Comprehensive management of the access to the electronic patient record: Towards trans-institutional networks

doi:10.1016/j.ijmedinf.2006.09.014

International Journal of Medical Informatics

Volume 76, Issues 5–6, May–June 2007, Pages 466-470

https://doi.org/10.1016/j.ijmedinf.2006.09.014 Get rights and content

Abstract

Background

A system ensuring tight control access is used since 5 years at the University Geneva Hospitals (HUG) over a four campuses health care system with ambulatory care settings behaving like a small community care network. Access to identified clinical information is limited to care providers that have a therapeutic relationship with the patient and to those data needed for that relation. The same policy applies to administrative or scientific research accesses. This paper presents how the HUG met the challenging goal of protecting patient privacy within regulatory limits while keeping the system operational in terms of use and management.

Solution

The main characteristics of the system are: (a) an institution-wide policy for access rights to the computerized patient record; (b) an institutional management of the contracts of the collaborators; (c) access profiles based on application-independent, fine-grained access rights; (d) a decentralized attribution of profession-specific access profiles; (e) a complete, centralized log of all accesses to the clinical information system; and (f) a decentralized verification of the accesses. Many of these characteristics can be maintained when evolving towards a trans-institutional computerized patient record, but new constraints need to be taken into account.

Introduction

Privacy, accesses rights management, security are discussed since many years in the field of medical informatics [1]. Meanwhile, computerized patient records (CPR) evolve towards collaborative tools for care providers and patients in an ever-increasing networked environment, highlighting the need for complex rights managements. At the hospital level already, the CPR is an important collaborative tool shared among many different care providers and administrative or scientific services to fulfil all needs. Providing a comprehensive, fast and simple access management system that is compatible with the daily operational work while respecting the privacy of patients is a challenging goal [2], [3].

The Geneva University Hospitals (HUG) is a consortium of hospitals in four campuses and more than 30 ambulatory facilities in the state, comprising more than 2000 beds, 5000 care providers, over 45,000 admissions and 750,000 outpatients visits each year. It covers the whole range of in- and outpatient care, from primary to tertiary facilities. The HUG is the major public healthcare facility in the Geneva region and the adjacent France. The in-house developed CPR is used in the complete HUG and runs on more than 4500 PCs. More than 20,000 records are open every day, 7 days a week, around the clock with never less than 200 records accessed each hour. The system is used by around 3000 care providers from all functions, including physicians, nurses, medical secretaries, social care providers, physiotherapists, nutritionists, music therapists, etc. In addition, the CPR is used for many other purposes than care, such as admission clerks, billing, resource management, epidemiology, clinical research, among others. In order to ensure the best protection to patient's privacy while ensuring the best operational model and respecting legal constraints, we developed a complete process for right managements. This process is based on four pillars:

(a)
Institutional committee in charge of defining and validating the concepts and profiles of rights.
(b)
A standardized and unified computerized access management allowing centralization of the definition of the profiles and decentralization of the attribution to users.
(c)
A standardized track&trace computerized system in charge of tracking and consolidating all access to identified data that allows all accesses to be reviewed.
(d)
Institutional procedures to review, validate or sanction inappropriate accesses.

In addition, the track&trace utility produces a list of all users that accessed a record which is available directly in the record and, therefore, visible to the patient.

Section snippets

The conceptual framework

Fundamentally, it has been agreed that (i) accesses to the patient record must fit within a therapeutic relationship or one associated to (such as medical clerks) and (ii) the extent to which this is possible will vary according to the needs, i.e., according to the role of the user at the time of the access. The following points are the major components on which the system is built.

Organisational issues

In order to gain access to identified clinical information, the user must fulfil the following set of requirements:

-
have a valid contract with the institution;
-
have a profile attributed within the last 12 months;
-
the profile must be active at least in one domain;
-
the patient whose data will be accessed must be in the same domain at the same time.

The information that can be accessed and the actions that can be taken are under the control of the atomic rights included in the profile.

A user can have

Tracking accesses

In addition to a strict access policy restricting who can access what, and a mandatory review of all accesses made using the “break the glass” escape mechanism, all accesses to any clinical data from any application is tracked centrally and will is visible, in real-time, in the patient record, which is available to care providers and the patient itself. This is a first important step towards giving the patient control over his own data, and especially his medical data.

Technical aspects

The system is a Java, component-based architecture made of two major groups of components: one dealing with a priori authorisation and access management, and another dealing with a posteriori surveillance, based on access logs. For both groups, there are business components and user-interface components. The business components communicate with HTTP/XML protocols [4], including Simple Object Access Protocol (SOAP), but do also include technical interface to third party applications. As a

Evolving towards a trans-institutional network

The HUG's CPR can be considered as an institutional network. Moving towards a trans-institutional network, as planned and designed in the “e-toile” community health information network [5], will require several adjustments to the current model (Fig. 3).

Firstly, the therapeutic relationship will be materialized by the physical co-existence of the professional's card and the patient's card. The access profile of the professional will describe the default behaviour of the system, but the patient

Conclusion

The HUG have developed a framework covering organisational issues, regulatory constraints and technical solutions to ensure a proper level of privacy protection while ensuring a manageable operational load for handling right accesses to identified clinical information. The system, operational for 5 years, has been made mandatory for all in-house and third party application, allowing a unique concept of protection to be implemented. Managing accesses in health is a complex challenge: it implies

References (5)

F.H. Roger France
Security of the electronic health record
Stud. Health Technol. Inform.
(1997)
J.R. Scherrer
The problems related to confidentiality and effectiveness of health care
Eff. Health Care
(1983)

There are more references available in the full text version of this article.

Cited by (33)

Evaluation of an Enhanced Role-Based Access Control model to manage information access in collaborative processes for a statewide clinical education program
2014, Journal of Biomedical Informatics
Managing information access in collaborative processes is a critical requirement to team-based biomedical research, clinical education, and patient care. We have previously developed a computation model, Enhanced Role-Based Access Control (EnhancedRBAC), and applied it to coordinate information access in the combined context of team collaboration and workflow for the New York State HIV Clinical Education Initiative (CEI) program. We report in this paper an evaluation study to assess the effectiveness of the EnhancedRBAC model for information access management in collaborative processes when applied to CEI.
We designed a cross-sectional study and performed two sets of measurement: (1) degree of agreement between EnhancedRBAC and a control system CEIAdmin based on 9152 study cases, and (2) effectiveness of EnhancedRBAC in terms of sensitivity, specificity, and accuracy based on a gold-standard with 512 sample cases developed by a human expert panel. We applied stratified random sampling, partial factorial design, and blocked randomization to ensure a representative case sample and a high-quality gold-standard.
With the kappa statistics of four comparisons in the range of 0.80–0.89, EnhancedRBAC has demonstrated a high level of agreement with CEIAdmin. When evaluated against the gold-standard, EnhancedRBAC has achieved sensitivities in the range of 97–100%, specificities at the level of 100%, and accuracies in the range of 98–100%.
The initial results have shown that the EnhancedRBAC model can be effectively used to manage information access in the combined context of team collaboration and workflow for coordination of clinical education programs. Future research is required to perform longitudinal evaluation studies and to assess the effectiveness of EnhancedRBAC in other applications.
Security and privacy in electronic health records: A systematic literature review
2013, Journal of Biomedical Informatics
Citation Excerpt :
Two certificates are employed: a security processor certificate that contains a key-pair which is used for the cryptographic authentication of the machine and is bound to its unique hardware features, and a separate certificate called a rights management account certificate which contains a key-pair used for the authentication of the user and is bound to the user’s unique identifier and email address. Other access mechanisms presented in the studies are: username/password [5,27,32,35,50,62,74], login/password combined with a digital certificate [27,62,63,67,68], password and PIN [51–53], a smart card and its PIN [32,54–56,67,75], a smart card, its PIN and a fingerprint [36] and access policy spaces [40]. Daglish and Archer [61] use a username and a key by employing one of the following methods: (1) physical location as part of authentication; (2) the use of the Web and a security certificate of a trusted organization.
To report the results of a systematic literature review concerning the security and privacy of electronic health record (EHR) systems.
Original articles written in English found in MEDLINE, ACM Digital Library, Wiley InterScience, IEEE Digital Library, Science@Direct, MetaPress, ERIC, CINAHL and Trip Database.
Only those articles dealing with the security and privacy of EHR systems.
The extraction of 775 articles using a predefined search string, the outcome of which was reviewed by three authors and checked by a fourth.
A total of 49 articles were selected, of which 26 used standards or regulations related to the privacy and security of EHR data. The most widely used regulations are the Health Insurance Portability and Accountability Act (HIPAA) and the European Data Protection Directive 95/46/EC. We found 23 articles that used symmetric key and/or asymmetric key schemes and 13 articles that employed the pseudo anonymity technique in EHR systems. A total of 11 articles propose the use of a digital signature scheme based on PKI (Public Key Infrastructure) and 13 articles propose a login/password (seven of them combined with a digital certificate or PIN) for authentication. The preferred access control model appears to be Role-Based Access Control (RBAC), since it is used in 27 studies. Ten of these studies discuss who should define the EHR systems’ roles. Eleven studies discuss who should provide access to EHR data: patients or health entities. Sixteen of the articles reviewed indicate that it is necessary to override defined access policies in the case of an emergency. In 25 articles an audit-log of the system is produced. Only four studies mention that system users and/or health staff should be trained in security and privacy.
Recent years have witnessed the design of standards and the promulgation of directives concerning security and privacy in EHR systems. However, more work should be done to adopt these regulations and to deploy secure EHR systems.
Electronic health record implementation and hospitals' total factor productivity
2013, Decision Support Systems
The adoption and implementation of electronic health record (EHR) systems have been widely promoted as a means for improving health care delivery and controlling costs in U.S. hospitals. To date, the results of efforts to adopt such systems have been mixed and often unsuccessful. This paper uses frontier analysis to measure hospitals' Total Factor Productivity (TFP) during 2006–2008 and compare it to nine different stages of EHR implementation. Overall, we find that hospitals implementing EHR systems have lower TFP gains relative to those facilities that have as yet to adopt. In particular, hospitals that attempt to fully implement an EHR in one year, the ‘Big Bang’ strategy, have relatively low TFP levels. Therefore, the anticipated savings from increased EHR use may not be realized in the near-term for EHR system adopters. Moreover, an evidence-based approach to developing the ‘Meaningful Use’ incentive and reward program for EHR implementation is warranted.
Implementing electronic lab order entry management in hospitals: Incremental strategies lead to better productivity outcomes
2013, International Journal of Information Management
This paper evaluates the impact of varying implementation of electronic lab order entry management (eLAB) system strategies on hospitals’ productivity in the short run. Using the American Hospital Association's Annual Surveys for 2005–2008, we developed hospital productivity measures to assess facilities’ relative performances upon implementing eLAB systems. The results indicate that different eLAB system implementation strategies were systematically related to changes in hospitals’ relative productivity levels over the years studied. Hospitals that partially implemented an eLAB system without completing the roll-out experienced negative impacts on productivity. The greatest loss in short-term productivity was experienced by facilities that moved from having no eLAB system to a complete implantation in one year—a strategy called the “Big Bang”. The hybrid approach of a limited introduction in one period followed by complete roll-out in the next year was the only eLAB system implementation strategy associated with significant productivity gains. Our findings support a very specific strategy for eLAB system implementation where facilities began with a one-year pilot program immediately followed by an organization-wide implementation effort in the next period.
An enhancement of the Role-Based Access Control model to facilitate information access management in context of team collaboration and workflow
2012, Journal of Biomedical Informatics
Citation Excerpt :
Information access is an essential requirement to biomedical research, clinical education, and patient care [1–7].
Although information access control models have been developed and applied to various applications, few of the previous works have addressed the issue of managing information access in the combined context of team collaboration and workflow. To facilitate this requirement, we have enhanced the Role-Based Access Control (RBAC) model through formulating universal constraints, defining bridging entities and contributing attributes, extending access permissions to include workflow contexts, synthesizing a role-based access delegation model to target on specific objects, and developing domain ontologies as instantiations of the general model to particular applications. We have successfully applied this model to the New York State HIV Clinical Education Initiative (CEI) project to address the specific needs of information management in collaborative processes. An initial evaluation has shown this model achieved a high level of agreement with an existing system when applied to 4576 cases (kappa = 0.801). Comparing to a reference standard, the sensitivity and specificity of the enhanced RBAC model were at the level of 97–100%. These results indicate that the enhanced RBAC model can be effectively used for information access management in context of team collaboration and workflow to coordinate clinical education programs. Future research is required to incrementally develop additional types of universal constraints, to further investigate how the workflow context and access delegation can be enriched to support the various needs on information access management in collaborative processes, and to examine the generalizability of the enhanced RBAC model for other applications in clinical education, biomedical research, and patient care.
Access control management in electronic health records: A systematic literature review
2012, Gaceta Sanitaria
Este trabajo presenta los resultados de una revisión sistemática de la literatura relacionada con aspectos del control de acceso en sistemas de historias clínicas electrónicas, la seguridad en entornos inalámbricos y la formación de los usuarios de dichos sistemas en temas de privacidad y seguridad.
Como fuente de información se utilizaron artíıculos originales encontrados en las bases de datos Medline, ACM Digital Library, Wiley InterScience, IEEE Digital Library, Science@Direct, MetaPress, ERIC, CINAHL y Trip Database, publicados entre enero de 2006 y enero de 2011. Se extrajeron 1208 artículos usando una cadena de búsqueda predefinida, y el resultado fue revisado por los autores. El resultado final de la selección fue de 24 artículos.
21 de los artículos encontrados mencionaban las políticas de acceso a los sistemas de historias clínicas electrónicas. Once artículos discuten si deben ser las personas o las entidades quienes concedan los permisos en las historias clínicas electrónicas. Los entornos inalámbricos sólo se consideran en tres artículos. Finalmente, sólo cuatro citan expresamente que es necesaria la formación técnica de los usuarios.
El control de acceso basado en roles es el mecanismo preferido para implementar la política de acceso por los diseñadores de historias clínicas electrónicas. El control de acceso es gestionado por usuarios y profesionales médicos en la mayoría de los sistemas, lo que promulga el derecho del paciente a controlar su información. Por último, la seguridad en entornos inalámbricos no es considerada en muchos casos, y sin embargo, una línea de investigación es la eSalud en entornos móviles, conocida como mHealth.
This study presents the results of a systematic literature review of aspects related to access control in electronic health records systems, wireless security and privacy and security training for users.
Information sources consisted of original articles found in Medline, ACM Digital Library, Wiley InterScience, IEEE Digital Library, Science@Direct, MetaPress, ERIC, CINAHL and Trip Database, published between January 2006 and January 2011. A total of 1,208 articles were extracted using a predefined search string and were reviewed by the authors. The final selection consisted of 24 articles.
Of the selected articles, 21 dealt with access policies in electronic health records systems. Eleven articles discussed whether access to electronic health records should be granted by patients or by health organizations. Wireless environments were only considered in three articles. Finally, only four articles explicitly mentioned that technical training of staff and/or patients is required.
Role-based access control is the preferred mechanism to deploy access policy by the designers of electronic health records. In most systems, access control is managed by users and health professionals, which promotes patients’ right to control personal information. Finally, the security of wireless environments is not usually considered. However, one line of research is eHealth in mobile environments, called mHealth.

View all citing articles on Scopus

View full text