Security of health care records in Belgium. Application in a University Hospital.

Access rules to electronic patient records (EPR) have been issued by the Belgian Council of Physicians. Access to identifiable data of the EPR is restricted to anyone responsible for diagnosis, treatment and continuity of care of the patient. By delegation, associated personnel, like secretaries, can also be authorised to have access. A new perspective is given by the availability in 2003 of a national identification card allowing electronic signature of patients. It could not only authorise but also forbid some accesses. A law in 2002 gives right to patients to access to their own record. Health personnel can also be identified by cards but the system is not yet implemented. In the meantime, local measures have been made. We describe practical solutions that have been taken as priorities in a University Hospital. It was felt more important to allow access to lifesaving EPR data than to restrict its access by too strictly theoretical rules. A pilot study (S3 project) is also in progress for interinstitutional communication in Belgium, using the unique identification number of the patient and a "third server".