The pitfalls of the electronic patient dossier EPD
By 2020, hospitals, nursing homes, general practitioners and laboratories will have to align themselves with the electronic patient dossier (EPD). They are legally obliged to do so. Management und Qualität interviewed *Claudio Fuchs, an expert in authorization management, to discuss the pitfalls of introducing the EPD.
With the introduction of the EPD, there will be some changes in user and authorisation management. From April 2020, hospitals will have to operate an identity management system for the first time. Mr. Fuchs, what exactly does that mean for specialists like you?
First of all, two points: patients always have sovereignty over access. The patient should therefore have full control over his own data. However, the electronic management of particularly sensitive data is complex. This means, for example, that service providers must specify the names of their treatment staff so that patients are aware of their access and can prevent it if they wish.
In Switzerland, it is intended that patients can set positive and negative authorizations on individual reports.
But now to the second point: In general, a distinction must be made between the classic patient record as primary documentation and the new dossier as secondary documentation. The EPD must be downloaded from a central directory of the master community when patients are admitted, so that it can be supplemented and uploaded again when they leave.
The patient determines which parts of the dossier are visible to which hospitals or doctors and thus has control over his own data, his electronic dossier. The hospitals and the subsequent participants in the treatment process are legally obliged to be connected to a master community as of April 2020.
Do you see any other technical grey areas that are not easy to get to grips with?
One is the transformation of dossiers into secure data stores. However, there are also less technical problems such as staff turnover rates, which nevertheless also pose challenges. From a user and authorization management perspective, there are two main areas of action:
- The identification and authentication of medical and support staff for access to the dossier at the root community and the issuance of the necessary means of identification (interface ITI-40 according to IHE reference architecture) and
- the transmission of the current and correct personnel data of the relevant medical staff and auxiliary staff to the master community (interface ITI-59 according to IHE reference architecture).
Are hospitals ready for this and what are the biggest obstacles with regard to EPD user and authorisation management?
The situation varies; there are hospitals that have already examined many aspects of the EPD in detail, including user and authorisation management, and others that are still at the very beginning and are realising what changes the EPD will bring. A major obstacle is the preparation and design of identity management, because every hospital employee must be mapped as an electronic identity.
This allows the digital management of the associated user accounts in the systems and applications as well as the means of identification, such as badge or SuisseID. This identity must be correctly filled with attributes such as name, profession, title, unique doctor number or institute and regularly transmitted to a master community. All this is only possible with an automated IAM system that can also offer these required qualities and security.
All these requirements necessitate a universal solution for authentication. What do you recommend to hospitals regarding the application programs to be integrated - "make or buy"?
This is really a big, open point at the moment. I therefore advise against making a decision on this now. I recommend internally considering the responsible offices for issuing such means of identification and also providing for corresponding tasks in the employee processes for entry and exit, but not yet undertaking any technical procurement.
It is also to be expected that some more providers will appear on the market and bring new competences into play. So if a hospital has the possibility to act as an identity provider, it can basically decide itself about the process and technology of the means of identification. These means of identification no longer have to be of a physical nature, but can function with apps and smartphones, for example.
Some hospitals already use multi-factor authentication. Under certain circumstances, this can be extended so that the requirements are met and employees can be equipped with it very flexibly. But the other way round also applies: for smaller hospitals, it may be that this effort and the costs are too great, and they therefore turn to the free market. Hospital management would do well to carefully examine the various options.
And does the EPD work? Are there already projects, or at best a conclusion?
Yes, there are. The canton of Geneva launched a kind of "EPD light" as a pilot project and evaluated it in 2017. It turned out that in urban agglomerations many patients probably rely on the digital future. Within a short time, around 28,000 patients were registered, which corresponds to about 5 percent of the Geneva population.
Do you see any other open points that should be clarified next?
If you ask like that, timely, systematic planning is the be-all and end-all. It's not just about procedural issues when installing the software, it's also about defining multiple staff appointments (e.g. as a senior physician and at the same time as an attending physician). The organizational responsibilities must be regulated at an early stage.
HR departments are the first to come into focus. HR, IT, doctors and nursing must work closely together. It is important not to look at processes in isolation for one department. This would not be effective. Hospitals must ensure, for example, that doctors have a means of identification from their first day on the job.
As with a bank, entries must be reported in full at an early stage, and IT must correctly register the means of identification and the relevant persons in the master community.
*Claudio Fuchs, Managing Director Switzerland & Austria, IPG, is responsible for and coordinates IPG's project business in Switzerland and Austria. Claudio Fuchs has been dealing with the topic of IAM for about 12 years. He has held various positions as an IAM expert and has expertise ranging from project management to implementation. Claudio Fuchs has a part-time job as a lecturer for project and quality management at a Swiss university.