Updated January 2022.
How do you make sure only the right personnel can see the medical media content stored in a VNA (Vendor Neutral Archive) – being sure that the access policies are adhered to, without devoting enormous resources to the task?
The answer is simple, but likely to prove unpopular.
Consider first the EPR (EPJ). There are two checkpoints to clear before a document is displayed to any employee with legitimate access to the EPR:
1) Does the employee have a current care relation with the patient (that the document describes)?
2) if yes, does the employee’s access profile include the category of the document in question?
The 2nd step is also crucial. As an example, a physiotherapist can read documents related to the work they carry out, but not the psychiatrist’s assessment, nor other clinical documents. Now, assume an image is added to the VNA relating to an aspect of the patient that’s outside of the legitimate needs of the physiotherapist How do we make sure the image is hidden from the physio? A modern teaching hospital has about 40 different professions, and maybe 100 document categories linked to the professions by access profiles.
To give you an idea of an access rule:
A SOMATIC NURSE has:
READ access to SOMATIC and PSYCHIATRIC documents created by NURSES
WRITE access to somatic NURSE DOCUMENTS .
There are many more documents the NURSE can read, and even more the NURSE cannot create or edit.
So far so good within the EPR.
We will now add the VNA to the mix. An image is added to the VNA in the patient’s folder. It is created within a clinical context (and encounter) with a purpose; generally the equipment that is used to capture the image receives some data from the EPR (metadata), and the metadata are stored with the image in the VNA (analogous to RIS/PACS workflow). As an example, an image shows “a bruise related to a fracture” caused by violence. The image is described in a journal record in the EPR which also includes remarks about a radiology report. We have a photo, an x-ray, and a document.
The question now arises: who should be able to see this image? First of all, the care relationship must be present. There is only one system that can determine if it is indeed present, and that is the EPR: so, we need to ask the EPR: does employee X have a current care relationship with patient Y? If the answer is yes, the patient folder in the VNA can be displayed. But will the VNA reveal all images about the patient to our employee X? No, it cannot, for the same reason as we have discussed above: access if filtered by profession.
The figure below shows how this may be solved – the employee has a professional role attached to an access profile. The access profile includes document category 2, and so our Employee can see document Y, which is in this category. The document describes / is linked to an image, and thus the image must also be available to our employee.
In the figure below, the acces control is independent of the EPR once the document category has been assigned to the image: the image belongs to a category which it should inherit from the EPR. We can now establish access control outside the VNA, and the VNA must store the category that the image belongs to. The Access control function maintains a table of roles and access profiles, and thus is able to determine if a given employee should see a given image once it knows the category the image belongs to.
How is the category linked to the image? Potentially through the work process. When a clinician describes an image and creates a record in the EPR, the record and the image are linked and metadata exchanged.
The conclusion is that the when the VNA is used to store clinical objects, such as images, ECG, video, and so on, it effectively becomes an extension of the EPR, and must use the same logical mechanism as the EPR to control access to content.
This is analogous to the way RIS-PACS interact with each other.