Abstract
The right to use patient data in treatment is based on the conditions of a need to know and patient consent. In electronic health records, these two conditions can be applied in various ways. We study the handling of consent in two Norwegian hospitals, with a view to how access control and consent handling can be integrated across electronic systems that process patient data. A workshop was held, where two consent handling scenarios were simulated, one in-hospital, the other external. Activities were identified and tied to roles and to the documents and systems used. Electronic systems were found to support the execution of the scenarios to some extent. The electronic functions used in-hospital were consent storage and logging of access; access control was not sufficient. When sharing information externally, the typical approach is a declaration signed by the patient or a referral; such external information sharing should be supported by specific functionality. A first step towards integrated access control is integrated consent handling.