Note: This page is no longer in use.
...
USE CASES, PROBLEMS AND REQUIREMENTS
What standards are we trying to meet?
In the U.S., HIPAA and the states make the rules; Europe has privacy standards.
What about the countries we are working in? Are there minimal good practices that we should try to propagate? UNAIDS/PEPFAR have issued security and privacy guidance. In the U.S., the FDA has special requirements for drug trials; as I understand them, they deal more with auditing than with privacy. See Resources below.
We would like to have the ability to limit access to patient and encounter data by location. This handles two use cases: (a) a multi-facility installation, either internet connected or synchronized; and (b) a location within a facility with special privacy requirements, typically a psychiatric ward or an STD clinic. We should discuss whether a treating physician (or others) without special privileges should be able to access these records.
We would like to have the ability to limit access to patient and encounter data by role. Registration clerks and administrators should not have routine access to patient health data.
Do we need to limit access any further? E.g., should community health workers doing programmatic outreach have access to observations/encounters not related to the program?
We would like to have the ability to limit access to providers who have a relationship with the patient.
See the British Medical Association principles in the PowerPoint presentation by Dominic Duggan below.
Aggregate reports should always give the same results, regardless of who runs them. This probably requires us to distinguish between reads for the purpose of aggregating and reads for the purpose of displaying detail; we might be able to have reporting tasks run as a different, trusted user.
Should a registration clerk be able to print out a flow sheet?
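The requirements above (limits by location, role and patient relationship, plus aggregate reads that do not depend on the caller), sketched as an added example that is not code from this page or project. The role names, the User and Encounter types, the sample data and the decision to deny a physician outside their assigned location are all assumptions made for illustration; the page leaves that last question open.

```python
from dataclasses import dataclass

# Hypothetical role set; the page only says clerks and administrators
# should not have routine access to patient health data.
CLINICAL_ROLES = {"physician", "nurse"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    locations: frozenset               # locations the user is assigned to
    patients: frozenset = frozenset()  # patients with a care relationship

@dataclass(frozen=True)
class Encounter:
    patient: str
    location: str
    diagnosis: str

def can_read_detail(user, enc):
    """Detail read: role, location and relationship must all pass."""
    if user.role not in CLINICAL_ROLES:
        return False                     # limit by role
    if enc.location not in user.locations:
        return False                     # limit by location (assumed strict)
    return enc.patient in user.patients  # limit by provider relationship

def detail_view(user, encounters):
    return [e for e in encounters if can_read_detail(user, e)]

def aggregate_by_location(encounters):
    """Aggregate read: counts only, computed over every row, no user input."""
    counts = {}
    for e in encounters:
        counts[e.location] = counts.get(e.location, 0) + 1
    return counts

def run_report(requesting_user, encounters):
    # Runs as a trusted reporting task: the requester's own filters are
    # deliberately not applied, so every caller sees the same totals.
    return aggregate_by_location(encounters)

# Constructed sample data
ENCOUNTERS = [
    Encounter("p1", "outpatient", "malaria"),
    Encounter("p2", "outpatient", "tb"),
    Encounter("p3", "psychiatric ward", "depression"),
]
CLERK = User("clerk", "registration clerk", frozenset({"outpatient"}))
DOCTOR = User("doc", "physician", frozenset({"outpatient"}),
              frozenset({"p1", "p3"}))
```

Because run_report returns counts rather than rows, the design still has to decide who may request it and whether small counts at a restricted location reveal too much.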
WHAT DO WE HAVE NOW AND WHAT HAVE WE TRIED
...
RESOURCES
Information on HIPAA
UNAIDS/PEPFAR Confidentiality and Security Guidelines
...