Conference article

Access Control for Electronic Health Records. A Delphi study of current challenges and highlighting of potential improvements

Rune Hystad
Department of Health and Nursing Science, University of Agder, Norway

Rune Fensli
Center for eHealth and Health Care Technology, Department of ICT, University of Agder, Norway

Download article

Published in: Scandinavian Conference on Health Informatics; August 22; 2014; Grimstad; Norway

Linköping Electronic Conference Proceedings 102:6, p. 37-44

Show more +

Published: 2014-08-20

ISBN: 978-91-7519-241-3

ISSN: 1650-3686 (print), 1650-3740 (online)


Access control is an essential function in electronic health records (EHR) to maintain the duality between patient safety and patient privacy by ensuring that authorized personnel are allowed access to health records. In the Norwegian secondary care; access control in EHR must be given on the basis of decisions about health care; so called decision based access. There is however no empirical data on experiences with the use and setup of decision based access. A Delphi survey was therefore undertaken to identify what end users and system administrators consider to be important challenges; and ways to improve the access control. The survey shows that challenges identified in previous studies are still present. Access control is not sufficiently tailored to treatment processes; and there is extensive use of exception mechanisms; which creates long event records that are not followed up systematically and therefore may go at the expense of patient privacy. Possible improvements include more education; standardization of access control; easier use of exception mechanisms and a more process oriented access control.


Access control; Electronic health records; Security measures; Patient safety; Delphi Technique


[1] Røstad L. Access Control in Healthcare Information Systems. PhD thesis. Norwegian University of Science and Technology; 2009.

[2] Ferreira A; Cruz-Correia R; Antunes L; Chadwick D. Access control: how can it improve patients’ healthcare? Stud Health Technol Inform 2007;127: 65-76.

[3] Nystadnes T. EPJ Standard del 2: Tilgangsstyring; retting og sletting Vol. 6/05; 2007.

[4] Helsedirektoratet. Norm for informasjonssikkerhet. (accessed 4 Jan 2014).

[5] Schmidt R. Managing Delphi surveys using nonparametric statistical techniques. Decision Sciences 1997;28(3): 763-774.

[6] Okoli C; Pawlowski SD. The Delphi Method as a research tool: an example; design considerations and applications. Information & Management 2004;42(1): 15-29.

[7] Hsieh HF; Shannon SE. Three Approaches to Qualitative Content Analysis. Qualitative Health Research 2005;15(9): 1277-1288.

[8] Åhlfeldt RM. Information Security in Distributed Healthcare. PhD Thesis. Stockholm University; 2008.

[9] Skulmoski; G.J; Hartman; F.T; Krahn; J. The Delphi method for graduate research. Journal of Information Technology Education 2007;6: 1–21.

[10] Andresen H. Tilgang til og videreformidling av helseopplysninger. PhD Thesis. University of Oslo; 2010.

[11] Faxvaag A; Johansen TS; Heimly; V; Melby L. Grimsmo A. Healthcare Professionals’ Experiences With EHRSystem Access Control Mechanisms. Studies in Health Technology and Informatics 2011;169: 601-605.

[12] Innomed. Mønstergjenkjenning som metode for å oppdage taushetspliktbrudd ved bruk av pasientjournal. (accessed 8 Feb 2014).

[13] Andresen H & Aasland OG. Helsepersonells håndtering av pasientopplysninger. Tidsskrift for den Norske legeforening 2008;128(24): 2823 – 7.

[14] Økland S. Haumann K.. & Christiansen RS. Urettmessig tilegnelse av taushetsbelagte opplysninger fra kliniske ITsystemer. Msc thesis. University of Agder: 2011.

[15] DIPS. Forenklet brukeradministrasjon. (accessed 10 Mar 2014).

[16] Andresen Ø. Moglegheiter for kvalitetsregister gjennom ny IKT. (accessed 21 Feb 2014).

[17] Finborud IM. Prosjekter gjennom tidene – hva har vi lært 2014/IngerM.Finborud_ProsjektarbeidiHelseSrst.pdf (accessed 18 Mar 2014).

Citations in Crossref