kodusote wrote on Wednesday, October 29, 2014:
I need to give limited access to a Medical Records Officer (Health Informatics Officer) to be able to view the Client and Visit Reports. I have searched the Access Control Lists and could not identify which ACO is most appropriate for this.
Is there an existing ACO that would permit this or does one need to create a new ACO for this? Or any suggestion on how best to achieve this?
Thanks.
Kayode
fsgl wrote on Wednesday, October 29, 2014:
The most logical group for assignment is Administrator, but as you already know, there is no fine granular control without a code change. It is also unclear which ACO will permit only viewing of Reports. If I had to guess, a good place to start is Superuser.
blankev wrote on Wednesday, October 29, 2014:
Since you, as a medical service provider, you are bound to the HIPAA conventions, there should be no medical information available to the Medical Record Officer that can be directly related to the Demographics of a client.
Or you have to get some kind of secrecy oath in place with severe punishments, as the Government will give YOU severe financial repercussion punishments. If there is a discovered tress passing of medical information exchange.
You need to make a new one.
It is some heavy exercise, but try all available options and downgrade the options for the new member of the team. A good adviser is the HELP file on how to fine-tune the options for AGCL. For no USA based practice you might give the Administrator rights. I don’t think there is a Super User that can do everything programmed.
kodusote wrote on Wednesday, October 29, 2014:
Dear fsgl and Pieter,
Thanks for your contributions.
The administrator role is too broad for the cadre I have in mind and if it is possible to provide access to the reports that do not have the personal details of the patients, this would more than meet my needs.
Even in a non-USA based practice, you want to limit the cadre of users you give the Administrator rights.
Any suggestion on how to customize a ARO specifically to allow access to reports with limited private details of the patients?
Thanks.
fsgl wrote on Wednesday, October 29, 2014:
I did not mean to imply that all of Administrator’s ACO’s should be granted in its entirety. That’s where fine granular control comes into play.
Will rummage through openemr/interface/usergroup/adminacl.php & find the old thread where Brady helped you with a similar problem to hunt for clues.
fsgl wrote on Wednesday, October 29, 2014:
Here’s the old thread.
In addition to viewing Reports, you may want to grant read privilege to Encounters & clinical notes.
kodusote wrote on Wednesday, October 29, 2014:
Dear fsgl,
Thanks for the reminder.
I actually checked that first and noted that the acl_check for the report is (patient, med) that is Medical/History. However, this would include many other personal information of the patients contrary to HIPAAA convention. This is why I am looking for ways of limiting the access to reports that do not include demographic information of patients.
fsgl wrote on Wednesday, October 29, 2014:
We need a little background information regarding the Medical Records Officer. Is that person an employee of the practice? If yes, HIPAA makes provisions for administrative activities within a practice such that patient authorization is not required, provided the practice has every employee sign a patient confidentiality agreement. If it’s work sub-contracted outside of the practice, then a Business Associate Agreement would keep the practice in good stead.
HIPAA is not absolute. If we are never to share PMI, physicians would have to
perform every single function in the office. That becomes untenable in short order.
I assume the job description is that of ensuring compliance with some sort of governmental mandate. The guy will need to look at clinical notes & indirectly at Demographics, in addition to Reports, at some point as he goes about his duties.
kodusote wrote on Wednesday, October 29, 2014:
Dear fsgl,
The person is an employee of the practice.
Thanks for the clarification on the HIPAA convention as regards such employees.
fsgl wrote on Thursday, October 30, 2014:
It was my pleasure.