Patient Centric Electronic Health Records – an Empirical Study on the Acceptance of Different Access Policy Concepts for Critical Medical Data

This paper shows the framework as well as first achievements of an empirical study on access policy concepts for Electronic Health Records (EHR). Access policy concepts for practical usage and the achievements of a locally limited preliminary study, accomplished in spring 2004, will be identified. Introduction, Motivation and Goals Driven by the cost situation in health care, the technical and organisational evolution as well as the application of patient-centered electronical patient files is seen as a chance to improve relevant prevention, diagnosis and therapy processes in health care. The vision is to provide all health care service providers with the relevant information (and only with the relevant information) they need from the extensive patient file for their services. This includes patientspecific information, which has not been entered directly by the attending health service provider. Due to personal rights of the patients and data protection, the management of stored data results in an extensive asymmetry between owner and administrator of the data and the user resp. creator of medical information. On the one hand, the patient possesses the authorization to make the data full resp. restricted available or to lock it, as the information is about him. However, the adequate professional competence to decide about the clearance is not present in a sufficient form. On the other hand, there is the user of the data, usually a medic, who has sufficient professional compentence and who is furthermore the creator of new data for the patient’s file. Due to data security, the medic should not have full access to all stored data. The resulting question is, how to develop a concept to abolish the mentioned information asymmetry without trimming the personal rights of the patient or reducing the effectiveness and efficiency potentials of EHR’s (for a definition of EHR see Waegmann, 1999 or Prokosch, 2001). Here, direct and indirect interaction between patient and medic is needed. Such a solution does not have to be based on a technical level only. It also has to involve the organisational and social level. EHR Access Policy Concepts and Related Work In a management paper on the EHR the “Aktionsforum Telematik im Gesundheitswesen” (ATG activity panel telematics in health care) presents three archetypes of EHR (ATG, 2003): the networked EHR at the general practitioner, the patient-managed EHR and the case-oriented EHR. The model of the networked patient file at the general practitioner can be seen as a digital form of the former ‘paper-based communication’. The general practitioner serves as a central administrator of the patient’s EHR. If another medic examines the patient, he has to submit all relevant examination and documentation data to the general practitioner after the treatment. The general practitioner will insert the data into the EHR. In the patient-managed EHR, the patient has the full control over his examination data exclusively. It can be saved on different storage media: For example on smart-cards, on combinations of optical memory and smart-cards (e.g. Rimec Duocard, Euromed-ID-Systeme) or on web-based systems (e.g. Life-Sensor, PREHRRE-System). In this alternative type of EHR, the patient’s right on informational self-determination is implemented in a way that only the patient grants access to the medic and determines, which data shall be saved or deleted. In the case-oriented EHR, the data are stored locally at the medical facilities where they are created. Each medic submits diagnostic-oriented content only to the patient file located on a surgery PC. Other medics have reading access to this folder by using a secure network. The patient restricts the access to his health data by giving health professionals links and access codes (“tickets” volume with one or several transaction numbers (TAN)). These links are created by the medics who host the patient specific health data on their server (Bultmann et al., 2002). The patient manages the TAN, providing them to medics he wants to grant access to specific data (Kassenärztliche Bundesvereinigung, 2002). Further considerations include the implementation of additional central components (regional server) that act as a termporary cache (e.g. see Kassenärztliche Vereinigung Nordrhein, 2004). The networked EHR at the general practitioner and the case-oriented EHR can be based on the combination of a “chip card including key functions and a secured access to pseudonymised data” (Bultmann et al., 2002). These concepts thereby are suitable to be supported by the new German recordable chip card (Patient Data Card, PDC) that will be introduced on January 1, 2006. In combination with the Health Professional Card (HPC), the PDC will become an essential component for authorisation and for declarations of intention (Debold & Lux, 2004). According to (Debold & Lux, 2004) and (Bultmann et al., 2002), the process of consultation is shown. Within this scenario a case-oriented EHR is used. An adequate role concept, as shown in (Sergl, 2001), (Brose et al., 2002) or (BITKOM et al., 2003) is assumed. 1. The patient enters the physician’s surgery. 2. The general data (identification, insurance) will be selected from the patient’s chip card at the reception. 3. After entering the examination room, an authentification using the HPC and the PDC is done. The genuineness of the cards is proved and the access rights will be granted. 4. Patientand case-specific, the medic interviews the patient about his past medical history and habits. The patient grants the medic access to parts of his (distributed) EHR by electronic tickets. The medic uses the tickets in combination with his HPC to get relevant patient data from the servers of other medical facilities. 5. New data is created during the examination and treatment of the patient. The medic informs the patient at the end of an examination or treatment about the newly created documents. 6. The medic asks the patient about the preferred access rights of the new documents. In a first step, he asks whether the patient wants to have access (for other medics) or not. In accordance with the patient, he then links the location of the new documents (stored on a local server) with the card. At the same time, tickets are generated that make the documents available to other medics (after handed out by the patient). 7. The patient has to sign his approval on a printout or with a signature in the file. Besides the changes in existing examination processes, this example emphasizes on the problem of the administration of the access rights, which already exists in the case-oriented EHR and also in the patient-managed EHR. Additionally, the question of the acceptance of the medics has to be solved. Study Design Against this background, the goal of the described project is to evaluate concepts for controlling access to patient data stored on EHR. Especially the suitability for daily use, meaning the integration of different solutions into existing workflows of the practitioner, should be evaluated. For that purpose, the three primary concepts and some of their most important mutations as they are drafted and discussed by experts, will be provided to a wide circle of practicing medics for an empirical study. The scientific project consists of two phases: On the one hand, concept, execution and evaluation of a regional restricted pre-study and on the other hand the concept, execution and evaluation of the scientific study itself. Both phases include the necessary literature survey and expert discussions for the concept. The second phase, further on called main study, thereby bases on the conclusions (as partially described subsequently) and the derived perceptions from the pre-study. For the main study, a national survey via online questionnaire is scheduled for the second half of 2004. The questions identified as relevant in the pre-study will focus more on the processes of controlling the data access, which is stored on the case-oriented and patient-managed EHR’s. General acceptance, as the focus of the pre-study, will not be the major question of the main study. The realisation of preand main study takes place within the scope of the eHealth-Lab at the University of Hohenheim (see eHealth-Lab, 2004). The results will be offered to expert panels working on the creation of an area-wide telematic infrastructure in Germany.