Comments on EHR Bloggers: ONC elaborates on security and privacy

You raise some interesting points. Briefly: 1. The...

2009-10-04T07:57:24.763-07:00

You raise some interesting points. Briefly:
1. The permissions rules engine will continue to evolve in its sophistication, and allow for fairly detailed granularity. We will comment on this with more detail in upcoming blog pieces – stay tuned.
2. The security and privacy built in to the Practice Fusion system does not allow IT staff to look at PHI. We have in place layers of audit and security that protect against this, and we keep track of an audit log that shows who has opened which patient’s record.
3. Pharmacy does not share in an EHR. They receive prescriptions (paper or electronic), which (from a data standpoint) are the minimally-necessary exports of packets of information needed for the legal filling of a prescription.

Robert, I am very interested in the "permissions r...

2009-10-02T08:35:33.892-07:00

Robert,
I am very interested in the "permissions rule engine". Based on my background in web application access control a few thoughts come to mind:
1. Can the patient define permissions on their health record? Maybe she does not want her gynecology lab results visible by her opthalmologist?
2. Does an IT admin, maintaining the EHR system have visibility into patient health records? By his job definition he has superuser rights to the database to keep it going, but how do we prevent him from viewing confidential patient data?
3. Granularity of access: The pharmacist can view John's name and address for prescription verification but can he view the diagnosis?

regards...