We next must ensure that all record accesses (whether reads, appends or deletions) are correctly attributable.
Principle 6: All accesses to clinical records shall be marked on the record with the subject's name, as well as the date and time. An audit trail must also be kept of all deletions.
Systems developed under the present requirements for accreditation will typically record all write accesses; even if material is removed from the main record, there is an audit trail which enables the state of the record as it was at any time to be reconstructed and all changes to be attributed [RFA93]. If implemented properly, this will have an equivalent effect to restricting write access to append-only and marking all append operations with the clinician's name. The new requirements are that read accesses be logged, so that breaches of confidence can be traced and punished; and that deletions be logged so that the deliberate destruction of incriminating material can be attributed.
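The logging behaviour described above, as an added example that is not part of the original text or of any accredited system: reads, appends and deletions each go into an append-only trail, from which the record at any past time can be rebuilt and each action attributed. The class, its method names and the sample data are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime

# One audit-trail entry: who did what, when, and to which record entry.
Event = namedtuple("Event", "when who action entry_id text", defaults=(None, None))

class ClinicalRecord:
    """Hypothetical record whose only stored state is an append-only trail."""
    def __init__(self):
        self._trail = []   # events are only ever added, never edited or removed

    def append(self, who, when, text):
        entry_id = sum(e.action == "append" for e in self._trail) + 1
        self._trail.append(Event(when, who, "append", entry_id, text))
        return entry_id

    def delete(self, who, when, entry_id):
        if entry_id not in self.state_at(when):
            raise KeyError(f"entry {entry_id} is not in the record")
        # The entry leaves the main record; its append event stays in the trail.
        self._trail.append(Event(when, who, "delete", entry_id))

    def read(self, who, when):
        self._trail.append(Event(when, who, "read"))   # read accesses are logged too
        return self.state_at(when)

    def state_at(self, when):
        """Rebuild the main record as it stood at time `when`."""
        state = {}
        for e in self._trail:
            if e.when <= when and e.action == "append":
                state[e.entry_id] = e.text
            elif e.when <= when and e.action == "delete":
                state.pop(e.entry_id, None)
        return state

    def attributed(self, action):
        """Who performed `action`, when, and on which entry (None for reads)."""
        return [(e.who, e.when, e.entry_id) for e in self._trail if e.action == action]

# Constructed sample data: names, times and entries are invented.
def demo():
    t = lambda hour: datetime(1996, 1, 10, hour)
    rec = ClinicalRecord()
    first = rec.append("Dr Jones", t(9), "BP 150/95")
    rec.append("Dr Jones", t(10), "Prescribed atenolol")
    rec.read("Nurse Smith", t(11))
    rec.delete("Dr Brown", t(12), first)
    return rec, t
```

After `demo()`, `state_at` for 11:00 still shows the entry that was deleted at 12:00, and `attributed("delete")` names who removed it.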
Some applications have particularly stringent attribution requirements. For example, a 'Do-Not-Resuscitate' notice on the record of a patient in hospital must be signed by the consultant in charge, and also requires consent if the patient is competent to give it [Som93]. When such life-critical functions are automated, the mechanisms, including those for supporting attribution, must be engineered with the same care and to the same standards that are expected in life support systems.
There are also attribution requirements that are rarely invoked. For example, with only a few exceptions, patients have read access to all their records and may append objections if they have any. These requests are rare, and so they are typically supported with manual mechanisms. A common procedure is for the clinician to print out any records to which access is requested, and in the event of objections to enter the patient's comment and hand him a copy of the updated record for confirmation. We have no objection to these procedures. We do not insist that security be all in software; we are concerned with the net effect of all processing, both automated and manual.