Use of a Web-based process model to implement security and data protection as an integral component of clinical information management.

Delivery of health care at Scott and White, a large integrated health care delivery system, is supported by an Electronic Medical Record (EMR) system repository of six million SGML-based documents. Control of document access is currently based on standard commercial security and confidentiality methodologies. Given the planned release in Fall 1999 of new federal security and confidentiality requirements, we have developed a web-based security process model that "wraps" existing EMR documents with HTML-compliant security attributes. Resulting logical documents are filtered regarding user queries by mapping the security attributes of the data to specific user role characteristics. A key virtue of our approach is that source EMR data do not undergo alteration by the imposition of the security process. It also places no additional work load or query pressure on the existing EMR system.