Who Should Access Electronic Patient Records

Access control to Electronic Patient Records (EPR) may depend greatly on users’ objectives and needs. The purpose of this study is to assess the opinions of medical doctors within a university hospital towards access control to an EPR. We selected a randomized sample of 58 doctors from a university hospital, and 45 structured interviews were conducted. 42 respondents (93%) agree with the existence of access control levels to patient information according to healthcare professionals’ category, and 31 (69%) think that more sensitive information (e.g. HIV) should be accessed only by the doctors who treat those patients. While 24 doctors (53%) feel that there is no need for them to see all information about all patients, 41 (91%) think that nurses should not be able to do so either. Further, 31 doctors (69%) believe that patients themselves should not access their full medical record. These results show that it is very hard for the EPR’s regular users to reach a consensus policy on access control. There is therefore a need for a multidisciplinary agreement that includes healthcare professionals’ experiences and needs in order to define the most appropriate and efficient way to perform access control to the EPR.
