[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[use cases]
Hi all,
As per my action item, I'm posting two security policies with corresponding use
cases (or better to say scenarios).
The main purpose of this exercise for the submeeting team is to test its design
decisions on potential scenarios in healthcare.
If we can not come up with an idea how authorization rules would help for the
described scenarios, then HRAC facility would not make any good in healthcare.
Clearly, not everything can be enforced using "stupid computers." Parts of
discloser control has to be done via manual procedures.
When you read the use cases, you have to keep in mind that I do not have 10
years of clinical practice experience. In September, I'll discuss these use
cases with people here who are involved in administration of medical record
departments and nursing. Hopefully, they will provide useful feedback and help
in coming up with more realistic scenarios.
Also, I'll post more use cases after I see how these two go. I provided a use
case per policy. First a policy is listed and then a corresponding use case for
it is described.
If anybody has more scenarios for use cases, you are welcome to post them too.
Konstantin
-----------------------------------------------------------------
According to Florida Evidence Code section 503, ``Psychotherapist-Patient
Privilege,'' a patient, or a particular party representing the patient
interests, has a privilege to refuse to disclose any information,
and to prevent any other person from disclosing, confidential communications
or records made for the purpose of diagnosis or treatment of the patient's
mental or emotional condition, including alcoholism and other drug
addiction, between the patient and the psychotherapist, or persons
who are participating in the diagnosis or treatment under the direction
of the psychotherapist. This privilege includes any diagnosis made,
and advice given, by the psychotherapist in the course of that relationship.
Policy A:
Information related to diagnosis or treatment of the patient's mental
or emotional condition, including alcoholism and other drug addiction,
and information exchanged between the patient and the psychotherapist,
or persons who are participating in the diagnosis or treatment under
the direction of the psychotherapist, shall not be disclosed to
any other person if the patient refused to disclose such information
(as per the previous policy). Exception shall be provided:
* For communications relevant to an issue in proceedings to compel
hospitalization of a patient for mental illness, if the psychotherapist
in the course of diagnosis or treatment has reasonable cause to
believe the patient is in need of hospitalization.
* For communications made in the course of a court-ordered examination
of the mental or emotional condition of the patient.
* For communications relevant to an issue of the mental or emotional
condition of the patient in any proceeding in which the patient
relies upon the condition as an element of his or her claim or
defense or, after the patient's death, in any proceeding in which
any party relies upon the condition as an element of the party's
claim or defense.
Use Case for policy A:
Patient A visited her psychotherapist B to discuss recent
depression attack she experienced during the last week. B changed
A's diagnosis according to the information collected from A and
decided to prescribe a new stronger medicine for A instead of the
old one. According to the consent A signed when she began to use
this hospital, she did not explicitly refuse discloser of her medical
records data related to her mental and emotional condition in the
general disclosure agreement. So, A asked B not to disclose information
related to her visits to B when she has been told she needs medicine.
B began to mark all records made during A's visits to B in oder
to show that only B and his assistants should have access to the
information.
A also gave a visit to her primary care physician C in the same hospital
to discuss problems with her back. C looked through A's care history
in order to see any related problems. Some parts of A's medical
records information were blocked from C. C asked A if she wants
that information to be availabe to C. A preferred not.
Eighteen months later, A's situation with depressions became so bad
that B had to advise her to go through a treatment course under
tight control of medical stuff in the specialized hospital located
in the neighboring county. A did not want to take the course. Three
months later, B had been informed that A was delivered into an emergency
room with symptoms showing strong mental disorder. B did not see
any other way but to apply for A's hospitalization. B had to send
information from A's medical records related to her depression history
along with the hospitalization application to the department head.
.....
-------------------------------
.....
Section 4 of Florida's General Provisions on Public Health \cite{fs-381:1997}
requires that the identity of any person upon whom a test has been
performed and test results to be confidential. The following policy
is almost completely cited word by word from paragraph (f) of section
4.
Policy B:
No person who has obtained or has knowledge of result of a test
human immunodeficiency virus, or its antigen or antibody may disclose
or be compelled to disclose the identity of any person upon whom
a test is performed, or the results of such a test in a manner which
permits identification of the subject of the test, except to the
following persons:
1. The subject of the test or the subject's legally authorized
representative.
2. Any person, including third-party payors, designated in a legally
effective release of the test results executed prior to or after
the test by the subject of the test or the subject's legally authorized
representative. The test subject may in writing authorize the
disclosure of the test subject's HIV test results to third party
payors, who need not be specifically identified, and to other
persons to whom the test subject subsequently issues a general
release of medical information. A general release without such
prior written authorization is not sufficient to release HIV test
results.
3. An authorized agent or employee of a health facility or health
care provider if the health facility or health care provider itself
is authorized to obtain the test results, the agent or employee
participates in the administration or provision of patient care
or handles or processes specimens of body fluids or tissues, and
the agent or employee has a need to know such information. The
department shall adopt a rule defining which persons have a need
to know pursuant to this subparagraph.
4. Health care providers consulting between themselves or with health
care facilities to determine diagnosis and treatment. For purposes
of this subparagraph, health care providers shall include licensed
health care professionals employed by or associated with state,
county, or municipal detention facilities when such health care
professionals are acting exclusively for the purpose of providing
diagnoses or treatment of persons in the custody of such facilities.
5. The department, in accordance with rules for reporting and controlling
the spread of disease, as otherwise provided by state law.
6. A health facility or health care provider which procures, processes,
distributes, or uses:
(a) A human body part from a deceased person, with respect to medical
information regarding that person; or
(b) Semen provided prior to July 6, 1988, for the purpose of artificial
insemination.
7. Health facility staff committees, for the purposes of conducting
program monitoring, program evaluation, or service reviews pursuant
to chapters 395 and 766 of Florida's Statutes.
8. Authorized medical or epidemiological researchers who may not further
disclose any identifying characteristics or information.
9. A person allowed access by a court order.
10. A person allowed access by order of a judge of compensation claims
of the Division of Workers' Compensation of the Department of
Labor and Employment Security.
11. Those employees of the department or of child-placing or child-caring
agencies or of family foster homes, licensed pursuant to s. 409.175,
who are directly involved in the placement, care, control, or
custody of such test subject and who have a need to know such
information; adoptive parents of such test subject; or any adult
custodian, any adult relative, or any person responsible for the
child's welfare, and if a reasonable attempt has been made to
locate and inform the legal guardian of a test result.
12. Medical personnel who have been subject to a significant exposure
during the course of medical practice or in the performance of
professional duties, or individuals who are the subject of the
significant exposure as provided in subitems 10 and 11 of the
next policy.
Use Case for Policy B:
Patient A decided to donate his kidney to his son who had
been severely injured in a car accident. Among other preparation
procedures, A had his HIV test performed in the hospital. The lab
technician who processed specimens of blood was the one who obtained
and recorded the test results. A day later, A went back to the hospital
to find out the results. A's consulting physician B revealed the
test results to him. B also conducted face-to-face counseling according
to the hospital policy. The results were sent to the hospital where
A's son was going to be operated. When A donated his kidney, the
surgery team was informed on the HIV test results of A since they
were exposed significantly to A's body fluids and tissues.
A while later, QualityCare committee of the hospital did internal
evaluation of care services. During evaluation, they reviewed several
randomly chosen cases. A's was one of them. They went through the
corresponding records case by case and gave their recommendation
how the hospital workflow should be changed in order to increase
quality of provided care services.
Several months later, county epidemiological center were conducting
annual research on HIV related diseases. The hospital provided list
of all patients on whom HIV tests were performed and the results.
-------------------------------------------------------------------------------
----------------
Broadcast message to hrac-rfp from Konstantin Beznosov <beznosov@baptisthealth.net>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.