For_Dummies_HCM

80 PART III Rollout of an HCM ✔✔Selection of which data to archive. Since an HCM system should contain all medical data for a case, there is usually also data present that does not require archiving. You must therefore decide in advance which data must be archived. For example, several formats of the same document will exist in the HCM system, and only one must be archived. As a rule, this should be the original format, but there are exceptions. For Word documents, for example, it may be sensible to prefer a format that can be archived longterm (PDF/A). It is also worth considering archiving data that has been handed over digitally to recipients outside the healthcare facility. Remember to coordinate your archiving concept with the data protection expert in your company and with the management. The next step is execution, which you either carry out yourself or commission a service provider with. But you should always remain at the helm. You cannot delegate the responsibility for the success of the implementation. The same applies to completion: the validation. Put the established archive through its paces. Do not forget that releasing data from the archive is also an important factor. If this takes too long, problems will arise in day-to-day operations. Also double-check whether data on the WORM really cannot be altered or deleted; for example, due to incorrect configuration. Can the HCM system send deletion requests to the WORM during normal operation? That would be bad. If the WORM works, nothing happens. If the WORM is switched to rewritable for whatever reason, you will have a serious problem. So let your imagination run free during testing. If the test is carried out faster than the setup, you have not tested thoroughly enough. It is also good practice to create a validation plan in which you specify in advance how and at what intervals you will verify the archiving. Step four: access authorization For reasons of data protection, users may only access the medical data of a patient case if they are in a treatment context for this patient. For practical reasons, data protection law envisages not linking access rights to individual users, but to user groups that have the same tasks in the same department. As an example, this would apply to all physicians in a specific department. Furthermore, there is data of particular importance for protection. This can originate from patients with special status or from specific data of a regular patient who has an increased need for protection. Before going live, you should ensure that such cases are taken into account. You therefore also need a good concept for access authorizations.