we are currently experiencing with our customers, who are utilizing 
our implementation of the standard, is that they are defining their own 
policies for their secured resources in light of waiting for some standards 
body to define what resources and policies are. With the advent of HIPAA in 
the U.S., our U.S. customers have something to work with in terms of 
defining what policies need to be created and what resources need to be 
secured.

Tom
_______________________________________________________
2AB, Inc. <http://www.2ab.com/>
1700 Highway 31
Calera, Alabama 35040
205-621-7455 ext 107
iLock <http://www.2ab.com/ilock_ss.htm> & orb2 <http://www.2ab.com/orb2.htm>
"Trusted Solutions for Distributed Business"

Confidentiality Notice:
This Email message and its attachments are for the sole use of the intended 
recipients.
Any unauthorized review, use, disclosure or distribution is prohibited.
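The decision-point pattern Tom describes, as an added illustration that is not the OMG RAD interfaces or 2AB's product: resources are hierarchical names (a record, or a piece of it), policies are organisation-defined rules keyed on user, group, role and a time window, and the application only asks for an allow/deny answer. All class and field names here are my own assumptions, as is the sample policy.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    """One grant in an organisation-defined policy (hypothetical shape, not RAD IDL)."""
    resource: tuple            # hierarchical name, e.g. ("patient_record", "123", "medications")
    operations: frozenset      # e.g. {"read", "modify"}
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    hours: tuple = (0, 24)     # optional time constraint: permitted [start, end) hour

    def matches(self, subject, resource, operation, now):
        # A grant on a record also covers pieces of that record (prefix match).
        if resource[: len(self.resource)] != self.resource:
            return False
        if operation not in self.operations:
            return False
        if not self.hours[0] <= now.hour < self.hours[1]:
            return False
        return (subject.user in self.users
                or bool(subject.groups & self.groups)
                or bool(subject.roles & self.roles))

class AccessDecisionPoint:
    def __init__(self, rules):
        self.rules = list(rules)

    def access_allowed(self, subject, resource, operation, now):
        # Default deny: a request matched by no grant is refused. The caller never sees the rules.
        return any(r.matches(subject, resource, operation, now) for r in self.rules)

# Constructed sample policy: clinicians may read any part of patient 123's record; the ward nurse group may modify the medication section during day shift only.
POLICY = AccessDecisionPoint([
    Rule(("patient_record", "123"), frozenset({"read"}), roles=frozenset({"clinician"})),
    Rule(("patient_record", "123", "medications"), frozenset({"modify"}),
         groups=frozenset({"ward7_nurses"}), hours=(7, 19)),
])
# Constructed sample subjects and request times.
NURSE = Subject("nurse1", groups=frozenset({"ward7_nurses"}), roles=frozenset({"clinician"}))
CLERK = Subject("clerk1", groups=frozenset({"billing"}))
DAY_SHIFT = datetime(2003, 4, 29, 10, 0)
NIGHT = datetime(2003, 4, 29, 23, 0)
```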

At 10:52 PM 4/29/03 +0930, Peter Schloeffel wrote:

>Hi Bill,
>
>I am part of the openEHR team in Australia and am also a GP (part time) 
>and heavily involved in health informatics standards development.  One of 
>the first work items in ISO/TC 215 (Health Informatics) when it was formed 
>five years ago was titled Ownership and Access to the EHR.  This was 
>proposed and led by New Zealand - Mike Mair in fact - and this was where 
>he first proposed his immunological model of access.
>
>Very early on in the life of this project, we agreed unanimously 
>(including the US) that the question of ownership of the EHR was
>
>a)    not resolvable in an international context due to marked 
>jurisdictional differences between countries, but more importantly;
>
>b)    the question of ownership is not really all that relevant in the 
>case of the EHR; it is who controls access that is crucial: control of 
>access equates to at least de facto ownership.
>
>The name of the NZ-led project was subsequently changed to just Access to 
>Electronic Health Records, but the project was never completed, due in large 
>part to demarcation disputes between the EHR working group and the 
>Security working group.  This illustrates the need to make work items like 
>this cross vertical silo boundaries because both the technical (which 
>predominates in Security WGs) and clinical (which predominates in EHR WGs) 
>inputs are needed.  We currently have a work item in Standards Australia 
>of the same name which is being led by Sam but we are doing this as a 
>joint project between the EHR and Security WGs.  There is also a new work 
>item in TC 215 being led by Bernd Blobel in WG4 (Security) and called 
>Privilege Management and Access Control.  The scope of this work item is 
>broader than just access to the EHR but it is very relevant 
>nevertheless.  I'm sure Bernd would be happy to give an update on the 
>latest status of this project.
>
>Questions of ownership, custodianship, stewardship etc will still be 
>considered important in particular jurisdictions (eg the GP is at least in 
>theory the custodian of the EHR in the English NHS).  Different 
>jurisdictions will also have different opinions about who should control 
>access to the EHR (and to what extent, in what circumstances 
>etc).  However, our Working Group 1 in TC 215 (Health Records and 
>Modelling Coordination) was unanimous that it SHOULD be the 
>patient/consumer who controls access to the EHR and therefore effectively 
>owns the EHR.
>
>In Australia, the Federal Government is quite clear that the 
>patient/consumer will control access to her/his EHR.  Unfortunately, the 
>fine details of how this will be implemented have not yet been worked out 
>in terms of the eConsent and access control models.  The Federal 
>Department of Health last year ran a concurrent series of four eConsent 
>projects.  I was the clinical consultant for one of these and Sam Heard 
>was the clinical consultant to another.  There was lots of good material 
>which came out of these projects including commissioned background papers 
>and project reports, but we do not yet seem to be much closer to having an 
>agreed and detailed national e-consent/access control model(s).
>
>I would be happy to dig out the relevant background papers and reports if 
>you or anyone else on the list would be interested.
>
>Regards
>
>Peter Schloeffel
>
>************************************************
>Dr Peter Schloeffel
>Director and CEO
>Ocean Informatics Pty Ltd
>
>30 Winchester Street
>St Peters  SA  5069
>Australia
>
>Tel:        +61 (0)8 8363 1642
>Fax:       +61 (0)8 8363 3481
>Mob:     +61 (0)414 669 899
>peter.schloeffel at OceanInformatics.biz
>www.OceanInformatics.biz
>www.openehr.org
>www.gehr.org
>************************************************
>
>-----Original Message-----
>From: owner-openehr-technical at openehr.org 
>[mailto:owner-openehr-technical at openehr.org] On Behalf Of Bill Walton
>Sent: Tuesday, April 29, 2003 6:03 AM
>To: Paul Juarez; openehr-technical at openehr.org
>Subject: Re: GEHR philosophical background info
>
>Hi Paul,
>
>I agree completely that the ownership question is fundamental.  Until 
>recently I was under the mistaken impression that everybody agreed that 
>the patient owned their medical records and that physicians were simply 
>the stewards.  Then I discovered that, as of the early '90's, fewer than 
>one third of the states here in the U.S. even had laws that required that 
>patients be given access to their records.  So yes, I think that clearing 
>up the question of ownership is ultimately necessary.  And I'm hoping that 
>the move to electronic form will, at least in part, both precipitate that 
>discussion and facilitate the implementation of what I perceive to be 
>the obvious answer.
>
>Best regards,
>
>Bill
>
>----- Original Message -----
>From: <mailto:JuarezPD at wmmcpo.ah.org>Paul Juarez
>To: <mailto:bill.walton at jstats.com>bill.walton at jstats.com ; 
><mailto:openehr-technical at openehr.org>openehr-technical at openehr.org
>Sent: Monday, April 28, 2003 3:04 PM
>Subject: Re: GEHR philosophical background info
>
>I've been following these discussions with a lot of interest.  So I guess 
>it's time for me to put in my two bits.  While I've seen a couple of 
>references to ownership of the medical record, I haven't seen anything 
>definitive that defines it (e.g. patient, provider, legal custodian of 
>record, etc., or some combination).  It seems like this question needs to 
>be clearly agreed on before issues of access can be identified.  (It also 
>could be a partial solution to distinguishing between the terms EMR, EHR, 
>EPR).  HIPAA aside, it seems that there may be some different legal issues 
>about ownership that would also have implications for access.  Any thoughts?
>
> >>> "Bill Walton" <bill.walton at jstats.com> 04/28/03 12:32PM >>>
>
>Hi Sam,
>
> > > BW:  This is a really interesting problem space to me.  I've been 
> studying HIPAA (the Health care Information Portability and 
> Accountability Act) and have become fascinated with the discussion over 
> how best to balance the needs of the various parties involved in the 
> provision and payment of healthcare services so as to improve the quality 
> and decrease the cost of health care here in the U.S..  Talk about a 
> non-trivial problem!  Interestingly, it looks to me like all the nonsense 
> can be traced back to the health record and some fundamental questions 
> about who owns it, who controls access to it, etc.  Thanks again for 
> sharing.  Hope to hear from you soon.
>
> > > SH:  I agree - it is fascinating. Can I point you to our (original 
> work on this - quite philosophical) which I wrote with Len Doyal - a 
> professor of medical ethics in London.
>
>http://www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8
>
>I hate to ask this, but is there one deliverable you could point me to 
>that contains the philosophical stuff?  I'm up to my eyeballs right now 
>and I can see there's a whole bunch of good stuff at the Chime site on 
>GEHR that I'll have to get to asap.
>
>Thanks,
>
>Bill
