Security requirements in EHR systems and archives.

EHR system is a system for recording, retrieving, and manipulating information in electronic health care records. Archive is an organisation that intends to preserve health records for access and use for an identified group of consumers. There exist many combinations of EHR-systems and archives. EHR-system can be a single on-line system with integrated archiving functions or archive and EHR-system are co-operative or federated systems. This paper describes both common security requirements for EHR-systems and archives and security requirement specific for archives. Requirements are derived from ethical and legal principles. From principles a set of security requirements are derived. Safeguards for implementing security are discussed. In practise EHR-system and archive share many security services. This document is proposing that inside a security domain both the archive and EHR-system have a common security policy. In addition to this the archiving organisation needs a documented policy for information preserving and a policy for access and distribution of information between other archives.