Next: Security Architecture Options
Up: Security Policy
Previous: The Trusted Computing
As noted above, most clinical information systems mirror clinical practice in
that each care team has a record keeping system, and information flows between
them in the form of summaries (referral letters, discharge letters, opinions,
test results and so on). The whole record may be copied to another team if the
patient is transferred, but otherwise the records are clinician-based rather
than patient-based, and only summary information flows between them.
As mentioned above, there has been interest recently in a different model, the
`unified electronic patient record', which accumulates all the clinical notes
and data in a patient's lifetime [MRI94]. But securing a unified record is
complicated, for a number of reasons:
- if the records are held by the patient on an optical card or diskette,
then how will we recover from lost records? But if the records (or backups) are
held on a central database, then how would aggregation be controlled?
- birth records contain the mother's personal health information as well.
Surely the patient will not obtain unrestricted access to them?
- how would one deal with large files such as CAT scans and the records of
long chronic illnesses?
- how would clinicians be guaranteed access to former patients' records to
evaluate the care they gave and to defend themselves from lawsuits?
- suppose that I walk into a hospital and claim that my demons are
particularly troublesome. When asked my name I reply `John Major'. May the
psychiatrist access the prime minister's record and append a diagnosis of
schizophrenia? In other words, does a patient-based record force us to
authenticate patients much more carefully, and if so, what are the implications
for emergency care, for patients who wish to be treated anonymously (such as
fourteen-year-old girls seeking post-coital contraception), and indeed for
civil liberties?
- if a patient receives treatment in prison, then this fact may not be
recorded elsewhere once his conviction has expired under the applicable
rehabilitation rules. So prison records cannot realistically be held elsewhere,
and neither can highly sensitive records restricted to a single clinician. What
then is the gain of a centralised system if local records must still exist?
- a lifetime record would promote data retention because of the accretion
of links between episodes, and make sensitive records (or markers indicating
their absence) visible to the hundreds of health care staff who would get
access at some time in the patient's life. How could these vulnerabilities be
controlled without expensive manual editing?
The above list is by no means exhaustive. For a discussion of the security
complexities of patient-based record systems, see Griew and Currell [GC95]. As
their paper makes clear, the use of unified electronic patient records would
force us to add quite a few principles to our list.
There are also trials with hybrid systems. Rather than putting all a patient's
health information in a single file, one might have a central summary
containing pointers to detailed files kept in clinicians' systems. There are
currently at least two UK hospitals doing trials of systems based on this
model, both of which apparently allow all users to access all records; but even
with proper access control, one might ask what is wrong with the traditional GP
record. Although `doctor-based', it is the closest we have to a lifelong
patient record.
In any case, the onus is on proposers of `patient-based' record systems to
provide a clear statement of the expected health gains and analyse the threats,
the cost of added countermeasures and the likely effects of the residual risk.
Ross Anderson
Fri Jan 12 10:49:45 GMT 1996