We are implementing OpenEMR as a hosted service that will serve the needs of various providers in Greece. However, this raises a number of privacy concerns, especially with regard to European privacy legislation. For instance, each provider has immediate access to the entirety of patients’ data that have been entered by other providers (encounters, diagnoses, appointments, etc). While this has some advantages (for instance, better coordination between providers for the treatment of complicated incidents), it could raise legal issues that we have to tackle. We would greatly appreciate some advice concerning the protection of patients’ privacy in such a context. A provider can access every patient’s data, including every diagnosis and prescription by other providers for this particular patient. This could be construed as unauthorized access by Greece’s Data Protection Agency. Is there a way for us to give each provider (or group of providers) access only to the data of the patients s/he has entered into the system, with access to other patients’ data being granted only after specific authorization has been given? We have tried creating different groups, but still they have access to all patients in the database.
It was very successful. The only point to keep in mind is that these instances are sharing one codebase. So if you have to do customization for a specific specialty or an NGO which is trying to capture other data (thus requiring a change in the data model), you will not be able to do that.
Experts, please comment if our assumption is correct.
Thank you for your quick response. I see that there is a separate database for each provider. However, this seems to raise a few other concerns:
1. Having a potentially large number of databases can cause maintenance and management difficulties, especially when it comes to data security - and security of health records is an extremely sensitive matter.
2. Each dedicated server can only handle so many databases. This could cause an unwelcome increase in running costs.
3. Assume that a patient has been treated by several different providers and needs - for whatever reason - to have access to all of his data at some point. With the data spread among several different databases (since each provider has a separate database), aggregation and synthesis of the data could be hindered.
Avantsys, I think this first depends on the specifics of the legal requirements. In the U.S. I would not dream of using the same database or otherwise co-mingling data for multiple independent practices - any needs to share information must be handled carefully and with suitable tools and procedures.
If there is added cost for multiple databases, that would be a rather artificial requirement imposed by your hosting service. It’s not a significant barrier in terms of physical computing or storage resources. See what you can work out with them.
Regarding customization for specific users - you can and should do that in a way that works with a shared web directory. There is a “globals” table in an OpenEMR database that holds site-specific option settings, and code can be written to take alternative actions according to those settings. Also if you have any such improvements that may be of general interest, it is to everyone’s advantage to submit them for possible inclusion in the project’s code base.
Back to the manageability and maintenance of a multiple site installation, I am concerned about issues such as patching numerous different instances. Is it absolutely certain that there is no other way to ensure that a provider who has edited information in a certain patient’s records cannot see what other providers have entered? Besides the issues created by the privacy legislation in Europe and Greece, I have to say that there are problems regarding petty competitions between doctors.
An idea I had would be as follows:
Assume that a certain provider (let’s call him d1 - d for “doctor”) has created a certain patient in the database (let’s call him p1). The way things are right now, another provider (let’s call him d2) can see everything that d1 has entered and d1 can see everything that d2 has entered. Greek legislation dictates that d1 cannot see what d2 has done and vice versa. Furthermore, there is the problem of petty antagonism between doctors - a problem present and persistent in Greek society.
Using a multiple site installation would mean that maintenance would be quite complicated. Also, it would probably mean that we would lose the ability to have a portal for the patients, because it would be meaningless - the portal would have to browse through multiple databases, searching for entries regarding this particular patient using the patient’s Social Security number as a search term, then sorting them by chronological order and aggregating them into a document that will have this patient’s records, appointments and whatnot. Something like this would obviously require extensive modifications to OpenEMR’s patient portal.
Another thought we have is to manipulate the privileges of the various users.
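The d1/d2/p1 situation above can be modelled as row-level authorization in a single shared database: every clinical row carries the provider who created it, another provider sees those rows only through an explicit, time-limited grant, and every read and grant is written to an audit table. The following is an added illustration written for this thread; it is not OpenEMR's code, and the four-table schema, the `access_grants` table and the `audit_log` table are assumptions, not OpenEMR's real tables.

```python
"""Row-level access model for a shared clinical database (illustrative; the
schema is an assumption and not OpenEMR's own tables). Each record is tagged
with the provider who created it; another provider can read it only through
an explicit, time-limited grant, and every read and grant is audited."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema, constructed for this example.
SCHEMA = """
CREATE TABLE patients (pid INTEGER PRIMARY KEY, ssn TEXT UNIQUE, name TEXT);
CREATE TABLE encounters (
    eid INTEGER PRIMARY KEY, pid INTEGER NOT NULL, provider TEXT NOT NULL,
    date TEXT NOT NULL, note TEXT NOT NULL);
CREATE TABLE access_grants (
    grantee TEXT NOT NULL, pid INTEGER NOT NULL,
    granted_by TEXT NOT NULL, expires TEXT NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, actor TEXT, action TEXT, pid INTEGER, at TEXT);
"""


def open_db():
    """In-memory database with constructed sample data: patient p1 seen by d1 and d2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO patients VALUES (1, '000-00-0001', 'p1')")
    conn.executemany("INSERT INTO encounters VALUES (NULL, ?, ?, ?, ?)", [
        (1, "d1", "2013-03-01", "initial visit recorded by d1"),
        (1, "d2", "2013-03-05", "follow-up recorded by d2"),
    ])
    return conn


def grant_access(conn, grantee, pid, granted_by, now, days=7):
    """Record that `granted_by` (the owning provider, or the patient) lets
    `grantee` read patient `pid`'s records until `now + days`."""
    expires = (now + timedelta(days=days)).isoformat()
    conn.execute("INSERT INTO access_grants VALUES (?, ?, ?, ?)",
                 (grantee, pid, granted_by, expires))
    conn.execute("INSERT INTO audit_log VALUES (NULL, ?, 'grant', ?, ?)",
                 (granted_by, pid, now.isoformat()))


def visible_encounters(conn, provider, pid, now=None):
    """Encounters of `pid` that `provider` may see: their own rows, plus all
    rows while an unexpired grant exists. The filter is applied inside the
    SQL so the application never holds rows it is not allowed to show."""
    now = now or datetime.now(timezone.utc)
    rows = conn.execute("""
        SELECT e.provider, e.date, e.note
        FROM encounters e
        WHERE e.pid = ?
          AND (e.provider = ?
               OR EXISTS (SELECT 1 FROM access_grants g
                          WHERE g.grantee = ? AND g.pid = e.pid
                            AND g.expires > ?))
        ORDER BY e.date""", (pid, provider, provider, now.isoformat())).fetchall()
    # Every read is logged, whether or not it returned anything.
    conn.execute("INSERT INTO audit_log VALUES (NULL, ?, 'read', ?, ?)",
                 (provider, pid, now.isoformat()))
    return rows


def audit_entries(conn):
    return conn.execute("SELECT actor, action, pid FROM audit_log ORDER BY id").fetchall()


def run_scenario():
    """Walk the d1/d2/p1 case from the thread; returns which providers' rows d2 sees at each step."""
    db = open_db()
    t0 = datetime(2013, 3, 10, tzinfo=timezone.utc)
    out = {"before": [r[0] for r in visible_encounters(db, "d2", 1, t0)]}
    grant_access(db, "d2", 1, "d1", t0)              # d1 authorizes d2 for 7 days
    out["after_grant"] = [r[0] for r in visible_encounters(db, "d2", 1, t0)]
    out["after_expiry"] = [r[0] for r in visible_encounters(db, "d2", 1, t0 + timedelta(days=8))]
    out["stranger"] = [r[0] for r in visible_encounters(db, "d3", 1, t0)]  # no relation, no grant
    out["audit"] = audit_entries(db)
    return out


if __name__ == "__main__":
    for step, seen in run_scenario().items():
        print(f"{step:>12}: {seen}")
```

The design choice that matters for the legal question is that the restriction lives in the query itself, not in the user interface: a group or role that merely hides menu items still hands the full record to the application. Whichever option is chosen, the audit table is what lets you show the Data Protection Agency who read what, and when.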
Rod, I was writing my previous reply before having seen yours. My main concern about manageability is the fact that most of the potential users will be many small practices instead of a few sizeable hospitals and/or clinics.
In the case where we have multiple databases, which would be the best way to implement a patient portal that would allow a patient to access the data concerning him that exist in every database?
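For the multiple-database option, the portal described earlier in the thread (look the patient up by Social Security number in each site's database, merge the hits in chronological order) can be sketched as follows. This is an added example for this thread, not OpenEMR's portal code; the two-table per-site schema, the site names and the sample rows are all constructed, and OpenEMR's real tables differ.

```python
"""Patient-portal aggregation across one database per provider site
(illustrative; the schema is an assumption, not OpenEMR's real tables).
Each site is queried by the patient's SSN and the results are merged
chronologically; a site that cannot be reached is reported, not dropped."""
import sqlite3
from dataclasses import dataclass

# Hypothetical per-site schema, constructed for this example.
SITE_SCHEMA = """
CREATE TABLE patients (pid INTEGER PRIMARY KEY, ssn TEXT UNIQUE, name TEXT);
CREATE TABLE encounters (eid INTEGER PRIMARY KEY, pid INTEGER NOT NULL,
                         date TEXT NOT NULL, provider TEXT NOT NULL,
                         reason TEXT NOT NULL);
"""


@dataclass(order=True, frozen=True)
class Entry:
    date: str       # ISO date comes first so sorting is chronological
    site: str
    provider: str
    reason: str


def make_site(patients, encounters):
    """Constructed per-site database (one per practice or provider)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SITE_SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", patients)
    conn.executemany("INSERT INTO encounters VALUES (NULL, ?, ?, ?, ?)", encounters)
    return conn


def site_entries(site_name, conn, ssn):
    """Rows for one patient at one site. The SSN is bound as a parameter, and
    a site that has no record of this patient simply contributes nothing."""
    row = conn.execute("SELECT pid FROM patients WHERE ssn = ?", (ssn,)).fetchone()
    if row is None:
        return []
    rows = conn.execute(
        "SELECT date, provider, reason FROM encounters WHERE pid = ?", (row[0],)).fetchall()
    return [Entry(date, site_name, provider, reason) for date, provider, reason in rows]


def aggregate_record(sites, ssn):
    """Query every site for `ssn` and merge the hits chronologically.
    Returns (entries, failed_sites); an unreachable site is listed in
    failed_sites so the patient can see the record may be incomplete."""
    entries, failed = [], []
    for name, conn in sites.items():
        try:
            entries.extend(site_entries(name, conn, ssn))
        except sqlite3.Error as exc:
            failed.append((name, str(exc)))
    return sorted(entries), failed


def render(entries, failed):
    """Plain-text version of the merged record for the portal page."""
    lines = [f"{e.date}  {e.site:<10} {e.provider:<4} {e.reason}" for e in entries]
    lines += [f"[site {name} unavailable: {err}]" for name, err in failed]
    return "\n".join(lines)


def build_sample_sites():
    """Three constructed sites; the patient with SSN 000-00-0001 is known to two of them."""
    return {
        "clinic_a": make_site([(1, "000-00-0001", "p1")],
                              [(1, "2013-03-01", "d1", "initial visit"),
                               (1, "2013-04-02", "d1", "lab results")]),
        "clinic_b": make_site([(7, "000-00-0001", "p1")],
                              [(7, "2013-03-05", "d2", "second opinion")]),
        "clinic_c": make_site([(3, "000-00-0002", "p2")],
                              [(3, "2013-03-02", "d3", "unrelated patient")]),
    }


if __name__ == "__main__":
    print(render(*aggregate_record(build_sample_sites(), "000-00-0001")))
```

Two points a practitioner would check in such a portal: the lookup key (here the SSN) must be bound as a query parameter at every site rather than interpolated, and an unavailable site has to be surfaced explicitly, otherwise a patient can be shown an apparently complete record with a whole practice missing from it.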
I’m still a bit confused with some details. If you have multiple physicians working in the same practice, does Greek law still require they can’t see each other’s records? If so, how do they cover each other on vacations/sickness/call etc?