Post by Mariet NouriJanian, Eleonora Ciceri, Paola Aurucci and Andrea Micheletti.

An Electronic Health Record (henceforth, EHR) is a collection of health information about a patient, stored in a digital format. Electronic records in an EHR are easily transferred between different health care settings, and include information from several sources (demographics, performed exams, medical history, vital signs, etc.). This is a huge advantage with respect to paper-based solutions, since it eliminates the need to track down the clinical history of a patient manually, and ensures that data are accurate.

The European Commission, with the enacting of Directive 2011/24/EU, wants to allow all Europeans to have access to online medical records by 2020, dictating a series of patients’ rights when data are exchanged cross-border (Kierkegaard, 2011). These rights are directly linked to the ones traced by the new European regulation on data protection, i.e., the General Data Protection Regulation (henceforth, GDPR). GDPR introduces a series of rights for data subjects, that is, identifiable natural persons from whom or about whom information can be collected. These rights need to be respected by two additional figures, i.e., data controllers (who decide the purpose and manner in which data are processed) and data processors (who process the data on behalf of the data controller). As an example, a data controller could be a company that sells widgets to consumers (i.e., the data subjects), and the related data processor could be a second company that sends emails to consumers on behalf of the data controller.

The use of EHR brings its own benefits. First of all, the usage of EHR improves the overall efficiency by 6% per year with respect to paper-based solutions, removing the costs of unnecessary (redundant) tests or admissions (Dwight C. Evans, 2006). Moreover, handwritten documents are often difficult to read, which could lead to medical errors due to the misinterpretation of reports written by other clinicians (Donaldson, 2000). Finally, the production of electronic documents to be inserted in EHRs could help clinicians in creating standardized documents with a known format and structured content (Keke Gai, 2015).

However, sharing data across several countries and several care delivery organizations in digital form (i.e., via EHR) poses a great risk to patients’ privacy. Indeed, data need to be kept confidential and accessible only by those clinicians and organizations who are authorized (for clinical or research reasons) to operate on patients’ data. When security measures are not adopted, data safety is breached and patients’ privacy is damaged. This is highly risky for patients, since health data alone are very sensitive and valuable. Indeed, while with other types of data (e.g., financial ones) countermeasures can be taken to address potential attacks (e.g., by blocking credit cards), health data can be neither revoked nor blocked. Moreover, EHR implementation across health care systems and providers is still highly heterogeneous, and the privacy concerns it raises are not exactly aligned with the ones that organizations have when EHR is not adopted.

Furthermore, the usage of a system that disperses information and doesn’t allow physicians to consistently access knowledge about patients’ status may threaten patients’ physical safety. Indeed, when doctors do not have all the information at hand, some considerations and useful insights about a patient’s health can be overlooked, and inappropriate treatment can follow.

In the following, we consider how to treat patient’s privacy safety and patient’s physical safety in the context of EHR.

Patient’s privacy safety

The recent introduction of GDPR enforces a scrupulous sharing of data that prevents data subjects’ rights to be infringed.

However, the necessity of merging information coming from several sources puts patients’ data protection at risk, as information is scattered across several (potentially untrusted) locations.

Here, privacy-preserving technologies play a significant role. These technologies are used to mask data and ensure their safety whenever the security of the system is breached and data are exposed to attacks.

Anonymization vs. pseudonymization

Current EU law sets a high bar for what data can be considered fully anonymous. The new General Data Protection Regulation 2016/679 (hereinafter “GDPR”), which repeals Directive 95/46/EC and comes into effect in May 2018, appears to retain a high bar for anonymity, but also creates the foundation for a more nuanced and flexible approach. In either case, personal data that meet the “anonymity bar” or, to be more precise, as stated in Recital 26, personal data “that are rendered anonymous in such a manner that the data subject is not or no longer identifiable” are no longer subject to data protection law. GDPR, however, contains new provisions that recognize differing intermediate levels of de-identification. Several provisions include an explicit recognition of pseudonymization as a method of reducing risk. Article 4(5) of GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

When pseudonymization is put in place, unique identifiers (i.e., the fields in a patient’s record that are used to uniquely identify him in a population of patients) are removed, while quasi-identifiers (i.e., the fields that alone do not help in recognizing a patient, but that, if merged with other quasi-identifiers, generate a unique identifier) are maintained. When anonymization is put in place, instead, both identifiers and quasi-identifiers are removed, enabling the sharing of data with untrusted domains without the danger of patient re-identification.
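The distinction above is easiest to see on data. The following Python script is an added example, not code from the post or from the DITAS project: it applies both treatments to a small set of constructed patient records and measures, for each result, the smallest group of records that share the same quasi-identifier values (k-anonymity). The pseudonymization function replaces direct identifiers with a keyed HMAC pseudonym and returns the mapping table separately, mirroring the Article 4(5) requirement that the “additional information” be kept apart from the data; the choice of HMAC, the field names and the sample values are assumptions of this example. The anonymization function goes slightly beyond the text: rather than dropping quasi-identifiers outright, it coarsens them (birth year to decade, postcode to district) and refuses to release the result unless the requested k is reached.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people; the national_id values are
# made-up strings in the shape of an Italian fiscal code).
PATIENTS = [
    {"name": "Anna Rossi", "national_id": "RSSNNA80A41F205X",
     "birth_year": 1980, "postcode": "20121", "sex": "F", "diagnosis": "asthma"},
    {"name": "Bruno Bianchi", "national_id": "BNCBRN82M10F205Y",
     "birth_year": 1982, "postcode": "20124", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Carla Verdi", "national_id": "VRDCRL85E55F205Z",
     "birth_year": 1985, "postcode": "20129", "sex": "F", "diagnosis": "hypertension"},
    {"name": "Dario Neri", "national_id": "NRADRA88C01F205W",
     "birth_year": 1988, "postcode": "20122", "sex": "M", "diagnosis": "asthma"},
]

# Field classification assumed for this example.
IDENTIFIERS = ("name", "national_id")          # single fields that identify a patient
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")  # identifying only in combination


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing one quasi-identifier combination.
    k == 1 means at least one patient is singled out by the retained fields alone."""
    groups = Counter(tuple(r.get(q) for q in quasi) for r in records)
    return min(groups.values())


def pseudonymize(records, secret_key: bytes):
    """Remove direct identifiers, keep quasi-identifiers.

    Each patient gets a deterministic pseudonym derived with HMAC-SHA256 from the
    national id under a secret key, so records about the same patient coming from
    different sources still link together. Returns (pseudonymized records, lookup
    table); the table and the key are the 'additional information' of Art. 4(5)
    and must be stored separately from the released records."""
    released, lookup = [], {}
    for r in records:
        digest = hmac.new(secret_key, r["national_id"].encode(), hashlib.sha256)
        pseudonym = digest.hexdigest()[:16]
        lookup[pseudonym] = {k: r[k] for k in IDENTIFIERS}
        released.append({"pseudonym": pseudonym,
                         **{k: v for k, v in r.items() if k not in IDENTIFIERS}})
    return released, lookup


def reidentify(lookup, pseudonym):
    """Authorized reversal: only possible with the separately held table."""
    return lookup[pseudonym]


def anonymize(records, k=2):
    """Remove direct identifiers and coarsen quasi-identifiers, then verify that
    every remaining combination is shared by at least k records."""
    released = []
    for r in records:
        released.append({
            "birth_year": f"{r['birth_year'] // 10 * 10}s",  # 1985 -> '1980s'
            "postcode": r["postcode"][:3] + "**",             # '20121' -> '201**'
            "sex": r["sex"],
            "diagnosis": r["diagnosis"],
        })
    actual = k_anonymity(released)
    if actual < k:
        raise ValueError(f"release refused: only {actual}-anonymous, {k} required")
    return released


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a managed secret, not a literal
    pseud, table = pseudonymize(PATIENTS, key)
    print("pseudonymized k =", k_anonymity(pseud))   # 1: still singled out
    print("anonymized    k =", k_anonymity(anonymize(PATIENTS)))  # 2
    print("reversal with table:", reidentify(table, pseud[0]["pseudonym"]))
```

Running it shows why the post treats the two as different risk levels: the pseudonymized set keeps every patient in a group of size 1, so anyone who holds another dataset with birth year, postcode and sex can link records back to people even without the lookup table, whereas the coarsened set yields groups of at least two. Raising k further (e.g. to 3 on this tiny sample) makes anonymize raise an error, which is the intended behaviour: data that cannot meet the target should not be shared with an untrusted domain.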

Patient’s physical safety

According to works in the state of the art (Sittig, 2012), data controllers (e.g., health organizations and institutions) and data processors need to align activities aimed at preserving patients’ privacy with the ones required to support a safe EHR-enabled health care system. Specifically, this is done by achieving a set of EHR-specific safety goals to improve organizational infrastructure, processes, and culture to adapt to new technology.

These goals are as follows:

  1. Address safety concerns unique to EHR technology, by adopting countermeasures when devices fail (and the information becomes unavailable) (Dittrich, 2012), and verifying that the merge of information coming from different sources is correctly performed (Hamblin, 2010);
  2. Mitigate safety concerns arising from failure to use EHRs appropriately, by avoiding the dispersion of information in multiple locations, and monitoring human errors due to the lack of knowledge of the new technology;
  3. Use EHRs to monitor and improve patients’ safety, by detecting, e.g., errors of commission related to preventable adverse drug events (Nwulu, 2013), postoperative complications (Griffin, 2008) and misidentification of patients (Adelman, 2012).

Let us now focus on the aforementioned second goal. There are three points to be considered.

First, assuming that EHRs are used appropriately, certain patient harms can be prevented. Indeed, when information is dispersed, clinicians may overlook some of it (since they do not know how to retrieve it), thus causing a disruption in the provided treatment (Singh, 2009). On the other hand, when the information is centralized and the transfer of information between providers is standardized:

  1. It is easier to track the actual status of the patient and his treatment;
  2. Care providers can be promptly notified when test results are abnormal.

Second, the more complex the system is, the more human errors and cognitive constraints arise (Koppel, 2005). Indeed, users often resist technology changes, specifically in non-IT sectors (e.g., the health one), and when faced with new systems, they try to use them without being truly confident with them. Since EHR can be used to support doctors’ decisions (by embedding clinical decision support systems in it), a lack of confidence with the tool can lead to human errors, which result in inappropriate treatment for patients. Therefore, it is necessary that those decision support systems are evaluated periodically. For instance, one could decide to integrate with them a mechanism for monitoring clinicians’ fatigue, so that important information is not inadvertently ignored.

Third, to maximize safety it is necessary to give critical data a specific structure (Wright, 2007). The presence of unstructured data prevents clinicians from providing the patient with meaningful feedback or interpretation, because information stays hidden in unstructured text and is not reported back when clinicians look for it.

Enhancing patient safety and quality of care by improving the usability of EHR systems (Middleton, 2013)

EHR systems have recently been introduced in the hospital environment as a new tool to collect patients’ information. Still, clinicians are usually not inclined to adopt new technology-oriented solutions; they are quite conservative and tend to stick with the systems they are confident with.

Thus, when introducing new systems like the ones used to consult EHRs, it becomes important to make them easy to use.

Usability studies on EHRs have to take into account the “effectiveness, efficiency, and satisfaction” of clinicians using those systems. Indeed, a high-usability system ensures that the clinical goals pursued by clinicians are easy to achieve. Usually, in this field, a high-usability system is one with a well-designed user interface.

Specifically, the design of the user interface can influence the productivity of healthcare providers: if the UI is well designed, their work will be sped up, but if it is not, it will become time consuming and introduce human errors. Moreover, the lack of standard user interfaces (deriving from the fact that every piece of software is different) sometimes creates confusion for physicians and has dangerous effects on patients’ safety.

Role of DITAS

DITAS will make it possible to mask several sources of information, located in several places, behind a single interface for the exchange of knowledge between several hospitals and research centers.

This permits consistent access to a patient’s health record, as if the EHR drew data from a single source of information, making it possible to retrieve all the information needed to perform a diagnosis and formulate a prognosis.

  • Adelman, J. S. (2012). Understanding and preventing wrong-patient electronic orders: a randomized controlled trial. Journal of the American Medical Informatics Association, 305-310.
  • Dittrich, D., & Kenneally, E. (2012). The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security.
  • Donaldson, M. S. (2000). To err is human: building a safer health system. National Academies Press, Vol. 6.
  • Dwight C. Evans, W. P. (2006). Effect of the implementation of an enterprise-wide Electronic Health Record on productivity in the Veterans Health Administration. Health Economics, Policy and Law, 163-169.
  • Griffin, F. A. (2008). Detection of adverse events in surgical patients using the Trigger Tool approach. BMJ Quality & Safety, 253-258.
  • Hamblin, J. F. (2010). Pathology results in the electronic health record. Electronic Journal of Health Informatics, 15.
  • Keke Gai, M. Q.-C. (2015). Electronic Health Record Error Prevention Approach Using Ontology in Big Data. IEEE 17th International Conference on High Performance Computing and Communications, 752-757.
  • Kierkegaard, P. (2011). Electronic health record: Wiring Europe’s healthcare. Computer Law & Security Review, 503-515.
  • Koppel, R. M. (2005). Role of computerized physician order entry systems in facilitating medication errors. Jama, 1197-1203.
  • Middleton, B. B. (2013). Enhancing patient safety and quality of care by improving the usability of electronic health record systems: recommendations from AMIA. Journal of the American Medical Informatics Association, e2-e8.
  • Nwulu, U. N. (2013). Improvement in the detection of adverse drug events by the use of electronic health and prescription records: an evaluation of two trigger tools. European Journal of Clinical Pharmacology, 255-259.
  • Singh, H. W. (2009). Improving follow-up of abnormal cancer screens using electronic health records: trust but verify test result communication. BMC medical informatics and decision making, 49.
  • Sittig, D. F. (2012). Electronic health records and national patient-safety goals. The New England Journal of Medicine, 1854-1860.
  • Wright, A. G. (2007). A description and functional taxonomy of rule-based decision support content at a large integrated delivery network. Journal of the American Medical Informatics Association, 489-496.