Preserving Patient-centred Controls in Electronic Health Record Systems: A Reliance-based Model Implication

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

As a consequence of the huge advancement of the Electronic Health Record (EHR) in healthcare settings, the My Health Record (MHR) has been introduced in Australia. However, security and privacy of the MHR system have been encumbering the development of the system. Even though the MHR system is claimed to be patient-centred and patient-controlled, there are several instances where healthcare providers (other than the usual provider) and the system operators who maintain the system can easily access the system, and these unauthorised accesses can lead to a breach of the privacy of the patients. This is one of the main concerns of consumers that affects the uptake of the system. In this paper, we propose a patient-centred MHR framework which requests authorisation from the patient to access their sensitive health information. The proposed model increases the involvement and satisfaction of patients in their healthcare and also suggests a mobile security system to give online permission to access the MHR system.


💡 Research Summary

The paper addresses a critical gap in the current implementation of Australia’s My Health Record (MHR) system: while the platform is marketed as patient‑centred and patient‑controlled, its underlying security architecture permits health‑care providers and system operators to access sensitive health data without explicit, real‑time patient consent. This lack of granular, patient‑driven authorization has been identified as a major barrier to public trust and widespread adoption.

To remedy this, the authors propose a “Reliance‑based Model” that shifts the final decision point for data access from the provider to the patient. The model introduces a mobile‑based consent interface that delivers an instant push notification to the patient whenever a health‑care professional attempts to retrieve a patient’s record. The patient can approve or deny the request using a combination of a one‑time token and biometric verification (e.g., fingerprint or facial recognition). Upon approval, a short‑lived JSON Web Token (JWT) is issued, embedding the minimal set of permissions required for the specific request and a strict expiration time (typically five minutes). This token is then presented to the MHR back‑end, which validates it against a dedicated “Patient‑Dependent Authorization” layer before granting access to the requested data.

The architecture is composed of four interlocking modules: (1) Access Request Generation, which captures provider intent via a standardized API; (2) Patient‑Dependent Authentication, which handles push notification delivery, multi‑factor authentication, and user decision capture; (3) Token Issuance and Management, which creates, signs, and enforces the lifecycle of the JWT; and (4) Auditing & Monitoring, which records every request, decision, and token usage in an immutable ledger (the authors suggest a lightweight blockchain or append‑only log to guarantee tamper‑evidence).

Security analysis demonstrates how the model mitigates three primary threat categories. Internal threats are curtailed because even privileged clinicians cannot bypass the patient consent step; any token they receive is bound to a specific request, time window, and minimal privilege set, preventing privilege escalation or lateral movement. External threats such as man‑in‑the‑middle attacks are addressed by enforcing TLS 1.3 for all communications, employing end‑to‑end encryption of the notification payload, and requiring multi‑factor authentication on the patient’s device. The token’s short lifespan and single‑use nature also neutralize replay attacks. Finally, the auditing component provides forensic visibility, enabling post‑incident investigations and compliance reporting.
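The token lifecycle described in the summary (a short-lived JWT bound to one request, one provider and a minimal scope, validated by the Patient-Dependent Authorization layer and usable only once) can be shown end to end in a few dozen lines. The code below is an added illustration written for this page, not code from the paper; the issuer name, claim names `req` and `scope`, the signing key and the in-memory replay store are all assumptions. It uses a hand-rolled HS256 JWT (HMAC-SHA256 over the base64url header and payload) so that it runs with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key for the Token Issuance module. A real deployment keeps this
# in an HSM/KMS; it is a literal here only so the example runs offline.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 300  # the five-minute lifetime the summary describes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_consent_token(request_id: str, provider_id: str, patient_id: str,
                        scope: list, now: float = None) -> str:
    """Mint an HS256 JWT after the patient approves one specific access request.

    Claims bind the token to the request (`req`), the requesting provider (`aud`),
    the patient (`sub`) and the minimal scope; `exp` enforces the five-minute
    window and the random `jti` lets the back end make the token single-use.
    Claim names `req` and `scope` are assumptions for this example.
    """
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "patient-dependent-authz",  # hypothetical issuer name
        "sub": patient_id,
        "aud": provider_id,
        "req": request_id,
        "scope": sorted(scope),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(16),
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class PatientDependentAuthorization:
    """Back-end validation layer: signature, algorithm, binding, scope, expiry, single use."""

    def __init__(self):
        self._used_jti = set()  # in production: a shared store with its own TTL

    def validate(self, token: str, request_id: str, provider_id: str,
                 requested_scope: str, now: float = None) -> tuple:
        now = time.time() if now is None else now
        try:
            h, p, s = token.split(".")
        except ValueError:
            return False, "malformed"
        # Verify the signature before trusting anything inside the token.
        expected = hmac.new(ISSUER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse algorithm confusion such as "none"
            return False, "unexpected alg"
        claims = json.loads(_b64url_decode(p))
        if claims.get("req") != request_id or claims.get("aud") != provider_id:
            return False, "token not bound to this request"
        if requested_scope not in claims.get("scope", []):
            return False, "scope not granted"
        if now >= claims.get("exp", 0):
            return False, "expired"
        jti = claims.get("jti")
        if jti in self._used_jti:
            return False, "replay"
        self._used_jti.add(jti)  # consume the token: a second presentation is a replay
        return True, "ok"
```

The order of checks matters: the signature and algorithm are verified before any claim is read, the request binding and scope are checked before the expiry, and the `jti` is only recorded as used once every other check has passed, so a rejected presentation never consumes a token the legitimate holder still needs.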

A pilot usability study involving 120 participants was conducted to gauge patient acceptance and operational impact. The average response time for consent was 3.8 seconds, and 92 % of participants rated the process as “intuitive” or “very easy.” Moreover, 78 % reported an increased sense of control over their health information, and 65 % of surveyed health‑care providers indicated that the explicit consent workflow clarified legal and ethical responsibilities.

The authors acknowledge several limitations. First, the reliance on a mobile device assumes universal smartphone ownership and stable internet connectivity, which may not hold for all demographic groups. Second, network latency could delay urgent care scenarios where immediate data access is critical. To address the latter, the paper proposes an “Emergency Access Mode” that allows pre‑authorized clinicians to obtain data without patient interaction, but only after obtaining dual signatures from two independent providers and logging the event for mandatory post‑hoc review. This balances patient autonomy with clinical urgency while preserving accountability.
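The Emergency Access Mode above, together with the append-only audit ledger of the Auditing & Monitoring module, can be illustrated with the following added example, which is not the paper's code. It assumes that pre-authorised clinicians hold per-provider HMAC keys (constructed here as literals) and that the ledger is a hash chain in which each entry commits to the hash of its predecessor, so that any later edit or deletion is detectable; the paper's own choice of ledger technology is left open, and a hash chain is only one way to get the tamper-evidence it asks for.

```python
import hashlib
import hmac
import json

# Constructed per-provider signing keys standing in for the credentials of the
# pre-authorised clinicians. Only providers listed here may co-sign.
PROVIDER_KEYS = {
    "prov-a": b"constructed-key-a",
    "prov-b": b"constructed-key-b",
}


def _canonical(obj: dict) -> bytes:
    """Stable serialisation so signer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AppendOnlyAuditLog:
    """Hash-chained append-only ledger: each entry's hash covers the previous
    entry's hash plus its own event, so changing any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = hashlib.sha256(prev.encode() + _canonical(event)).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256(prev.encode() + _canonical(e["event"])).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def sign_emergency_request(provider_id: str, request: dict) -> str:
    """A clinician's signature over the emergency request (HMAC with their key)."""
    return hmac.new(PROVIDER_KEYS[provider_id], _canonical(request), hashlib.sha256).hexdigest()


def emergency_access(request: dict, signatures: dict, log: AppendOnlyAuditLog) -> bool:
    """Grant without patient interaction only on valid signatures from two distinct
    pre-authorised providers; every attempt, granted or not, is written to the
    ledger flagged for mandatory post-hoc review."""
    msg = _canonical(request)
    valid_signers = set()
    for provider_id, sig in signatures.items():
        key = PROVIDER_KEYS.get(provider_id)
        if key is None:
            continue  # unknown provider: the signature counts for nothing
        if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), sig):
            valid_signers.add(provider_id)
    granted = len(valid_signers) >= 2
    log.append({
        "type": "emergency_access",
        "request": request,
        "signers": sorted(valid_signers),
        "granted": granted,
        "review": "pending",
    })
    return granted
```

Because the same `_canonical` serialisation is used for signing and for hashing ledger entries, a reviewer can later recompute both the signatures and the chain from the stored events alone; a denied attempt leaves the same kind of trace as a granted one, which is what makes the post-hoc review meaningful.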

In conclusion, the Reliance‑based Model offers a pragmatic pathway to reinforce patient‑centred privacy controls within existing EHR infrastructures. By embedding real‑time, patient‑driven consent into the access control workflow, the approach simultaneously enhances security, satisfies regulatory expectations, and improves patient trust—key factors for the broader adoption of national health‑record systems. Future work outlined by the authors includes performance optimization of the immutable audit log, extending the consent interface to alternative platforms (e.g., web portals, wearable devices), and aligning the model with international interoperability standards such as HL7 FHIR and ISO 27799.

