Data security and protection in cross-institutional electronic patient records.

2003 
Abstract: This paper identifies the specific legal requirements for data security and data protection of patient health data that apply to a cross-institutional electronic patient record (EPR) and describes possible solutions for meeting these requirements. In Germany, the legal framework for such records provides that disclosure of patient health information to physicians of third-party institutions is allowed only when it is necessary for the joint treatment of the patient, i.e. when there is a "treatment connection". As a first step, the functionality of a remote-access architecture was proven, allowing a one-way connection between the EPR systems of two health institutions in Germany that jointly treat tumor patients. In addition, a signature system model for ensuring the integrity and authenticity of medical documents was developed and implemented in the existing information system architecture of the University Medical Center of Heidelberg. Especially in Germany, the legal framework for cross-institutional EPRs is very complex and has a considerable influence on the development and implementation of cross-institutional EPRs. However, introducing such a record is thought to be valuable, since a cross-institutional EPR will improve communication within shared care processes, and thus improve the quality of patient care.