EPR vs. EHR
Do Angels have sex, finally? -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/ba4076be/attachment.html>
openEHR security
Hi, I must confess I didn't read very carefully each message on this thread ; however, I think that I may contribute by explaining the direction we are currently following. First I think we must distinguish between care coordination (inside an openEHR node) and continuity of care. Continuity of care means that you manage to index every contributions for a single patient (these contributions can be openEHR contributions or other systems contribution, or even data here and there). The acces rules must be very different in both cases since : - inside a node (care coordination) the system belongs to the team and/or the careplace (say it is a domain, maybe a meta-domain) and see patients passing through (from in to out). - a continuity of care system necesseraly belongs to the patient (when you consider a wide period of time, it is the only stable user) and see medical teams passing through. To adress this change of point of view (from a steady referential to a moving referential), we are building a system with the following rules : - the continuity of care system is an index of existing contributions and is granted access rights to the nodes - inside the continuity of care system, people that may access data are given a position inside the patient "health team" : the position depends on the people "job" (doctor, other health professional, family, social worker) and depends on his "distance" from the patient (usual care giver vs unusual one). Hence the access rights to the contribution are determined for each possible position and depends on the current role inside the personal halth team at the very moment. You can like the way we do it or not, however, I don't think you can make proper access rights if you don't adress the issue of steady referential (care coordination - or groupware) vs moving referential (continuity of care - every episod of care for every care team). Philippe >Hi Thomas, > >Thomas Beale wrote: > > >/snip/ > > > So. What do we know? > > - role-based access control is required. To make it work properly in a > > shared care community context (e.g. a hospital, 50 GPs, aged care homes, > > nursing care, social workers etc etc) then the roles need to be defined > > congruently. I seem to remember some Canadian project coming to the > > conclusion that really the roles need to be defined the same across the > > entire (national) health care system. I think this is both correct and a > > the same time unrealistic. > >With all due respect, Thomas, it it's unrealistic then, IMO, it can't be >correct. (Pragmatism R Us ;-) ) > >I'd like to offer food for thought. The fundamental assumption at work here >seems to be that care givers will access the same system, thus driving the >need for all users of the system to be assigned roles that are defined >congruently. Let's consider an alternative model. > >When I travel from the U.S. to the U.K., I (the physical being) move from >one socio-cultural-legal model to another. That does not change who / what >I am, but it does change my behavior because I operate under a different set >of norms and mores in the new environment. I accept new forms of >interaction and find that familiar forms are no longer available. > >Why should it be any different for the information about me than it is for >me? > >If we work from a perspective that posits that health information will move >from system to system and be used / modified based on the rule sets in place >within the various systems, does that make the problem more amenable to >solution? > > > I think we will be able to find ways of > > having diversely defined roles without every health care facility having > > incompatible definitions of "consultant", "treating physician" etc. > > Bernd's work on this area is pretty detailed. > >I thank Bernd for opening my eyes to what should have been obvious to me at >a much earlier stage. The security problem with EHR systems is >fundamentally the same problem faced in OLAP databases. Or perhaps I should >say that it's the OLAP security problem with a twist. At least OLAP >databases are typically confined to one environment / business. It's clear >that the EHR problem is more difficult in that EHR's must, IMO, be capable >of moving between environments. Perhaps, by requiring a more generalized >solution, the EHR problem will actually be easier to solve. > >I don't know if you've checked out Mike Mair's paper but it implicitly poses >a very interesting question. "Is a biologically-based security model >fundamentally better aligned with the needs of an information system about >biological entities than alternative models?" I'm hopeful the list will >have some comments on Mike's paper. I think the question is worth some >thought / discussion. > >/snip/ > >Best regards, >Bill > >- >If you have any questions about using this list, >please send a message to d.lloyd at openehr.org - If you have any questions about using this list, please sen
GEHR philosophical background info
Paul Juarez wrote: > I've been following these discussions with a lot of interest. So I > guess it's time for me to put in my two bits. While I've seen a couple > of references to ownership of the medical record, I havent seen anything > definitive that defines it (e.g. patient, provider, legal custiodian of > record, etc., or some combination). It seems like this question needs > to be clearly agreed on before issues of access can be identified. (It > also could be a partial solution to distinguishing between the terms > EMR, EHR, EPR). HIPAA aside, it seems that there may be some different > legal issues about ownership that would also have implications for > access. Any thoughts? > > > >>> "Bill Walton" 04/28/03 12:32PM >>> > Hi Sam, > > > > BW: This is a really interesting problem space to me. I've been > studying HIPAA (the Health care Information Portability and > Accountability Act) and have become fascinated with the discussion over > how best to balance the needs of the various parties involved in the > provision and payment of healthcare services so as to improve the > quality and decrease the cost of health care here in the U.S.. Talk > about a non-trivial problem! Interestingly, it looks to me like all the > nonsense can be traced back to the health record and some fundamental > questions about who owns it, who controls access to it, etc. Thanks > again for sharing. Hope to hear from you soon. > > > > SH: I agree - it is fascinating. Can I point you to our (original > work on this - quite philosophical) which I wrote with Len Doyal - a > professor of medical ethics in London. > http://www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8 > > I hate to ask this, but is there one deliverable you could point me to > that contains the philosophical stuff? I'm up to my eyeballs right now > and I can see there's a whole bunch of good stuff at the Chime site on > GEHR that I'll have to get to asap. > > Thanks, > Bill The ownership issue of medical information was a 10 years discussion in Europe. Several projects we have been involved in tried to analyse ethical and legal implications of personal medical information. The interpretation of those issues is very different from country to country, from region to region, from institution to institution and even from scientists to sientists. In all official documents of the European union sich as, e.g. the EU Data Protection Directive from 1995 which meanwhile has been implemented in all EU Member States, avoids the term ownership. In many circles, we talk about a comon responsibility of doctor and patient within the trustworthy doctor-patient relationship. Therefore, also the practical realisation of corresponding activities are handled different. Many Healthcare Establishments hand over the original materials to the patient. In the other hand, legislation for documentation requirements and liability issues requires the originals with the institutions. As you can see, the responsibility paradigm seems to be a logical way - and all standards work items orient to the responsibility paradigm. This means on the other hand, that without consent of the patient (which could be defined at action level or at role level), the doctor has no right to access and to communicate patient's personal information. Best regards Bernd - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
GEHR philosophical background info
On 2003-04-29 3:44, "Thomas Clark" wrote: > Hi Paul, > > > > > You are very right concerning the involvement of judges and attorneys. The > legal issues must be handled up front. > > -Thomas Clark > Yes. The problem is that in Europe, the USA, Canada, Australia, etc, there are many legal systems. One generic solution that will fit all will be difficult. The problem is intractable because it is a problem with at 5 degrees of freedom, if not more. In order to solve this we need discussions on: Descriptions of contexts, Type of infrastructure (pull/push, federation/messaging, MAC/DAC, the level of social (persons) control versus the dependency on technology for control, etc, What is stored in the audit-log, Scenario's / use cases. And then we can have nice discussions as I read now on this list. One solution is to assume for the discussion the existence of a Service next to the EHR service that will control access. And that the EHR service is completely ignorant and passive for this Access Service to operate. Then each country (legal jurisdiction) is able to handle its own context. And we all can use the same standard for the EHR. The Access Service will act as 'firewall' and has all the responsibilities for granting access. Personally I favour this simplistic approach. But I know there are two major contexts: - within a legal entity - between legal entities. In an institution there can be a mix of these two. Within a legal entity I will depend on social measures and therefore audit trails for security. For this solution we need a set of agreed rules plus a discussion on the content of the audit-trail. Between legal entities information can only be exchanged when a person consciously accepts responsibilities for a set of information to be shared for a specific purpose with a specific set of other persons. The provisions for exceptions need to be spelled out completely. Here again the audit-tral and a set of rules are needed. But foremost it must be one person that takes full responsibility. As you can see I try to solve the problem by not depending to much on informational facilities in any EHR. But I will depend on the audit-trail where will be recorded what was published and what was accessed by whom, for what purpose, etc. This is not part of the EHR. The reason why I'm suggesting this way of solving the problem is: - the problem of access control is about handling responsibility and proof. Only persons can be held responsible - Access control easily assumes that the evaluation of Identity, Role, Participation, the trustworthiness of information (or sets if information) are constants of time. All are not constant at all over time. Therefore we can not rely on machines to operate on values judgements (rules) from the past. But we need judgements made by responsible persons as a reaction to a request by an other responsible person as much as possible. Gerard -- -- Gerard Freriks, arts Huigsloterdijk 378 2158 LR Buitenkaag The Netherlands +31 252 544896 +31 654 792800 - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
openEHR security
Dear Bill,
""Is a biologically-based security model
> fundamentally better aligned with the needs of an information system about
> biological entities than alternative models?"
The view we developed when working on the ISO/TC215 access proposal (1.) was
that ownership was itself a cultural concept, and one extreme of a spectrum
of reciprocal relationships between rights and obligations. Pure ownership
is all rights and no obligations, which is scarcely achievable. It would
imply, for example, the right to destroy records, which would probably be
denied even where the paradigm of individual autonomy reigns supreme.
We suggested that there was no interoperability without an access control
mechanism being shared (how can you interoperate if you can't access?),
which was why we went for an actual technique for access control, which
developed
into the CDA 'detachable headers' concept in the later paper to which you
refer at the foot of this mail. The crucial components of this idea are
that:
- 'role for access' be part of a culture defined 'set' of roles, recognized
within a jurisdiction, and that these role sets and their access rules
change within and between jurisdictions.
-There would be a basic 'unit' of healthcare information which we called the
'attestable unit'. Later we learnt that the CDA was just such a unit
- That the header should contain 'role for access (role needed to access
that attestable unit).
-The header should be stored separately from the body,
and should act as a pointer to it when 'activated' by an appropriate search.
- Later we found that the CDA already had 'sections' to which different
access levels could apply. The culture defined (and dynamic) role set within
a
jurisdiction could connect in to a finite set of options within a finite
structure, the CDA.. The immunoglobin (biological) metaphor
seems very apt ('Gaia immunology'),
The audit trails of access are built in to the concept, since the data stays
put on the server, which also collects an audit trail of 'hits'.. but
the device itself, the CDA and its bifunctional structure are shared.
Thanks again for your interest.
Regards
Mike Mair
1.. 'Access to Electronic Health Records' NZ access proposal to ISO/TC 215
Current Work Item Proposals Available from: user name 'wg1' Password 'berlin
'. NB Section 3.2 had different authoring and contains conclusions that are
inconsistent with the other sections (the work item is not current at this
time). http://www.health.nsw.gov.au/iasd/imcs/iso-215/areas/atehr2000.pdf
Original Message -
From: "Bill Walton"
To:
Sent: Tuesday, April 29, 2003 9:33 AM
Subject: Re: openEHR security
> Hi Thomas,
>
> Thomas Beale wrote:
>
>
> /snip/
>
> > So. What do we know?
> > - role-based access control is required. To make it work properly in a
> > shared care community context (e.g. a hospital, 50 GPs, aged care homes,
> > nursing care, social workers etc etc) then the roles need to be defined
> > congruently. I seem to remember some Canadian project coming to the
> > conclusion that really the roles need to be defined the same across the
> > entire (national) health care system. I think this is both correct and a
> > the same time unrealistic.
>
> With all due respect, Thomas, it it's unrealistic then, IMO, it can't be
> correct. (Pragmatism R Us ;-) )
>
> I'd like to offer food for thought. The fundamental assumption at work
here
> seems to be that care givers will access the same system, thus driving the
> need for all users of the system to be assigned roles that are defined
> congruently. Let's consider an alternative model.
>
> When I travel from the U.S. to the U.K., I (the physical being) move from
> one socio-cultural-legal model to another. That does not change who /
what
> I am, but it does change my behavior because I operate under a different
set
> of norms and mores in the new environment. I accept new forms of
> interaction and find that familiar forms are no longer available.
>
> Why should it be any different for the information about me than it is for
> me?
>
> If we work from a perspective that posits that health information will
move
> from system to system and be used / modified based on the rule sets in
place
> within the various systems, does that make the problem more amenable to
> solution?
>
> > I think we will be able to find ways of
> > having diversely defined roles without every health care facility having
> > incompatible definitions of "consultant", "treating physician" etc.
> > Bernd's work on this area is pretty detailed.
>
> I thank Bernd for opening my eyes to what should have been obvious to me
at
> a much earlier stage. The security problem with EHR systems is
> fundamentally the same problem faced in OLAP databases. Or perhaps I
should
> say that it's the OLAP security problem with a twist. At least OLAP
> databases are typically confined to one environment / business. It's
clear
> that the EHR problem is more difficult in that EHR's
openEHR security
Bill Walton wrote: > Hi Thomas, > > Thomas Beale wrote: > > > /snip/ > > >>So. What do we know? >>- role-based access control is required. To make it work properly in a >>shared care community context (e.g. a hospital, 50 GPs, aged care homes, >>nursing care, social workers etc etc) then the roles need to be defined >>congruently. I seem to remember some Canadian project coming to the >>conclusion that really the roles need to be defined the same across the >>entire (national) health care system. I think this is both correct and a >>the same time unrealistic. > > > With all due respect, Thomas, it it's unrealistic then, IMO, it can't be > correct. (Pragmatism R Us ;-) ) > > I'd like to offer food for thought. The fundamental assumption at work here > seems to be that care givers will access the same system, thus driving the > need for all users of the system to be assigned roles that are defined > congruently. Let's consider an alternative model. > > When I travel from the U.S. to the U.K., I (the physical being) move from > one socio-cultural-legal model to another. That does not change who / what > I am, but it does change my behavior because I operate under a different set > of norms and mores in the new environment. I accept new forms of > interaction and find that familiar forms are no longer available. > > Why should it be any different for the information about me than it is for > me? > > If we work from a perspective that posits that health information will move > from system to system and be used / modified based on the rule sets in place > within the various systems, does that make the problem more amenable to > solution? > > >>I think we will be able to find ways of >>having diversely defined roles without every health care facility having >>incompatible definitions of "consultant", "treating physician" etc. >>Bernd's work on this area is pretty detailed. > > > I thank Bernd for opening my eyes to what should have been obvious to me at > a much earlier stage. The security problem with EHR systems is > fundamentally the same problem faced in OLAP databases. Or perhaps I should > say that it's the OLAP security problem with a twist. At least OLAP > databases are typically confined to one environment / business. It's clear > that the EHR problem is more difficult in that EHR's must, IMO, be capable > of moving between environments. Perhaps, by requiring a more generalized > solution, the EHR problem will actually be easier to solve. > > I don't know if you've checked out Mike Mair's paper but it implicitly poses > a very interesting question. "Is a biologically-based security model > fundamentally better aligned with the needs of an information system about > biological entities than alternative models?" I'm hopeful the list will > have some comments on Mike's paper. I think the question is worth some > thought / discussion. > > /snip/ > > Best regards, > Bill > > - > If you have any questions about using this list, > please send a message to d.lloyd at openehr.org > > Dear friends, A crucial challenge for EHR security is the formalisation of policies and their rule-based but also interactive negotiation. This reflects some of the issues mentioned. Formal policy modelling is a CEN workitem over many years. Meanwhile (due to time constraints by other businesses also this project takes years), the issues mentioned are also content of a common 3 part CEN and ISO standard on Privilege Management and Access Control Management. Formal policy modelling and policy negotiation are essential aspect of the specification. Kindest regards Bernd - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
normalizing access vs. normalizing denial (was openEHR security)
Thomas Clark wrote: > Hi Bill, > > Suggested roles: > > FAMILY > Class #1: > -immediate > Class #2: > -legal next of kin > Class #3: > -parents > -siblings > > EMERGENCY: > -first responders > -transport > -emergency room > -life support > > NON-MEDICAL CAREGIVERS: > -Patient identified > outpatient services > > LEGAL > -Patient attorney > -health services > -social services > -police services > -fire services > -public health services > > MEDICAL > -family physician > -substitute family physician > -family medical designee > -nursing services > > The Patient can supply specific persons and organizations. However, some > should be identified and granted access based upon their function, e.g., > health and social services. > > -Thomas Clark > > - Original Message - > From: "Bill Walton" > To: > Sent: Monday, April 28, 2003 12:15 PM > Subject: normalizing access vs. normalizing denial (was openEHR security) > > > >>This is a multi-part message in MIME format. >> >>--=_NextPart_000_0183_01C30D90.8FC88240 >>Xontent-Type: text/plain; >>charset="iso-8859-1" >>Content-Transfer-Encoding: quoted-printable >> >>HI Sam, >>=20 >> BW: Related to all of the above, it seems like there are probably a = >> >>number of circumstances that would require that the control of the = >>Access Control list itself be capable of being over-ridden or delegated. = >> It looks to me like, as currently defined, the only roles that could = >>grant access would be the patient and Next of Kin roles. But assume, = >>for example, that a patient is hospitalized, needs a test performed that = >>can't be performed in the facility, and has designated a Next of Kin = >>that's not present. Perhaps it's just a difference between our systems, = >>but in the U.S. I can imagine a need to delegate the right to change the = >>Access Control list without delegating some of the other decisions = >>(e.g., "pull the plug") that are associated with Next of Kin here. = >>Again, as long as the Audit Trails are in place it seems that fears of = >>inappropriate access might be effectively balanced against the needs of = >>providers re: access to the records for the purpose of delivering the = >>appropriate care. Or perhaps I'm misunderstanding the Next of Kin role. >>=20 >> >>>SH: The whole approach is to normalise access rather than normalise = >> >>denial - so a transfer of a record (or part there-of) would almost = >>always mean that the person giving permission for the transfer was happy = >>with the hospital policy - as advertised under these 6 roles. The access = >>control list would have to be changed by an authorative person when = >>parts of the record required for ongoing care had been limited a = >>clinician who had left. Logging these things is far more important than = >>being highly restrictive - the latter being possible if the patient = >>wants this. >> >>It looks to me like maybe there needs to be rights to change the Access = >>Control List associated with each of the roles currently defined. Or = >>maybe there already are and I've just misunderstood. I completely agree = >>that logging is far more important than being restrictive. We certainly = >>can't hamper the timely provision of care. >> >>Thanks, >>Bill >>=20 >> >> >>--=_NextPart_000_0183_01C30D90.8FC88240 >>Xontent-Type: text/html; >>charset="iso-8859-1" >>Content-Transfer-Encoding: quoted-printable >> >> >> >>>http-equiv=3DContent-Type> >> >> >> >> >>HI = >>Sam, >> > > BW: Related to = >>all of the=20 >>above, it seems like there are probably a number of circumstances that = >>would=20 >>require that the control of the Access Control list itself be capable of = >>being=20 >>over-ridden or delegated. It looks to me like, as currently = >>defined, the=20 >>only roles that could grant access would be the patient and Next of Kin=20 >>roles. But assume, for example, that a patient is hospitalized, = >>needs a=20 >>test performed that can't be performed in the facility, and has = >>designated a=20 >>Next of Kin that's not present. Perhaps it's just a difference = >>between our=20 >>systems, but in the U.S. I can imagine a need to delegate the right to = >>change=20 >>the Access Control list without delegating some of the other decisions = >>(e.g.,=20 >>"pull the plug") that are associated with Next of Kin here. Again, = >>as long=20 >>as the Audit Trails are in place it seems that fears of inappropriate = >>access=20 >>might be effectively balanced against the needs of providers re: access = >>to the=20 >>records for the purpose of delivering the appropriate care. Or = >>perhaps I'm=20 >>misunderstanding the Next of Kin role. > SH: The whole = >>approach=20 >>is to normalise access rather than normalise denial - so a transfer of a = >>record=20 >>(or part there-of) would almost always mean that the person giving = >>permission=20 >>for the transfer was happy with the hospital policy - as advertised = >>under these=20 >>6 roles. The access contro
EPR vs. EHR
Hi The English National Health Service makes an explicit distinction between the "cradle to grave" EHR and the Electronic Patient Record (EPR) which is used to record episodic or periodic healthcare. The EPR is a more generic term and is inclusive of other forms of periodic or episodic health care besides medical care. The proposed ISO definition of the EPR is the same as that of the English NHS except for the addition of the word "episodic". Regards Liz Maher Australia Bill Walton wrote: > Hi Sam, > > > > BW: What's an EPR, what's in it, and what, if any, information > overlap does it have with an associated EHR? You introduce EPR in the > first example, but there's no definition provided and no reference to > an external source. > > > SH: Again, we have had a lot to say about this over the years. In > openEHR - it is the EHR - so the boundary is the model itself. There > is a real problem in the federated approach with addressing this - but > I think openEHR gives a clean approach. > I just want to make sure I'm understanding this correctly. If I > understand your response above, you're saying that EPR and EHR are one > and the same. The reason I ask again is that the second example in > Appendix A of "Access to Electronic Health Records" seems to imply > that they are different in the following sense. It looks like the EPR > is a record of a specific transaction and that the EHR is a > compliation of EPR's over time. > > Thanks, > Bill - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
GEHR philosophical background info
Paul I've been following these discussions with a lot of interest. So I guess it's time for me to put in my two bits. While I've seen a couple of references to ownership of the medical record, I havent seen anything definitive that defines it (e.g. patient, provider, legal custiodian of record, etc., or some combination). Some countries are giving legal ownership to the patient - and if it moves anywhere it will be there. The author has copyright. Ambiguous ownership has major advantages - and access can be legislated without solving the access problems. Cheers, Sam It seems like this question needs to be clearly agreed on before issues of access can be identified. (It also could be a partial solution to distinguishing between the terms EMR, EHR, EPR). HIPAA aside, it seems that there may be some different legal issues about ownership that would also have implications for access. Any thoughts? >>> "Bill Walton" 04/28/03 12:32PM >>> Hi Sam, > > BW: This is a really interesting problem space to me. I've been studying HIPAA (the Health care Information Portability and Accountability Act) and have become fascinated with the discussion over how best to balance the needs of the various parties involved in the provision and payment of healthcare services so as to improve the quality and decrease the cost of health care here in the U.S.. Talk about a non-trivial problem! Interestingly, it looks to me like all the nonsense can be traced back to the health record and some fundamental questions about who owns it, who controls access to it, etc. Thanks again for sharing. Hope to hear from you soon. > > SH: I agree - it is fascinating. Can I point you to our (original work on this - quite philosophical) which I wrote with Len Doyal - a professor of medical ethics in London. http://www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8 I hate to ask this, but is there one deliverable you could point me to that contains the philosophical stuff? I'm up to my eyeballs right now and I can see there's a whole bunch of good stuff at the Chime site on GEHR that I'll have to get to asap. Thanks, Bill -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/e997479c/attachment.html>
openEHR security
Most of the serious issues in EHR security are essentially ethical, not legal, in nature. When the NHS first introduced a nationwide Healthcare Network, the BMA Ethics Committee advised all practitioners to put NO patient-related data on it because it had not been PROVED that the network's security mechanims could guarantee non-violation of the ethical principles governing access to such data (see Anderson, R. A., Security in Clinical Information Systems, BMA, 1996). Of course, such a proof cannot be performed, not only because the security mechanisms are not formally defined, but because the ethical principles themselves are not formally stated. In an attempt to overcome this obvious impasse, I prepared a tentative formal definition of some of the dozen or so governing ethical principles stated in the BMA document. Unfortunately, this met with a deafening silence from both sides of the argument. I suspect that something of this nature is still needed and that the need for it cannot be admitted by any of the stakeholders. The latest round of discussions of this group merely confirm that suspicion. Those who are interested in this line of enquiry may care to read my seven-year-old paper at http://www.soi.city.ac.uk/~bernie/hsp.pdf On Mon, 28 Apr 2003, Bill Walton wrote: > Date: Mon, 28 Apr 2003 16:33:06 -0500 > From: Bill Walton > To: openehr-technical at openehr.org > Subject: Re: openEHR security > > Hi Thomas, > > Thomas Beale wrote: > > > /snip/ > > > So. What do we know? > > - role-based access control is required. To make it work properly in a > > shared care community context (e.g. a hospital, 50 GPs, aged care homes, > > nursing care, social workers etc etc) then the roles need to be defined > > congruently. I seem to remember some Canadian project coming to the > > conclusion that really the roles need to be defined the same across the > > entire (national) health care system. I think this is both correct and a > > the same time unrealistic. > > With all due respect, Thomas, it it's unrealistic then, IMO, it can't be > correct. (Pragmatism R Us ;-) ) > > I'd like to offer food for thought. The fundamental assumption at work here > seems to be that care givers will access the same system, thus driving the > need for all users of the system to be assigned roles that are defined > congruently. Let's consider an alternative model. > > When I travel from the U.S. to the U.K., I (the physical being) move from > one socio-cultural-legal model to another. That does not change who / what > I am, but it does change my behavior because I operate under a different set > of norms and mores in the new environment. I accept new forms of > interaction and find that familiar forms are no longer available. > > Why should it be any different for the information about me than it is for > me? > > If we work from a perspective that posits that health information will move > from system to system and be used / modified based on the rule sets in place > within the various systems, does that make the problem more amenable to > solution? > > > I think we will be able to find ways of > > having diversely defined roles without every health care facility having > > incompatible definitions of "consultant", "treating physician" etc. > > Bernd's work on this area is pretty detailed. > > I thank Bernd for opening my eyes to what should have been obvious to me at > a much earlier stage. The security problem with EHR systems is > fundamentally the same problem faced in OLAP databases. Or perhaps I should > say that it's the OLAP security problem with a twist. At least OLAP > databases are typically confined to one environment / business. It's clear > that the EHR problem is more difficult in that EHR's must, IMO, be capable > of moving between environments. Perhaps, by requiring a more generalized > solution, the EHR problem will actually be easier to solve. > > I don't know if you've checked out Mike Mair's paper but it implicitly poses > a very interesting question. "Is a biologically-based security model > fundamentally better aligned with the needs of an information system about > biological entities than alternative models?" I'm hopeful the list will > have some comments on Mike's paper. I think the question is worth some > thought / discussion. > > /snip/ > > Best regards, > Bill > > - > If you have any questions about using this list, > please send a message to d.lloyd at openehr.org > Prof Bernard Cohen, Dept of Comp Sc, City Univ, Northampton Sq. London EC1V 0HB tel: ++44-20-7040-8448 fax: ++44-171-477-8587 b.cohen at city.ac.uk WWW: http://www.soi.city.ac.uk/~bernie "Patterns lively of the things rehearsed" - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
GEHR philosophical background info
walton at jstats.com ; openehr-technical at openehr.org Sent: Monday, April 28, 2003 3:04 PM Subject: Re: GEHR philosophical background info I've been following these discussions with a lot of interest. So I guess it's time for me to put in my two bits. While I've seen a couple of references to ownership of the medical record, I havent seen anything definitive that defines it (e.g. patient, provider, legal custiodian of record, etc., or some combination). It seems like this question needs to be clearly agreed on before issues of access can be identified. (It also could be a partial solution to distinguishing between the terms EMR, EHR, EPR). HIPAA aside, it seems that there may be some different legal issues about ownership that would also have implications for access. Any thoughts? >>> "Bill Walton" 04/28/03 12:32PM >>> Hi Sam, > > BW: This is a really interesting problem space to me. I've been studying HIPAA (the Health care Information Portability and Accountability Act) and have become fascinated with the discussion over how best to balance the needs of the various parties involved in the provision and payment of healthcare services so as to improve the quality and decrease the cost of health care here in the U.S.. Talk about a non-trivial problem! Interestingly, it looks to me like all the nonsense can be traced back to the health record and some fundamental questions about who owns it, who controls access to it, etc. Thanks again for sharing. Hope to hear from you soon. > > SH: I agree - it is fascinating. Can I point you to our (original work on this - quite philosophical) which I wrote with Len Doyal - a professor of medical ethics in London. http://www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8 I hate to ask this, but is there one deliverable you could point me to that contains the philosophical stuff? I'm up to my eyeballs right now and I can see there's a whole bunch of good stuff at the Chime site on GEHR that I'll have to get to asap. Thanks, Bill -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/b3642af1/attachment.html>
GEHR philosophical background info
Maybe you don't know it, but since a law dated march 4th 2002, a french citizen has the right to access himself his complete medical record and to get a copy of it without any kind of restrictions. -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/c61684d4/attachment.html>
GEHR philosophical background info
orking Group 1 in TC 215 (Health Records and >Modelling Coordination) was unanimous that it SHOULD be the >patient/consumer who controls access to the EHR and therefore effectively >ownsthe EHR. > > > >In Australia, the Federal Government is quite clear that the >patient/consumer will control access to her/his EHR. Unfortunately, the >fine details of how this will be implemented have not yet been worked out >in terms of the eConsent and access control models. The Federal >Department of Health last year ran a concurrent series of four eConsent >projects. I was the clinical consultant for one of these and Sam Heard >was the clinical consultant to another. There was lots of good material >which came out of these projects including commissioned background papers >and project reports, but we do not yet seem to be much closer to having an >agreed and detailed national e-consent/access control model(s). > > > >I would be happy to dig out the relevant background papers and reports if >you or anyone else on the list would be interested. > > > >Regards > > > >Peter Schloeffel > > > > > >Dr Peter Schloeffel > >Director and CEO > >Ocean Informatics Pty Ltd > > > >30 Winchester Street > >St Peters SA 5069 > >Australia > > > >Tel:+61 (0)8 8363 1642 > >Fax: +61 (0)8 8363 3481 > >Mob: +61 (0)414 669 899 > ><mailto:peter.schloeffel at OceanInformatics.biz>peter.schloeffel at >OceanInformatics.biz > > >www.OceanInformatics.biz > ><http://www.openehr.org/>www.openehr.org > >www.gehr.org > > > > > > > > > >-Original Message- >From: owner-openehr-technical at openehr.org >[mailto:owner-openehr-technical at openehr.org] On Behalf Of Bill Walton >Sent: Tuesday, April 29, 2003 6:03 AM >To: Paul Juarez; openehr-technical at openehr.org >Subject: Re: GEHR philosophical background info > > > >Hi Paul, > > > >I agree completely that the ownership question is fundamental. Until >recently I was under the mistaken impression that everybody agreed that >the patient owned their medical records and that physicians were simply >the stewards. Then I discovered that, as of the early '90's, fewer than >one third of the states here U.S. even had laws that required that >patients be given access to their records. So yes, I think that clearing >up the question of ownership is ultimately necessary. And I'm hoping that >the move to electronic form will, at least in part, both precipitate that >discussion and facilitate the implementation of what I perceive to be to >be the obvious answer. > > > >Best regards, > >Bill > >- Original Message - > >From: <mailto:JuarezPD at wmmcpo.ah.org>Paul Juarez > >To: <mailto:bill.walton at jstats.com>bill.walton at jstats.com ; ><mailto:openehr-technical at openehr.org>openehr-technical at openehr.org > >Sent: Monday, April 28, 2003 3:04 PM > >Subject: Re: GEHR philosophical background info > > > >I've been following these discussions with a lot of interest. So I guess >it's time for me to put in my two bits. While I've seen a couple of >references to ownership of the medical record, I havent seen anything >definitive that defines it (e.g. patient, provider, legal custiodian of >record, etc., or some combination). It seems like this question needs to >be clearly agreed on before issues of access can be identified. (It also >could be a partial solution to distinguishing between the terms EMR, EHR, >EPR). HIPAA aside, it seems that there may be some different legal issues >about ownership that would also have implications for access. Any thoughts? > > > > >>> "Bill Walton" 04/28/03 12:32PM >>> > >Hi Sam, > > > > > BW: This is a really interesting problem space to me. I've been > studying HIPAA (the Health care Information Portability and > Accountability Act) and have become fascinated with the discussion over > how best to balance the needs of the various parties involved in the > provision and payment of healthcare services so as to improve the quality > and decrease the cost of health care here in the U.S.. Talk about a > non-trivial problem! Interestingly, it looks to me like all the nonsense > can be traced back to the health record and some fundamental questions > about who owns it, who controls access to it, etc. Thanks again for > sharing. Hope to hear from you soon. > > > > SH: I agree - it is fascinating. Can I point you to our (original > work on this - quite philosophical) which I wrote with Len Doyal - a > professor of medical ethics in London. > >http://www.chime.ucl.ac.uk/work-areas/ehrs/GEHR/Deliverables.htm#D8 > >I hate to ask this, but is there one deliverable you could point me to >that contains the philosophical stuff? I'm up to my eyeballs right now >and I can see there's a whole bunch of good stuff at the Chime site on >GEHR that I'll have to get to asap. > > > >Thanks, > >Bill -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/a092b7ec/attachment.html>
openEHR security
;fundamentally the same problem faced in OLAP databases. Or perhaps I should >say that it's the OLAP security problem with a twist. At least OLAP >databases are typically confined to one environment / business. It's clear >that the EHR problem is more difficult in that EHR's must, IMO, be capable >of moving between environments. Perhaps, by requiring a more generalized >solution, the EHR problem will actually be easier to solve. > >I don't know if you've checked out Mike Mair's paper but it implicitly poses >a very interesting question. "Is a biologically-based security model >fundamentally better aligned with the needs of an information system about >biological entities than alternative models?" I'm hopeful the list will >have some comments on Mike's paper. I think the question is worth some >thought / discussion. > >/snip/ > >Best regards, >Bill > >- >If you have any questions about using this list, >please send a message to d.lloyd at openehr.org - If you have any questions about using this list, please send a message to d.lloyd at openehr.org -- next part -- An HTML attachment was scrubbed... URL: <http://lists.openehr.org/mailman/private/openehr-technical_lists.openehr.org/attachments/20030429/9891392f/attachment.html>
GEHR philosophical background info
Hi Gerard, Great! Agree! Thanks! -Thomas Clark - Original Message - From: "Gerard Freriks" To: "Thomas Clark" ; "Paul Juarez" ; ; Sent: Monday, April 28, 2003 11:57 PM Subject: Re: GEHR philosophical background info > On 2003-04-29 3:44, "Thomas Clark" wrote: > > > Hi Paul, > > > > > > > > > > You are very right concerning the involvement of judges and attorneys. The > > legal issues must be handled up front. > > > > -Thomas Clark > > > > Yes. > The problem is that in Europe, the USA, Canada, Australia, etc, there are > many legal systems. > One generic solution that will fit all will be difficult. > > The problem is intractable because it is a problem with at 5 degrees of > freedom, if not more. > > In order to solve this we need discussions on: > Descriptions of contexts, > Type of infrastructure (pull/push, federation/messaging, MAC/DAC, the level > of social (persons) control versus the dependency on technology for control, > etc, > What is stored in the audit-log, > Scenario's / use cases. > > And then we can have nice discussions as I read now on this list. > > One solution is to assume for the discussion the existence of a Service next > to the EHR service that will control access. And that the EHR service is > completely ignorant and passive for this Access Service to operate. Then > each country (legal jurisdiction) is able to handle its own context. > And we all can use the same standard for the EHR. > The Access Service will act as 'firewall' and has all the responsibilities > for granting access. > > Personally I favour this simplistic approach. > But I know there are two major contexts: > - within a legal entity > - between legal entities. > In an institution there can be a mix of these two. > > Within a legal entity I will depend on social measures and therefore audit > trails for security. For this solution we need a set of agreed rules plus a > discussion on the content of the audit-trail. > Between legal entities information can only be exchanged when a person > consciously accepts responsibilities for a set of information to be shared > for a specific purpose with a specific set of other persons. The provisions > for exceptions need to be spelled out completely. Here again the audit-tral > and a set of rules are needed. But foremost it must be one person that takes > full responsibility. > As you can see I try to solve the problem by not depending to much on > informational facilities in any EHR. But I will depend on the audit-trail > where will be recorded what was published and what was accessed by whom, for > what purpose, etc. This is not part of the EHR. > > The reason why I'm suggesting this way of solving the problem is: > - the problem of access control is about handling responsibility and proof. > Only persons can be held responsible > - Access control easily assumes that the evaluation of Identity, Role, > Participation, the trustworthiness of information (or sets if information) > are constants of time. All are not constant at all over time. Therefore we > can not rely on machines to operate on values judgements (rules) from the > past. But we need judgements made by responsible persons as a reaction to a > request by an other responsible person as much as possible. > > > > > Gerard > > > > > -- -- > Gerard Freriks, arts > Huigsloterdijk 378 > 2158 LR Buitenkaag > The Netherlands > > +31 252 544896 > +31 654 792800 > > - If you have any questions about using this list, please send a message to d.lloyd at openehr.org
GEHR philosophical background info; different legal jurisdictions
The EU approach to the ownership of medical records is in my opinion the best, reasoned approach. However, this constitutes, in essence, a single legal system in a global community and there are many. At any time one or more of these communities can in a process of restructuring and/or modifying codes that could potentially affect EHR ownership. Enforcement can also be a variable as can code on the books that conflict with existing, enforced code. I have lived in towns and cities that have refused to filter 'old' code and not because it appears funny and ridiculous today but because if more recent code is successfully attacked, modified or overturned the 'old' code is effective and legal. It is a strategic way of running a legal system. OpenEHR security will always have to address ownership issues regardless of the legal forum. A change of administration translates into changes in how daily lives must be conducted. Adaptability is key to survival. HIPPA itself is a prime example of competing forces that will continue to shape it even though it has been enacted and made effective. Legislative bodies legislate and change things. Designing a standard or a system in total conformance to today's version without adaptability is not a good idea. OpenEHR security must function within a human information system not a computer-based system. Wish it wasn't so because handing down a set of commandments in a computer-based system is considerably different, an example being the successful specification of security features for a Secure Data Store. We haven't had this much luck in human-based systems. Healthcare itself is dynamic and is likely to place even more burdens on OpenEHR security, e.g., remote monitoring, diagnosis, prescription and surgery. For example, Elizabeth Maher has submitted a short, recent response to the post 'Re: EPR vs. EHR" that reads: vv The English National Health Service makes an explicit distinction between the "cradle to grave" EHR and the Electronic Patient Record (EPR) which is used to record episodic or periodic healthcare. The EPR is a more generic term and is inclusive of other forms of periodic or episodic health care besides medical care. The proposed ISO definition of the EPR is the same as that of the English NHS except for the addition of the word "episodic". ^^ It is timely since it points out that there are non-medical sources of information that will ultimately have to be considered, e.g., mental health. Each source of information may have a security system separate and distinct from OpenEHR. The interface between security systems cannot be dropped, they must somehow be integrated. "episodic" (includes events, 'one-of-a-kind') records may or may not be important, e.g., the Patient was required to visit a Clinic in China during a business trip within the past two weeks. Records that may or may not have to be integrated but were created and maintained (hopefully) within some security system. Integration would have to be handled consistent with current (at the time) OpenEHR standards. Solutions include encapsulation of 'stray' records into a child EHR; easily controlled and stored. Interestingly encapsulation may also apply to EHRs created and maintained in different legal jurisdictions. SUGGESTION: Local, regional, national and global security monitoring and control is needed but may be dissimilar in many respects. Ownership issues will remain a plague. One might structure a response to include the assignment of a right to copy today's EHR and pertinent history with copy ownership remaining with the Healthcare Practitioner or Organization. -Thomas Clark - Original Message - From: "Bernd Blobel" To: "Paul Juarez" Cc: ; Sent: Tuesday, April 29, 2003 12:56 AM Subject: Re: GEHR philosophical background info > Paul Juarez wrote: > > I've been following these discussions with a lot of interest. So I > > guess it's time for me to put in my two bits. While I've seen a couple > > of references to ownership of the medical record, I havent seen anything > > definitive that defines it (e.g. patient, provider, legal custiodian of > > record, etc., or some combination). It seems like this question needs > > to be clearly agreed on before issues of access can be identified. (It > > also could be a partial solution to distinguishing between the terms > > EMR, EHR, EPR). HIPAA aside, it seems that there may be some different > > legal issues about ownership that would also have implications for > > access. Any thoughts? > > > > > > >>> "Bill Walton" 04/28/03 12:32PM >>> > > Hi Sam, > > > > > > BW: This is a really interesting problem space to me. I've been > > studying HIPAA (the Health care Information Portability and > > Accountability Act) and have become fascinated with the discussion over > > how best to balance the needs of the various parties involved in the > > provision and payment of healthcare services so as to improve the > > quality
openEHR security
Hi Paul, hi the list, Thanks for your post - I thought nobody took the time to read mine ;o) I tried to keep my post in the range of openEHR, however, since you are pushing me one step further, I need to tell that, from my point of view, continuity of care is probably a step to cross, but not the ultimate goal. Once you agree that the patient is the owner of a system (say the EHR in the taxonomy you are proposing), you have to ask yourself : "when, why and by who shall this system get used ?". If you think that Electronic Health Record is the right concept for continuity of care, it is probably because you realized that Health doesn't mean "no disease", and that even people with chronic disease are most often managing their health than they are subject of care. The conclusion we made is that if the system belongs to the patient, it must be a tool for the person (and not only the patient). So, this very tool must be a he "health capital" manager. Since the system we are working on is problem oriented, and it allows to establish health objectives - and not only records, we called it : Individual Health Project. Now the taxinomy is richer, with three acronyms EMR, EHR and IHP ;o) Philippe >Philippe, > >The approach you have identified makes a lot of sense to me and goes a >long ways toward clarifying "ownership" of the record. I do think it >would be helpful to develop standard taxonomy for distinguishing the two: >EMR signifying within a closed health care system, and EHR signifying the >continuity of care record which is the property of the patient. It seems >to me that if this distinction is not made, "ownership" is going to boil >down to issues like "intellectual property." The way I see it, ownership >and access are two, separate, albeit, overlappying issues. Did I hear >somebody mention Napster? > > >>> Philippe AMELINE 04/29/03 > 12:54AM >>> >Hi, > >I must confess I didn't read very carefully each message on this thread ; >however, I think that I may contribute by explaining the direction we are >currently following. > >First I think we must distinguish between care coordination (inside an >openEHR node) and continuity of care. >Continuity of care means that you manage to index every contributions for >a single patient (these contributions can be openEHR contributions or other >systems contribution, or even data here and there). > >The acces rules must be very different in both cases since : >- inside a node (care coordination) the system belongs to the team and/or >the careplace (say it is a domain, maybe a meta-domain) and see patients >passing through (from in to out). >- a continuity of care system necesseraly belongs to the patient (when you >consider a wide period of time, it is the only stable user) and see medical >teams passing through. > >To adress this change of point of view (from a steady referential to a >moving referential), we are building a system with the following rules : >- the continuity of care system is an index of existing contributions and >is granted access rights to the nodes >- inside the continuity of care system, people that may access data are >given a position inside the patient "health team" : the position depends on >the people "job" (doctor, other health professional, family, social worker) >and depends on his "distance" from the patient (usual care giver vs unusual >one). > >Hence the access rights to the contribution are determined for each >possible position and depends on the current role inside the personal halth >team at the very moment. > >You can like the way we do it or not, however, I don't think you can make >proper access rights if you don't adress the issue of steady referential >(care coordination - or groupware) vs moving referential (continuity of >care - every episod of care for every care team). > >Philippe > > > >Hi Thomas, > > > >Thomas Beale wrote: > > > > > >/snip/ > > > > > So. What do we know? > > > - role-based access control is required. To make it work properly in a > > > shared care community context (e.g. a hospital, 50 GPs, aged care homes, > > > nursing care, social workers etc etc) then the roles need to be defined > > > congruently. I seem to remember some Canadian project coming to the > > > conclusion that really the roles need to be defined the same across the > > > entire (national) health care system. I think this is both correct and a > > > the same time unrealistic. > > > >With all due respect, Thomas, it it's unrealistic then, IMO, it can't be > >correct. (Pragmatism R Us ;-) ) > > > >I'd like to offer food for thought. The fundamental assumption at work here > >seems to be that care givers will access the same system, thus driving the > >need for all users of the system to be assigned roles that are defined > >congruently. Let's consider an alternative model. > > > >When I travel from the U.S. to the U.K., I (the physical being) move from > >one socio-cultural-legal model to another. That does
