By ` personal health information', or equivalently ` identifiable clinical information', we mean information that concerns a person's health, medical history or medical treatment (whether past or future) in a form that enables the person to be identified by a person other than the treating clinician [RAC+93].
By a ` clinician', or equivalently ` clinical professional' or ` healthcare professional', we mean a licensed professional such as a doctor, nurse, dentist, physiotherapist or pharmacist, who has access in the line of duty to personal health information and is bound by a professional obligation of confidentiality. We include doctors working in public health, even though they may not technically be clinicians.
The reader may consult the Access to Health Records Act of 1990 for a legal definition of `healthcare professional', but should be aware that it is controversial: there is debate about whether psychotherapists, telephone advice line staff, practitioners of complementary medicine and social workers should be brought inside the trust boundary. However the boundary has to be somewhere, and its precise location has little effect on our policy. Social workers, students, charity workers and receptionists may of course access personal health information under the supervision of a healthcare professional; but the professional remains responsible for their conduct. To keep things simple, we do not include such delegation in our security policy; but at the level of detailed design, it is wise for system builders to support delegation in intelligent ways.
Our use of ` patient' will be a shorthand for `the individual concerned or the individual's representative', in the sense of the draft BMA bill [BMA95]. In most cases this is the actual patient; but where the patient is a young child, it may be a parent or guardian who acts on his behalf. There are rules for patients who are unconscious or who have died, and even more complex rules for patients who are mentally incapacitated. The rules may depend on the previously expressed wishes of the patient, and they vary from one part of the UK to another [Som93]. We shall not discuss this area further.
For economy of expression, we will assume that the clinician is female and the patient male. The feminist versus grammarian issue is traditionally solved in the computer security literature by assigning definite gender roles, with the females being at least as high status as the males. Our choice is not meant to assert that the clinician has higher status than the patient in the therapeutic partnership between them.
By a ` system' we generally mean the totality of hardware, software, communications and manual procedures which make up a connected information processing system. We are not concerned whether a system is made up of a single large mainframe with thousands of terminals, of thousands of PCs linked by a suite of protocols and distributed applications, or even from thousands of clerks moving pieces of paper around. We are only concerned with the net effect of the information processing; this is also the sense of the recent EU directive on data protection [EU95].
It should be clear from the context whether we are talking about the totality of interconnected clinical systems, or the subsystem which serves the needs of a particular individual or care team.