Access control in a medical VNA

How do you make sure only the right personnel can see the medical media content stored in a VNA (Vendor Neutral Archive) – being sure that the access policies are adhered to, without devoting enormous resources to the task?

The answer is simple, but likely to prove unpopular.

Consider first the EPR (EPJ). There are two checkpoints to clear before a document is displayed to any employee with legitimate access to the EPR:
1) Does the employee have a current care relation with the patient (that the document describes)?
2) if yes, does the employee´s access profile include the category of the document in question?
The 2nd step is also crucial. As an example, a physiotherapist can read documents related to the work he/she carries out, but not the psychiatrist´s assessment, nor other clinical documents. Now, assume an image is added to the VNA relating to an aspect of the patient that´s outside of the legitimate needs of the physiotherapist How do we make sure the image is hidden from the physio? A modern teaching hospital has about 40 different professions, and maybe 100 document categories linked to the professions by access profiles.

To give you an idea:
As a SOMATIC NURSE you have READ access to somatic and psychiatric documents created by NURSES, and WRITE access to somatic NURSE DOCUMENTS .

There are many more documents you can read, and even more you cannot create or edit.

The employee can read the Document since the role gives access via the profile and the category of the document

So far so good within the EPR. We will now add the VNA to the mix. An image is added to the VNA in the patient´s folder. It is created within a clinical context (and encounter) with a specific purpose; generally the equipment used to capture the image receives some data from the EPR (metadata), that are stored with the image in the VNA (analogous to RIS/PACS workflow). The image shows “a bruise related to a fracture” caused by violence. The image is described in a journal record in the EPR which also includes remarks about a radiology report. We have a photo, an x-ray, and a document.

The question now arises: who should be able to see this image? First of all, the care relationship must be present. There is only one system that can determine if it is indeed present, and that is the EPR: so, we need to ask the EPR: does employee X have a current care relationship with patient Y? If the answer is yes, the patient folder in the VNA can be displayed. But will the VNA reveal all images about the patient to our employee X? No, it cannot, for the same reason as we have discussed above: access if filtered by profession.

Access to the Image is controlled by access to the linked Document in the EPR

If the image of the bruise captured above relates to a suspected criminal case, the journal record describing the bruise will belong to a specific category (type) to which only certain roles have access. Logically, the image of the bruise can only be revealed to those that can read the related journal record. Hence, the EPR must control which images are shown to whom, at the document level (category level can be sufficient. Norwegian law says that a single document instance can be blocked by request from the patient).

The simplest way to implement this is to remove direct access to the VNA. An image will only be displayed by opening a record in the EPR, and from there, opening the linked media content in the VNA.

We can allow direct access to the VNA, but this will carry a cost in the shape of a number of access requests to the EPR. We see that there must be one-way references from the journal record to the image identifier in the VNA at least; preferably both ways (the image stores the ID of the document).

The conclusion to this article is that the when the VNA is used to store clinical objects, such as images, ECG, video, and so on, it effectively becomes an extension of the EPR.
This is analogous to the way RIS-PACS interact with each other.

Well, what if there are images/objects in the VNA that are not linked to any document in the EPR? This case is very unusual, but a fallback rule saying “doctors only access” would probably suffice to cover it.