JP2010250756A - Medical information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a medical information management system that can protect particular individuals' medical information by prevent leakage of the particular piece of individuals' medical information. <P>SOLUTION: The medical information management system 10 includes a medical institution server 12A installed in a hospital 11A, a first business corporation server 14A for holding anonymous medical data on a plurality of persons, and a second business corporation server 16 for holding individual attribute data which individually specify the plurality of persons. The medical institution server 12A receives the anonymous medical data from the server 14A, and receives the individual attribute data corresponding to the received anonymous medical data from the server 16. The individual attribute data received from the server 16 is applied to the anonymous medical data received from the server 14A to create the particular individual's autonym medical data. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a medical information management system.

  Received and received a client terminal installed in multiple medical facilities and capable of sending and receiving medical information and sending instructions via a network with security functions, and medical information sent from the client terminal via the network A medical information management system formed from a data center server having a function of storing medical information separately for each medical facility having the management right and a function of controlling the use of stored medical information by a client terminal Yes (see Patent Document 1).

  The data center server permits use of medical information managed by a medical facility in advance by a client terminal, and a permission instruction indicating that one medical facility permits the other medical institution to use medical information managed by the medical facility Is transmitted from the client terminal installed in one medical facility, the medical information corresponding to the permission instruction can be used by the client terminal installed in the other medical facility. The permission instruction includes information indicating a usable range of medical information and information indicating a use permission period of medical information. The medical information includes a medical facility name, a patient name, a patient's electronic medical record, medical image data, an examination date, an imaging date, and the like.

JP 2002-268243 A

  The medical information management system disclosed in Patent Document 1 can specify the usable range and the use permission period for the medical information that is permitted to be used by the other medical facility, thereby improving the safety of the medical information. Can do. However, such medical information is managed independently by the client terminals installed in each medical facility, and as a means to prevent the medical information from being taken out or stolen from each client terminal, doctors and researchers at those medical facilities, Since there is no choice but to rely on the morals of the employee or the like, the medical information may be illegally taken out from each client terminal of the medical facility or the medical information may be inadvertently leaked outside. When medical information leaks from the client terminal to the outside, all medical information of a specific patient including a patient name and medical history may be known to a third party, and thus the medical information of a specific individual can be protected. Not only can not protect the privacy of specific individuals.

  An object of the present invention is to provide a medical information management system capable of preventing leakage of medical information of a specific individual, protecting the medical information of the specific individual, and protecting the privacy of the specific individual. There is.

  The medical information management system according to the present invention for solving the above-mentioned problems is installed in a medical institution server installed in a medical institution and a first contractor that exists independently of the medical institution and collected in the medical institution A first vendor server that holds anonymous medical data of a plurality of people and a second vendor that is installed in a second vendor that exists independently of the medical institution and the first vendor, and that holds personal attribute data that can individually identify the plurality of people. A medical provider server that receives anonymous medical data from the first supplier server, and second personal attribute data corresponding to the anonymous medical data received by the anonymous medical data receiving means. Applying personal attribute data received from the second vendor server to the personal attribute data receiving means received from the vendor server and anonymous medical data received from the first vendor server Characterized in that it has a real name medical data creating means for creating a real name medical data of a particular individual, and a real name medical data output means for outputting a real name medical data created.

  As an example of the medical information management system according to the present invention, the medical institution server includes medical institution first to nth servers installed in a plurality of medical institutions in which the medical institution servers exist separately and independently. At least one of them has anonymous medical data transfer means for transferring the anonymous medical data received from the first trader server to the other medical institution first to nth servers, and the other medical institution first to nth servers are medical. While executing personal attribute data receiving means for receiving personal attribute data corresponding to anonymous medical data transferred from at least one of the first to n-th institution from the second vendor server, The real name medical data creating means for creating the real name medical data of the specific individual by applying the personal attribute data received from the second trader server to the anonymous medical data transferred from the n server is executed.

  As another example of the medical information management system according to the present invention, the first trader server includes first trader first to nth servers installed in a plurality of first traders where the first trader server exists independently, and the medical institution server is Anonymous medical data receiving means for receiving anonymous medical data from at least two of the first traders 1st to nth servers is executed, and personal attribute data corresponding to the anonymous medical data received by the anonymous medical data receiving means is While executing the personal attribute data receiving means received from the second vendor server, the personal attribute data received from the second vendor server is appropriately applied to the anonymous medical data received from the first vendor first to n-th servers. A real name medical data creating means for creating medical data is executed.

  As another example of the medical information management system according to the present invention, the first vendor server sets a unique personal attribute data identifier in the personal attribute data, and the individual attribute data identifier is individually set for a plurality of persons. Personal attribute data identifier holding means for holding in a state associated with a specific identifier, anonymous medical data holding means for holding anonymous medical data in a state associated with a personal attribute data identifier, and a medical institution server presenting the personal identification identifier When requesting the transmission of anonymous medical data, the personal attribute data identifier corresponding to the presented personal identification identifier is specified, and the identified personal attribute data identifier and the anonymous medical data corresponding to the personal attribute data identifier are medically treated. Anonymized medical data transmitting means for transmitting to the institution server, and the second vendor server associates with the personal attribute data identifier Personal attribute data holding means for holding the personal attribute data in a state and the personal attribute presented when the medical institution server requests the transmission of the personal attribute data by presenting the personal attribute data identifier corresponding to the anonymous medical data. A personal attribute data transmitting means for transmitting the data identifier and personal attribute data corresponding to the personal attribute data identifier to the medical institution server; Are compared with the personal attribute data identifier received from the second vendor server, and real name medical data is created by combining the personal attribute data corresponding to the personal attribute data identifiers that match each other and the anonymous medical data.

  As another example of the medical information management system according to the present invention, an anonymous medical data holding unit that holds anonymous medical data in a state in which the first supplier server is associated with a personal identification identifier individually set for a plurality of persons, Personal attribute data identifier holding means for assigning a unique personal attribute data identifier to each attribute item of the personal attribute data, and holding each attribute item and the assigned personal attribute data identifier in association with the personal identification identifier, and the assigned individual Presented when the personal attribute data transmitting means for transmitting the attribute data identifier, the personal attribute data and the attribute item to the second trader server, and when the medical institution server requests the transmission of anonymous medical data by presenting the personal identification identifier. While identifying the personal attribute data identifier corresponding to the personal identification identifier, the identified personal attribute data identifier and its personal attribute An anonymous medical data transmitting means for transmitting the attribute item corresponding to the data identifier and the anonymous medical data to the medical institution server, and the second vendor server associated with the personal attribute data identifier corresponding to each attribute item Personal attribute data holding means for holding personal attribute data and the attributes presented when the medical institution server requests the transmission of personal attribute data by presenting attribute items and personal attribute data identifiers corresponding to anonymous medical data Personal attribute data transmitting means for transmitting the item and personal attribute data identifier and the personal attribute data corresponding to the attribute item and personal attribute data identifier to the medical institution server, and the real name medical data creating means is the first trader server Attribute items and personal attribute data identifiers received from the server and attribute items and personal attribute data received from the second vendor server. While comparing the identifier, creating a real name medical data by combining the personal attribute data and anonymous medical data corresponding to the attribute item and the personal attribute data identifier coincide with each other.

  According to the medical information management system of the present invention, anonymous medical data of a plurality of persons collected at a medical institution is held in the first trader server, and personal attribute data that can individually identify a plurality of persons is held in the second trader server. Therefore, anonymous medical data and personal attribute data are distributed and stored in separate and independent vendors. Therefore, even if anonymous medical data is illegally taken out from the first supplier server or leaked to the outside carelessly, the corresponding personal attribute data is not included in the medical data, and the anonymous medical data The real name, address, telephone number, etc. are never known, and the person cannot be identified from the leaked anonymous medical data. Even if personal attribute data is illegally taken out from the second vendor server or leaked to the outside, the personal attribute data does not contain the corresponding medical data and is specified from the personal attribute data. The medical information of the person is not identified, and the medical information cannot be identified from the leaked personal attribute data. The medical information management system can secure the confidentiality of medical information, can protect the privacy of a specific individual, and is involved in the leakage of extremely sensitive information such as personal medical information in the first and second contractors. Litigation risk can be avoided. Moreover, the medical information of a specific individual held by a medical institution can be managed with peace of mind by external first and second contractors. The medical information management system creates the real name medical data of a specific individual by applying the personal attribute data received from the second vendor server to the anonymous medical data received from the first vendor server by the medical institution server. It is possible to reliably acquire and confirm medical information of a person.

  A plurality of first to n-th medical institutions that exist independently and medical institution first to n-th servers installed in these medical institutions, wherein at least one of the first to n-th medical institutions is a first trader The medical information management system having the anonymous medical data transfer means for transferring the anonymous medical data received from the server to the other first to n-th medical institutions is another medical that has acquired the anonymous medical data of a specific individual from another medical institution. The institution server can apply personal attribute data to the medical data to create real name medical data for a specific individual, and ensure that the patient's medical information is available at the medical institution where the patient was introduced or the medical institution to which the patient was moved Can be obtained and confirmed. Even if anonymous medical data is illegally taken out from the 1st contractor server or leaked to the outside carelessly, the medical information management system does not include personal attribute data corresponding to the medical data, and anonymous medical data is not included. The real name, address, telephone number, etc. of the person in the data are not known, and the person cannot be identified from the leaked anonymous medical data. Even if personal attribute data is illegally taken out from the second vendor server or leaked to the outside, the personal attribute data does not contain the corresponding medical data and is specified from the personal attribute data. The medical information of the person is not identified, and the medical information cannot be identified from the leaked personal attribute data. Even if anonymous medical data leaks between medical institutions, the medical information management system cannot identify a person from the leaked anonymous medical data. Therefore, medical information can be exchanged between medical institutions by a highly convenient file transfer means. The medical information management system can secure the confidentiality of medical information and can protect the privacy of a specific individual.

  The first supplier server includes first supplier first to n-th servers installed in a plurality of first suppliers, and the medical institution server sends anonymous medical data to the first supplier first to n-th servers. The medical information management system that executes the anonymous medical data receiving unit that receives from at least two of the first and second servers maintains the anonymous medical data in the first independent first to nth servers. Dispersed and stored in one contractor. Therefore, even if anonymous medical data is illegally taken out from any of the first vendor servers or leaked out to the outside, only a part of the anonymous medical data is found. It is possible to avoid the risk that all contents are found, and to ensure the confidentiality of medical information. The medical information management system creates the real name medical data of a specific individual by applying the personal attribute data received from the second vendor server to the anonymous medical data received by the medical institution server from each of the first vendor first to n-th servers. Therefore, medical information of a specific person can be reliably acquired and confirmed in a medical institution.

  A medical information management system in which a first trader server sets a unique personal attribute data identifier in personal attribute data and retains the personal attribute data identifier in a state associated with individual identification identifiers individually set for a plurality of persons. Since the personal attribute data is replaced with the personal attribute data identifier and stored in the one trader server, the first trader server does not hold the personal attribute data itself, and anonymous medical data is illegally taken out from the first trader server, Even if it is accidentally leaked outside, only the personal attribute data identifier of the person corresponding to the medical data is found, and the real name, address, telephone number, etc. of the person of anonymous medical data are not found, A person cannot be identified from leaked anonymous medical data. The medical information management system compares the personal attribute data identifier received from the first trader server with the personal attribute data identifier received from the second trader server, and compares the personal attribute data corresponding to the personal attribute data identifiers that match each other and anonymous Real name medical data is created in combination with medical data, so that real name medical data of a specific individual can be created reliably at a medical institution, and medical information of a specific person can be reliably acquired and confirmed at a medical institution it can.

  The first vendor server assigns a unique personal attribute data identifier to each attribute item of the personal attribute data, holds each attribute item and the assigned personal attribute data identifier in association with the personal identification identifier, and assigns the assigned personal attribute. A medical information management system that transmits data identifiers, personal attribute data, and attribute items to a second vendor server, and holds the personal attribute data in a state in which the second vendor server is associated with a personal attribute data identifier corresponding to each attribute item. Since the personal attribute data is held as the personal attribute data identifier assigned to each attribute item in the first vendor server, the first vendor server does not hold the personal attribute data itself, and anonymous medical data is received from the first vendor server. Even if it is illegally taken out or is inadvertently leaked outside, the person who corresponds to the medical data The only personal attribute data identifier is only is found, not that person's real name and address of the anonymous medical data, telephone number, etc. is found, it is not possible to identify a person from an anonymous medical data that has leaked. The medical information management system holds each attribute item and the assigned personal attribute data identifier in association with the personal identification identifier, so that the combination information of each personal attribute data is managed by the first vendor server. In addition, personal information cannot be specified in the second vendor server. The medical information management system compares the attribute item and personal attribute data identifier received from the first vendor server with the attribute item and personal attribute data identifier received from the second vendor server, and matches the attribute item and personal attribute data that match each other. Since real name medical data is created by combining personal attribute data corresponding to an identifier and anonymous medical data, real name medical data of a specific individual can be reliably created in a medical institution, and medical information of a specific person in a medical institution Can be obtained and confirmed reliably.

The block diagram of the medical information management system shown as an example. Explanatory drawing which shows an example of the storage procedure of various medical information. The figure which shows an example of the anonymous medical data stored in the 1st business company 1st server. The figure which shows an example of the anonymized medical data stored in the 1st business company 2nd server. The figure which shows an example of the personal special data stored in the 2nd business company server. The figure which shows an example of the procedure which produces a patient's real name medical data in a medical institution server. The figure which shows an example of the produced real name medical data. The figure which shows another example of the procedure which produces a patient's real name medical data in a medical institution server. The figure which shows another example of the procedure which produces a patient's real name medical data in a medical institution server. Explanatory drawing which shows another example of the storage procedure of various medical information. The figure which shows another example of the anonymous medical data stored in the 1st business company 1st server. The figure which shows another example of the personal attribute data stored in the 2nd business company server. The figure which shows another example of the anonymous medical data stored in the 1st business company 1st server. The figure which shows another example of the anonymous medical data stored in the 1st business company 2nd server.

  The details of the medical information management system according to the present invention will be described below with reference to the accompanying drawings such as FIG. 1 which is a configuration diagram of a medical information management system shown as an example. This system 10 manages various medical information of a plurality of patients (a plurality of persons). The servers 12A, 12B, 14A, 14B, and 16 form a network via the Internet. However, in addition to the Internet, the servers 12A, 12B, 14A, 14B, and 16 may form a network via a VPN (Virtual Private Network) or the Internet VPN. Good.

  The medical information management system 10 exists separately from the medical institution servers 12A and 12B (medical institution first server to medical institution n server) installed in the hospitals 11A and 11B (medical institution) and the hospitals 11A and 11B. The first business company servers 14A and 14B (first trader first server to first trader n server) installed in the first business companies 13A and 13B (first trader) and the hospitals 11A and 11B and the first business It is comprised from the 2nd business company server 16 (2nd trader server) installed in the 2nd business company 15 (2nd trader) which exists separately from company 13A, 13B.

  Anonymized medical data is stored as electronic data in the first business company servers 14A and 14B. Anonymized medical data includes all medical information about patients such as medical records from the past to the present, medical records from the past to the present, interview records from the past to the present, interview records from the past to the present, etc. However, personal attribute data for identifying a patient is not included.

  The medical record includes the date, treatment, prescription, findings, various orders, and the like, and the medical record includes the date, images and memos taken by the diagnostic imaging apparatus, accounting records, and the like. Interview records and interview records include date, interview contents, interview contents, and the like. Examples of the diagnostic imaging apparatus include a film digitizer, digital radiography, digital fluorography, X-ray computed tomography apparatus, nuclear medicine diagnostic apparatus, ultrasonic diagnostic apparatus, electronic endoscope, and magnetic resonance imaging apparatus.

  In the second business company server 16, personal attribute data for individually identifying each patient is stored as electronic data. Individual attribute data includes an individual who can specify the patient's name, address or address, postal code, telephone number, mobile phone number, e-mail address, URL, date of birth, face photo image, blood type, permanent address, etc. Information is included, but anonymous medical data stored in the first business company servers 14A and 14B is not included. Note that the personal attribute data is not limited to those illustrated, but includes all personal information that can identify a patient.

  FIG. 1 illustrates two hospitals 11A and 11B that exist separately and independently, and two first operating companies 13A and 13B that exist separately and independently. The number of first business companies is not particularly limited, and the system 10 may include three or more hospitals and first business companies. The hospitals 11A and 11B include all types of public hospitals, private hospitals, university hospitals, and the like. In addition, hospitals 11A and 11B are illustrated as medical institutions, but in addition to hospitals 11A and 11B, medical institutions, medical laboratories, medical / dental universities, nursing schools, medical / dental vocational schools, etc. All institutions related to medical care are included.

  A medical institution first server 12A is installed in one hospital 11A, and a medical institution second server 12B is installed in the other hospital 11B. When the first to nth hospitals exist independently, the first hospital has the first medical institution server, and the second hospital to the nth hospital have the second medical institution server to the first medical institution. n servers are installed. In FIG. 1, one medical institution first server 12A and one medical institution second server 12B are illustrated, but actually, a plurality of medical institution first servers 12A are installed in the hospital 11A. A plurality of medical institution second servers 12B are installed in the hospital 11B.

  The medical institution first server 12A and the medical institution second server 12B are computers each having a central processing unit and a memory, and are equipped with a large-capacity hard disk. To these servers 12A and 12B, input devices such as a keyboard 17 and a mouse 18 and output devices such as a display 19 and a printer (not shown) are connected via an interface.

  Each patient using the hospitals 11A and 11B is set with a patient number (personal identification identifier) that identifies the patient. As the patient number, an insurance card number, a personal identification number, an ID number, and other identification codes that can individually identify each patient can be used. The personal identification number, ID number, and identification code are set in advance on the hospital 11A, 11B side to the patient who visited the hospital 11A, 11B and notified to the patient, or each patient decides on his own and the patient number is determined May be reported to the hospitals 11A and 11B.

  The hard disks of the medical institution first server 12A and the medical institution second server 12B include a hospital identification number (hospital identifier) for identifying the hospitals 11A and 11B and departments of the hospitals 11A and 11B (respiratory medicine, orthopedics, brain surgery). The department identification number (department identifier) for identifying the urology department, etc. is stored, and the patient numbers individually set for a plurality of patients (a plurality of persons) in the hospitals 11A and 11B are stored.

  In the hard disks of these servers 12A and 12B, department identification numbers are linked in a hierarchical manner immediately below the hospital identification number, and patient numbers are linked in a hierarchy immediately below the department identification number. In these servers 12A and 12B, by designating a specific department identification number, the designated department can be displayed on the display 19, and by designating a specific patient number in the department, the designated patient number can be displayed. The patient is displayed on the display 19.

  The medical institution first server 12A and the medical institution second server 12B read and write various information by accepting requests from other servers, a DNS server function for setting a correspondence between a host name and an IP address assigned to the host name. A database server function that provides a function to perform a mail server function, a mail server function that enables transmission / reception of e-mails, and a document server function that stores all information such as texts and images that have been created and makes it possible to retrieve the information.

  The medical institution first server 12A and the medical institution second server 12B can be connected to the Internet 20 via the DNS server function and can access the first business company servers 14A and 14B and the second business company server 16. . The first and second servers 12A, 12B can transmit predetermined data to the first business company servers 14A, 14B and the second business company server 16 via the Internet 20, and the predetermined data from these servers 14A, 14B, 16 Can be received. The first and second servers 12A, 12B can transmit predetermined data from one server 12A, 12B to the other server 12A, 12B via the Internet 20, and one server 12A, 12B can transmit the other server 12A. , 12B can receive predetermined data.

  The medical institution first server 12A and the medical institution second server 12B start the medical information management application stored in the instruction file in the memory based on the control by the operating system, and according to the application, the following means (each process) ). The first and second servers 12A and 12B execute medical information transmission means for transmitting various types of medical information (including patient numbers (personal identification identifiers)) of patients as electronic data to the first business company server 14A. The medical information of the patient includes anonymous medical data and personal attribute data. The medical information transmitting means is executed every time the patient's medical information is updated. In these servers 12A and 12B, the patient name corresponding to the patient number can be searched, and the patient number corresponding to the patient name can be searched.

  The medical institution first server 12A and the medical institution second server 12B execute anonymous medical data receiving means for receiving personal attribute data identifiers and anonymous medical data from the first business company servers 14A and 14B, and receive anonymous medical data. Anonymous medical data transfer means for transferring the personal attribute data identifier and the anonymous medical data received from the first business company server 14A, 14B to the other medical institution servers 12A, 12B is executed. The anonymous medical data transfer means transfers the personal attribute data identifier and the anonymous medical data as an e-mail from one medical institution server 12A, 12B to the other medical institution server 12A, 12B. And anonymized medical data are stored in a predetermined memory device (USB memory, disk, etc.), and the medical device 11A, 11B passes the memory device to the other medical institution 11A, 11B. Data transfer can also be performed.

  The medical institution first server 12A and the medical institution second server 12B execute personal attribute data receiving means for receiving personal attribute data corresponding to the anonymous medical data received by the anonymous medical data receiving means from the second business company server 16. Then, real name medical data creation means for creating real name medical data of a specific individual by applying the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company server 14A, 14B is executed. . Furthermore, real name medical data output means for outputting the created real name medical data via the output device is executed.

  The first business company 13A is provided with a first business company first server 14A, and the first business company 13B is provided with a first business company second server 14B. When there are first to nth independent business companies, the first business company first server is installed in the first first business company, and the second first business company to the nth business company. The first business company second server to the first business company nth server are installed in one business company. In FIG. 1, one first business company first server 14A and one first business company second server 14B are illustrated, but actually, the first business company 13A includes a plurality of first servers. A server 14A is installed, and a plurality of second servers 14B are installed in the first business company 13B.

  The first business company first server 14A and the first business company second server 14B are computers having a central processing unit and a memory, and are equipped with a large-capacity hard disk. Input devices such as a keyboard 21 and a mouse 22 and output devices such as a display 23 and a printer (not shown) are connected to the servers 14A and 14B via an interface. The first and second servers 14A and 14B provide a DNS server function for setting a correspondence between a host name and an IP address assigned to the host name, and a function for receiving various requests and reading / writing various information. It has a database server function, a mail server function that enables transmission / reception of e-mails, and a document server function that stores all information such as created texts and images and makes it possible to search for such information.

  The first business company first server 14A and the first business company second server 14B can be connected to the Internet 20 via the DNS server function and can access the medical institution servers 12A and 12B and the second business company server 16. It is. The first and second servers 14A and 14B can transmit predetermined data to the medical institution servers 12A and 12B and the second business company server 16 via the Internet 20, and receive predetermined data from the servers 12A, 12B and 16 Is possible. The first and second servers 14A, 14B can transmit predetermined data from one server 14A, 14B to the other server 14A, 14B via the Internet 20, and one server 14A, 14B can transmit the other server 14A. , 14B can receive predetermined data.

  The first business company first server 14A and the first business company second server 14B start the medical information management application stored in the instruction file of the memory based on the control by the operating system, and according to the application, Execute means (each process). The first server 14A executes medical information receiving means for receiving various types of patient medical information transmitted from the medical institution servers 12A and 12B, and classifies the received medical information into anonymous medical data and personal attribute data. A personal attribute data identifier setting unit for individually setting a unique personal attribute data identifier for each personal attribute data is executed. The first server 14A executes personal attribute data identifier holding means for holding the personal attribute data identifier in a state associated with the patient number individually set for each patient, and performs anonymous medical treatment in a state associated with the personal attribute data identifier. Anonymous medical data holding means for holding a part of the data is executed.

  The first business company first server 14A executes medical information transmission means for transmitting a part of the anonymous medical data and the personal attribute data identifier (including the patient number) to the first business company second server 14B. The first business company second server 14B executes medical information receiving means for receiving the anonymous medical data and the personal attribute data identifier (including the patient number) transmitted from the first server 14A. The second server 14B executes personal attribute data identifier holding means for holding the personal attribute data identifier in a state associated with the patient number individually set for each patient, and performs anonymous medical treatment in a state associated with the personal attribute data identifier. Anonymous medical data holding means for holding a part of the data is executed.

  The first business company first server 14 </ b> A executes personal attribute data transmission means for transmitting the personal attribute data and the personal attribute data identifier set thereto to the second business company server 16. Therefore, the patient personal attribute data is not held in the hard disks of the first and second servers 14A and 14B (the personal attribute data is not stored). In the system 10, the servers 14A and 14B alone can search the personal attribute data identifier and the anonymous medical data associated therewith, but cannot search the personal attribute data.

  The first business company first server 14A and the first business company second server 14B request an authentication procedure from the medical institution servers 12A and 12B when the medical institution servers 12A and 12B access the servers 14A and 14B. Execute authentication procedure request means. The first and second servers 14A and 14B are presented when the medical institution servers 12A and 12B request the transmission of anonymous medical data by presenting the patient number of the patient after the medical institution servers 12A and 12B perform the authentication procedure. Anonymous medical data transmitting means for transmitting the specified personal attribute data identifier and the anonymous medical data corresponding to the personal attribute data identifier to the medical institution servers 12A and 12B while specifying the personal attribute data identifier corresponding to the patient number specified Execute.

  The second business company server 16 is a computer having a central processing unit and a memory, and is equipped with a large-capacity hard disk. An input device such as a keyboard 24 and a mouse 25 and an output device such as a display 26 and a printer (not shown) are connected to the server 16 via an interface. The server 16 has a DNS server function for setting a correspondence between a host name and an IP address assigned to the host name, a database server function for receiving a request from another server and a function for reading and writing various information, and an e-mail It has a mail server function that enables transmission and reception, and a document server function that saves all information such as created texts and images and makes it possible to search for such information.

  The second business company server 16 can be connected to the Internet 20 via the DNS server function, and can access the medical institution servers 12A and 12B and the first business company servers 14A and 14B. The server 16 can transmit predetermined data to the medical institution servers 12A, 12B and the first business company servers 14A, 14B via the Internet 20, and can receive predetermined data from the servers 12A, 12B, 14A, 14B. . In FIG. 1, one second business company server 16 is illustrated, but a plurality of second business company servers 16 are actually installed in the second business company 15.

  Based on the control by the operating system, the second business company server 16 activates the medical information management application stored in the instruction file in the memory, and executes the following means (each process) according to the application. The server 16 executes personal attribute data receiving means for receiving the personal attribute data transmitted from the first business company first server 14A and the personal attribute data identifier set thereto. Anonymized medical data is not transmitted to the second business company server 16.

  The second business company server 16 executes personal attribute data holding means for holding the received personal attribute data in a state associated with the personal attribute data identifier. Therefore, only the personal attribute data identifier and the personal attribute data are held in the hard disk of the server 16, and the patient's anonymous medical data is not held (anonymous medical data is not stored). In this system 10, the server 16 alone can search the personal attribute data identifier and the personal attribute data associated therewith, but cannot search the anonymous medical data.

  When the medical institution servers 12A and 12B access the server 16, the second business company server 16 executes an authentication procedure requesting unit that requests an authentication procedure from the medical institution servers 12A and 12B. Furthermore, after the medical institution servers 12A and 12B perform the authentication procedure, the medical institution servers 12A and 12B present the personal attribute data identifier corresponding to the anonymous medical data and request transmission of the personal attribute data. A personal attribute data transmission unit is transmitted for transmitting the attribute data identifier and the personal attribute data corresponding to the personal attribute data identifier to the medical institution servers 12A and 12B.

  FIG. 2 is an explanatory diagram showing an example of a procedure for storing various medical information, and FIG. 3 is a diagram showing an example of anonymous medical data stored in the first business company first server 14A. 4 is a diagram showing an example of anonymous medical data stored in the first business company second server 14B, and FIG. 5 is a diagram showing an example of personal attribute data stored in the second business company server 16. is there. FIG. 2 shows a case where medical information is transmitted from the medical institution first server 12A. Medical information may be transmitted from the medical institution second server 12B, or medical information may be transmitted from both the first and second servers 12A and 12B.

  The medical information formed from the anonymous medical data and the personal attribute data is individually collected in the hospital 11A, temporarily stored in the hard disk of the medical institution server 12A of the hospital 11A, and then the first business companies 13A and 13B as electronic data. To the first business company first server 14A and the first business company second server 14B. After connecting to the Internet 20, the medical institution first server 12A accesses the first business company first server 14A, and first receives the patient number, personal attribute data, and anonymous medical data (medical information) from the past to the present. It transmits to the server 14A (medical information transmission means).

  The first operating company first server 14A receives the medical information (patient number, medical record, medical record, interview record, interview record, personal attribute data) transmitted from the medical institution first server 12A (medical information receiving means) ) The received medical information is classified into anonymous medical data and personal attribute data, and a unique personal attribute data identifier is individually set for each personal attribute data (personal attribute data identifier setting means). The first server 14A holds these personal attribute data identifiers in a state associated with the patient numbers individually set for each patient (personal attribute data identifier holding means). Further, only the medical records from the past to the present are extracted from the anonymous medical data, and the extracted medical records are held in a state associated with the personal attribute data identifier (anonymous medical data holding means). 14 A of 1st servers hold | maintain only a medical record among anonymous medical data, and do not hold | maintain a medical record, an interview record, and an inquiry record.

  As shown in FIG. 3, the hard disk of the first business company first server 14A is associated with the personal attribute data identifier associated with the patient number, the date associated with the personal attribute data identifier, and the personal attribute data identifier. Stored, a prescription associated with the personal attribute data identifier, a finding associated with the personal attribute data identifier, and an order associated with the personal attribute data identifier. The first server 14A transmits the personal attribute data to the second business company server 16, and then deletes the personal attribute data from the hard disk.

  After connecting to the Internet 20, the first business company first server 14A accesses the second business company server 16 and the first business company second server 14B, and receives the personal attribute data and the personal attribute data identifier set thereto. It transmits to the 2nd business company server 16 (personal attribute data transmission means). The first server 14A transmits the personal attribute data identifier (including the patient number) set in the personal attribute data to the first business company second server 14B, and among the anonymous medical data, The interview record and the inquiry record are transmitted to the second server 14B (medical information transmitting means).

  The first business company second server 14B receives the medical information (patient number, personal attribute data identifier, medical record, interview record, interview record) transmitted from the first business company first server 14A (medical information receiving means) ). The second server 14B holds the personal attribute data identifiers in a state associated with the patient number set individually for each patient (personal attribute data identifier holding means), and in the state associated with the personal attribute data identifiers from the past to the present Medical records, interview records, and interview records up to this point are held (anonymous medical data holding means).

  As shown in FIG. 4, the hard disk of the first operating company second server 14B has a personal attribute data identifier associated with the patient number, a medical record associated with the personal attribute data identifier, and a personal attribute data identifier. Interview records and interview records associated with personal attribute data identifiers are stored. Furthermore, the medical record includes a date associated with the personal attribute data identifier, a photographed image associated with the personal attribute data identifier, a memo associated with the personal attribute data identifier, and an accounting record associated with the personal attribute data identifier. Stored.

  The hard disk of the first business company second server 14B stores, as interview records, the date associated with the personal attribute data identifier and the content associated with the personal attribute data identifier. As the inquiry record, the date associated with the personal attribute data identifier and the content associated with the personal attribute data identifier are stored. Although not shown, when there is only one first business company and anonymous medical data is stored in the server of the first business company, the anonymous shown in FIGS. Medical data is stored together.

  The second business company server 16 receives the personal attribute data transmitted from the first business company first server 14A and the personal attribute data identifier set thereto (personal attribute data receiving means). The second business company server 16 holds the received personal attribute data in a state associated with the personal attribute data identifier (personal attribute data holding means).

  As shown in FIG. 5, the hard disk of the second business company server 16 includes a name associated with the personal attribute data identifier, an address associated with the personal attribute data identifier, a postal code associated with the personal attribute data identifier, and an individual. Phone number associated with attribute data identifier, mobile phone number associated with personal attribute data identifier, email address associated with personal attribute data identifier, URL associated with personal attribute data identifier, associated with personal attribute data identifier The date of birth, the face photo image associated with the personal attribute data identifier, the blood type associated with the personal attribute data identifier, and the permanent address associated with the personal attribute data identifier are stored.

  FIG. 6 is a diagram illustrating an example of a procedure for creating real name medical data of a patient in the medical institution server 12A, and FIG. 7 is a diagram illustrating an example of the created real name medical data. FIG. 6 shows an example where there is only one first business company, and shows a case where the medical institution first server 12A creates real name medical data. In this case, the anonymous medical data shown in FIGS. 3 and 4 are collectively stored in the hard disk of the first business company first server 14A, and the personal attribute data shown in FIG. 5 is stored in the hard disk of the second business company server 16. Stored. In FIG. 7, specific description of the contents of each real name medical data is omitted. The medical institution second server 12B can also create real name medical data by the same procedure as in FIG.

  When creating real name medical data of a predetermined patient, the medical institution first server 11A connects to the Internet 20, accesses the server 14A using the URL of the first business company first server 14A, and performs the second business. The server 16 is accessed using the URL of the company server 16. When the medical institution first server 12A accesses the first business company first server 14A, the first business company first server 14A requests an authentication procedure from the medical institution first server 12A, as indicated by an arrow 1 in FIG. Then, an authentication procedure for determining the validity of the server 12A is performed (authentication procedure request means).

  In the authentication procedure, an authentication screen is displayed on the display 19 connected to the first medical institution server 12A, and the user is requested to input a user name, password, and account on the authentication screen. After they are input, the first business company first server 14A compares the input user name, password, and account with those stored in the memory, and determines their correctness. When the user name, password, and account are correct and the authentication result is valid, the anonymous medical data shown in FIGS. 3 and 4 can be downloaded from the server 14A to the server 12A, and the anonymous medical data is downloaded between the server 14A and the server 12A. Processing is performed.

  On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the first medical institution server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A. The authentication method in the authentication procedure is password authentication, but in addition to password authentication, fingerprint authentication, voiceprint authentication, retina authentication, and IC card authentication can also be performed. As the password authentication, a one-time password can be adopted. It is also possible to perform mutual authentication that requires external authentication and internal authentication.

  When the medical institution first server 12A accesses the second business company server 16, the second business company server 16 requests an authentication procedure from the medical institution first server 12A, and as shown by an arrow 2 in FIG. An authentication procedure is performed to determine the legitimacy (authentication procedure request means). In the authentication procedure, an authentication screen is displayed on the display 19 connected to the server 12A, and an input of a user name, a password, and an account is requested on the authentication screen. After they are entered, the server 16 compares the entered username, password, and account with those stored in memory to determine their correctness. If the user name, password, and account are correct and the authentication result is valid, the personal attribute data in FIG. 5 can be downloaded from the server 16 to the server 12A, and the personal attribute data download process is performed between the server 16 and the server 12A. Done. On the contrary, when the authentication result is invalid, the authentication impossible message is displayed on the display 19 of the first medical institution server 12A, and the personal attribute data cannot be downloaded from the server 16 to the server 12A.

  After the anonymous medical data can be downloaded, the medical institution first server 12A presents the patient number of the predetermined patient (sends the patient number) as shown by the arrow 3 in FIG. Request transmission to the first server 14A of the first business company. When the medical institution first server 12A presents the patient number of the patient and requests transmission of anonymous medical data, the first operating company first server 14A collates the presented patient number with the patient number stored in the hard disk. The personal attribute data identifier corresponding to the patient number is specified.

  Next, the first business company first server 14A determines the specified personal attribute data identifier and anonymous medical data (medical record, medical record, interview record, interview record) from the past to the present corresponding to the personal attribute data identifier. Is extracted from the hard disk, and the extracted personal attribute data identifier and anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). The medical institution first server 12A receives personal attribute data identifiers and anonymous medical data from the past to the present from the first business company first server 14A as shown by an arrow 4 in FIG. 6 (anonymous medical data receiving means) ).

  After the personal attribute data can be downloaded, the medical institution first server 12A, as shown by the arrow 5 in FIG. 6, the personal attribute data corresponding to the anonymous medical data received from the first business company first server 14A. The identifier is presented (the personal attribute data identifier is transmitted), and the second business company server 16 is requested to transmit the personal attribute data. When the medical institution first server 12A presents the personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 displays the presented personal attribute data identifier and the personal attribute data thereof. The personal attribute data corresponding to the identifier is transmitted to the medical institution first server 12A (personal attribute data transmitting means).

  The medical institution first server 12A receives the personal attribute data identifier and the personal attribute data from the second business company server 16 as indicated by an arrow 6 in FIG. 6 (personal attribute data receiving means). The medical institution first server 12A applies the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A and creates real name medical data of a specific individual (real name). Medical data creation means).

  Specifically, the personal attribute data identifier received from the first business company first server 14A and the personal attribute data identifier received from the second business company server 16 are compared, and the individuals corresponding to the personal attribute data identifiers matching each other are compared. Real name medical data is created by combining attribute data and anonymous medical data. The first medical institution server 12A displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means).

  In the created real name medical data, as shown in FIG. 7, personal attribute data is displayed in the personal attribute data display area 27, and a facial photographic image is displayed in the facial photographic image display area 28. Further, a medical record (medical data) is displayed in the medical record display area 29 (medical chart display area), and a medical record (medical data) is displayed in the medical record display area 30. The interview record (medical data) is displayed in the interview record display area 31, and the interview record (medical data) is displayed in the interview record display area 32.

  In the personal attribute data display area 27, the hospital name is displayed in the hospital name display area, the department name is displayed in the department name, the patient name is displayed in the name display area, the address is displayed in the address display area, the postal code is displayed in the postal code display area, and the telephone number display area. Phone number, mobile phone number in the mobile phone number display area, e-mail address in the e-mail address display area, URL in the URL display area, date of birth in the date of birth display area, blood type in the blood type display area, and personality display The permanent address is displayed in the area.

  The medical record display area 29 displays the date, process, prescription, finding, order, and the like, and the medical record display area 30 displays the date, photographed image, memo, accounting, and the like. The interview record display area 31 displays the date, contents, etc., and the interview record display area 32 displays the date, contents, etc. By clicking the pull-down list displayed in the date display area of the medical record display area 29 and designating the date, not only the current medical record but also any past date or past specified period A medical record can be displayed, and all medical records from the past to the present can be displayed by clicking on the display for the entire period.

  By clicking the pull-down list displayed in the date display area of the medical record display area 30 and specifying the date, it is possible to display not only the current medical record but also the past medical record. You can also display an enlarged image of the captured image by clicking the captured image displayed in the captured image display area, and all captured images by clicking the pull-down list displayed in the captured image display area. Can be displayed. By clicking the pull-down list displayed in the date display area of the interview record display area 31 and specifying the date, it is possible to display not only the current interview record but also the past interview record. By clicking the pull-down list displayed in the date display area of the medical record display area 32 and designating the date, it is possible to display not only the current medical record but also past medical records.

  In the medical information management system 10 of FIG. 6, anonymous medical data of a plurality of persons collected in the hospital 11A is held in the first business company first server 14A, and personal attribute data that can individually identify a plurality of persons is the second business. Since it is held in the company server 16, anonymous medical data and personal attribute data are distributed and stored in separate and independent business companies 13A and 15. Therefore, even if anonymous medical data is illegally taken out from the first operating company first server 14A or leaked to the outside carelessly, the personal attribute data corresponding to the medical data is not included, and anonymous medical data is not included. Personal information such as the real name, address, and telephone number of the person in the data is not known, and the person cannot be identified from the leaked anonymous medical data. Even if personal attribute data is illegally taken out from the second business company server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data. The medical information of the specified person is not known, and the medical information cannot be specified from the leaked personal attribute data.

  The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual. The medical information management system 10 applies the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A by the medical institution first server 12A, and the real name medical care of the specific individual Since the data is created, the medical information of a specific person can be reliably acquired and confirmed in the hospital 11A.

  FIG. 8 is a diagram showing another example of a procedure for creating real name medical data of a patient in the medical institution server 12A. FIG. 8 shows an example in which there are two first business companies (two first business company servers). In this case, the anonymous medical data shown in FIG. 3 is stored in the hard disk of the first business company first server 14A, and the anonymous medical data shown in FIG. 4 is stored in the hard disk of the first business company second server 14B. ing. Further, personal attribute data shown in FIG. 5 is stored in the hard disk of the second business company server 16. In addition, this medical information management system 10 can be implemented in the presence of three or more first independent business company servers, and the medical institution second server 12B creates real name medical data by the same procedure as in FIG. You can also

  When creating the real name medical data of a predetermined patient, the medical institution first server 12A connects to the Internet 20 and accesses the server 14A using the URL of the first business company first server 14A. The server 14B is accessed using the URL of the second server 14B, and the server 16 is accessed using the URL of the second business company server 16.

  When the medical institution first server 12A accesses the first business company first server 14A, the first server 14A requests an authentication procedure from the first server 12A, and as shown by an arrow 1 in FIG. An authentication procedure for judging sex is performed (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  When the authentication result is valid, the anonymous medical data in FIG. 3 can be downloaded from the first business company first server 14A to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14A and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A.

  When the medical institution first server 12A accesses the first business company second server 14B, the second server 14B requests an authentication procedure from the first server 12A, and as shown by an arrow 2 in FIG. An authentication procedure for judging sex is performed (authentication procedure request means) Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  When the authentication result is valid, the anonymous medical data in FIG. 4 can be downloaded from the first business company second server 14B to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14B and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, the authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14B to the server 12A.

  When the medical institution first server 12A accesses the second business company server 16, the server 16 requests the first server 12A for an authentication procedure, and determines the validity of the server 12A as indicated by an arrow 3 in FIG. Perform authentication procedures (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  If the authentication result is valid, the personal attribute data in FIG. 5 can be downloaded from the second business company server 16 to the medical institution first server 12A, and the personal attribute data download process is performed between the server 16 and the server 12A. Done. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the personal attribute data cannot be downloaded from the server 16 to the server 12A.

  After the anonymous medical data can be downloaded, the medical institution first server 12A presents the patient number of the predetermined patient (sends the patient number) as shown by the arrow 4 in FIG. Request transmission to the first server 14A of the first business company. When the medical institution first server 12A presents the patient number of the patient and requests transmission of anonymous medical data, the first operating company first server 14A collates the presented patient number with the patient number stored in the hard disk. The personal attribute data identifier corresponding to the patient number is specified.

  Next, the first operating company first server 14A extracts the identified personal attribute data identifier and anonymous medical data (medical record) from the past to the present corresponding to the personal attribute data identifier from the hard disk, and extracts the extracted individual The attribute data identifier and the anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). The medical institution first server 12A receives personal attribute data identifiers and anonymous medical data from the past to the present from the first business company first server 14A as shown by an arrow 5 in FIG. 8 (anonymous medical data receiving means) ).

  After the anonymous medical data can be downloaded and after receiving the personal attribute data identifier and the anonymous medical data from the first business company first server 14A, the medical institution first server 12A has an arrow in FIG. 6, the received personal attribute data identifier is presented (personal attribute data identifier is transmitted), and the first business company second server 14B is requested to transmit anonymous medical data.

  When the medical institution first server 12A presents the personal attribute data identifier and requests transmission of anonymous medical data, the first business company second server 14B displays the anonymous medical data from the past to the present corresponding to the personal attribute data identifier. (Medical record, interview record, interview record) are extracted from the hard disk, and the personal attribute data identifier and the extracted anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). The medical institution first server 12A receives the personal attribute data identifier and the anonymous medical data from the past to the present from the first business company second server 14B as shown by the arrow 7 in FIG. 8 (anonymous medical data receiving means) ).

  After the personal attribute data can be downloaded, the medical institution first server 12A received from the first business company first server 14A or the first business company second server 14B as shown by an arrow 8 in FIG. The personal attribute data identifier corresponding to the anonymous medical data is presented (the personal attribute data identifier is transmitted), and the second business company server 16 is requested to transmit the personal attribute data. When the medical institution first server 12A presents the personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 is presented as shown by an arrow 9 in FIG. The personal attribute data identifier and the personal attribute data corresponding to the personal attribute data identifier are transmitted to the medical institution first server 12A (personal attribute data transmitting means).

  The first medical institution server 12A receives the personal attribute data identifier and the personal attribute data from the second business company server 16 (personal attribute data receiving means). The medical institution first server 12A applies the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A and the first business company second server 14B. Real name medical data is created (real name medical data creation means).

  Specifically, the personal attribute data identifiers received from the first business company first server 14A and the first business company second server 14B are compared with the personal attribute data identifiers received from the second business company server 16, and they match each other. The real name medical data is created by combining the personal attribute data corresponding to the personal attribute data identifier and the anonymous medical data. The first medical institution server 12A displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means). Description of the real name medical data created by using FIG. 7 is omitted.

  The medical information management system 10 in FIG. 8 maintains the anonymous medical data in the first business company first server 14A and the first business company second server 14B that are separate and independent, so that the anonymous medical data is separated into the first business. Distributed and stored in companies 13A and 13B. Therefore, even if anonymous medical data is illegally taken out of either the first business company first server 14A or the first business company second server 14B or inadvertently leaked outside, Only a part is found, and the risk that the whole content of anonymous medical data is found can be avoided. Even if personal attribute data is illegally taken out from the second business company server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data. The medical information of the specified person is not known, and the medical information cannot be specified from the leaked personal attribute data.

  The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual. The medical information management system 10 uses the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A or the first business company second server 14B by the medical institution first server 12A. Is applied to create real name medical data of a specific individual, so that the medical information of a specific person can be reliably acquired and confirmed in the hospital 11A.

  FIG. 9 is a diagram showing another example of a procedure for creating real name medical data of a patient in the medical institution server 12B. FIG. 9 shows an example when there are two hospitals (two medical institution servers), and shows an example where anonymous medical data is transferred from the hospital 11A to the hospital 11B. In this case, the anonymous medical data shown in FIGS. 3 and 4 are collectively stored in the hard disk of the first business company first server 14A, and the personal attribute data shown in FIG. 5 is stored in the hard disk of the second business company server 16. Stored. The medical information management system 10 can be implemented in the presence of three or more separate medical institution servers. First, the medical institution first server 12A connects to the Internet 20 and accesses the server 14A using the URL of the first business company first server 14A.

  When the medical institution first server 12A accesses the first business company first server 14A, the first business company first server 14A requests an authentication procedure from the medical institution first server 12A, as indicated by an arrow 1 in FIG. Then, an authentication procedure for determining the validity of the server 12A is performed (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  When the authentication result is valid, the anonymous medical data in FIGS. 3 and 4 can be downloaded from the first business company first server 14A to the medical institution first server 12A, and the anonymous medical data is transmitted between the server 14A and the server 12A. Download processing is performed. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A.

  After the download of the anonymous medical data becomes possible, the medical institution first server 12A presents the patient number of the predetermined patient (inputs the patient number) as shown by the arrow 2 in FIG. Request transmission to the first server 14A of the first business company. When the medical institution first server 12A presents the patient number of the patient and requests transmission of anonymous medical data, the first operating company first server 14A collates the presented patient number with the patient number stored in the hard disk. The personal attribute data identifier corresponding to the patient number is specified.

  Next, the first business company first server 14A determines the specified personal attribute data identifier and anonymous medical data (medical record, medical record, interview record, interview record) from the past to the present corresponding to the personal attribute data identifier. Is extracted from the hard disk, and the extracted personal attribute data identifier and anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). The medical institution first server 12A receives the personal attribute data identifier and the anonymous medical data from the past to the present from the first business company first server 14A as shown by the arrow 3 in FIG. 9 (anonymous medical data receiving means) ).

  The medical institution second server 12B connects to the Internet 20 and accesses the server 12A using the URL of the medical institution first server 12A. When the medical institution second server 12B accesses the medical institution first server 12A, the first server 12A requests an authentication procedure from the second server 12B and confirms the validity of the server 12B as shown by an arrow 4 in FIG. Perform the authentication procedure to judge (authentication procedure request means).

  Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted. If the authentication result is valid, the anonymous medical data shown in FIGS. 3 and 4 can be downloaded from the server 12A to the server 12B, and the anonymous medical data is downloaded between the server 12A and the server 12B. On the contrary, when the authentication result is invalid, the authentication impossible message is displayed on the display 19 of the server 12B, and the anonymous medical data cannot be downloaded from the server 12A to the server 12B.

  After the anonymous medical data can be downloaded, the medical institution second server 12B presents the patient number of the predetermined patient (sends the patient number) as shown by the arrow 5 in FIG. The transmission is requested from the medical institution first server 12A. When the medical institution second server 12B presents the patient number of the patient and requests transmission of anonymous medical data, the medical institution first server 12A specifies the personal attribute data identifier corresponding to the presented patient number, and performs anonymous medical care. The personal attribute data identifier and the anonymous medical data (medical record, medical record, interview record, interview record) received from the first business company first server 14A by the data receiving means are transferred to the medical institution second server 12B (anonymous medical care) Data transfer means).

  The medical institution second server 12B receives the personal attribute data identifier and the anonymous medical data from the past to the present from the medical institution first server 12A as shown by the arrow 6 in FIG. 9 (anonymous medical data receiving means). In the anonymous medical data transfer means, the personal attribute data identifier and the anonymous medical data are stored in a predetermined memory device, the medical institution 11A passes the memory device to the medical institution 11B, and the personal attribute data identifier and the anonymous medical data are stored. Transfer may be performed.

  The medical institution second server 12B that receives the personal attribute data identifier and the anonymous medical data from the medical institution first server 12A accesses the server 16 via the Internet 20 using the URL of the second business company server 16. When the medical institution second server 12B accesses the second business company server 16, the second business company server 16 requests an authentication procedure from the medical institution second server 12B, and the server 12B as shown by an arrow 7 in FIG. An authentication procedure is performed to determine the legitimacy (authentication procedure request means).

  Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted. If the authentication result is valid, the personal attribute data in FIG. 5 can be downloaded from the server 16 to the server 12B, and the personal attribute data download process is performed between the server 16 and the server 12B. On the other hand, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12B, and the personal attribute data cannot be downloaded from the server 16 to the server 12B.

  After the personal attribute data can be downloaded, the medical institution second server 12B sets the personal attribute data identifier corresponding to the anonymous medical data received from the medical institution first server 12A as shown by the arrow 8 in FIG. Present (send personal attribute data identifier) and request the second business company server 16 to send personal attribute data. When the medical institution second server 12B presents the personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 is presented as shown by an arrow 9 in FIG. The personal attribute data identifier and the personal attribute data corresponding to the personal attribute data identifier are transmitted to the server 12B (personal attribute data transmitting means).

  The medical institution second server 12B receives the personal attribute data identifier and the personal attribute data from the second business company server 16 (personal attribute data receiving means). The medical institution second server 12B applies the personal attribute data received from the second business company server 16 to the anonymous medical data received from the medical institution first server 12A to create real name medical data of a specific individual (real name medical data Creating means).

  Specifically, the personal attribute data identifier received from the medical institution first server 12A and the personal attribute data identifier received from the second business company server 16 are compared, and the personal attribute data corresponding to the personal attribute data identifiers that match each other. And real-name medical data is created by combining anonymous medical data. The medical institution second server 12B displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means). Description of the real name medical data created by using FIG. 7 is omitted.

  In the medical information management system 10 of FIG. 9, the medical institution second server 12B that acquired the anonymous medical data of a specific individual from the medical institution first server 12A applies the personal attribute data to the medical data, and the real name medical data of the specific individual And the medical information of the patient can be reliably acquired and confirmed at the hospital where the patient is introduced or the hospital to which the patient is moved.

  In this medical information management system 10, even if anonymous medical data is illegally taken out from the first business company first server 14A or is inadvertently leaked outside, the medical data includes personal attribute data corresponding thereto. The real name, address, telephone number, etc. of the person in the anonymous medical data are not known, and the person cannot be identified from the leaked anonymous medical data. Even if personal attribute data is illegally taken out from the second business company server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data. The medical information of the specified person is not known, and the medical information cannot be specified from the leaked personal attribute data. The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual.

  FIG. 10 is an explanatory diagram showing another example of a procedure for storing various medical information, and FIG. 11 is a diagram showing another example of anonymous medical data stored in the first business company first server 14A. FIG. 12 is a diagram showing another example of personal attribute data stored in the second business company server 16. In the aspect shown in FIG. 10, at least one of the medical institution first server 12A and the medical institution second server 12B has first medical information (including a patient number (personal identification identifier)) as electronic data. The medical information transmission means for transmitting to the business company first server 14A is executed. The medical information of the patient includes anonymous medical data and personal attribute data. The medical information transmitting means is executed every time the patient's medical information is updated.

  The medical institution first server 12A and the medical institution second server 12B receive the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data from the first business company first server 14A. The data receiving means is executed, and the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier and the anonymous medical data received from the first business company first server 14A by the anonymous medical data receiving means are sent to another medical institution server. Anonymous medical data transfer means for transferring to 12A, 12B is executed. Examples of attribute items include name, address, postal code, telephone number, mobile phone number, e-mail address, URL, date of birth, face photo image, blood type, and family register. It is not limited and includes all items of personal information.

  The medical institution first server 12A and the medical institution second server 12B include a personal attribute data identifier corresponding to the anonymous medical data received by the anonymous medical data receiving means, an attribute item and personal attribute data corresponding to the personal attribute data identifier, Is received from the second business company server 16, and the personal attribute data received from the second business company server 16 is applied to the anonymous medical data received from the first business company first server 14A. Real name medical data creation means for creating real name medical data of a specific individual is executed. Furthermore, real name medical data output means for outputting the created real name medical data via the output device is executed.

  The first operating company first server 14A executes medical information receiving means for receiving various types of patient medical information transmitted from the medical institution servers 12A and 12B, and converts the received medical information into anonymous medical data and personal attribute data. Anonymized medical data holding means for holding anonymous medical data in a state associated with a patient number individually set for a patient while being classified is executed. The server 14A executes personal attribute data identifier assigning means for assigning a unique personal attribute data identifier to each attribute item to which the personal attribute data belongs, and associates each attribute item with each assigned personal attribute data identifier with a patient number. The personal attribute data identifier holding means held in the above is executed.

  The first business company first server 14A executes personal attribute data transmission means for transmitting the assigned personal attribute data identifier and the attribute item and personal attribute data corresponding to the personal attribute data identifier to the second business company server 16. . Therefore, only the personal attribute data identifier, the attribute item, and the anonymous medical data are held in the hard disk of the first server 14A, and the patient's personal attribute data is not held (the personal attribute data is not stored). ).

  When the medical institution servers 12A and 12B access the server 14A, the first business company first server 14A executes authentication procedure requesting means for requesting the authentication procedures from the medical institution servers 12A and 12B. When the medical institution servers 12A and 12B present the patient number of the patient and request transmission of anonymous medical data after the medical institution servers 12A and 12B perform the authentication procedure, the first server 14A Anonymized medical data transmitting means for transmitting the identified personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data to the medical institution servers 12A and 12B while identifying the corresponding personal attribute data identifier To do.

  The second business company server 16 executes personal attribute data receiving means for receiving the personal attribute data identifier transmitted from the first business company first server 14A, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data. To do. Anonymized medical data is not transmitted to the second business company server 16. The second business company server 16 classifies the received personal attribute data for each attribute item, and executes personal attribute data holding means for holding the personal attribute data in a state associated with the personal attribute data identifier of the attribute item to which it belongs. . Only the personal attribute data identifier, the attribute item, and the personal attribute data are held in the hard disk of the server 16, and the patient's anonymous medical data is not held (anonymous medical data is not stored).

  When the medical institution servers 12A and 12B access the server 16, the second business company server 16 executes an authentication procedure requesting unit that requests an authentication procedure from the medical institution servers 12A and 12B. Furthermore, after the medical institution servers 12A and 12B perform the authentication procedure, the medical institution servers 12A and 12B present the attribute items and personal attribute data identifiers corresponding to the anonymous medical data and request transmission of personal attribute data. The personal attribute data transmitting means for transmitting the attribute item and personal attribute data identifier and the personal attribute data corresponding to the attribute item and personal attribute data identifier to the servers 12A and 12B is executed.

  Another example of storing anonymous medical data and personal attribute data will be described with reference to FIG. After connecting to the Internet 20, the medical institution first server 12A accesses the first business company first server 14A, and first receives the patient number, personal attribute data, and anonymous medical data (medical information) from the past to the present. It transmits to the server 14A (medical information transmission means).

  The first operating company first server 14A receives the medical information (patient number, medical record, medical record, interview record, interview record, personal attribute data) transmitted from the medical institution first server 12A (medical information receiving means) ), The medical information received is classified into anonymous medical data and personal attribute data, and the anonymous medical data is held in a state associated with the patient number individually set for the patient (anonymous medical data holding means). The server 14A assigns a unique personal attribute data identifier to each attribute item to which the personal attribute data belongs (personal attribute data identifier assigning means), and associates each attribute item and each assigned personal attribute data identifier with the patient number. Hold (personal attribute data identifier holding means).

  On the hard disk of the first operating company first server 14A, as shown in FIG. 11, attribute items and personal attribute data identifiers associated with patient numbers, anonymous medical data (medical records, medical records, interview records, interview records) Is stored. The medical record includes date, treatment, prescription, findings, and order, and the medical record includes date, photographed image, memo, and accounting. Interview records and interview records include date and content. After connecting to the Internet 20, the first business company first server 14 </ b> A accesses the second business company server 16 and transmits the assigned personal attribute data identifier, attribute item, and personal attribute data to the second business company server 16. (Personal attribute data transmission means). The first server 14A transmits the personal attribute data to the second business company server 16, and then deletes the personal attribute data from the hard disk.

  The second business company server 16 receives the personal attribute data identifier transmitted from the first business company first server 14A and the attribute item and personal attribute data corresponding to the personal attribute data identifier (personal attribute data receiving means). . The second business company server 16 classifies the received personal attribute data for each attribute item, and holds the personal attribute data in a state associated with the personal attribute data identifier of the attribute item to which it belongs (personal attribute data holding means).

  As shown in FIG. 12, the hard disk of the second business company server 16 stores personal attribute data classified for each attribute item in a state associated with the personal attribute data identifier. The name attribute item stores the actual name in the personal attribute data identifier (2) (second file of the name attribute item), and the address attribute item includes the personal attribute data identifier (5) (address attribute item). The fifth file) stores the actual address. The postal code attribute item stores the actual postal code in the personal attribute data identifier (1) (first file of the postal code attribute item), and the telephone number attribute item includes the personal attribute data identifier (1). Stores the actual telephone number.

  The mobile phone number attribute item stores the actual mobile phone number in the personal attribute data identifier (3) (third file of the mobile phone number attribute item), and the e-mail address attribute item contains the personal attribute data. The actual e-mail address is stored in the identifier (4) (the fourth file of the e-mail address attribute item). In the URL attribute item, the actual URL is stored in the personal attribute data identifier (2) (second file of the URL attribute item), and in the date of birth attribute item, the personal attribute data identifier (6) (birth year) The actual date of birth is stored in the sixth file of the date attribute item). In the attribute item of the face photograph image, the actual face photograph image is stored in the personal attribute data identifier (5) (the fifth file of the face photograph image attribute item), and in the blood type attribute item, the personal attribute data identifier (6) The actual blood type is stored in (sixth file of blood type attribute item). In the attribute item of the permanent address, the actual permanent address is stored in the personal attribute data identifier (1) (first file of the permanent attribute attribute item). In addition, although the number is illustrated as a personal attribute data identifier, a personal attribute data identifier is not limited to a number, In addition to a number, an alphabet, a symbol, a character, etc. can also be used.

  With reference to FIG. 6, an example of a procedure in which the medical institution server 12 </ b> A creates the patient's real name medical data from the anonymous medical data and personal attribute data in FIGS. 10 and 11 will be described as follows. When creating the real name medical data of a predetermined patient, the medical institution first server 12A connects to the Internet 20, accesses the server 14A using the URL of the first business company first server 14A, and executes the second business. The server 16 is accessed using the URL of the company server 16.

  When the medical institution first server 12A accesses the first business company first server 14A, the first business company first server 14A requests an authentication procedure from the medical institution first server 12A, as indicated by an arrow 1 in FIG. Then, an authentication procedure for determining the validity of the server 12A is performed (authentication procedure request means). The authentication procedure is as shown in FIG.

  If the authentication result is valid, the anonymous medical data in FIG. 11 can be downloaded from the first business company first server 14A to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14A and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A.

  When the medical institution first server 12A accesses the second business company server 16, the second business company server 16 requests an authentication procedure from the medical institution first server 12A, and as shown by an arrow 2 in FIG. An authentication procedure is performed to determine the legitimacy (authentication procedure request means). The authentication procedure is as shown in FIG.

  If the authentication result is valid, the personal attribute data in FIG. 5 can be downloaded from the second business company server 16 to the medical institution first server 12A, and the personal attribute data download process is performed between the server 16 and the server 12A. Done. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the personal attribute data cannot be downloaded from the server 16 to the server 12A.

  After the anonymous medical data can be downloaded, the medical institution first server 12A presents the patient's patient number (sends the patient number) and transmits the anonymous medical data as shown by an arrow 3 in FIG. A request is made to the first business company first server 14A. When the server 12A presents the patient number and requests transmission of anonymous medical data, the first business company first server 14A collates the presented patient number with the patient number stored in the hard disk, and sets the patient number. While identifying the corresponding personal attribute data identifier, the specified personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data (medical record, medical record, interview record, interview record) are extracted from the hard disk Then, the extracted personal attribute data identifier, attribute item, and anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). As shown by an arrow 4 in FIG. 6, the first medical institution server 12A sends the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the anonymous medical data from the past to the present first Receive from the server 14A (anonymous medical data receiving means).

  After the personal attribute data can be downloaded, the medical institution first server 12A, as shown by the arrow 5 in FIG. 6, the attribute item corresponding to the anonymous medical data received from the first business company first server 14A and The personal attribute data identifier is presented (attribute item and personal attribute data identifier are transmitted), and the second business company server 16 is requested to transmit the personal attribute data. When the first server 12A presents the attribute item and personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 sends the presented attribute item and personal attribute data identifier, The attribute item and personal attribute data corresponding to the personal attribute data identifier are extracted from the hard disk, and the extracted personal attribute data identifier, attribute item, and personal attribute data are transmitted to the first server 12A (personal attribute data transmitting means).

  The medical institution first server 12A receives the personal attribute data identifier and the attribute item and personal attribute data corresponding to the personal attribute data identifier from the second business company server 16 as shown by the arrow 6 in FIG. Attribute data receiving means). The first server 12A matches the attribute item and personal attribute data identifier received from the first business company first server 14A with each other while comparing the attribute item and personal attribute data identifier received from the second business company server 16 with each other. Real name medical data is created by combining personal attribute data corresponding to the attribute item and personal attribute data identifier and anonymous medical data (real name medical data creating means).

  Specifically, the medical institution first server 12A compares the attribute items received from the first business company first server 14A with the attribute items received from the second business company server 16, and the attribute items in the attribute items that match each other. After the personal attribute data identifiers are compared, if the personal attribute data identifiers match, the anonymous medical data received from the first server 14A is determined as valid data. Next, personal attribute data identifiers are compared in each attribute item, and if the personal attribute data identifiers match, the personal attribute data of each attribute item (file) received from the server 16 is determined as valid data.

  The medical institution first server 12A uses the actual name in the personal attribute data identifier (2) of the name attribute item (the second file of the name attribute item) as the name attribute item received from the first operating company first server 14A. Apply the actual address in the personal attribute data identifier (5) of the address attribute item (the fifth file of the address attribute item) to the address attribute item received from the first server 14A. Apply the actual zip code in the personal attribute data identifier (1) of the zip code attribute item (the first file of the zip code attribute item) to the zip code attribute item received from the first server 14A, and The actual telephone number in the personal attribute data identifier (1) (first file of the telephone number attribute item) is applied to the telephone number attribute item received from the first server 14A.

  The medical institution first server 12A receives the actual mobile phone number in the personal attribute data identifier (3) (the third file of the mobile phone number attribute item) of the mobile phone number attribute item from the first server 14A. E-mail address applied to the number attribute item and received from the first server 14A of the actual e-mail address in the personal attribute data identifier (4) of the e-mail address attribute item (fourth file of the e-mail address attribute item) Applies to attribute items. Applying the actual URL in the personal attribute data identifier (2) of the URL attribute item (second file of the URL attribute item) to the URL attribute item received from the first server 14A, the personal attribute data of the date of birth attribute item The actual date of birth in the identifier (6) (the fourth file of the date of birth attribute item) is applied to the date of birth attribute item received from the first server 14A.

  The medical institution first server 12A receives the actual face photograph image in the personal attribute data identifier (5) (the fifth file of the face photograph image attribute item) of the face photograph image attribute item from the first server 14A. Applied to the image attribute item, the actual blood type in the personal attribute data identifier (6) (the sixth file of the blood type attribute item) of the blood type attribute item is applied to the blood type attribute item received from the first server 14A To do. The actual register in the personal attribute data identifier (1) of the permanent register item (the first file of the permanent register item) is applied to the permanent attribute item received from the first server 14A.

  After the application of the attribute items is completed, the first medical institution server 12A creates real name medical data by combining the personal attribute data and the anonymous medical data. The first server 12A displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means). The first server 12A can also store the created real name medical data in the hard disk. Description of the real name medical data created by using FIG. 7 is omitted.

  In the medical information management system 10 of the aspect of FIG. 10, anonymous medical data of a plurality of patients collected in the hospital 11A is held in the first operating company first server 14A, and personal attribute data is assigned to each attribute item. Since the personal attribute data identifier is held in the first server 14A and the individual attribute data of each patient is held in the second business company server 16, the anonymous medical data and the personal attribute data are stored in the independent business companies 13A and 15 respectively. Distributed and stored. Therefore, even if anonymous medical data is illegally taken out from the first server 14A or inadvertently leaked to the outside, the corresponding personal attribute data is not included in the medical data, and the anonymous medical data Personal information such as real names, addresses, and telephone numbers is never known, and a person cannot be identified from leaked anonymous medical data. Even if personal attribute data is illegally taken out from the server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data, and the person specified from the personal attribute data The medical information cannot be identified, and the medical information cannot be identified from the leaked personal attribute data.

  The medical information management system 10 holds the attribute item and the assigned personal attribute data identifier in a state associated with the patient number by the first business company first server 14A, so that the combination information of the individual attribute data is the first. It is managed by the server 14A, and the personal information cannot be specified by the second business company server 16. The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual. The medical information management system 10 applies the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A by the medical institution first server 12A, and the real name medical care of the specific individual Since the data is created, the medical information of a specific patient can be reliably acquired and confirmed in the hospital 11A.

  With reference to FIG. 9, another example of the procedure for creating the real name medical data of the patient in the medical institution server 12B will be described as follows. The first business company first server 14A stores the anonymous medical data in FIG. 11, and the second business company server 16 stores the personal attribute data in FIG. First, the medical institution first server 12A connects to the Internet 20 and accesses the server 14A using the URL of the first business company first server 14A.

  When the medical institution first server 12A accesses the first business company first server 14A, the first business company first server 14A requests an authentication procedure from the medical institution first server 12A, as indicated by an arrow 1 in FIG. Then, an authentication procedure for determining the validity of the server 12A is performed (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  If the authentication result is valid, the anonymous medical data in FIG. 11 can be downloaded from the first business company first server 14A to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14A and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A.

  After the anonymous medical data can be downloaded, the medical institution first server 12A presents the patient's patient number (inputs the patient number) and transmits the anonymous medical data as shown by the arrow 2 in FIG. A request is made to the first business company first server 14A. When the medical institution first server 12A presents the patient number of the patient and requests transmission of anonymous medical data, the first operating company first server 14A collates the presented patient number with the patient number stored in the hard disk. While identifying the personal attribute data identifier corresponding to the patient number, the identified personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data (medical record, medical record, interview record, interview record) ) Are extracted from the hard disk, and the extracted personal attribute data identifier, attribute item, and anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). As shown by an arrow 3 in FIG. 9, the medical institution first server 12A sends the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the anonymous medical data from the past to the present first Receive from the server 14A (anonymous medical data receiving means).

  The medical institution second server 12B connects to the Internet 20 and accesses the server 12A using the URL of the medical institution first server 12A. When the medical institution second server 12B accesses the medical institution first server 12A, the first server 12A requests an authentication procedure from the second server 12B and confirms the validity of the server 12B as shown by an arrow 4 in FIG. Perform the authentication procedure to judge (authentication procedure request means).

  Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted. If the authentication result is valid, the anonymous medical data shown in FIGS. 3 and 4 can be downloaded from the server 12A to the server 12B, and the anonymous medical data is downloaded between the server 12A and the server 12B. On the contrary, when the authentication result is invalid, the authentication impossible message is displayed on the display 19 of the server 12B, and the anonymous medical data cannot be downloaded from the server 12A to the server 12B.

  After the anonymous medical data can be downloaded, the medical institution second server 12B presents the patient's patient number (sends the patient number) and transmits the anonymous medical data as shown by the arrow 5 in FIG. Requested to the medical institution first server 12A. When the medical institution second server 12B presents the patient number of the patient and requests transmission of anonymous medical data, the medical institution first server 12A specifies the personal attribute data identifier corresponding to the presented patient number, and performs anonymous medical care. Personal attribute data identifier received from the first business company first server 14A by the data receiving means, attribute items corresponding to the personal attribute data identifier, and anonymous medical data from the past to the present (medical record, medical record, interview record, medical interview) Record) is transferred to the second medical institution server 12B (anonymous medical data transfer means).

  As shown by the arrow 6 in FIG. 9, the medical institution second server 12B sends the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the anonymous medical data from the past to the present to the medical institution first server 12A. (Anonymous medical data receiving means). The anonymous medical data transfer means stores the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data from the past to the present in a predetermined memory device, and stores the memory device in the medical institution 11A. May be transferred to the medical institution 11B to transfer personal attribute data identifiers or anonymous medical data.

  The medical institution second server 12B that has received the personal attribute data identifier, attribute item, and anonymous medical data from the first medical institution server 12A uses the URL of the second business company server 16 to access the server 16 via the Internet 20. To do. When the medical institution second server 12B accesses the second business company server 16, the server 16 requests an authentication procedure from the second server 12B, and determines the validity of the server 12B as shown by an arrow 7 in FIG. Perform authentication procedures (authentication procedure request means).

  Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted. If the authentication result is valid, the personal attribute data of FIG. 12 can be downloaded from the second business company server 16 to the medical institution second server 12B, and the personal attribute data download process is performed between the server 16 and the server 12B. Done. On the other hand, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12B, and the personal attribute data cannot be downloaded from the server 16 to the server 12B.

  After the personal attribute data can be downloaded, the medical institution second server 12B, as shown by an arrow 8 in FIG. 9, has attribute items and personal attributes corresponding to the anonymous medical data received from the medical institution first server 12A. The data identifier is presented (attribute item and personal attribute data identifier is transmitted), and the second business company server 16 is requested to transmit the personal attribute data. When the medical institution second server 12B presents the attribute item and personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 displays the presented attribute item and personal attribute data. The identifier, its attribute item, and personal attribute data corresponding to the personal attribute data identifier are extracted from the hard disk, and the extracted personal attribute data identifier, attribute item, and personal attribute data are transmitted to the server 12B (personal attribute data transmitting means).

  The medical institution second server 12B receives the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the personal attribute data from the second business company server 16 as shown by the arrow 9 in FIG. Attribute data receiving means). The second server 12B compares the attribute item and personal attribute data identifier received from the medical institution first server 12A with the attribute item and personal attribute data identifier received from the second business company server 16, and matches the attribute items. The real name medical data is created by combining the personal attribute data corresponding to the personal attribute data identifier and the anonymous medical data (real name medical data creating means). Since the specific procedure is the same as that described in the system of the embodiment of FIG. 10, its detailed description is omitted.

  The first server 12A displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means). The first server 12A can also store the created real name medical data in the hard disk. Description of the real name medical data created by using FIG. 7 is omitted.

  The medical information management system 10 described with reference to FIG. 9 is specified by the medical institution second server 12B, which has acquired the anonymous medical data of a specific individual from the medical institution first server 12A, applying personal attribute data to the medical data. Personal real name medical data can be created, and the medical information of the patient can be reliably acquired and confirmed at the hospital where the patient is introduced or the hospital to which the patient is moved.

  In this medical information management system 10, even if anonymous medical data is illegally taken out from the first business company first server 14A or is inadvertently leaked outside, the medical data includes personal attribute data corresponding thereto. The real name, address, telephone number, etc. of the person in the anonymous medical data are not known, and the person cannot be identified from the leaked anonymous medical data. Even if personal attribute data is illegally taken out from the second business company server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data. The medical information of the specified person is not known, and the medical information cannot be specified from the leaked personal attribute data. The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual.

  FIG. 13 is a diagram showing another example of anonymous medical data stored in the first server 14A of the first business company, and FIG. 14 shows another example of anonymous medical data stored in the first server 2B of the first business company. It is a figure which shows an example. 13 and 14, at least one of the medical institution first server 12A and the medical institution second server 12B uses various types of patient medical information (including a patient number (personal identification identifier)) as electronic data. The medical information transmitting means for transmitting to the first business company first server 14A is executed. The medical information of the patient includes anonymous medical data and personal attribute data. The medical information transmitting means is executed every time the patient's medical information is updated.

  The medical institution first server 12A and the medical institution second server 12B send the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the anonymous medical data to the first business company first server 14A and the first business company. Anonymous medical data receiving means received from the second server 14B is executed. Examples of attribute items include name, address, postal code, telephone number, mobile phone number, e-mail address, URL, date of birth, face photo image, blood type, and family register. It is not limited and includes all items of personal information.

  The medical institution first server 12A and the medical institution second server 12B include a personal attribute data identifier corresponding to the anonymous medical data received by the anonymous medical data receiving means, an attribute item and personal attribute data corresponding to the personal attribute data identifier, Is received from the second business company server 16, and the second business company server 16 is added to the anonymous medical data received from the first business company first server 14A and the first business company second server 14B. The real name medical data creation means for creating the real name medical data of a specific individual by applying the personal attribute data received from the user is executed. Furthermore, real name medical data output means for outputting the created real name medical data via the output device is executed.

  The first operating company first server 14A executes medical information receiving means for receiving various types of patient medical information transmitted from the medical institution servers 12A and 12B, and converts the received medical information into anonymous medical data and personal attribute data. Anonymized medical data holding means for holding a part of the anonymous medical data in a state associated with the patient number individually set for the patient while being classified. The server 14A executes personal attribute data identifier assigning means for assigning a unique personal attribute data identifier to each attribute item to which the personal attribute data belongs, and associates each attribute item with each assigned personal attribute data identifier with a patient number. The personal attribute data identifier holding means held in the above is executed.

  The first business company first server 14A executes medical information transmission means for transmitting a part of the anonymous medical data and the patient number to the first business company second server 14B. The first business company second server 14B executes medical information receiving means for receiving the anonymous medical data and the patient number transmitted from the first server 14A. The second server 14B executes anonymous medical data holding means for holding a part of anonymous medical data in a state associated with the patient number.

  The first business company first server 14A executes personal attribute data transmission means for transmitting the assigned personal attribute data identifier and the attribute item and personal attribute data corresponding to the personal attribute data identifier to the second business company server 16. . Therefore, the hard disk of the first server 14A or the second server 14B holds only personal attribute data identifiers, attribute items, and anonymous medical data, and does not hold patient personal attribute data (personal attribute data is stored). Is never done).

  The first business company first server 14A and the first business company second server 14B request an authentication procedure from the medical institution servers 12A and 12B when the medical institution servers 12A and 12B access the servers 14A and 14B. Execute authentication procedure request means. The first and second servers 14A and 14B are presented when the medical institution servers 12A and 12B request the transmission of anonymous medical data by presenting the patient number of the patient after the medical institution servers 12A and 12B perform the authentication procedure. Anonymous medical treatment for transmitting the specified personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data to the medical institution servers 12A and 12B while specifying the personal attribute data identifier corresponding to the patient number specified Execute data transmission means.

  The second business company server 16 executes personal attribute data receiving means for receiving the personal attribute data identifier transmitted from the first business company first server 14A, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data. To do. Anonymized medical data is not transmitted to the second business company server 16. The second business company server 16 classifies the received personal attribute data for each attribute item, and executes personal attribute data holding means for holding the personal attribute data in a state associated with the personal attribute data identifier of the attribute item to which it belongs. . Only the personal attribute data identifier, the attribute item, and the personal attribute data are held in the hard disk of the server 16, and the patient's anonymous medical data is not held (anonymous medical data is not stored).

  When the medical institution servers 12A and 12B access the server 16, the second business company server 16 executes an authentication procedure requesting unit that requests an authentication procedure from the medical institution servers 12A and 12B. Furthermore, after the medical institution servers 12A and 12B perform the authentication procedure, the medical institution servers 12A and 12B present the attribute items and personal attribute data identifiers corresponding to the anonymous medical data and request transmission of personal attribute data. The personal attribute data transmission means for transmitting the attribute item and personal attribute data identifier and the personal attribute data corresponding to the attribute item and personal attribute data identifier to the medical institution servers 12A and 12B is executed.

  With reference to FIG. 2, another example of the procedure for storing the anonymous medical data in FIGS. 13 and 14 will be described as follows. After connecting to the Internet 20, the medical institution first server 12A accesses the first business company first server 14A, and first receives the patient number, personal attribute data, and anonymous medical data (medical information) from the past to the present. It transmits to the server 14A (medical information transmission means).

  The first operating company first server 14A receives the medical information (patient number, medical record, medical record, interview record, interview record, personal attribute data) transmitted from the medical institution first server 12A (medical information receiving means) ), While receiving medical information is classified into anonymous medical data and personal attribute data, only medical records from the past to the present are kept among the anonymous medical data in a state associated with the patient number set for each patient. (Anonymous medical data holding means).

  The first business company first server 14A assigns a unique personal attribute data identifier to each attribute item to which the personal attribute data belongs (personal attribute data identifier assigning means), and assigns each attribute item and the assigned individual attribute data identifier to the patient. Stored in a state associated with the number (personal attribute data identifier storage means) 14 A of 1st servers hold | maintain only a medical record among anonymous medical data, and do not hold | maintain a medical record, an interview record, and an inquiry record. As shown in FIG. 13, the hard disk of the first business company first server 14A stores attribute items associated with patient numbers, personal attribute data identifiers, and anonymous medical data (medical records). The medical record includes date, treatment, prescription, findings, and order.

  After connecting to the Internet 20, the first business company first server 14A accesses the second business company server 16 and the first business company second server 14B, and assigns the assigned personal attribute data identifier, attribute item, and personal attribute data. Are transmitted to the second business company server 16 (personal attribute data transmission means). The first server 14A transmits medical records, interview records, and interview records from the past to the present among the patient number and anonymous medical data to the second server 14B (medical information transmitting means). The first server 14A transmits the personal attribute data to the second business company server 16, and then deletes the personal attribute data from the hard disk.

  The first business company second server 14B receives the medical information (patient number, medical record, interview record, interview record) transmitted from the first business company first server 14A (medical information receiving means). The second server 14B holds medical records, interview records, and interview records from the past to the present in a state associated with the patient number (anonymous medical data holding means). As shown in FIG. 14, anonymous medical data (medical record, interview record, interview record) associated with the patient number is stored in the hard disk of the first business company second server 14B. The medical record includes date, photographed image, memo, and accounting. Interview records and interview records include date and content.

  The second business company server 16 receives the personal attribute data identifier transmitted from the first business company first server 14A and the attribute item and personal attribute data corresponding to the personal attribute data identifier (personal attribute data receiving means). . The second business company server 16 classifies the received personal attribute data for each attribute item, and holds the personal attribute data in a state associated with the personal attribute data identifier of the attribute item to which it belongs (personal attribute data holding means). The personal attribute data identifier, attribute item, and personal attribute data stored in the hard disk of the second business company server 16 are the same as those in FIG.

  With reference to FIG. 8, another example of the procedure for creating the real name medical data of the patient in the first medical institution server 12A will be described as follows. The first business company first server 14A stores the anonymous medical data in FIG. 13, and the first business company second server 14B stores the anonymous medical data in FIG. The second business company server 16 stores the personal attribute data of FIG. First, the medical institution first server 12A connects to the Internet 20 and accesses the server 14A using the URL of the first business company first server 14A.

  When the medical institution first server 12A accesses the first business company first server 14A, the first server 14A requests an authentication procedure from the first server 12A, and as shown by an arrow 1 in FIG. An authentication procedure for judging sex is performed (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  When the authentication result is valid, the anonymous medical data in FIG. 13 can be downloaded from the first business company first server 14A to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14A and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14A to the server 12A.

  When the medical institution first server 12A accesses the first business company second server 14B, the second server 14B requests an authentication procedure from the first server 12A, and as shown by an arrow 2 in FIG. An authentication procedure for judging sex is performed (authentication procedure request means) Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  When the authentication result is valid, the anonymous medical data in FIG. 4 can be downloaded from the first business company second server 14B to the medical institution first server 12A, and the anonymous medical data is downloaded between the server 14B and the server 12A. Processing is performed. On the contrary, when the authentication result is invalid, the authentication impossible message is displayed on the display 19 of the server 12A, and the anonymous medical data cannot be downloaded from the server 14B to the server 12A.

  When the medical institution first server 12A accesses the second business company server 16, the server 16 requests the first server 12A for an authentication procedure, and determines the validity of the server 12A as indicated by an arrow 3 in FIG. Perform authentication procedures (authentication procedure request means). Since the authentication procedure is the same as that in FIG. 6, that in FIG. 6 is used and the description thereof is omitted.

  If the authentication result is valid, the personal attribute data in FIG. 5 can be downloaded from the second business company server 16 to the medical institution first server 12A, and the personal attribute data download process is performed between the server 16 and the server 12A. Done. On the contrary, when the authentication result is invalid, an authentication impossible message is displayed on the display 19 of the server 12A, and the personal attribute data cannot be downloaded from the server 16 to the server 12A.

  After the anonymous medical data can be downloaded, the medical institution first server 12A presents the patient number of the predetermined patient (sends the patient number) as shown by the arrow 4 in FIG. Request transmission to the first server 14A of the first business company. When the medical institution first server 12A presents the patient number of the patient and requests transmission of anonymous medical data, the first operating company first server 14A collates the presented patient number with the patient number stored in the hard disk. The personal attribute data identifier corresponding to the patient number is specified.

  Next, the first business company first server 14A extracts the identified personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and anonymous medical data (medical record) from the hard disk, and extracts the extracted personal attribute data. An identifier, an attribute item, and anonymous medical data are transmitted to the medical institution first server 12A (anonymous medical data transmitting means). As shown by an arrow 5 in FIG. 8, the medical institution first server 12A sends the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the anonymous medical data from the past to the present first Receive from the server 14A (anonymous medical data receiving means).

  After the anonymous medical data can be downloaded and after receiving the personal attribute data identifier, attribute item, and anonymous medical data from the first business company first server 14A, the medical institution first server 12A As shown by an arrow 6, the patient number is presented (the patient number is transmitted), and the first business company second server 14B is requested to transmit the anonymous medical data.

  When the medical institution first server 12A presents the patient number and requests the transmission of anonymous medical data, the first business company second server 14B displays the anonymous medical data (medical record, (Interview record, interview record) is extracted from the hard disk, and the patient number and the extracted anonymous medical data are transmitted to the first medical institution server 12A (anonymous medical data transmitting means). The medical institution first server 12A receives the patient number and the anonymous medical data from the past to the present from the first business company second server 14B as shown by the arrow 7 in FIG. 8 (anonymous medical data receiving means).

  After the personal attribute data can be downloaded, the medical institution first server 12A, as shown by the arrow 8 in FIG. 8, the attribute item corresponding to the anonymous medical data received from the first business company first server 14A and The personal attribute data identifier is presented (attribute item and personal attribute data identifier are transmitted), and the second business company server 16 is requested to transmit the personal attribute data. When the medical institution first server 12A presents the attribute item and personal attribute data identifier corresponding to the anonymous medical data and requests transmission of the personal attribute data, the second business company server 16 displays the presented attribute item and personal attribute data. The identifier, the attribute item, and the personal attribute data corresponding to the personal attribute data identifier are extracted from the hard disk, and the extracted personal attribute data identifier, attribute item, and personal attribute data are transmitted to the server 12A (personal attribute data transmitting means).

  The medical institution first server 12A receives the personal attribute data identifier, the attribute item corresponding to the personal attribute data identifier, and the personal attribute data from the second business company server 16 as shown by the arrow 9 in FIG. Attribute data receiving means). The first server 12A matches the attribute item and personal attribute data identifier received from the first business company first server 14A with each other while comparing the attribute item and personal attribute data identifier received from the second business company server 16 with each other. Real name medical data is created by combining personal attribute data corresponding to the attribute item and personal attribute data identifier and anonymous medical data (real name medical data creating means). Since the specific procedure is the same as that described in the system of the embodiment of FIG. 10, its detailed description is omitted.

  The first server 12A displays the created real name medical data on the display 19 (real name medical data output means), and outputs the real name medical data via a printer (real name medical data output means). The first server 12A can also store the created real name medical data in the hard disk. Description of the real name medical data created by using FIG. 7 is omitted.

  The medical information management system 10 described with reference to FIG. 8 holds anonymous medical data in a separate first business company first server 14A and first business company second server 14B so that anonymous medical data is stored. Distributed and stored in separate first business companies 13A and 13B. Therefore, even if anonymous medical data is illegally taken out of either the first business company first server 14A or the first business company second server 14B or inadvertently leaked outside, Only a part is found, and the risk that the whole content of anonymous medical data is found can be avoided. Even if personal attribute data is illegally taken out from the second business company server 16 or is inadvertently leaked to the outside, the personal attribute data does not include the corresponding medical data. The medical information of the specified person is not known, and the medical information cannot be specified from the leaked personal attribute data.

  The medical information management system 10 holds the attribute item and the assigned personal attribute data identifier in a state associated with the patient number by the first business company first server 14A, so that the combination information of the individual attribute data is the first. It is managed by the server 14A, and the personal information cannot be specified by the second business company server 16. The medical information management system 10 can ensure the confidentiality of medical information and can protect the privacy of a specific individual. The medical information management system 10 uses the personal attribute data received from the second business company server 16 to the anonymous medical data received from the first business company first server 14A or the first business company second server 14B by the medical institution first server 12A. Is applied to create real name medical data of a specific individual, so that the medical information of a specific person can be reliably acquired and confirmed in the hospital 11A.

10 Medical Information Management System 11A Hospital (Medical Institution)
11B Hospital (medical institution)
12A medical institution first server (medical institution server)
12B medical institution second server (medical institution server)
13A First operating company (first contractor)
13B First operating company (first contractor)
14A First business company first server (first business company server)
14B First business company second server (first business company server)
15 Second Operating Company (Second Contractor)
16 Second operating company server (second supplier server)
20 Internet

Claims (5)

A medical institution server installed in a medical institution, a first trader server installed in a first trader that exists independently of the medical institution, and holds anonymous medical data of a plurality of persons collected in the medical institution; A second vendor server installed in a second vendor existing independently from the medical institution and the first vendor, and holding personal attribute data capable of individually specifying the plurality of persons,
The medical institution server receives the anonymous medical data from the first supplier server, and the second medical data receiving means receives the anonymous medical data received by the anonymous medical data receiving means. Personal attribute data receiving means received from a vendor server, and real name medical data for creating real name medical data of a specific individual by applying the personal attribute data received from the second vendor server to the anonymous medical data received from the first vendor server A medical information management system comprising data creation means and real name medical data output means for outputting the created real name medical data.   The system includes a plurality of first to n-th medical institutions that exist independently and medical institution first to n-th servers installed in the medical institutions, and at least one of the first to n-th medical institutions One has anonymous medical data transfer means for transferring the anonymous medical data received from the first supplier server to other first to n-th medical institutions, and is installed in the other first to n-th medical institutions The personal attribute that the medical institution first to n-th server receives the personal attribute data corresponding to the anonymous medical data transferred from at least one of the first to n-th medical institution from the second vendor server The real name for creating the real name medical data of a specific individual by applying the personal attribute data received from the second vendor server to the anonymous medical data transferred from the first to nth medical institutions while executing the data receiving means Medical care Medical information management system of claim 1, wherein executing the over data creation means.   The first vendor server includes first vendor first to n-th servers installed in a plurality of first vendors that exist independently, and the medical institution server sends the anonymous medical data to the first vendor first. The anonymous medical data receiving means that receives from at least two of the nth servers is executed, and the personal attribute data corresponding to the anonymous medical data received by the anonymous medical data receiving means is received from the second vendor server. While executing the personal attribute data receiving means for receiving, the personal attribute data received from the second vendor server is appropriately applied to the anonymous medical data received from the first vendor first to n-th servers, and the real name medical data of the specific individual The medical information management system according to claim 1 or 2, wherein the real name medical data creating means for creating a name is executed. Personal attribute data in which the first vendor server sets a unique personal attribute data identifier in the personal attribute data, and holds the personal attribute data identifier in a state associated with individual identification identifiers individually set for the plurality of persons An identifier holding means, an anonymous medical data holding means for holding the anonymous medical data in a state associated with the personal attribute data identifier, and the medical institution server presenting the personal identification identifier and requesting transmission of the anonymous medical data Anonymity is transmitted to the medical institution server while identifying the identified personal attribute data identifier and the anonymous medical data corresponding to the personal attribute data identifier while identifying the personal attribute data identifier corresponding to the presented personal identification identifier Medical data transmission means,
The second merchant server presents personal attribute data holding means for holding the personal attribute data in a state associated with the personal attribute data identifier, and the medical institution server presents a personal attribute data identifier corresponding to the anonymous medical data. Personal attribute data transmitting means for transmitting the presented personal attribute data identifier and the personal attribute data corresponding to the personal attribute data identifier to the medical institution server when the transmission of the personal attribute data is requested. ,
The real name medical data creating means compares the personal attribute data identifier received from the first trader server with the personal attribute data identifier received from the second trader server, and corresponds to the personal attribute data identifiers that match each other. The medical information management system according to any one of claims 1 to 3, wherein the real name medical data is created by combining attribute data and anonymous medical data. Anonymized medical data holding means for holding the anonymous medical data in a state in which the first vendor server is associated with individual identification identifiers individually set for the plurality of individuals, and an individual unique to each attribute item of the personal attribute data Personal attribute data identifier holding means for assigning attribute data identifiers and holding each attribute item and the assigned personal attribute data identifier in association with the personal identification identifier, the assigned personal attribute data identifier, the personal attribute data, and the attribute item Corresponding to the personal identification identifier presented when the medical institution server requests the transmission of the anonymous medical data by presenting the personal identification identifier. The personal attribute data identifier to be identified and the identified personal attribute data identifier and the personal attribute data identifier And a anonymous medical data transmission means for transmitting the attribute items and anonymous medical data to the medical institution server,
Personal attribute data holding means for holding the personal attribute data in a state in which the second vendor server is associated with the personal attribute data identifier corresponding to each attribute item, and the medical institution server corresponds to the anonymous medical data When the attribute item and the personal attribute data identifier are presented and the transmission of the personal attribute data is requested, the presented attribute item and the personal attribute data identifier and the personal attribute data corresponding to the attribute item and the personal attribute data identifier Personal attribute data transmission means for transmitting to the medical institution server,
The real name medical data creation means compares the attribute item and personal attribute data identifier received from the first vendor server with the attribute item and personal attribute data identifier received from the second vendor server, and matches the attribute items. The medical information management system according to any one of claims 1 to 3, wherein the real name medical data is created by combining personal attribute data corresponding to the personal attribute data identifier and anonymous medical data.

Images