The Challenge of Access Control

The foundations of the relationship between a clinician and a patient are the delivery of clinical care to the highest possible standard and the respect for patient autonomy [27]. This inevitably means that the right to informed consent and the right to confidentiality are important moral principles for a good health record system. Patients should exercise as much choice over the content and movement of their health records as is consistent with good clinical care and the lack of serious harm to others. Records should be created, processed and managed in ways that optimally guarantee the confidentiality of their contents and legitimate control by patients in how they are used. The communication of health record information to third parties should take place only with patient consent unless emergency circumstances dictate that implied consent can safely be assumed. Around the globe these principles are progressively becoming enshrined in national data protection legislation.

In an ideal world, each fine-grained entry in a patient's record should be capable of being associated with an access control list of persons who have rights to view that information, which has been generated or at least approved by the patient and which reflects the dynamic nature of the set of persons with legitimate duty of care towards patients through their lifetime. The access control list will ideally include those persons who have rights to access the data for reasons other than a duty of care (such as health service management, epidemiology and public health, consented research) but exclude any information which they do not need to see or which the patient feels is too personal for them to access. On the opposite side, the labelling by patients or their representatives of information as personal or private should not hamper those who legitimately need to see the information in an emergency, nor give genuine healthcare providers such a filtered perspective that they are misled into managing the patient inappropriately. Patients' views on the inherent sensitivity of entries in their health record may evolve over time, as their personal health anxieties alter or as societal attitudes to health problems change. Patients might wish to offer some heterogeneous levels of access to family, friends, carers and members of their community as well as to those in healthcare professions. Families may wish to provide a means by which they are able to access parts of each other's records (but not necessarily to equal extents) in order to monitor the progress of inherited conditions within a family tree.

Such a set of requirements is arguably more extensive than that required of the data controllers in most other industry sectors. It is in practice made extremely complex by:

• the numbers of health record entries made on a patient during the course of modern healthcare,

• the numbers of healthcare personnel, often rotating through posts, who might potentially come into contact with a patient at any one time,

• the numbers of enterprises with which a patient might come into contact during his lifetime,

• the difficulty (for a patient or for anyone else) of classifying in a standardised way how sensitive a record entry might be,

• the difficulty of determining how important a single health record entry might be to the future care of a patient, and to which classes of user,

• the logically indelible nature of the EHR and the need for revisions to access control to be rigorously managed in the same way as revisions to the EHR entries themselves,

• the need to determine appropriate access very rapidly, potentially in less than one second,

• the low level of concern the majority of patients have about these requirements,

• the high level of concern expressed by a growing minority of patients to have their consent for disclosure recorded and respected.

In order to support interoperable EHRs, and seamless communication of EHR data between providers of healthcare, the negotiation that is required to determine if a given requestor of EHR data should be permitted to receive the data needs to be capable of automation. If this were not possible, the delays and workload of managing human decisions for every or most record communications would obviate any value in striving for data interoperability: paper would probably be just as quick!

In practice, efforts are in progress to develop international standards for defining access control and privilege management systems that would be capable of computer-to-computer negotiation. However, this kind of work is predicated upon health services agreeing on a mutually consistent framework for defining the privileges they wish to assign to staff, and the spectrum of sensitivity they offer for patients to define within their EHRs.

The main principles of the approach to standards development in the area of EHR communications access control are to match the characteristics and parameters of a request to the EHR provider's policies, and with any access control or consent declarations within the specified EHR, to maintain appropriate evidence of the disclosure, and to make this capable of automated processing.

This requires consistency in the way the relevant information is expressed, to make this sensibly scalable at definition-time (when new EHR entries are being added), at run-time (when a whole EHR is being retrieved or queried), and durable over a patient's lifetime. It is also important to recognise that much diversity will exist across Europe on the specific approaches to securing EHR communications — including differing legislation — and that a highly prescriptive approach to standardisation is not presently possible.

The view taken by the authors, and reflected in work currently in progress within CEN (towards EN13606) is that a coarse-grained categorisation is needed for staff privilege, for record sensitivity and for their interrelationship. Such a framework needs to be underpinned by a sound set of defaults, in which the public have a high degree of confidence, since the vast majority of record accesses will occur in situations where patients do have trust in their clinical carers, and will wish to exercise few if any specific constraints, if those defaults are seen to be adequate.
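The following is an added illustration of the coarse-grained approach just described, written for this page and not taken from the authors' work or from EN13606: a request's parameters are matched first against the patient's consent declaration held with each entry, then against a default privilege/sensitivity matrix, and every decision (including an emergency override) is written to an evidence list. The category names, the default ceiling matrix, the `Entry`/`Request` shapes and the sample record are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone
from enum import IntEnum

# Coarse-grained categories for record sensitivity and staff privilege; the
# labels are constructed for this example, not the EN13606 category names.
class Sensitivity(IntEnum):
    CARE_MANAGEMENT, CLINICAL, PRIVILEGED, PERSONAL = 1, 2, 3, 4

class Privilege(IntEnum):
    ADMINISTRATIVE, CLINICIAN, TREATING_CLINICIAN = 1, 2, 3

# Default interrelationship: the most sensitive category each privilege may
# read when the patient has declared no constraint of their own.
DEFAULT_CEILING = {Privilege.ADMINISTRATIVE: Sensitivity.CARE_MANAGEMENT,
                   Privilege.CLINICIAN: Sensitivity.CLINICAL,
                   Privilege.TREATING_CLINICIAN: Sensitivity.PRIVILEGED}

# Entry: sensitivity plus the patient's consent declaration (refused privilege names).
Entry = namedtuple("Entry", "entry_id sensitivity denied", defaults=(frozenset(),))
# The parameters of a request that the policy is matched against.
Request = namedtuple("Request", "requester privilege emergency reason",
                     defaults=(False, ""))

def decide(entry, req):
    """Consent declaration first, then the default matrix; a clinical emergency
    overrides a refusal but is labelled so the override can be audited later."""
    if req.emergency and req.privilege >= Privilege.CLINICIAN:
        return True, "emergency override"
    if req.privilege.name in entry.denied:
        return False, "refused by patient consent declaration"
    if entry.sensitivity <= DEFAULT_CEILING[req.privilege]:
        return True, "default policy"
    return False, "sensitivity exceeds privilege ceiling"

def disclose(record, req, evidence):
    """Filter a record for one requester, logging one evidence row per entry."""
    released = []
    for e in record:
        ok, basis = decide(e, req)
        evidence.append((datetime.now(timezone.utc).isoformat(), req.requester,
                         e.entry_id, ok, basis, req.reason))
        if ok:
            released.append(e)
    return released

# Constructed sample record: the patient has refused general clinicians entry e2.
RECORD = [Entry("e1", Sensitivity.CLINICAL),
          Entry("e2", Sensitivity.PRIVILEGED, frozenset({"CLINICIAN"})),
          Entry("e3", Sensitivity.PERSONAL)]
```

Because each decision is a set lookup and a dictionary lookup, the check stays well inside the sub-second budget noted above even for records with many entries, while the evidence list retains the basis for every release and refusal.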

This is a rapidly progressing aspect of health informatics standardisation, and the reader is encouraged to review the latest versions of publications from ISO TC/215 in this field.
