Basic Technical Requirements for Electronic Patient Records

In the course of the digitalisation of patient records, we have attempted to formulate a number of basic requirements and recommendations relating to this seemingly inevitable development, in particular with regard to the procedure to be used for the physical storage of records (centralised, decentralised, patient-held cards, ...). Given the multitude of methods and projects currently being developed in our country, it may well be that some of our remarks will have to be revised or rephrased in the light of experience gained in this complex field.

In order to construct a clear framework, it is important to outline the various methods proposed for the storage of electronic patient records:

1. Decentralised (distributed) storage, i.e. the medical data remains with the providers of medical services and a virtual record consisting of the "public element of each episode" is drawn up, if necessary via a shared network involving all participants. A virtual dossier of this nature first and foremost raises the question of whether the dossier should be made available in full, and whether, despite the distributed approach, certain personal data will nevertheless have to be stored centrally.

2. Centralised storage on third party premises, i.e. all or a part of the medical data produced by a provider of medical services will be copied into a centralised records facility managed by the state (cantonal or federal) or a private company (service provider). The issues connected with this method relate to the confidentiality of the centralised facility and its accessibility.

3. Centralised storage with the patients themselves, i.e. all or part of the medical data generated by the provider of medical services will be copied onto a data carrier (chip card, CD) that is retained by the person to whom the data relates. The patient thus has sole control over his or her data and may deposit a back-up copy with a doctor of his or her choice.

These three theoretical methods may be combined in various ways in practice. It is conceivable that the patient card could be used simply as a means of identification (insurance number, name, ...), as a storage medium for administrative data and/or details to be used in an emergency, as a cryptographic access key to the actual medical data or ultimately as the means for storing the full patient records.

Irrespective of which method of storage is used, the following precautions in relation to data protection are currently conceivable.

  • Differentiation between administrative and medical data. Within medical data, a finer distinction between objective data (test results, ...), subjective data (diagnoses, ...), medication, and details for use in an emergency. The last of these should be regulated separately, as it always relates to critical situations.
  • Definition of the storage and encoding format for all data, in order to guarantee long-term preservation and national or even international interoperability (recording/conversion of current data).
  • Priority use of pseudonymising and anonymising procedures (see 9th Annual Report, Section 2.2.1) in order to limit the risk of data leaks as far as possible, while still allowing the collected medical data to be used for epidemiological or statistical purposes.
  • Encrypted storage of particularly sensitive personal data: the episodes on record can only be read or processed by those who possess a valid decryption key. Each medical episode can be encrypted separately, and the patient (or if necessary his or her chosen doctor) should in principle be able to decrypt the relevant data. For this, however, a non-trivial Public Key Infrastructure (PKI) must be set up.
  • Possible temporary withholding of medical data that requires a verbal explanation from the relevant specialist provider of medical services.
  • Systematic identification and strict authentication of all employees of the health services with access to the system.
  • Detailed records of all accessing and editing of sensitive data that can be called up by the person affected at any time.
  • Guarantee and regular monitoring of the confidentiality, integrity and availability of the data.
  • Digital signature for all data entries in order to guarantee their integrity and non-repudiation.
  • Varied accessibility of data (logical view) depending on the authorised user.
  • Separate information channel adapted to the relevant requirements for insurance companies, which will have access to details relating to medical bills, possibly in an encrypted form to be agreed (see Section 5.1.2 of this Report).
  • Similar separate solution for prescriptions and access for pharmacists.
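To make the interplay of these precautions concrete, the following is an added illustration in Python, written for this page and not code from the report or from any Swiss e-health project. It models one patient record in which every episode is tagged with one of the data categories from the first bullet, encrypted under its own per-episode key, signed by its author, and exposed through role-specific logical views (the role-to-category mapping is an assumed policy, not one the report prescribes); every read and write is appended to a hash-chained access log that the patient can inspect. Two stand-ins are used so that the example runs offline with the standard library only: an HMAC in place of the PKI digital signature, and a SHA-256 counter keystream in place of a real authenticated cipher such as AES-GCM. All patient identifiers, clinical strings and keys are constructed sample values.

```python
"""Added example: categorised, per-episode encrypted, signed patient record with audit log."""
import hashlib
import hmac
import json
import os

# Logical views per role (assumed policy): which data categories each role may see.
VIEWS = {
    "treating_doctor": {"administrative", "objective", "subjective", "medication", "emergency"},
    "emergency_service": {"emergency"},   # emergency details handled separately
    "pharmacist": {"medication"},         # separate channel for prescriptions
    "insurer": {"administrative"},        # billing data only
}


def pseudonym(patient_id: str, secret: bytes) -> str:
    """Keyed pseudonym: stable for one patient, not reversible without the secret."""
    return hmac.new(secret, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream; stand-in for a real AEAD such as AES-GCM."""
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest())
        i += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def sign(data: bytes, signing_key: bytes) -> str:
    """HMAC used here as a stand-in for the per-entry PKI digital signature."""
    return hmac.new(signing_key, data, hashlib.sha256).hexdigest()


class PatientRecord:
    def __init__(self, patient_id: str, pseudonym_secret: bytes):
        self.pseudonym = pseudonym(patient_id, pseudonym_secret)  # for statistics use
        self.episodes = []   # encrypted, signed entries
        self.audit = []      # hash-chained access log, readable by the patient

    def add_episode(self, author, author_key, category, content, episode_key):
        nonce = os.urandom(16)
        body = {"id": len(self.episodes), "author": author, "category": category,
                "nonce": nonce.hex(), "ct": _xor(content.encode(), episode_key, nonce).hex()}
        body["sig"] = sign(json.dumps(body, sort_keys=True).encode(), author_key)
        self.episodes.append(body)
        self._log(author, "write", body["id"])
        return body["id"]

    def _log(self, user, action, episode_id):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"user": user, "action": action, "episode": episode_id, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def read(self, user, role, keys, author_keys):
        """Logical view for `role`: only permitted categories for which `user` holds a key."""
        visible = []
        for ep in self.episodes:
            if ep["category"] not in VIEWS.get(role, set()) or ep["id"] not in keys:
                continue
            unsigned = {k: v for k, v in ep.items() if k != "sig"}
            expected = sign(json.dumps(unsigned, sort_keys=True).encode(), author_keys[ep["author"]])
            if not hmac.compare_digest(expected, ep["sig"]):
                raise ValueError(f"episode {ep['id']} failed signature check")
            text = _xor(bytes.fromhex(ep["ct"]), keys[ep["id"]], bytes.fromhex(ep["nonce"]))
            visible.append((ep["category"], text.decode()))
            self._log(user, "read", ep["id"])
        return visible

    def audit_intact(self) -> bool:
        """Verify the hash chain so that deleted or altered log entries are detectable."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    secret, doctor_key, episode_keys = b"pseudonym-secret", b"dr-signing-key", {}
    rec = PatientRecord("patient-0001", secret)   # constructed identifier
    for cat, text in [("administrative", "insured no. 123"), ("objective", "HbA1c 7.1%"),
                      ("subjective", "suspected type 2 diabetes"), ("medication", "metformin 500mg"),
                      ("emergency", "penicillin allergy")]:
        k = os.urandom(32)                        # one key per episode
        episode_keys[rec.add_episode("dr.meier", doctor_key, cat, text, k)] = k
    authors = {"dr.meier": doctor_key}
    return {"doctor": rec.read("dr.meier", "treating_doctor", episode_keys, authors),
            "pharmacist": rec.read("pharmacy1", "pharmacist", episode_keys, authors),
            "emergency_no_keys": rec.read("ambulance", "emergency_service", {}, authors),
            "pseudonym_stable": pseudonym("patient-0001", secret) == rec.pseudonym,
            "audit_ok": rec.audit_intact(), "audit_len": len(rec.audit)}


def tamper_detected() -> bool:
    """An altered ciphertext must fail the signature check before it is ever decrypted."""
    rec, k = PatientRecord("patient-0002", b"s"), os.urandom(32)
    eid = rec.add_episode("dr.x", b"k", "objective", "CRP 3 mg/l", k)
    rec.episodes[eid]["ct"] = "00" * 5            # simulated alteration
    try:
        rec.read("dr.x", "treating_doctor", {eid: k}, {"dr.x": b"k"})
        return False
    except ValueError:
        return True
```

Running `demo()` shows the point of the combined controls: the treating doctor with all five keys sees all five categories, the pharmacist sees only the medication entry, and an emergency service that holds no key sees nothing even for the category its view permits; the audit chain afterwards holds five writes and six reads. `tamper_detected()` shows why signing each entry matters: a single altered ciphertext is rejected on read.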

[July 2003]