13

Amongst the open source EMRs, which ones may be good to learn from? Any references I can go to as a starting point?

Gilles 'SO- stop being evil'
Ming K

2 Answers

15

Several of the PHP-based Open Source EHR systems have used PHP GACL for access control. Although I am not sure how often it is used any more, it is a good place to start to look at how role-based ACL can be implemented and controlled. PHP GACL provides a three-tier access model, so that you can split things up into access triads. Rules like role:doctor power:modify data:patient records can be made and intelligently exempted, such as role:doctor power:read data:patient except where doctor=Dr. Smith, power=read and patient=Dr. Smith's daughter.

I am not sure how VistA does access control, but I believe that it does have the power to do both the general rules and to create these more subtle exceptions.

The combination of healthcare IT regulations in the U.S. has given further structure to the access control issue. First, of course, is HIPAA, which insists that access control enforce the "minimum necessary" standard. 164.312 and 164.308(a)(4), 45 CFR 164.502(b) and 45 CFR 164.514(d) of the security rule require this access control. But rather than read those standards, HHS has a nice summary of the notion of minimum necessary.

So an EHR must be configured so that each user has access to the minimum necessary to do their job. This means that access control in healthcare is largely job-dependent. Practically speaking, that means that the best practice is simply to ask "does this type of user need access to this type of patient data to do their job?" If the answer is no, then a role-based access control restriction should prevent access, and probably automatically log access attempts for that combination of role and data object.

Meaningful use also has a core requirement (#15, protect electronic health information) that requires access control, mostly just by requiring audit enforcement of the 45 CFR 164.308(a)(1) portion of HIPAA. So you have to do access control, and you need to have audited compliance with that access control.

Notice that none of these regulations has said "Doctors should be able to do X and not Y" or "Schedulers should be able to see B but not C". This is quite intentional. There are so many naturally occurring variations of workflows in hospitals and clinics that there is no one-size-fits-most advice that really works, much less one-size-fits-all. So the only things that are required are that

  1. Every employee should not be able to access everything and
  2. What they do have access to should be related to what they do for their job and
  3. You actually have to enforce it.

There are two general caveats to those details. "1." may not apply if your practice is small enough. If a practice is composed of one other person besides a doctor who does scheduling, nursing, billing, office management and takes out the garbage, then that person will probably need to have access to just about everything in the EHR. If you have all of the jobs, then you get the access of all of the jobs. Be sure to document this fact, however, to show that you considered the possibility of more stringent access controls, but rejected it for practical reasons.

Second, while PHP GACL etc. can do tremendously complex things, many EHR systems will have simplistic or backward access control implementations. You may be very limited by what your EHR can do or what it can easily be configured to do. Again, if your EHR design does not allow you to handle access control in a way that is compatible with your workflow needs (forcing you to grant more generous access than you would prefer), be sure to formally document that too. Also file a bug with your vendor.

In general, I think the target should probably be "compliance" unless your particular EHR has a "best practice" regarding how to set things up. VistA, for instance, has a kind of "zen of VistA" for all configuration decisions: a documented or informal rule about the right way to handle a particular configuration.

O'Reilly has released a guide to meaningful use called 'Meaningful Use and Beyond' (shameless plug... I wrote it). This issue is discussed in chapter 8 (meaningful use overview) and chapter 12 (on HIPAA).

  • What a coincidence, I was just reading this book on Safari Books Online this morning. I really enjoyed your work, and thank you for this thoughtful response. – Ming K Nov 10 '11 at 07:00
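As an added illustration of the triad-with-exceptions model and the "log refused combinations" advice in the answer above (example code written for this page, not from the answer, PHP GACL or any EHR; the rule fields, user names and patient identifiers are constructed):

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed minimal policy engine: general (role, power, data) grants,
# narrow deny exceptions that override them, deny-by-default otherwise,
# and an audit record for every refused attempt.

@dataclass(frozen=True)
class Rule:
    role: str                       # e.g. "doctor"
    power: str                      # e.g. "read", "modify"
    data: str                       # e.g. "patient_records"
    allow: bool = True              # False = exception that denies a subset
    user: Optional[str] = None      # narrow an exception to one specific user
    patient: Optional[str] = None   # narrow an exception to one specific patient

@dataclass
class PolicyEngine:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)

    @staticmethod
    def _matches(rule, user, role, power, data, patient):
        # None in a rule's user/patient field means "any user" / "any patient".
        return (rule.role == role and rule.power == power and rule.data == data
                and rule.user in (None, user) and rule.patient in (None, patient))

    def check(self, user, role, power, data, patient=None):
        matched = [r for r in self.rules
                   if self._matches(r, user, role, power, data, patient)]
        # Deny by default: access needs at least one matching grant and no
        # matching deny exception.
        allowed = (any(r.allow for r in matched)
                   and not any(not r.allow for r in matched))
        if not allowed:
            # Minimum necessary: every refused role/data combination is recorded.
            self.audit_log.append(
                f"DENY user={user} role={role} power={power} data={data} patient={patient}")
        return allowed

# Constructed rules mirroring the answer's example.
POLICY = PolicyEngine([
    Rule("doctor", "read", "patient_records"),
    Rule("doctor", "modify", "patient_records"),
    Rule("scheduler", "read", "appointments"),
    # Exception: Dr. Smith may not read his own daughter's record.
    Rule("doctor", "read", "patient_records", allow=False,
         user="dr_smith", patient="smith_daughter"),
])
```

A scheduler asking for patient records, or Dr. Smith asking for his daughter's record, is refused and leaves an entry in `POLICY.audit_log`.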
2

In order to implement HIPAA and in particular HL7 scenarios such as the ones described here, it is worth considering attribute-based access control (ABAC) and XACML, the OASIS standard that implements ABAC.

David Brossard