5. Assume a system containing many providers, patients, and
records, in which write access to every record can be shared with any
given provider, given the consent of both the provider who created it
and the patient whom it is about, and perhaps can be shared in other
ways (against policy) as well. I will demonstrate that there will always be ways of sharing write
access which violate the policy.
Consider the beginning of a record’s lifespan. Initially, the
provider who creates a record is the only entity with write access to
the record. In order for another provider to gain write access to
that record, the two providers must be connected by a series of islands
and bridges, and perhaps some subjects along that path must take
certain actions to allow the sharing to take place. The path
falls into one of two cases:
- The patient whose record is being shared for writing is not required to take an action
in order to facilitate the sharing. This violates the requirement that the
patient must authorize such sharing.
- The patient whose record is being shared for writing is required to take an action
in order to facilitate sharing. This means that the patient can
gain write access to his own record (either through the original
authorized sharing, or by the new provider sharing write access back to
the patient without the original provider being involved), and will be
capable of sharing that write access with any healthcare provider whom
he is connected to by islands and bridges. There are two subcases:
  - The patient is connected to other
  providers by islands and bridges, and now may share write access to his
  record without the creator’s authorization. This violates the requirement that the
  original provider must authorize such sharing.
  - The patient is not connected to other
  providers by islands and bridges. By the original assumption, we
  know that the record’s creator is able to share write access with other
  providers, so if the patient has no island/bridge connection to
  additional providers, the sharing path to the additional providers must
  fall under the first case (above), which will cause a violation when the record’s creator
  shares write access with additional providers.
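
The first case and the first subcase of the second case can be checked mechanically on small graphs. The sketch below is an added example, not part of the original answer: the subject names and both graphs are constructed, and it models only the Take-Grant take and grant rules (no create or remove), so any write access it finds is also reachable in the full model.

```python
# Added illustration; subject names and graphs are constructed for this example.
# rights maps (holder, target) -> set of rights drawn from 't', 'g', 'w'.

def closure(rights, acting):
    """Apply take/grant to a fixpoint; only subjects in `acting` perform rules."""
    state = {edge: set(rs) for edge, rs in rights.items()}

    def held(h):  # every (target, right) pair currently held by h
        return [(z, r) for (s, z), rs in state.items() if s == h for r in rs]

    changed = True
    while changed:
        changed = False
        for (x, y), xy in list(state.items()):
            if x not in acting:
                continue
            new = []
            if "t" in xy:   # take: x copies any right y holds
                new += [((x, z), r) for z, r in held(y) if z != x]
            if "g" in xy:   # grant: x gives y any right x holds
                new += [((y, z), r) for z, r in held(x) if z != y]
            for edge, r in new:
                if r not in state.setdefault(edge, set()):
                    state[edge].add(r)
                    changed = True
    return state

def writers(state, record="record"):
    return {s for (s, z), rs in state.items() if z == record and "w" in rs}

# First case: the creator reaches provider2 on a path the patient is not on.
CASE1 = {("creator", "record"): {"w"}, ("creator", "provider2"): {"g"}}
# Second case, first subcase: the path runs through the patient, who is
# also connected to provider3.
CASE2 = {("creator", "record"): {"w"}, ("creator", "patient"): {"g"},
         ("patient", "provider2"): {"g"}, ("patient", "provider3"): {"g"}}

def case1_writers():
    # Only the creator acts; the patient never takes an action.
    return writers(closure(CASE1, acting={"creator"}))

def case2_writers():
    # The creator grants toward provider2 via the patient (authorized share),
    # then the patient acts alone with no further creator involvement.
    after_creator = closure(CASE2, acting={"creator"})
    return writers(closure(after_creator, acting={"patient"}))
```

In the first graph provider2 ends up with write access although the patient never acted; in the second, provider3 gains write access through the patient alone.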