Last week, I wrote a post addressing the risks of digital medical records and referenced the EMR platform that was developed by John Halamka and his team over at Beth Israel Deaconess Medical Center (BIDMC) here in Boston. In that post I stated that I was dismayed that when Halamka talked about this new EMR they are rolling out, and in some detail, nowhere did he make reference to the security features that would be built into the system to prevent, or at least minimize the kinds of breaches we’ve seen recently at any number of institutions. (I’ve written plenty on this in the past, do a search on the site to find more references.)

Halamka stated in a comment on his blog last week that he would address the security access issue this week. Halamka kept his promise. He has done a good job of articulating how access is controlled via some 500 rules that define access rights based on your role within the organization/IDN. Some very good lessons to be learned here that most other healthcare institutions would be wise to emulate.

Of course, I could not let Halamka completely off the hook. I have now asked if he will go a step further to articulate how BIDMC will reconcile access and opt-in rules a consumer may defined in their own personal PHR platform/system (e.g., Dossia, Google Health or HealthVault) that resides outside of BIDMC’s IDN, with the rules established within BIDMC.