Comprehensive management of the access to the electronic patient record: Towards trans-institutional networks
This article describes a method for providing access rights and assuring security and privacy for electronic medical records across the four campus network of the University Geneva Hospitals. The authors posit that this methodology could be expanded to manage access and security for trans-institutional networks.
The conceptual framework for the methodology is that “(i) accesses to the patient record must fit within a therapeutic relationship or one associated to (medical clerks) and (ii) the extent to which this is possible will vary according to the needs, i.e. according to the role of the user at the time of the access.” The system in built upon the following components:
- User login and authentication through use of smartcard and ID number;
- Access profiles for each type of role of a user;
- Atomic rights of users, such as “signing a medical record, ordering a radiology exam, ordering ward materials.” Various rights are assigned to profiles, the rights behave according to the context of care, and are independent from the applications;
- Validity domains describe the context of care, such as medical service (cardiology) or care location (ward) that limit the domain in which an atomic right is executed. For example, a nurse may access patients in his/her ward, but not in other wards;
- Access is granted for a given time period, and must be renewed periodically;
- Demonstration of an a priori therapeutic relationship between the user and the patient is the most challenging aspect of the system due to call schedules, care provided by telephone, and transfers of care, etc.
At the organizational level, the definition and validation of users, profiles and rights are managed centrally, while the granting process is decentralized. Access can thus be granted by people working very close to users with a very fast response time, as is needed during emergency care. An additional escape mechanism, called “breaking the glass” is provided to some users such as physicians who can escape system constraints by providing justification. All accesses of this type are automatically reviewed.
Access tracking is vital to security and is visible to all providers, managers, and patients. This allows patients to monitor the security of their own information.
The authors report that this system has been successfully operational for 5 years and conclude that this system of access and security can manage the greater complexity of a multi-institutional environment. Amanda Clark