Like many, we are trying to automate the release of some records to patients and parents/legal guardians. Unfortunately, MEDITECH (and every other vendor I know) does a poor job of tracking who has legal access to records. There is no way to set up an electronic linkage to say one person (identified by a key field) has legal access to another person’s records.
Even if that existed, it really is not granular enough to manage the complexities of HIPAA and other privacy laws. For example, in Wisconsin, children 12 and older have additional rights relating to behavioral health, reproductive health and HIV status. All of this is tracked manually because there is no way to manage this with the systems we have.
Ideally a system would allow a child’s record to be linked to legal guardians. Also, there would be the capability to create additional linkages to support a person’s legal right to provide access to their spouse.
As we make health information available to people over the web, parents will also want to see their children’s records. Unfortunately, we don’t have a systemized way of identifying their children. We know which babies were born to which mothers, but even that falls short since the child could have gone to an adoptive home.
Of course, the computer system changes to link patients with legal guardians would need to be followed by process changes in the registration and medical records areas.
Hi Will, I have enjoyed your insights. You have one of the best/honest healthcare IT blogs I have seen.
I wanted to tell you about the open source project . It is a robust and open implementation of access control that allows for the fine grain access control that you are looking for. It can handle individual user to record limitations, while normally allowing you to think in terms of classes. For instance, if Jane is a patient at the hospital and her step-mother works there, the step-mother can be denied access to only Jane’s record, without affecting her other access rights. However, your example would fit nicely into the class system. For instance, if you generically list “parents” as a class of information accessors, and then over-12-year-olds as a resource, you can limit the access to sexuality related EHR data.
You might be interested to read the Star Wars example from the manual (introduction) which does a good job of summarizing the potential complexities of access control.
ClearHealth, which is the open source EHR project that I work on, uses PHPGacl. And I think FreeMED and OpenEMR do too. I am not sure what the VistA access control looks like.
Generally access control is one of those issues that is best handled by transparency. Which is best enabled by open source applications. One of the reasons why the software that you mention is not very good is because of the license restrictions regarding its source code. On ClearHealth if you disliked the way access control is handled, you could improve it yourself. This is an issue that I will explore more fully sometime on http://www.gplmedicine.org
Regards,
Fred Trotter
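The model described in the comment above (class-level grants with a per-record deny), combined with the guardian and spouse links the post asks for, as an added example. It is not phpGACL, ClearHealth or MEDITECH code; every name, the sample patients and the simplified age-12 rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Categories the post lists as carrying extra rights for minors 12 and older.
SENSITIVE = {"behavioral_health", "reproductive_health", "hiv_status"}
MINOR_CONSENT_AGE = 12  # simplified from the post; real rules vary by jurisdiction

@dataclass
class Patient:
    pid: str
    born: date
    guardians: set = field(default_factory=set)  # linked legal guardians
    delegates: set = field(default_factory=set)  # e.g. a spouse the patient authorised

@dataclass
class Policy:
    staff: set = field(default_factory=set)  # class-level grant
    deny: set = field(default_factory=set)   # (user, patient id) overrides

    def decide(self, user, patient, category, today):
        """Return (allowed, reason). Explicit deny wins; the default is deny."""
        if (user, patient.pid) in self.deny:
            return False, "explicit deny for this user/record pair"
        if user == patient.pid:
            return True, "own record"
        if user in self.staff:
            return True, "staff class"
        if user in patient.delegates:
            return True, "patient-authorised delegate"
        if user in patient.guardians:
            if age_on(patient.born, today) >= MINOR_CONSENT_AGE and category in SENSITIVE:
                return False, "minor controls release of this category"
            return True, "legal guardian"
        return False, "no relationship on file"

def age_on(born, today):
    """Whole years between two dates."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

# Constructed sample data: Jane is 13, Tim is 8, the step-mother is staff.
TODAY = date(2023, 6, 1)
JANE = Patient("jane", date(2010, 3, 1), guardians={"dad"})
TIM = Patient("tim", date(2015, 1, 1), guardians={"dad"})
ANN = Patient("ann", date(1980, 5, 5), delegates={"bob"})
POLICY = Policy(staff={"stepmom"}, deny={("stepmom", "jane")})

if __name__ == "__main__":
    for user, pt, cat in [("stepmom", JANE, "labs"), ("stepmom", TIM, "labs"),
                          ("dad", JANE, "hiv_status"), ("dad", TIM, "behavioral_health"),
                          ("bob", ANN, "labs")]:
        print(user, pt.pid, cat, POLICY.decide(user, pt, cat, TODAY))
```

Returning the reason with each decision gives the registration and medical records staff something to audit when a request is refused.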
Will, if you’re interested in EMRs and PHRs, check out the following article at IBM’s HealthNex blog:
http://healthnex.typepad.com/web_log/2005/11/the_red_cross_s.html
Spouses (with permission) should be able to access their spouse’s medical file. The Veteran’s Administration will not even speak to me in reference to making appt. for my spouse. I am not asking for his medical history; I am trying to arrange the necessary (deemed so by them) exams. Nothing more.
Is there any way at all I can get around this? I have a POA, but they refused it based on the Privacy Act.
As to dependent underage children. If they are my responsibility then I should be able to access their records. Why is a doctor able to decide when my child is able to make medical decisions for themselves? They can’t have a medical procedure done without my permission.