Bill,
In response to:
>The "Health Care Facility Nominated Trusted Clinician" section on page 5
>contains the sentence "This access will be on a 'need to know'
>basis." Here in the U.S., HIPAA has specifically rejected "need to know"
>as a valid basis for access. A user of the EHR may only access
>information the patient has granted them the right to access.
My response is typically a French one: partially following the US point of
view, but also complementary.
First, following HIPAA's point of view, French legislation tells that the
patient decides who will be allowed to access the EHR data.
So, when authoring patient's data, we may consider that the Patient's
physician has the delegation to define the ACL.
Second, by default, the HealthCare Agent's category (i.e. a surgeon, a
physician, a nurse, a student...) defines restrictions of accessibility to
the EHR.
Third, the patient's physician may delegate exams or treatments to other
HealthCare Agents (HCA). To complete this delegation, the healthcare agents
need a view on the EHR: so a restriction of the access rigths to the
patient's EHR. If these HCA themselves delegate acts to other HCA, these
delegations also come with appropriate restrictions on the visibility of
the EHR.
Forth (and last, so pull the entire stack into action's parameters), all
these rules may not apply.
For example, because the Patient's Physician is in vacation, and the
Patient's conciousness is also in vacation: holiday time, the Patient is in
coma (an example ? diabetes). So a physician comes to see the Patient and
tells the program: "I, Physician, in charge of managing the Patient's
Health in a possible case of life or death, do transgress the program's and
EHR data limitations, with full conciousness of what this means. I fully
assume the consequences. So now, give me unlimited, full access to the
Patient's information. Signed: XXXX". And this transgression will be added
to the Patient's record. And this transgression will also be notified to
the Patient and to the physicians that the Patient choose: so any abuse may
lead to legal consequences. Also, in a case of emergency, the program -and
the software company which made it- will not be responsible of the death of
a human being.
Conversely, if the use of a program leads or may lead to the patient's
death or illness, you may be sure that (1) the importation and use of the
program will be prosecuted in most european countries; (2) the software
authors and editors will assume the full consequences, including jail and
money.
So, now, the Patient is in the middle of a desert. Around him, the only
help is a less competent healthcare agent: for example, a student, or a
nurse. Because of the possible consequences, the heathcare agent may type
on his/her PDA/GPS/satellite_link_to_eath's_global_health_service's TTY:
"I, less competent people, require appropriate information to do my best".
And we all will pray.
-- Patrick Lefebvre ------------- ( plefebv at wanadoo.fr )
----------------------
"Ce que j'?cris n'engage que moi, et ce jusqu'? ma prochaine id?e."
"What I write is only my current opinion."
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20031118/0b71f35b/attachment.html>
