Who should access electronic patient records

Access control to Electronic Patient Records (EPR) may greatly depend on users’ objectives and needs. The purpose of this study is to assess the opinions of medical doctors within a university hospital towards access control to an EPR. We selected a randomized sample of 58 doctors from a university hospital and 45 structured interviews were applied. 42 respondents (93%) agree with the existence of access control levels to patient information according to healthcare professionals’ category and 31 (69%) think that more sensitive information (e.g. HIV) should be accessed only by doctors that treat those patients. As 24 doctors (53%) feel that there is no need for them to see all information about all the patients, 41 (91%) think that nurses should not be able to do it also. Further, 31 doctors (69%) believe that patients themselves should not access their full medical record. These results show that it is very hard to get to a consensual policy regarding access control to EPR by its regular users. There is therefore the need for a multidisciplinary agreement that can include healthcare professionals’ experiences and needs in order to define the most appropriate and efficient way to perform access control to the EPR.