Apart from the patient himself, only clinicians may have access to personal health information. The reasons for placing the trust perimeter at the professional boundary are both traditional and practical: the clinical professions do not consider the mechanisms of the civil and criminal law to give adequate protection. If a doctor gave a record to a social worker who then passed it to a third party without consent --- or merely kept it in an insecure local council computer system which was hacked --- then the doctor could still be liable, and might have no recourse.
In effect, only clinicians are trusted to enforce the principle of informed consent, and control of any identifiable clinical record must lie with the individual clinician who is responsible. This might be a patient's GP, or the consultant in charge of a hospital department.
Principle 3: One of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it.
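The principle can be modelled as a small reference monitor. The following is an added example, not code from the paper or from any NHS system; the role names, the set of roles treated as health care professionals, and the patient-read rule from the opening paragraph are assumptions made for illustration.

```python
# Added example (not from the paper): a minimal model of Principle 3.
# A record's access control list holds clinicians; exactly one is marked
# responsible. Only she may alter the list, and she may only add other
# health care professionals. Roles and names are constructed assumptions.
from dataclasses import dataclass, field

# Roles the model treats as health care professionals (assumed set).
HEALTH_CARE_PROFESSIONALS = {"gp", "consultant", "nurse"}


class PolicyViolation(Exception):
    """Raised when an operation would breach the access control policy."""


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # e.g. "gp", "nurse", "administrator", "social_worker"


@dataclass
class ClinicalRecord:
    patient: str
    responsible: Principal
    acl: set = field(default_factory=set)

    def __post_init__(self):
        # The responsible clinician must herself be a health care
        # professional, and is always on the list she controls.
        if self.responsible.role not in HEALTH_CARE_PROFESSIONALS:
            raise PolicyViolation("responsible clinician must be a health care professional")
        self.acl.add(self.responsible.name)

    def add_to_acl(self, actor: Principal, new_member: Principal) -> None:
        # Only the responsible clinician may alter the list ...
        if actor != self.responsible:
            raise PolicyViolation(f"{actor.name} is not the responsible clinician")
        # ... and she may only add other health care professionals.
        if new_member.role not in HEALTH_CARE_PROFESSIONALS:
            raise PolicyViolation(f"{new_member.name} ({new_member.role}) is not a health care professional")
        self.acl.add(new_member.name)

    def remove_from_acl(self, actor: Principal, member: Principal) -> None:
        if actor != self.responsible:
            raise PolicyViolation(f"{actor.name} is not the responsible clinician")
        if member == self.responsible:
            raise PolicyViolation("the responsible clinician cannot remove herself")
        self.acl.discard(member.name)

    def can_read(self, who: Principal) -> bool:
        # Apart from the patient, only those on the list may read the record.
        return who.name == self.patient or who.name in self.acl
```

An administrator or social worker is refused both as a reader and as an addition to the list, whichever clinician attempts it; an audit log of refused operations would be the natural next component.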
Where access has been granted to administrators, as in the USA, the result has been abuse. In the UK, the tension between clinical confidentiality and administrative `need-to-know' has been assuaged by regulations that purchasing organisations must have `safe-havens' --- protected spaces under the control of an independent clinician --- to which copies of records may be sent if there is an administrative dispute [NHS92]. Administrative systems that might handle personal health information must support safe-haven procedures; for example, the clinical parts of patient records might be encrypted in such a way that only the clinician in charge of the safe-haven could decrypt them. Such systems must also abide by the Joint Computer Group guidelines mentioned above [JCG88].
When information is sought by, and may lawfully be provided to, a third party such as a social worker, a lawyer, a police or security service officer, an insurance company or an employer, then the information must be provided on paper. This reflects current practice: in the community care scenario mentioned above, records shared between doctors, nurses and social workers were kept on paper rather than on a database because of security concerns.
It should also be borne in mind that computer records are not usable as evidence unless they come with a paper certificate signed by the system owner or operator; direct electronic access is of little evidential value, and a signed statement on paper can best satisfy a bona fide requirement for evidence.