Evaluating access control of open source electronic health record systems

Abstract

Incentives and penalties for healthcare providers as laid out in the American Recovery and Reinvestment Act of 2009 have caused tremendous growth in the development and installation of electronic health record (EHR) systems in the US. For the benefit of protecting patient privacy, regulations and certification criteria related to EHR systems stipulate the use of access control of protected health information. The goal of this research is to guide development teams, regulators, and certification bodies by assessing the state of the practice in EHR access control. In this paper, we present a compilation of 25 criteria relative to access control in EHR systems found in the Health Insurance Portability and Accountability Act (HIPAA) regulation, meaningful use certification criteria, best practices embodied in the National Institute for Standards and Technology (NIST) role-based access control standard, and other best practices found in the literature. We then examine the state of the practice in access control by evaluating four open source EHR systems using these 25 evaluation criteria. Our research indicates that the NIST Meaningful Use criteria provide HIPAA compliance, but none of the regulatory and certification criteria address the implementation standards, and best practices related to access control. Additionally, our results indicate that open source EHR system designers are not implementing robust access control mechanisms for the adequate protection of patient data.