Effective sharing of health records, maintaining privacy: a practical schema.

Author information

Neame Roderick

Affiliation

University of Queensland St Lucia Campus, Brisbane QLD Australia.

Publication information

Online J Public Health Inform. 2013 Jul 1;5(2):217. doi: 10.5210/ojphi.v5i2.4344. Print 2013.

Abstract

A principal goal of computerisation of medical records is to join up care services for patients, so that their records can follow them wherever they go and thereby reduce delays, duplications, risks and errors, and costs. Healthcare records are increasingly being stored electronically, which has created the necessary conditions for them to be readily sharable. However, simply driving the implementation of electronic medical records is not sufficient, as recent developments have demonstrated (1): there remain significant obstacles. The three main obstacles relate to (a) record accessibility (knowing where event records are and being able to access them), (b) maintaining privacy (ensuring that only those authorised by the patient can access and extract meaning from the records) and (c) assuring the functionality of the shared information (ensuring that the records can be shared non-proprietorially across platforms without loss of meaning, and that their authenticity and trustworthiness are demonstrable). These constitute a set of issues that need new thinking, since existing systems are struggling to deliver them.

The solution to this puzzle lies in three main parts. Clearly there is only one environment suited to such widespread sharing, which is the World Wide Web, so this is the communications basis. Part one requires that a sharable synoptic record is created for each care event and stored in standard web format and in readily accessible locations, on 'the web' or in 'the cloud'. To maintain privacy these publicly accessible records must be suitably protected, either stripped of identifiers (names, addresses, dates, places etc.) and/or encrypted: either way the record must be tagged with a tag that means nothing to anyone, but serves to identify and authenticate a specific record when retrieved. For ease of retrieval patients must hold an index of care events, records and web locations (plus any associated information for each, such as encryption keys, context etc.). For added security, as well as for trustworthiness, a method of verifying authenticity, integrity and authorship is required, which can be provided using a public key infrastructure (PKI) for cryptography (2).

The second part of the solution is to give control over record access and sharing to the patient (or their identified representative), enabling them to authorise access by providing the index and access keys to their records. This can be done using a token (e.g. smart card) or a secure online index which holds these details: this serves to relieve the formal record keeper of responsibility for external access control and privacy (internal access control and privacy can remain an institutional responsibility).

The third part of the solution is to process the content of the stored records such that there is a 'plain English' copy, as well as an electronic copy which is coded and marked up using XML tags for each data element to signify 'type' (e.g. administrative, financial, operational, clinical etc.) and sub-types (e.g. diagnosis, medication, procedure, investigation result etc.). This ensures that the recipient can always read the data using a basic browser, but can readily manipulate and re-arrange the data for display and storage if they have a more sophisticated installation.
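The three parts of the schema, sketched as an added example that is not code from the paper: a de-identified record stored under an opaque tag, a patient-held index entry that is the only link back to the patient, and XML markup by type and sub-type that lets the recipient filter the data. The names `publish`, `retrieve` and `PUBLIC_STORE`, the `records.example` URL and the sample data are assumptions. The SHA-256 digest kept in the index covers integrity only; the PKI signature the abstract calls for to prove authorship is not shown.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

PUBLIC_STORE = {}  # stands in for web/cloud storage: location -> stored bytes

def publish(event, identifiers):
    """Store a de-identified, typed XML record; return the patient's index entry."""
    tag = secrets.token_hex(16)            # opaque tag: random, derived from nothing
    root = ET.Element("record", {"tag": tag})
    for dtype, subtype, value in event:    # mark up each element by type and sub-type
        ET.SubElement(root, "item", {"type": dtype, "subtype": subtype}).text = value
    blob = ET.tostring(root, encoding="utf-8")
    location = "https://records.example/" + tag   # constructed placeholder URL
    PUBLIC_STORE[location] = blob
    # Identifiers never reach the store; they stay in the patient-held index.
    return {"tag": tag, "location": location, "identifiers": dict(identifiers),
            "sha256": hashlib.sha256(blob).hexdigest()}

def retrieve(entry, dtype=None):
    """Fetch via the index entry, check digest and tag, return items of one type."""
    blob = PUBLIC_STORE[entry["location"]]
    # Verify before parsing, so only bytes the index vouches for reach the XML parser.
    if not secrets.compare_digest(hashlib.sha256(blob).hexdigest(), entry["sha256"]):
        raise ValueError("stored record does not match the digest in the index")
    root = ET.fromstring(blob)
    if root.get("tag") != entry["tag"]:
        raise ValueError("record tag does not match the index entry")
    items = [(i.get("type"), i.get("subtype"), i.text) for i in root.iter("item")
             if dtype is None or i.get("type") == dtype]
    return {"patient": entry["identifiers"], "items": items}

# Constructed sample care event and identifiers.
EVENT = [("clinical", "diagnosis", "Type 2 diabetes mellitus"),
         ("clinical", "medication", "Metformin 500 mg twice daily"),
         ("administrative", "encounter", "Outpatient review")]
IDENTIFIERS = {"name": "Jane Example", "dob": "1970-01-01"}

if __name__ == "__main__":
    entry = publish(EVENT, IDENTIFIERS)
    print(PUBLIC_STORE[entry["location"]].decode())   # what the public store holds
    print(retrieve(entry, dtype="clinical"))          # what an authorised reader sees
```

Handing over the index entry is what authorises access: without it the stored record cannot be located or tied to a person.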
