WO2013034310A2

WO2013034310A2 - Method for accessing and sharing a medical record

Info

Publication number: WO2013034310A2
Application number: PCT/EP2012/003790
Authority: WO
Inventors: Patrick Coudert; Jabir Abdelali
Original assignee: Patrick Coudert; Jabir Abdelali
Priority date: 2011-09-08
Filing date: 2012-09-10
Publication date: 2013-03-14
Also published as: WO2013034310A3; FR2980020A1; FR2980019B1; FR2980019A1; FR2980020B1; EP2754104A2

Abstract

The invention relates to a method for accessing and sharing a personal computer file comprising personal and non-personal data in a network comprising: a first server (DMA - 300) for anonymous files based on an identifier (IDA); at least a second server (GED - 500; RG&P 700-800) comprising attachments as well as general and personal resources indexed via said identifier; a first system (1-1, 1-n) for accessing said first and second servers, comprising a DMN agent for generating a personal computer file and at least one encoding/decoding file and a lookup table (PLT) for the links between personal data and said anonymous identifier (IDA); and a second system (1000), wherein the method comprises the following steps: identification (login 402); downloading (403) a list of anonymous identifiers (IDA) associated with said identifier; generating a client list from the identifier (IDA) list and said table (PLT); selecting a client (405); downloading (406) the anonymous computer file; building (407) the personal computer file; updating (408) said personal computer file, the method being characterized in that it further comprises the steps of: downloading (409) a list of generic-resource identifiers from said servers; displaying (410) and composing a generic-resource selection list; optionally adding (411) personal resources generated by the provider; storing the anonymous computer file comprising the generic- and personal-resource selection list in said first server (DMA-300); creating (505) a connection identifier for said second system (1000) for said first and at least second server (300, 500, 700-800); generating at least one encryption key allocated to said second system (1000); transmitting the connection identifier, the encryption key(s), and the identifier (IDA) to said second system (1000) so as to enable the shared access to the anonymous computer file with the exception of any personal information.

Description

Method of accessing and sharing a medical file

Technical field of the invention

The present invention relates to information systems, and in particular to a method for accessing and sharing a medical computer file.

State of the art

With the rise of telecommunications and the Internet network, online commerce but also the provision of services are experiencing considerable development. Many consumers today no longer hesitate to rely, despite its lack of user-friendliness, the simplicity of a telematic connection to entrust various providers on the web to perform services that they would have formerly entrusted to professionals close to their home.

Dematerialized benefits are becoming widespread, whether in the banking sector, the insurance sector, etc., just like electronic commerce.

A particular category of professionals and service providers still escapes the upheaval imposed by the New Information and Communication Technologies (NICT). Indeed, because of the age-old nature of their profession, notoriety and credit slowly matured over the course of history, the liberal professions still escape this intrusion of telematics in their special relationship with their clientele. Therapeutic professions especially, but also liberal professions have focused on developing a special relationship with the clientele and the very privileged nature of this relationship is clearly opposed to the phenomenon of dematerialization that knows all the other sectors without limit.

As we know, the vast majority of these professionals are subject to professional secrecy, which is absolute and must be preserved at all costs. This is obviously the case of the doctor, the nurse, all the therapists but also the lawyer, the architect etc. Although therapists and, in general, liberal professionals are thus partially escaping the upheavals resulting from the widespread invasion of telecommunications systems, it remains desirable to offer them new tools specific to NICTs, adapted to the specific nature of their profession. and that allow them to offer new services to their customers.

This is the condition for the development of the liberal professions in the new information society.

Patent Application No. 08368018.1 of September 19, 2008 (Publication EP2166484), entitled "Method of Access to Personal Data, Such as a Personalized Medical Record, from a Local Generation Agent" and whose Applicants The present application is at the origin, describes a first technique to dematerialize the medical file of a patient coming to consult a group of therapists. For this purpose, specific procedures are implemented to ensure anonymous storage on a so-called DMA (Anonymous Medical File) server, which storage serves, during a consultation of the patient with a practitioner, to build, within the cabinet of the practitioner, an instance of the Nominative Medical Record - or personalized - of the patient, while preserving the confidential nature of the highly sensitive information contained in this medical file. In this way, the patient is allowed to consult various practitioners, especially within the same professional group but located in physically remote locations and who can access anywhere the personalized medical file without the risk that the IT service providers involved in the transmission of information can break the chain of secrecy. It is thus possible to preserve the confidentiality of the information stored on the network

Internet.

The solution described in this aforementioned application thus provides a significant improvement in the service rendered to the patient who, however, remains confined within the practitioner's office and ends when the patient takes leave of his practitioner.

However, it remains desirable to be able to further increase the distribution of the medical file, and specifically portability, allowing the holder, on the one hand, to simply access his file from home but also, on the other hand, 'to go to consult various therapists, in France and abroad, registered or not, and to enrich the medical file of the observations and the result of these consultations.

Of course, if it is appropriate to allow the development of this "portability" of the medical file - which must be able to "follow" the movements of the patient wherever he may be - it remains necessary to preserve the protection and confidentiality of the patient. folder.

The present invention aims to respond to this problem by providing therapeutic practitioners and their patients, a medical record perfectly portable that can be accessed anywhere in optimal security conditions.

Moreover, the invention makes it possible to safely offer a panoply of new services to the liberal professionals and their patients. Finally, and this is not the least of the problems, it is important to increase the readability of the patient's reading of the medical file and to provide the community with new statistical collection tools in order to strengthen the patient's health. impact of Public Health policies.

Here lies the challenge of a medicine of progress, entering the new millennium and integrating the world of health into an active approach to patient participation and empowerment by modernizing prevention, the optimization of care and the evaluation of the therapies that are proposed.

Presentation of the invention

The present invention aims to provide liberal professionals with a new tool to pave the way for new services for their customers, while preserving the confidential nature of their relationship with this same clientele. Another object of the present invention is to provide liberal professionals with a new tool making it possible to increase the comfort of the exercise of their profession, to increase the impact of their consultation with their patients by allowing them to to extend the consultation, which has its source in the secret of their practice, and which is extended at a distance, through personalized resources accessible remotely, carefully selected by the professional to the attention of his client. More generally, the present invention aims to provide the liberal professions and professional bodies with statistical monitoring tools to monitor real-time consultations. It is a fourth object of the present invention to provide the medical professions with a modern tool for constituting a computer solution for sharing medical, paramedical and social information respecting the confidentiality of nominative information.

The present invention aims to provide liberal professionals with a new tool to pave the way for a new mode of consultation, including distance, for their patient, while preserving the confidential nature of their relationship with this same clientele and by coming to enrich a personalized medical file.

Another object of the present invention is to provide liberal professionals with a new tool making it possible to systematize the constitution of a personalized medical file, containing nominative or non-personal data, and enabling the patient to benefit from the advantages of such a searchable file. everywhere and can be widely portable between different practitioners.

The invention solves these problems by means of a method of accessing and sharing a personalized computer file managed by a service provider for the benefit of a client, said file comprising data of a technical nature, including data medical data, and highly confidential personal data within an architecture that includes:

a first server (DMA) comprising anonymous information excluding any personal information in relation to said anonymous identifier (IDA);

at least one second server (GED, RG & P) comprising attachments contained in said personalized folder and general and personalized resources indexed via said anonymous identifier (IDA);

a first system for the service provider and allowing access to the first and second server audits, said first system comprising in its memory a DMN agent for generating a personalized computer file and at least one encryption / decryption file comprising an encryption key and a link mapping table (PLT) between a patient's nominative data and an anonymous identifier (IDA),

a second system (1000) for the patient and allowing access to the first and second systems; the process comprising the following steps:

- identification (login) on said first server corresponding to the identifier of said provider;

- download of a list of IDA anonymous identifiers associated with said prestatair;

generating a list of clients from the IDA ID list and said table

PLT;

- selection of a particular client;

downloading the anonymous computer file from said first server;

constructing the personalized computer file based on the information downloaded from said first and second servers and the personal information present in said PLT table.

- update of said personalized computer file.

The method further comprises the following steps:

downloading from said servers a list of generic resource identifiers;

displaying said resources and composing a generic resource selection list;

- optional addition of personalized resources generated by the provider;

- saving the anonymous computer file containing the list of generic and custom resources in said first server (DMA-300);

creating a connection identifier for the attention of said second system for said first and at least second servers (DMA, EDM, RG &I);

generating at least one encryption key allocated to said second system of the patient;

transmission of said connection identifier from the encryption key (s) and the IDA identifier to an administrator server and / or audits of the first and at least second servers;

transmission of the connection identifier, the encryption key or keys and the IDA identifier to said second system assigned to the client so as to allow shared access to the Anonymous computer file, to the exclusion of all nominative information. According to one embodiment, the first and second systems are a computer, a laptop, a communicating tablet, a portable terminal (smartphone) or a telephone.

In a particular embodiment, the transmission to the second system of the connection identifier, the encryption key or keys and the identifier IDA are carried out via an external storage medium, such as a biometric USB key, or via a wireless communication link between two communicating devices or by electronic mail.

Preferably, the method comprises, after the generation of the connection identifier and the encryption keys of said second system, the creation of a certificate / certificate to confirm the creation of access to said second system.

Among the personalized resources, it is possible to provide an audio or video recording made from said first system during the consultation with the practitioner.

In a particular embodiment, the exchanges between said first system (or second system) and said first and at least second servers (300, 500, 700-800) are encrypted using public / private encryption keys of the first system. (or second system). Preferably, the method is applied to the sharing of an anonymous medical file stored on the first server, to which the second system assigned to the client / patient can access by benefiting from generic and personalized resources prepared by a therapist.

Preferably, the method further comprises a statistical data collection and information server for monitoring the accesses to said first server as well as the downloading of said generic and personal resources for the purpose of producing statistical information, in particular on diagnostics, processing and the use of generic and custom resources. The invention also provides a method for accessing and sharing a personalized medical file managed by a service provider for the benefit of a patient, said file comprising medical data and nominative data highly confidential, within a architecture comprising:

at least one server containing anonymous information, excluding all nominative information in relation to an anonymous identifier (IDA) and also including attachments and general and personalized resources indexed via said anonymous identifier (IDA); access to said server from a system held by a practitioner resulting from the following steps:

detection of a support allocated to the patient comprising identification elements (non-nominative) and means of encryption / decryption; - reading and decryption of the anonymous identifier (IDA);

- launching a connection to said server;

- testing the anonymous identifier (IDA) so as to verify whether it corresponds to an anonymous medical file stored in said database;

- verification of the identity of the practitioner;

- Displaying an anonymous medical file under a first interface with limited rights (EMERGENCY) so as to provide the practitioner with critical medical information concerning the patient even when the patient is unconscious. In a particular embodiment, the support may be a smart card, a key

USB even see a mobile terminal such as a smartphone (smartphone in the English literature).

In a particular embodiment, the practitioner's verification includes a test on the professional health card (CPS) presented by the latter.

Preferably, the anonymous medical data transmitted by said server causes the display of the anonymous medical file in relation to separate interfaces for medical professionals and the patient himself, the interfaces having different access rights.

In a particular embodiment, access to the DMA from the patient's home includes a password test to ascertain the identity of the patient and allow him, in good conscience, to extend the access rights for the patient. a practitioner already intervened on his file.

In one embodiment, the patient has his own interface (PATIENT) comprising access to general and personal resources specifically created by the practitioners who worked on his file. More specifically, the PATIENT interface comprises a search engine exploiting the data of the Medical File Anonymous stored on said server.

In a particular embodiment, the method of access to the anonymous medical file includes a location test to determine whether the territory on which the patient consults is an exposed or secure territory, the updating data of the DMA being exclusively stored on the patient card in the case of an exposed territory. More specifically, a synchronization phase can be implemented as soon as the patient returns to a presumed secure territory in order to update the medical data of the DMA.

In one embodiment, in order to perform the location test, the IP address used to access the file is tested, or, alternatively, the method uses a geolocation using a GPS receiver (Global Positioning System).

According to a particular embodiment, the invention provides a method of updating medical data between a first origin server and a second server located in different countries, so as to avoid cross-border transmission.

The method comprises the steps:

detection of a communication between a practitioner's system and an external support held by the patient, the external support comprising an external support identifier (ID card) and a country of origin identifier as well as means for identification and encryption / decryption corresponding to the patient;

reading of the identifier of the external support as well as the country of origin of the patient;

checking with said second server if the external support identifier corresponds to a medical file associated with the patient;

- if a medical file is identified:

- send a request to the origin server and download the date of the last update;

- comparing the last update of said original server with the update of said second server;

- Download an encrypted update from said original server and update said second server;

- if a medical file is not identified:

- send a request to the origin server to download an encrypted update of the medical file;

creating a copy of the medical file within said second server;

- provisional registration of new medical data entered by the practitioner during the course of the consultation;

storage of the update of the medical file within said second server.

Preferably, the external support is a mobile phone, a laptop, a touch pad or a USB key with its own processing means. Preferably, the medical data is anonymous medical data.

The invention also allows the realization of a method of access and sharing to a computer medical file stored on a server and accessible from a first system associated with an external medium comprising a first means of identifying a patient, and that means encryption / decryption for communication with the server.

The method comprises the steps:

detecting the presence of the patient's external support within said first system;

transmitting a request to the server to solicit the programming of a remote consultation via a second system and implementing a first authentication of the first system, in particular by means of the authentication information present on the external medium, the establishment of a first session;

- generation and transmission of an electronic notification to the practitioner and in particular to a second system comprising identification means of said server, encryption / decryption elements and a password for the establishment of a second access to the server via the second system;

- Transmission by the second system of a request to the server using said means of identification, encryption / decryption and password received from the patient;

- Second verification performed by the server of the presence of authentication means (example CPS card) associated with the second system;

- opening a second session between the server and the second system belonging to the practitioner;

- generation and sharing of medical records on the first and second systems;

storage (390) and / or update of the medical file on the server with the information entered on the second system;

- closures of said first and second sessions.

This procedure makes it possible to organize a meeting between a practitioner and a patient, with the aim of conducting a remote clinical consultation, possibly combined with the examination of biological examination results and / or radiological images, while allowing a enriching the medical file with information from the patient, and validated by the practitioner. The meeting is particularly secure because of the double verification performed successively on both systems, allowing a particularly strong authentication. Preferably, the external medium comprises executable code on said first system for executing a viewer of X-ray images stored on a medium present in the first system. The executable code allows in particular the taking of control of the first system by the second system in order to make a selection of one or more images extracted from the radiological support, the conversion of these images into digital files which can then be directly integrated within the shared medical record and simultaneously accessed via both systems.

Description of the drawings

Other characteristics, objects and advantages of the invention will appear on reading the description and the drawings below, given solely by way of non-limiting examples. In the accompanying drawings: FIG. 1 illustrates a first embodiment of a general architecture for carrying out the method of the invention.

FIG. 2 illustrates a second embodiment of an architecture that can be used to implement the method according to the invention.

FIG. 3 illustrates an embodiment of a method for creating and registering a generic resource within servers 700 and 800 of FIGS. 1 and 2, respectively.

FIG. 4 illustrates one embodiment of the method of consulting and accessing the Nominative Medical File from the practitioner's computer.

Figure 5 illustrates one embodiment of creating the patient's login credentials for the DMA online consultation. FIG. 6 illustrates one embodiment of the on-line access method to the DMA from the connection identifier created by the practitioner.

FIG. 7 illustrates an embodiment of a method of updating the PLT table in the event of a succession of therapists not belonging to the same professional group.

FIG. 8 illustrates an embodiment of a diagnostic aid assistant used during step 408 of updating the Nominal Medical File.

Figure 9 illustrates the consultation of a practitioner n ° 3 in a secure environment (CPS) (1st visit)

Figure 10 illustrates a method implemented allowing access to practitioner No. 3 after the first visit.

FIG. 1a is an embodiment of a method implemented when the patient comes to consult a practitioner No. 4 located in a country exposed to a risk of fraud

FIG. 1b is an embodiment of a method of synchronizing the PATIENT card with the servers 200-500 when its holder returns to the secure zone.

Figure 12 illustrates an embodiment of a patient card in the form of a smart card with a USB connector.

Figure 13 illustrates the situation of cross-border medical data exchange.

FIG. 14 illustrates an embodiment of a method for updating a medical file in the server 300 -B.

Fig. 15 illustrates the block diagram of a remote consultation according to an embodiment of the present invention.

Fig. 16 illustrates an embodiment of a method according to the present invention. Description of the embodiments

An embodiment of the invention is now described for setting up a computerized medical file intended for patients and various therapists, practitioners and members of the medical professions or not likely to intervene in the constitution and development of their computerized medical records.

If one thinks naturally of the intervention of the doctors, physiotherapists, nurses, chiropodists, psychologists, dentists, radiologists, biologists, dieticians ... other members of medical and paramedical professions could be envisaged to come to enrich, in as needed, the computerized medical record of a patient.

The invention can be used regardless of the mode of exercise of the professionals considered. Of course, we will first of all consider the liberal doctors and all the members of professions practicing in a so-called "liberal" framework. But this does not exhaust the possibilities of the present invention which can be applied equally to all professionals practicing in a salaried framework. Employees of complex organizations (clinics, professional associations, etc.) will be able to use the tools and processes described below in the performance of their duties.

In order to fully understand the multiple variants and possibilities offered by the present invention, we will successively describe the application of the solution to a server storing anonymous data (A), then a more general case, that of a server that can where appropriate store personal data or not (B).

A. Access to a server storing an anonymous folder

The presentation will successively address: I. Elements of architecture and general definitions;

II. Procedures implemented to obtain the new functionalities and in particular the portability of the anonymous medical file (DMA)

I. Elements of architecture and general definitions a) Elements of architecture

For the sake of brevity and simplicity, we will rely on the architecture presented and described in the patent application 08368018.1 to describe an embodiment, which however will be non-limiting of the present invention.

As illustrated in FIG. 1, a plurality of practitioners, practicing individually or, as described in the aforementioned patent application, within the same group of professionals and having any computer system is considered. . Considering more specifically the case of a grouping of n professionals or therapists, the figure shows a set of n computers 1-1 to 1-n (it is assumed that the group considered comprises n systems), each equipped with a processor 6, storage means including a RAM 7 in which is loaded an operating system 11 (such as WINDOWS (registered trademark) or LINUX for example), an application software 12, a user interface module 13 and DMN agent 14 for carrying out the procedures described hereinafter. The system 1-1 is furthermore equipped with conventional input / output means enabling the connection to a screen 2, a keyboard 3, a pointing device such as a mouse 4, as well as specific ports for connecting the peripherals. suitable, for example a serial device type USB (Universal Serial Bus) or IEEE1394 (firewire) ... Each system 1-1 can also include external storage means, as seen with a USB key 20 which may, in one embodiment, include a file 21 storing a PLT table and encryption / decryption keys 22 described below.

Each system 1-1 to 1-n also has means of communication, in particular with the Internet network 100 so as to be able to access, for example via the http protocol {Hyper Text Transfer Protocol) or any equivalent protocol, to external servers, and in particular to an Administrator server 200, a so-called DMA server 300 for storing anonymous medical data, a TSB server 400 for storing temporary personal data, a GED 500 server for Document Management, a server 600 for the collection and analysis of statistical data and a server RG & P 700 for storing Generic and Custom Resources that will be made available to patients. It should be noted that the servers 200 and 600 may also communicate with the DMA server 300 by means of TCP / IP type communications according to a client-server communication architecture well known to a person skilled in the art that he is not no need to develop more.

Finally, to complete the presentation of Figure 1, it should be noted that the patient also has a computer 1000, such as a laptop but more generally any information processing device, with means of communication such as a telephone, a pocket terminal ("smartphone" according to the Anglo-Saxon literature), a PDA (Personal Document Assistant), a communicating graphics tablet, etc., allowing the patient to access, in complete confidentiality through the procedures that will be described below, to his own personalized medical record. The computer 1000 may be equipped with the same devices as those present in the practice of the practitioner, including a USB port, an external storage disk, or even a smart card reader 30 for reading a personal health card ( for example, the so-called VITAL card in France).

In a particular embodiment, the USB port of the computer 1000 is used to connect a PATIENT card comprising means for identifying, encrypting and storing an executable program for carrying out the procedures described herein. -after.

In general, it should be noted that, following the teaching of the aforementioned patent application 08368018.1, the data stored in the servers 300, 400 and 500 are encrypted using the encryption keys of the practitioners who intervened to create the files. By way of derogation from the teaching of the aforementioned application, it can now be considered that the data stored on the servers are not systematically encrypted, but that their encryption only intervenes during the exchanges between the servers and the computers 1-1. 1-n or even the patient's computers and other therapists who can intervene on the file. FIG. 1 illustrates a first embodiment comprising two separate servers, respectively 500 and 700 for the storage of the electronic documents specific to the patients' medical files (GED server 500) and the storage of the Generic and Custom Resources (RG & P 700 server) of which the Access will be allowed later to these same patients following the procedures below.

Of course, this is only an example and in a second embodiment, as illustrated in FIG. 2, it will be possible to store all the electronic documents and electronic resources proposed to the patients in a One and only Electronic Document and Resource Management (GED & R) 800 server. Figure 2 also illustrates the case of a single practitioner (only one 1-1 computer being illustrated) practicing alone in the secrecy of his office, the others numerical references unchanged with respect to FIG. 1, referring to the same elements.

Whatever the embodiment considered, it will be noted that, in general, the practitioners' computers may be loaded with a DMN agent, as described in the aforementioned patent application, and incorporated in the present application by simple reference, so as to implement the procedures provided for in this aforementioned application, in particular for:

create the first PLT table stored on a practitioner's computer and the encryption key associated with that same practitioner;

create, if necessary, new secondary PLT tables from a primary PLT table so as to allow other practitioners (N practitioners are considered in the example of Figure 1) belonging to the same group of professionals as the practitioner holding the first PLT table to share information stored on servers;

update stored PLT tables to add or delete patients; - and in general implement the various aforementioned servers so as to allow personalized access to the patient's Medical Record while preserving the confidentiality of nominative information sensitive to the latter.

This DMN agent can take many forms. It may be a signed executable code stored in an external memory, a program stored directly on the computer 1-1 of the practitioner, or even a Java Applet type program executed within a software program browser like "Internet Explorer" from US publisher MICROSOFT Corp. (trademark). In addition to the previously recalled procedures, the DMN Agent will be designed to further integrate the new features that will be described below. b) General Definitions

For the sake of consistency with the above-mentioned patent application, the following definitions will be briefly repeated: 1. Nominal Medical Data (DMN): this is referred to as the patient's complete file, comprising as well administrative and especially nominative information (name, age, sex, particularities, address, phone ...) as medical information (pathologies, diagnostics, treatments, etc.). By extension of language, one will also understand under the name DMN the Nominal Medical File namely the structure of data specifically created at a given moment and integrating the nominative medical data. In the embodiment of Figures 1 and 2, in accordance with the teachings of the above patent application, to ensure a high level of security, the DMN data is never stored on the servers 200-800. In the context of the aforementioned patent application, these data are generated, only at the request of the practitioner, directly locally on his system 1-1 by means of the storage device 20.

2. Medical Data Anonymous (DMA - 300). This category covers only medical information, excluding any personal information, such as name, address, telephone number, etc.

By language extension, this term DMA will also be understood as denoting the Medical Anonymous File, namely the data structure comprising the information of the same name. This DMA file containing the anonymous medical data, less sensitive than the complete DMN data, is stored on the DMA server 300 indexed by a non-nominative identifier, designated by IDA. It should be noted that the information stored on the server 300 in particular is of great use for the public authorities and organizations representing the professionals concerned because it provides statistical data of great interest for the implementation of a policy. of Public Health. In general, as will be seen below, the downloads of the information stored on the DMA servers 300 are protected by encryption keys known only to the practitioners / patients of in order to preserve the confidentiality of the exchanges between the servers and the practitioners (but also, as will be seen later, the patients).

3. Temporary Storage Base (TSB - 400). This database contains information enabling management of the updates of the storage devices used within the professional group considered, as is more specifically described in the aforementioned patent application.

4. Document Storage Base (GED - 500): This database contains files corresponding to various electronic documents, such as PDF documents or JPG images specific to the patient's medical file.

5. Link Table (PLT): This table serves as a pivot for the exchanges between the different servers as will appear below. Indeed, is found in this table, and only in it, the correspondence of the nominative information with the IDA index used in particular by the DMA server 300.

It is recalled that nominative data - highly sensitive - and purely medical data (pathologies - diagnostic - treatments) - which are simply sensitive - are treated differentially since the former remain in the practitioner's office while the seconds are stored on the DMA 300 server.

According to one embodiment of the present invention, the following definition elements can be added: 6. Data collection & analysis server 600

According to one embodiment, the architecture may furthermore comprise a server 600 serving to collect the anonymous data stored in the DNM server 300 and the requests exchanged between it and the other servers in order to constitute a database, perfectly anonymous. but which can be used for statistical analysis purposes for the implementation of public health policies.

7. Customized Generic and Individual Resources Database (RG & P 700) This database is used to store Generic and Custom Resources that can be created by therapists but also professional therapeutic organizations, and constitute a reservoir of electronic documents and multimedia files (audio -video-text) specially made available for the benefit of the patient according to the procedures that will be described below, and in particular a so-called PATIENT interface specifically dedicated to the DMA holder when he accesses the DMA from his home. This base 700 or 800 is intended to allow the storage of two types of resources:

- Generic Resources or Model Resources;

- Personalized Resources, namely individual as own for a given patient.

The first type of resources are generic resources that can be used multiple times, for a large number of patients, and that can serve as model resources to extend multiple consultations given by practitioners. In particular, such resources can be gathered in clinics, in which many professionals and therapists practice and who can find great interest to come to draw on this reservoir of generic resources. More generally, these resources may come from specialized training institutions and institutions and even from Universities and Faculties of Medicine. The invention therefore aims to develop a huge pool of professional resources, carefully selected and designed to provide patients with additional information with high added value. In addition, the second type of resources consists of personalized or individual resources, generated as needed, during a given consultation, and allowing the practitioner to add to the generic resources that he plans to offer to his patient in order to extend the consultation that takes place in his office. Of course, we will consider a video file in which the therapist, for a few moments, summarizes the essence of the consultation given to his patient, by shedding light on the elements of diagnosis, therapeutic indications, etc., but also to any document specifically prepared by the practitioner for the attention of his patient.

These resources are most often in the form of computer files stored on servers 700 (or 800) of Figure 1 (and Figure 2), and are usefully classified according to a pathology considered or a human body element to treat .

8. PATIENT CARD. The aim is under this name an external support intended to be retained by the patient. In a preferred embodiment, the PATIENT card is an individual card issued by the Network Administrator to the patient who requests it, or optionally delivered to the Patient during a first consultation with a Therapist regularly registered with the Administrator of the network. This patient card consists of a hardware support on which is stored an executable program for the implementation of the functionalities described below, the memory, and the identification and encryption elements (private / public keys) required for the application. access to the servers described previously.

Access to the programs and data stored on the card can be performed by means of a card reader 30 as illustrated in FIGS. 1 and 2. In a specific embodiment, illustrated in FIG. PATIENT is a smart card 90 (called SMARTCARD), having a form factor ID-1 format of dimension 85.60 x 53.98 mm, and having a chip 93 incorporated according to IS07816 standardization incorporating secure identification data. In addition, the PATIENT card comprises a USB port 92 for serial communication with the computer 1000, and storage means 95 for storing an executable code for implementing the functionalities described below, and in particular secure access to the various servers 300-400 and 500 of the architecture of Figure 1. In particular, the PATIENT card includes a viewer of medical imaging files for the selection of specific images and their conversion into portable files JPG type for example, and a functional code for remote control, under certain conditions, the patient's computer. In general, the active electronic circuits of the card 90 may be disposed within a surface 94 incorporating the various electronic components, including the chip 93 embedded in the material constituting the card. A cap 91 located at an angle of the card 90 covers the USB port when it is not used.

More generally, the PATIENT card may take the form of any electronic device, comprising the above identification elements, communications means and an executable code. We can consider the user of a mobile phone, a smartphone, allowing the patient access to his medical records. 9. DMA ACCESS INTERFACES

As will be seen in detail below with the detailed description of the procedures implemented between the various computers 1-1 (respectively 1-n), 1000 and the servers 200-800, the present invention allows the portability of the component data. the DMA anonymous medical file, or its DMN version, in order to allow access not only to the patient, to his referring generalist, but also to a whole series of specialists, therapists and practitioners paramedics and even, to a certain extent, to non-therapist professionals such as certain "coaches" of high level athletes for whom there is great interest in introducing physical preparation and training into the DMA. All this information is naturally intended to be collected within the Medical File, so as to allow the dematerialization and to make it accessible, everywhere, for the greatest interest of its holder.

In particular, each participant who is likely to access the DMA (or its DMN version) has a dedicated interface, allowing access to certain layers or layers of the file, to certain categories of information to the exclusion of others depending on the profile of the speaker.

In a specific embodiment, five interfaces are provided which will be described below as examples (and which may of course be completed and / or declined in a more specific manner).

A first interface called EMERGENCY (or "Safety Patient") allows access to a first level of DMA data corresponding to critical data that can be used in case of accident, especially when the patient is in a state of unconsciousness. The nature of the blood group, indications for allergies etc. clearly belong to this first level of data and will be accessible from the PATIENT card, even if the unconscious patient is not able to enter his word of pass for the use of the card. It should be noted that, in a particular embodiment, the data of the EMERGENCY interface may even be saved on the card or the PATIENT USB key (in particular in the storage area 95) delivered by the network administrator 200 to the user. holder of the DMA.

A second interface PRACTITIONER is the one specifically reserved for practitioners to whom comes to consult the patient. This interface more broadly allows access to anonymous medical data in relation to the field of expertise of the given practitioner while allowing management of access rights. In a particular embodiment, the MEDECIN interface may be more particularly adapted depending on the quality of the practitioner (GENERALIST, SPECIALIST), his field of specialty, or even the nature (usual / occasional) of the patient's consultation. . An interface specific to a given specialty will, in particular, display on the computer of the specialist tools likely to come generate general and individual resources specific to the given specialty, as will be illustrated in Figures 3 and 4. In a particular embodiment, the MEDECIN interface is associated with a number of access rights governing access to different data layers, within the DMA data stored on the servers.

More specifically, it can be envisaged that the patient can modify during his life, and by using his own interface PATIENT (which will be described later) the scope of the rights granted to the various practitioners managing his health.

A third interface known as PARAMEDICAL makes it possible to make certain layers of the Anonymous Medical Record accessible to paramedical professions, in the respect of the professional secrecy.

A fourth interface called NON MEDICAL makes it possible to make certain layers of the Medical Anonymous file accessible to certain professionals not belonging specifically to the medical community, in particular sports coaches and certain service providers (nutritionists, etc.) having to intervene on the DMA. , especially when the patient is a top athlete. Obviously, access, if necessary, to certain DMA data is done only in the strict respect of the professional secrecy and, in particular, with the agreement of the patient. Finally, a fifth interface is the PATIENT interface which is reserved specifically for the user, the holder of the anonymous medical file.

This interface is particularly important because it has a function to fulfill two distinct roles:

- it tends in the first place to facilitate the reading of the complex data making up the DMA and constitute for the patient a source of significant information relating to his pathologies, his treatments etc .;

- Secondly, it allows the management of possible access rights for the various practitioners involved in its health. Because the medical information is of great complexity, the invention ensures a better readability of this information and data generated during the various consultations, analyzes, observations, diagnostic and treatment elements etc. that the patient is likely to have to know. To increase this readability, according to one embodiment of the invention, the PATIENT interface is endowed with a search engine specific to the medical field, like the search engines existing in the commercial environment (the GOOGLE engine by example well known on the Internet), to bring to the patient a source of additional information.

In this way, the patient can enter keywords into the search engine of the PATIENT interface in order to initiate a search to identify resources available on the Internet (accessible via the Uniform Resources Locators link or URL) that can to provide him with additional information to understand his pathologies and useful to manage the treatment.

In a particular embodiment, the search engine available within the PATIENT interface has access to non-nominal DMA data to guide a contextual search that will only be more relevant with respect to observations, diagnostic elements , the specific treatment of the DMA holder.

This direct link between the search engine of the PATIENT interface and the coded data present in the DMA will make the searches significantly more relevant and, therefore, more useful to the patient. Thanks to the invention, and particularly fine classifications (especially those based on the international classification ICD-10) used within the DMA, the search engine can perform a high quality complementary search in order to complete the information. "brute" present in his anonymous medical file, and resulting observations, analyzes and diagnostic elements generated by the chain of practitioners and therapeutics that may have intervened on the file.

In addition, the search engine can also, like any conventional search engine, take advantage of the history of requests submitted by the patient or links already consulted by him to refine a search and provide complementary information ever richer and relevant .

As can be seen, the invention makes it possible, by the quality of the information that is made available to it, to more effectively manage the pathologies of which it suffers, the knowledge and the follow-up of these last ones, and more simply the fact of " to live "with his illnesses. Moreover, and this constitutes another significant and particularly advantageous contribution of the present invention, the PATIENT interface makes it possible to make available to the holder of the DMA, as will be seen in connection with the description of FIGS. a major interest for him since it will be general and personal resources (stored in the server RG & P 700 of Figure 1) specifically selected and / or generated by his own therapists.

Through the various interfaces and access rights that are arranged, the invention allows the development of a medical file rich in multiple information collected by or for a patient during its existence, perfectly anonymous since it does not include any personal data concerning it, while offering great portability for both the patient and the therapies that will be involved and work on the file.

Despite the remarkable portability of this DMA file, we will see, with the presentation of the procedures implemented that will follow, that the data contained in this file remain particularly well protected.

II. Presentation of the procedures implemented for the portability of the Electronic Medical Record We will further describe embodiments of procedures to ensure the portability of the Medical Record Anonymous. These are obviously only examples of embodiments that do not exhaust all the possibilities of the invention. In this respect, we will see the great flexibility and flexibility of the process by successively exposing the following examples:

1. Patient consultation of a usual practitioner (designated # 1)

2. DMA consultation at the patient's home

3) the patient's consultation of a new practitioner No. 2, regularly registered with the administrative service 200.

4) the consultation of a new practitioner n ° 3 in a secure environment

5). the consultation of a new practitioner n ° 4 in exposed environment

6) the consultation of a new practitioner n ° 5 in a context of national legislation proscribing the cross-border transfer of medical data 1. The patient's consultation of a usual practitioner (designated

The anonymous medical record naturally has the vocation of serving the usual general practitioner (commonly referred to by the referring physician) whom the patient comes to consult in the first place for any affection concerning him.

Although this is a usual practitioner, there is a great interest to come to build and develop a dematerialized DMA anonymous medical file (on different servers 200-800) because the patient may have to change his usual practitioner, and the storage of the DMA folder on professional servers is a guarantee of durability for the information stored there.

In addition, the storage of medical data out of harm's way concerning the lives of patients and practitioners (death, loss of hard disks) is a guarantee of sustainability for information that may prove to be of great interest for a policy of Public Health

Moreover, by accessing the DMA file via its interface PRATICIEN, the therapist has, according to one aspect of the invention, a dedicated interface with access rights, and including specific tools that can allow selection / creation generic and / or personalized resources for the patient.

FIG. 3 illustrates a method for creating and storing a generic resource created either by a given practitioner or directly within the administrator server 200 for storage in the library of generic or model resources (within the servers 700 or 800).

The method starts with a step 301. Then, in a step 302, the administrator or, as the case may be, the practitioner introduces his identifier (logiri), which is the subject of a test. If the test fails, the process ends with step 309. On the contrary, if the test of the identifier (logiri) proves positive, then the process continues with a step 303 which is the download of a list of pathologies and / or parts of the body (localizations). For this purpose, any appropriate classification of pathologies and / or localization according to a tree structure may be used.

The pathologies can be classified in three main chapters: injuries, diseases and accidents, in the form of a tree structure allowing to easily find the pathologies sought: Injuries: Location classification (body) = part of the body affected by the injury;

Disease: classification by specialty (infectious, digestive, ENT, dermato ...)

Accident: classification by body part, but grouping during an accident of several pathologies or injuries

It will also be possible to develop the classification used by using other categories, such as for example: "information on the risks and drawbacks that a pathology may present"; "Treatment monitoring information"; "Observation advice"; "Imaging explanations"; "Pre and post surgical advice"; "Rehabilitation exercises" "Rehabilitation counseling"; "Psychological assessments and advice" etc ...

Then, in a step 305, the method performs the creation of the Generic Resource, by generating a file, generally comprising a multimedia document (audio / video) detailed associated with the pathology and / or location.

In particular, the recording of any speech file - generated from the practitioner's computer system - or any video file created from the combination of the microphone integrated with the computer and a camera connected to the computer can be considered. system, and specifically the webcam, following an Anglo-Saxon terminology. The method continues with a step 306 which is the possible compression (by any compression algorithm such as the well-known MPEG-1, MPEG-2 or MPEG-4 algorithms developed by the Movie Picture Expert Group) and the encryption of the file. to ensure its security during the transmission to the server 700 or 800. Regarding the encryption, we can consider any symmetric encryption / decryption algorithm or not ... In general, we use here after an asymmetric encryption / decryption algorithm of the RSA type based on the use of public / private keys

In the following, to simplify the presentation, we will speak indiscriminately of Resources or Files to designate the compressed file. Then, in a step 307, the method proceeds to the registration in the DMA database 300 of the identifier (id) of the newly created Resource, which Resource is finally stored, in a step 308, within the server 700 (of Figure 1) or 800 (of Figure 2).

By repeating the method of FIG. 3, we thus come to constitute a database or library of generic resources stored in the servers 700-800 and whose identifiers will be stored in the DMA 300 servers. The identifiers will be used, like the Uniform Resources Locator (URL) identifier used in the HTTP Hyper Text Transfer Protocol used in Internet browsing. These resources will also be available from the PATIENT interface search engine accessible to the practitioner's patient.

It should also be noted that all generic resources, whether created by practitioners, the administrator or a third party (a Faculty of Medicine for example) are intended to serve as a basis for intellectual property rights and that the reproduction of these works, through the processes described below, will be the subject of appropriate agreements between the various holders and the organizers and administrators of the system. Such aspects extend beyond the merely technical scope of the present patent application and will therefore not be further developed. It will be noted that the 302 step of validation of the identifier (login) will be used for traceability purposes to keep the identifier of the creator of the Resource to allow the monitoring of the contractual policy and, if necessary, the billing.

We will now describe more precisely the creation of a Custom Resource, which will occur most often during the course of an ongoing consultation.

In this respect, FIG. 4 illustrates the method implemented by the DNM agent of the computer 1-1 to 1-n of the practitioner.

The process starts with a step 401.

Then, in a step 402, the method performs a login test of the practitioner, which, if it fails, leads to completion of the method by a step 413.

If the test of the identifier (login) is positive, then the process continues with a step 403 during which a request is transmitted from the computer 1-1 of the practitioner to the server DMA 300 to request the list of identifiers IDA that correspond to it.

The DMA server 300 responds by encrypting, by means of the practitioner's public key, the list of IDAs corresponding to it and the DNM agent of the computer 1-1 then proceeds to a step 404 during which the list of IDA is decrypted (using the decryption files present, for example, on the USB key20); compared and completed with the nominative elements presented on the PLT table located on the USB key 20, so as to generate the list of patients of this practitioner. In a step 405, a particular patient (which will correspond to the patient whose consultation is in progress) is selected or, failing this, the process ends with step 413. Once a patient has been selected, the process continues with a step 406 during which a request is prepared and sent to the agent DMA 300 to access the Medical Record Anonymous (DMA) of the same patient. In this respect, as described in the aforementioned patent application, the request is transmitted in encrypted form to the server 300 which returns the DMA file encrypted itself by means of the public key of the practitioner, which can then decrypted by to his private key.

Then, in a step 407, the DNM agent builds the Nominative Medical File by completing the downloaded DMA with the nominative information present within the PLT table present on the USB key or on its system 1-1. If necessary, if the practitioner feels the need to consult an attachment to the file, the agent will download it from the GED 500 server using the IDA ID.

Then, in a step 408, the practitioner unfolds his consultation and during this consultation comprising the clinical examination, the observation, the interrogation, etc. As already described above, in a particular embodiment, the practitioner disposes of its interface PRACTITIONER with a real "assistant" via a graphical interface on the computer 1-1 illustrated in Figure 8, which can diagnose a particular pathology and lead a detailed prescription. The assistant uses for this purpose a set of drop-down menus and guides based on the coding from the ICD10 classification (CIM10) assigning a code to each pathology so as to allow a statistical calculation as well as multilinguistic translations.

Since the consultation is "assisted" by the PRATICIEN interface consultation wizard, the DNM agent updates the DNM file by adding, modifying or deleting personal data. and / or medical, which will correspondingly modify the Anonymous Medical Record which will be stored again on the DMA server 300 or even the PLT table. If the pathology is discovered and discussed first, the DNM agent, under the control of the practitioner, will record the pathology in the DMN folder, which will affect its "anonymous" DMA version stored on the server 300. Successively, or concomitantly, the DNM agent proceeds, during a step 409, downloading from the server 300 of a list of contextual identifiers, namely generic resource identifiers associated with the pathology and / or localization, encrypted to again by means of the public key of the practitioner and deciphered by the latter thanks to his private key.

The DNM agent then proceeds, during a step 410, to the display for their selection, the list of generic resources downloaded. For this purpose, the DNM agent has a suitable Graphical User Interface (GUI) allowing it to scroll down the classification tree made during the constitution of the resource library, in order to compose a selection list. Generic resources, judiciously chosen according to the circumstances, and which will serve to prolong the consultation when the patient has taken leave of his doctor.

Clearly the realization of a graphical interface allowing the implementation of tools of navigations, the drop-down menus, the boxes of selection etc. is well known to a person skilled in the art and will not be developed further.

Then, in a step 41 1, the DNM agent adds individual, personalized resources. For this purpose, the agent can take control of the audio-video sensors of the computer 1-1, including an available camera (webcam), to allow the capture of a short audio message or a short video allowing the practitioner to summarize the key points of the consultation. This specific resource leads to the creation of a compressed, encrypted audio-video file that will be stored on 700-800 resource servers. The particular identifier of this specific resource will be stored on the DMA, itself stored on the server 300.

Alternatively, the DNM agent can proceed to the generation of any other multimedia file or even any electronic document useful to the patient, such as for example describing a specific exercise recommended by the practitioner.

Then, in a step 412, the DNM agent proceeds to the definitive registration of the nominative medical file, updating, as necessary the PLT, but especially the medical file enriched by the selection list of resource identifiers. (generic and individual) associated with the pathology / location considered, and which will ultimately be stored again on the anonymous server 300, and to which the patient will be able to access from his home via his own PATIENT interface.

The process then ends with step 413 which may be the end of the consultation within the practitioner's office.

It should be noted that, according to one embodiment of the invention, during the first consultation within the practitioner's office, the patient receives personalized access, not only to his medical file, but also to a particular selection of resources. Generic and Individual to which it will have access during a session, secured, through a registration procedure that is now described in connection with Figure 5.

The process starts with a step 501.

The test of the identifier (login) of the practitioner then intervenes during a step 502 which, in case of failure, ends with step 510.

On the contrary, if the test of the identifier (login) succeeds, the process continues with a step 503 similar to the preceding steps 403-404, during which the DNM agent proceeds to download the list of identifiers IDA then, after decryption, comparison with the PLT, to display a list of patients.

In a step 504, a patient is selected or, failing this, the process ends with step 510. Once a patient has been selected, the method proceeds with a step 505 in which the DNM agent generates an identifier of connection that will be used by the patient during his future connection to the server DMA 300. For this purpose, the method generates a random key (public / private). The IDA of the patient is also encrypted with the public key stored on the DMA and the set consisting of the encrypted IDA and the private key is then stored in a personal file, which will be delivered to the patient via his PATIENT card which, as has been exposed, takes the form of a removable medium, a USB key or even a smart card (SMARDCARD) as shown in Figure 12, which will be used both to decrypt files received different servers but also the signing of requests for access to different servers, including the DMA server 300. The DNM agent also transmits IDA at the same time.

In a particular embodiment, the PATIENT card can retrieve the nominative information found on the practitioner's PLT file in order to allow another practitioner to update his own PLT file. Alternatively, such personal information may be stored in a particularly protected memory area present on the smart card (SMARTCARD) of the PATIENT card. The successor practitioner will have the opportunity, thanks to this file given by the patient to update the patient's DMP. At the connection of the patient, the file will deduce his IDA after decryption (private key).

Then, in a step 506, the agent proceeds to the generation of an electronic certificate (patient signature) enabling the patient to confirm the procedure for validating access to the anonymous medical file.

It should be noted that, in a particular embodiment, the transmission of the connection and encryption / decryption information can be done via another channel than that of the PATIENT card, including any other USB media. Alternatively, the connection identifier and the encryption / decryption keys can be transferred by email or via the mobile phone, the mobile terminal (smartphone), the PDA present by the patient during the consultation. In general, many possibilities are possible and depend only on the needs considered.

Transmission of the connection identifier and public / private keys having been made, the DNM agent continues with a step 507 which is the transmission to the administrator 200 of a message advising the latter of the creation of the access personalized patient. In this way, the DMA 300 and 700-800 servers are informed of the login ID, IDA ID and public key of the patient that will have to be used for Anonymous Medical File encryption but also to verify the patient's signature. . Alternatively, it may be envisaged that it is the administrator 200 who will inform the DMA servers 300 and 700-800.

Once the registration has been made with the administrator 200 (and optionally with the server 300), the process ends with step 510. 2. The consultation of the DMA at the patient's home

By registering this personalized access to the Anonymous Medical Record stored on the server 300, the patient can now, thanks to the access he has received via his PATIENT card or by various means (USB sticks, mobile phone , e-mail etc.) to benefit from an extension the consultation with his practitioner by going to connect, once returned home, on the server DMA 300.

For this purpose a specific agent is implemented on the computer 1000 of the patient, which agent can take the form of an executable code directly from the operating system of the computer 1000 and previously stored on the PATIENT card or the computer. USB stick received during the consultation with the practitioner, or by any other means, electronic mail and even a JAVA applet running within a browser software.

The method starts with a step 601, during which, for example, the patient introduces his PATIENT card into the card reader 30 connected to his computer 1000.

Then, in a step 602, the method continues with an automatic connection step on the DMA server 300 by means of the connection identifier generated by the practitioner's DNM agent during step 506 of FIG. a particular embodiment, a password test is implemented to prevent illicit access to the anonymous medical file.

This connection request is tested by the server 300 which has been previously informed of the patient's identifier and its public key.

In case of connection failure, the process ends with step 610.

In case of success, on the contrary, the method decrypts the identifier and retrieves the identifier IDA during a step 603.

Then, in a step 604, the specific agent transmits the IDA identifier and proceeds to download the Anonymous Medical Record (DMA) stored on the DMA server 300, and enriched by the resource selection list prepared by the practitioner. The information encrypted by means of the public key of the patient can then be decrypted by the latter with his private key.

Then, in a step 605, the specific agent proceeds to display the anonymous medical file downloaded according to a graphical interface called PATIENT. It should be noted that since the DMA is completely anonymous, the information displayed will also be anonymous, but this will not pose any problem in this case since, by definition, the patient consulting his file is not interested in the personal information associated with this file. , but to medical information about him. Therefore, and this is a big difference from what is happening for the practitioner's DNM agent execution, the display taking place at the patient can remain perfectly anonymous as well. Alternatively, it can be imagined that the specific agent uses an auxiliary means, for example the information contained in a secure smart card (VITALE card for example) or stored on a secure medium such as the card illustrated in FIG. come to combine the anonymous information downloaded from the server 300 with nominative information extracted from this card / support and then offer the patient a medical file really nominative, like the one he saw in the office of his practitioner.

But this is absolutely not necessary and, in many situations, the patient will be largely satisfied with an anonymous display that will bring him all the medical information about him.

In addition, as seen with step 606, the patient can select, through its specific user interface (PATIENT interface), a particular pathology or a particular location contained in its DMA. The specific agent then proceeds, in a step 607, to the downloading of the Generic and / or Specific resources from the servers 700-800 which will proceed to the transmission of the corresponding files, suitably encrypted by means of the public key which will have been communicated to them by the administrator 200 in step 505 of FIG.

Once downloaded, the specific agent can then decrypt them using the patient's private key and display the general and / or personal resources in a step 608, which the patient can then consult as needed.

The patient thus has access not only to his anonymous medical file, but also to a set of detailed generic and personal resources for each of the pathologies he suffers from. In this way, he is offered the possibility of an easier reading of this medical file which, quite often, remains quite hidden for the general public.

In addition, the patient will be able to take advantage of the search engine present within the PATIENT interface, which will rely on non-nominative data present in the DMA to supplement, as needed, the selected general and personal resources. by the practitioner. In addition, the codification resulting from the ICD10 classification (CIM10) will be of a large interest in the search engine of the PATIENT interface, which will use the key words useful for conducting the documentary research to be carried out.

With the methods just described, the patient has a kind of "grid of reading" of his medical file, including not only the objective elements that constitute it (exams, radios, balance sheets), but also many elements complementary of great interest to him, especially those directly selected and / or generated by his usual practitioners. This is a big step forward in the medical transparency that is allowed for the patient.

When the patient has completed the consultation of his medical file - anonymous or not - the process ends with step 610. 3) the consultation by the patient of a new practitioner No. 2, regularly registered with the administrator service 200 .

This case corresponds to the situation envisaged in the aforementioned patent, with the difference that the new practitioner n ° 2 that comes to consult the patient has his own elements of identification / encryption / decryption regularly acquired from the administrator server and that he has therefore not benefited from access derived from the creation of a secondary USB key as described in the aforementioned patent application No. 08368018.1. In the situation that is now envisaged, the practitioner No. 2 is simply "registered" with the administrator server 200, without a priori link with other therapists that could have previously consulted the patient. By way of illustration, it may be considered, for example, that the patient has consulted for years a practitioner of the group of N professionals (illustrated in Figure 1), and then presents himself before a practitioner No. 2 having the illustrated system in FIG. 2, and in particular of its own USB key 20 comprising the executable code of its own DNM agent, as well as the PLT table 21 and its own encryption / decryption files 22.

The process starts with a step 701.

The identification test (login) of the practitioner No. 2 then occurs during a step 702 which, in case of failure, ends with step 710. On the contrary, if the identification test (login) succeeds, the method continues with a step 703 during which the DNM agent of the USB card 20 of the practitioner No. 2 accesses the storage medium presented by his patient and in particular to his PATIENT card, and receives communication of the IDA identifier by decrypting the identifier file.

Then, in a step 704 which may be optional, the DNM agent transmits the card of the practitioner No. 2 sends a request to the DMA server 300 using his own signature (private key) to inform him of his intervention in the patient's file. Incidentally, a similar request may also be transmitted to the administrator server 200.

The DMA 300 then proceeds to update the list of folders assigned to practitioner # 2, which list is used in step 503 of FIG.

Then, in a step 705, the DNM agent proceeds to download the patient's DMA file, encrypted by the public key of the practitioner No. 2.

In a step 706, the DNM agent updates the PLT located in the system 1-1, which can be done either by direct entry of the patient's personal information, or by extracting the same information from the PATIENT card or the patient's card. storage medium presented by the patient. Two embodiments may be considered ... In a first mode, the practitioner intervenes punctually on the DMA and, in this case, it is not necessary to update the PLT. In a second mode, the PLT is updated with the agreement of the patient following a secure procedure, for example validated by password.

In a step 707, the usual consultation can then take place and the DNM agent updates the anonymous medical file to be stored again on the anonymous server 300.

The patient can later access his file again thanks to the login and encryption / decryption keys he was issued during his visit to the first practitioner, and that he no need to change. But the invention provides more flexibility, since it is possible for the patient to consult other therapists even though, as we will see now, these other therapists were not regularly registered with the administrator server 200.

We will consider more specifically, in the following two paragraphs: - the consultation of a practitioner n ° 3 practicing in a secure environment

- the consultation of a practitioner n ° 4 practicing in an exposed environment

4) the consultation of a new practitioner n ° 3 in a secure environment

As we have seen, the DMA designed according to the present invention has a remarkable portability since it is thus allowed the patient to enrich his record as his travels.

However, according to one aspect of the invention, the DMA is particularly secure by allowing access and possible updating that following particularly severe conditions, which will however be lightened when the patient moves in a relatively secure environment.

The criterion corresponding to this category of environment will depend on the given application and the protection level chosen.

In a particular example, we can consider that as long as the patient moves to its territory of origin, for example the French territory having set up a Professional Health Card (CSP), the risk of fraud will be lower because the administrator server 200 will be able to carry out relevant research to confirm the true quality of practitioners seeking DMA access.

It will now be described, in connection with FIG. 9, the method that is performed when the patient goes to a practitioner No. 3 belonging to such a presumed secure environment.

The process starts with a step 901

Then, in a step 902, the patient introduces his PATIENT card (or USB key handed over by the administrator / practitioner No. 1) into the card reader 30 of the system 1000 of FIG. 2 (for example), which is then detected by the system 1000. Indeed, as already mentioned, this card PATIENT includes the program of an executable agent to implement the procedures described hereafter, but especially the identifier of the patient (IDA) - possibly encrypted - as well as the private key of the patient which will be able to be used for the decryption of the different elements composing the Personalized Medical File, which will be transmitted by the various servers. Then in a step 903, the method comprises reading the patient's identifier and, where appropriate, decryption by means of the private key associated with this patient. This identifier corresponds to the non-nominal identifier IDA, used in the database of the administrator. Then, in a step 904, the method initiates a connection to the server of the administrator 200.

Then, in a step 905, the method carries out a test to know if the identifier IDA is recognized as being present in the base. In case of failure, the method goes to step 913.

If the identifier IDA is recognized as valid, the method continues with a step 906 which is the launching of a second task for verifying the identification of the therapeutics. During this task, it is necessary to check that the practitioner n ° 3 has indeed a professional card of health (CPS).

In this regard, the method continues with a step 907 during which a test is performed to determine the presence of a professional health card. In this respect, the method may use the regulatory standardization elements in use in a given country, on the one hand, to validate the presence of a CPS card and, on the other hand, to extract the identification elements. Practitioner No. 3, who holds the card.

If a CPS card is present, the method goes to a step 908 and, if not, proceeds with step 913.

In considering the right-hand branch, when the method detects the presence of a CPS card, it proceeds to read the national identifier of the practitioner n ° 3 on the CPS during a step 908.

Then, in a step 909, the method transmits to the administrator server 200 a temporary registration request. In this regard, according to one embodiment, the method transmits identification elements (email address, telephone number, etc.) in order to receive a confirmation of registration.

Then in a step 910 (Optional), the agent receives - possibly through the information transmitted in 309 - an identifier and a password, which can be immediately used for access to the anonymous medical file, following a PRACTITIONER interface or, according to a particular embodiment, a reduced-rights interface called WEB-PATIENT in a step 911.

In the case where the test of step 907 fails, the method proceeds with a step 913 in which the method prompts practitioner # 3 to enter the national practitioner identification number.

In a step 914, the number is received by the administrator server which can then implement a verification procedure of the identification number and / or registration. In this regard, the method will perform an automatic check within databases, and in particular for the generation of a likelihood indicator of the authenticity of the practitioner No. 3 seeking provisional registration.

Step 915 is a test of this likelihood indicator to determine whether it is appropriate to assign a provisional registration.

If the test in step 915 fails, then the process continues with step 913 and stops.

On the contrary, if the test is successful, then the method continues with a step 911 which is the display of the anonymous medical file according to the minimum interface called EMERGENCY. This interface called EMERGENCY allows the practitioner to access a critical part of the DMA from the single card PATIENT, even if the patient is unconscious.

It is this interface called EMERGENCY that allows the practitioner to give first aid to the patient when it lies unconscious after a car accident for example.

During a step 912, the process enters a phase of effective updating of the medical file as the consultation with the practitioner n ° 3 takes place.

Then the process ends with step 913.

The procedure implemented when the patient returns to visit practitioner No. 3 is now described in connection with FIG.

The steps 1001-1006 respectively correspond to the steps 901-905 described above, namely the PATIENT card is successively inserted in the reader 30 of the practitioner's system. No. 3, then detected (step 1002), which causes the reading and decryption of the identifier IDA (step 1003). The connection to the administrator server 200 (step 1004) then leads to the validity test of the identifier IDA during step 1005. If the test of step 1005 is positive, then the process goes to a step 1006. in the course of which practitioner # 3 is prompted to enter his identifier and password (which he received in step 910 of Figure 9).

Then, in a step 1007, the method tests the password and, in case of failure, the process ends with step 1010.

If successful, on the contrary, the method proceeds, during a step 1008 to read the opening rights attributed to the given practitioner. It should be noted that during steps 908-911 of Figure 9, the practitioner was given minimum rights associated with the interface PRACTITIONER. On the contrary, during step 1008, the method proceeds to read the rights attributed to practitioner No. 3 (and may have been extended by the patient during a consultation at home for example) to define a PRATICIEN interface possibly with more extensive rights, and can go beyond the interface called EMERGENCY. These broader rights are justified by the fact that the patient, quite consciously, validated the principle of consultation during the first visit and now considers his practitioner n ° 3 as part of the list of "his "therapists.

Based on the open rights granted to the practitioner, the DMA server 300 and / or the administrator server 200, together with the executable agent present on the PATIENT card, perform the construction of the specific access interface corresponding to the rights granted to the user. practitioner.

As can be seen, step 1009 makes it possible to ensure the construction of a perfectly coherent interface as a function of the quality of the practitioner No. 3 consulted by the patient.

As can be seen, this rights management, which is permitted by the described method, makes it possible to discriminate between emergency situations (in which an immediate response to the concerns of a doctor providing emergency first aid must be provided) and more conventional consultation situations that may occur over the life of the patient. In particular, even if the method of Figure 9 does not require a password from the patient, there is nevertheless a very effective protection of non-nominal data included in the DMA since only a small part information extracted from this file - corresponding to the EMERGENCY interface - will be accessible and only to the practitioners who have been subjected to the verification tests of steps 909 and 914.

It is therefore a great advantage of this embodiment of the invention.

Then, in a step 1009, the DMA file is updated according to the progress of the consultation, the observations made by the practitioner No. 3 and the diagnosis that these observations lead him to formulate. It should be noted that this update of the file is based on the transmission of medical information concerning the patient, in relation to the anonymous identifier IDA, properly encrypted by means of the private key of the patient. In no way is there an exchange, during the steps 1008 and 1009 of nominative information. The construction of the medical file within the DMA server is carried out without requiring the exchange of nominative information.

The process then ends with a step 1010.

As can be seen in this embodiment, the method provides great flexibility since, even if the rights of a practitioner are likely to evolve over time, the DMA anonymous medical file will be continuously enriched by the consultation. successive.

This is a great advantage and interest of the present invention.

5. the consultation of a new practitioner n ° 4 in exposed environment

With reference to FIGS. 11a, 11b and 12, the procedure of provisional registration of a practitioner No. 4 supposedly located in a territory or a country which has not made the use of the professional card is now described. health or, more simply, in some for which it remains desirable to limit access to continuous information in servers 300 etc.

In such a context, presumed to correspond to an environment said to be exposed, the method provides additional security. In this case, the patient, who is regularly registered with the administrator service 200, comes to consult a practitioner abroad, and presents him with his patient card or the corresponding USB key.

As soon as the patient's card is introduced, executable software present on the latter starts during a step 1101.

Then, in a step 1103, the software reads the encrypted anonymous identifier (IDA), the decryption key, and proceeds to decrypt this IDA ID by means of the key. Then, during a step 1104, the method initiates a connection to the server 200 (or 300 as the case may be) and verifies the registration of the IDA ID of the patient.

Step 1105 corresponds to the test of this identifier IDA and, in case of failure, the process ends with step 1111.

If successful, on the contrary, the method proceeds, in a step 1106, the launch of a control application. In this regard, during a step 1107, the method transmits to the server 200 a request for temporary registration, if necessary by specifying e-mail and / or telephone coordinates for receiving confirmation messages and / or SMS messages. control. In one embodiment, it may be envisaged that the registration request of step 1107 involves receiving a control SMS, including a control password, on a mobile phone previously registered with the administrator server 200 .

In this way, it considerably reduces the risks of fraudulent access to the medical file, even if it is, as we have seen, devoid of any nominative information.

During a step 1108, the method tests the identifier and the password entered by the practitioner (and which he will have received optionally in step 1107) and, in the event of failure, the method finish with step 1111.

If successful, the process continues with a step 1109 during which the servers 200-300 transmit the constituent elements of the medical file of the patient, with the interface URGENCE (SAFETY PATIENT). In this way, access is granted - very secure since it is limited to the EMERGENCY interface containing only patient-related first-aid elements - to the patient's medical file, while forbidding complete access, which would be dangerous on the patient. plan of confidentiality. Then, in a step 1110, the process proceeds to update the medical file at the same time as the consultation takes place. In this regard, it should be noted that, unlike the update that is performed during the consultation of a practitioner with a CPS, the update performed under less secure conditions is simply stored on the memory storage of the patient's card or USB key presented by the patient.

It is thus possible, in a particularly advantageous manner, to come to enrich the medical file of the observations, the diagnostic elements collected during the unsecured consultation, with the aim of integrating them later when the patient returns to France, especially when he will come again to consult his usual practitioners. The process is then completed by step 1111.

FIG. 11b illustrates a particular embodiment in which the patient can, during a synchronization phase that can be implemented at his home or at the professional practice of his referring physician,

Steps 1121 to 1125 correspond to steps 1101-1105 of Figure 11a.

In a step 1126, the method performs a location test to verify that the synchronization can be performed in a secure context.

In a first embodiment, the method tests the local IP (Internet Protocol) used for access to the Internet and in particular to servers 200-300. This IP address can serve as an indicator to determine, for example, if the patient has returned to his country, in a more secure environment. Alternatively, we may consider other tests, particularly related to the detection of information provided by a GPS (Global Positioning System).

Step 1127 illustrates the test of the IP address to test the IP address, to determine the location of the patient and if the test reveals that the patient consults the record from an exposed territory, then the process goes to step 1 130. If the test of step 1127 succeeds, then the method proceeds with a step 1128 in which synchronization of the data stored locally on the PATIENT card (or where appropriate on the USB key) is implemented and the data of the DMAs stored on 300-500 servers.

Then, in a step 1128, the method synchronizes the information present on the patient's card with the information present on the server 300. In this respect, the method initiates a connection to the server 300 and presents a synchronization request, properly codified, with the information collected during the consultation which took place outside the secure environment.

Then, in a step 1129, the process proceeds with - optionally - with the update of the URGENCE interface, stored locally on the PATIENT card, in order to possibly integrate new data of observations, critical diagnostics that could to be critical of a patient's next trip abroad.

As can be seen, with the procedures just described, the sensitive information contained in the DMA remains particularly protected since no updating of the anonymous medical data will be permitted until the patient returns to a presumed secure territory.

Advantages of the proposed solution.

As we have seen, the invention offers therapists maximum comfort of use, in order to save time and efficiency in their medical practice. The solution presented is simple to implement, practical, complete and modular to meet the diversity of modes of use (full time or part time, single firm or professional groups) to combine a continuous use of therapists. As seen in FIG. 1, the statistical and collective analysis server 600 can access the servers DMA 300, GED 500 and the generic and collective resource servers 700 to continuously monitor the pathologies, the recommended therapies and also the effective use of generic and personal resources by the great diversity of patients. This provides a software tool of great interest that allows unlimited statistical exploitation and above all transparent, that is to say without overwork or loss of time for practitioners and their partners. patients. The invention thus contributes significantly to the development of intelligent tools for assisting the diagnosis, prescribing and rationalization of the cost / benefit ratio of the supply of care. Then, the use of the proposed solutions makes it possible to integrate the patient in the information sharing via a totally secure web access to prolong the consultation, to follow it remotely and to give him useful advice in term of health (appropriate care, surveillance of relevant medical criteria, advice and nutrition, sports and health advice ...). Finally, it should be noted that the different servers illustrated in Figure 1 may be conveniently arranged in various locations according to the specific needs of a given application. Depending on the costs, it will even be possible to concentrate the functionalities of the different servers within a small group of physical servers, but at the risk of reducing the security of the entire system. In particular, the servers 500 and 700 can merge into a single server 800 of Document Management and Resources.

Finally, it should be noted that it will be possible to easily extend the proposed solution to other media than the USB key for storing access information to the Medical Record, namely a mobile phone (including smartphones in the English terminology). -Saxonne), tablets tactile etc ... Clearly, any support that can store the files needed to access the servers described above can be used for consultation of the medical record and various consultations, everywhere, practitioners.

With the increased mobility that characterizes our Western societies, it is not uncommon for patients and consumers of medical care to cross national boundaries.

It is therefore quite appropriate, in many situations, for the same patient to consult various practitioners on a regular basis, belonging to different professional groups and in particular of different nationalities.

In this respect, one finds oneself in the situation illustrated by FIG. 13 in which it might be opportune for a patient to benefit from an occurrence of his personalized medical file (anonymous or even nominative) which would be stored in a national server, or even several national servers, which could be accessed by national professionals. Indeed, each group of practitioners may need, in the interest of their nomadic patients, access to a centralized medical file, for example, as described above, hence the interest of organizing as many servers 300'-A, 300'-B etc. that there are countries considered.

In most national legislation, however, there are very strict restrictions prohibiting the exchange of border data, whether registered or even anonymous. In such a context, unless it is placed in an irregular situation, it is not possible for the administrator of a first original server 300 -A (referring to FIG. 13) to simply duplicate in a second national host server 300'-B the medical data that would be hosted.

But a patient who has his doctor refer to a country A - and whose medical data are therefore hosted on the original server 300 -A, may need to consult a practitioner B, who may have his own access to a national medical data server 300 -B.

In the embodiment that will be described, it is possible to synchronize the medical records hosted by the two servers 300'-A and 300'-B without violating the national regulations, insofar as it is the patient who is at the heart of the synchronization and in particular the external support that accompanies it including all the elements of identification, encryption / decryption etc .. to access the servers described.

The method is illustrated more particularly with reference to FIG. 14, describing how, thanks to the external support (PATIENT card) presented by the patient, it is possible to take advantage of two or more national servers, while avoiding any transfer. cross-border data between these same servers. In this embodiment, the PATIENT card more specifically comprises a card identifier, and an identifier of the country of origin. The method starts with a step 1401, in which the practitioner's system 1300 is made to interact and communicate with the patient's external support. In a general manner, it will also be possible to consider any type of communication, and in particular without wires, between the practitioner's system 1300 and a portable electronic device, such as a laptop, mobile phone, smartphone, touch tablet etc. serving external support. However, it will also be possible, in the preferred embodiment, to opt, for the sake of simplicity, for a PATIENT card in the form of a system according to FIG. 12, in the form of a simple "key" USB ", which is undoubtedly the most popular external support for the public.

In a step 1402, the communication is detected and in particular the connection of the PATIENT card as a USB device in the example considered in FIG. 12. It should be noted that, in addition to the identification information previously described, the PATIENT card is brought to include additional information, including the URL of the national servers, a card ID (ID Card), and an identifier of the country of origin of the patient (Uniform Resource Locator in the English literature).

Then, in a step 1403, the method comprises reading the identifier of the card as well as the country of origin of the patient and proceeds, in a step 1404, to verification, to the server 300'-B of the country visited if the card has been previously registered, which corresponds to the presence or absence of a medical record associated with the patient considered.

Step 1405 is a test performed on the response received by the server 300'-B, to determine if a medical file is listed within the latter and corresponds to the identifier of the card (ID-Card)

If so, the method continues with a step 1406 and, if not, by a step 1410. In step 1406, the method downloads the date of update of the medical file within the server 300-B and then transmits a request to the origin server 300'-A so as to determine its own update date. This update date is downloaded in a step 1407. Then the method proceeds to a step 1408 which is a test that makes it possible to compare the two dates of update of the servers 300'-A and 300'B.

If the updates coincide, which means that no update is required on the server 300'-B, the process then proceeds directly with a step 1413. Otherwise, the system 1000 - and more specifically the external support of the patient when it is a smartphone - transmits an update request to the server 300'-B.

The process then proceeds with a step 1413.

In the test of step 1405, when the server 300 -B does not have a medical file assigned to the card identifier, the method proceeds with a step 1410 during which a request is transmitted to the origin server 300 '- AT . Then, the method continues with a step 1411 in which is performed a download of the encrypted medical record by means of the public key of the external support of the patient.

The medical file can then be decrypted by the processing means present on this external medium, and in step 1412, a duplicate is created and stored within the server 300'-B.

Then, in a step 1413, the consultation with the practitioner takes place in a completely conventional way, and this same practitioner is led to note the results of the clinical examination, the observations of the biological analyzes or the radios so as to enrich the medical file which can then be updated on the national server 300'-B.

At the end of the consultation, the process ends with step 1415.

As can be seen, the consultation which takes place within the practice of the practitioner belonging to the group of national professionals of country B is stored within the server 300'-B. This update can also be stored on the external support, in waiting for the patient to return to his country of origin for the purpose of potential synchronization.

Alternatively, we can clearly envisage a symmetrical scenario allowing the synchronization of the 300'-A server of the country of origin during the next visit of the patient to his reference practitioner of origin.

The synchronizations conducted between the different servers are therefore not automatic, occultly performed without the knowledge of the patient. And it is, on the contrary, the patient who, each time, is at the origin of the synchronization of the medical file at the server in the country where he stays, thus avoiding having to resort to a cross-border transmission of medical data that would be perfectly illegal.

We will now describe how the principles outlined above can be applied to the realization of a more general solution, that of a server storing nominative medical data and which, however, will benefit from increased protection due to double authentication.

B. Access to a server storing a name folder

We now describe the case of a server 1050 for storing and accessing a medical record that may contain personal data.

In addition, to show the many possibilities of application of the proposed method, we now consider a particular situation of remote consultation. Indeed, in many situations it is desirable to increase the flexibility of consultation with practitioners, especially the more well-known ones who, unfortunately, are not always ready in the immediate vicinity of their patient.

The present invention aims to address this problem, largely facilitating a quality consultation, preserving the confidentiality of the relationship between the practitioner and his patient, and allowing the constant enrichment of the medical record of the latter.

The invention achieves these goals by means of a method of access and sharing to a computer medical file stored on a server and accessible from a first system associated with an external medium comprising a first means of identifying a patient, as well as encryption / decryption means for communication with the server.

The method comprises the steps:

- opening a second session between the server and the second system belonging to the practitioner; - generation and sharing of medical records on the first and second systems;

- closures of said first and second sessions.

This procedure makes it possible to organize a meeting between a practitioner and a patient, with the aim of conducting a remote clinical consultation, possibly combined with the examination of biological examination results and / or radiological images, while allowing a enriching the medical file with information from the patient, and validated by the practitioner.

The meeting is particularly secure because of the double verification performed successively on both systems, thus allowing a particularly strong authentication.

Preferably, the external medium comprises executable code on said first system for executing a viewer of X-ray images stored on a medium present in the first system. The executable code allows in particular the taking of control of the first system by the second system in order to make a selection of one or more images extracted from the radiological support, the conversion of these images into digital files which can then be directly integrated within the shared medical record and simultaneously accessed via both systems.

Preferably, said external support of the patient is a smart card or a USB key comprising an executable code executing as soon as the card or the key is inserted.

Alternatively, the patient's external support is a mobile phone, a touch pad, or a personal assistant (PDA). Preferably, the viewer is a DICOM type viewer, for example, for extracting and converting images in JPG format, which are integrated into the medical file.

The invention also allows the realization of a method for accessing a computer medical file stored on a server and accessible from a first system associated with a support external device comprising a first means for identifying a patient, as well as encryption / decryption means for communication with said server.

The method comprises the steps:

detection of the presence of the external support of the patient within a second system;

- Starting access to said server (1050) by said second system, using the connection and authentication means present on said external medium;

- verification of the authentication of said second system by the server site (1050);

access to the personalized medical file via said second system.

With reference to FIG. 15, the case of a practitioner equipped with a data processing system represented by a laptop 1020, having access to the Internet network 100, notably to a DM 1050 server which is intended to receive the storage of medical records in any format, nominative or non-nominal. In the particular case of non-nominative data, it will be possible advantageously to be inspired by the principles described above.

The practitioner's system 1020 is furthermore associated with an authentication device, of the card reader type 1021, intended to receive an authentication card making it possible to authenticate the requests sent by the system 1020. for example consider a reader to receive the Card of Health Professional (CPS) that is in use in France, or any strong authentication system based on the use of a smart card ...

Alternatively, we can consider for the practitioner an authentication system based on a USB key specific to the practitioner, or even an autonomous system, such as a mobile phone, or a smartphone (in the Anglo-Saxon literature) with means of means authentication, such as electronic signature, encryption keys.

The patient has, for its part, a second information processing system 1020, represented for example by a laptop, and also having access to the Internet network 100.

As for the practitioner, the patient has an external support 90 for its own authentication and further comprising executable program elements, including encryption / decryption for the implementation of the procedures described below and secure exchanges with the DM 1050 server. In a particular embodiment, the external support is in the form of a so-called PATIENT card which can be slid into a card reader 101 1 as shown in FIG. 15, or which is equipped with a USB connector corresponding to the generally most common connection mode.

Preferably, the patient's external support will be in accordance with the map illustrated in FIG. 12, and described above, which clearly shows that the recommended solution can be used in various situations as needed.

In a preferred embodiment, the PATIENT card has a USB connector allowing a direct connection, without the need for a reader, to a USB port of the 1010 system. This system has the advantage of corresponding to the most common connection mode.

It should be noted, however, that the external support may take a form distinct from that of a card or a USB key. In other embodiments, it will be possible to introduce the elements of patient authentication, encryption / decryption for the connection to the server DM 1050 in an autonomous system, such as a telephone without wire, a smartphone (in the English terminology), a portable personal assistant (PDA), a touch pad etc. and communicating via own communication means with the system 1010, or even having their own access to the Internet 100 to access the DM 1050 server.

FIG. 15 also shows an optional administrator server 1060 responsible for administering and managing medical records, including enrollment and billing. As before, it will further be assumed that the systems 1010 and 1020 are equipped with means of notification, of the electronic mail type, as well as a browser, such as Internet Explorer of the publisher MICROSOFT Corp. for example, allowing simple access via the HTTP protocol (Hyper Text Transfer Protocol) to the DM 1050 server. Such means are well known to a person skilled in the art and do not require additional development. The use of more specific software and programs for the implementation of the notifications and procedures described below may also be considered. Furthermore, it may also be envisaged that the notifications transmitted via one of the systems 1010, or 1020, result from a notification transmitted via an external server. In the solution proposed in FIG. 15, and contrary to the devices described in the aforementioned patents, it is not necessary for the two parties to the consultation, namely the practitioner and his patient, to be regularly registered with the administrator server. 1060.

Indeed, and this is an advantage of this particular embodiment which is described now, and which should ensure in the short term a rapid deployment of the device, lies in the fact that the patient, and him only, can be registered with the server to allow the constitution of his personal medical file (nominative or not) and see file enriched as different consultations with practitioners, which need not be registered beforehand.

Clearly, eventually, it is absolutely not excluded that the practitioners themselves express the desire to register also with the administrator server 1060 of the operator who deployed the system.

An important element in the solution that is proposed, for the conduct of a remote consultation, is the "meeting" - remotely - of the two respective authentication devices of the patient and his practitioner, namely the external support 90 (the PATIENT card) and the authentication support of the practitioner, such as for example the professional health card (CPS), to enable the procedures described below to be carried out and, consequently, a remote consultation with high added value , while preserving the confidentiality of the exchange.

This results in a double layer of authentication significantly increasing the security of the system, even though the server is intended to contain sensitive medical data, especially when they are nominative.

In the following, it is assumed that the patient wishes to schedule a remote consultation with his practitioner and, quite simply, inserts his PATIENT card into the system 1010 (or alternatively activates an appropriate function on the external standalone support, such as than a smartphone).

The process is described with reference to FIG.

In a step 310, the system 1010 detects the presence of the PATIENT card (or more generally of the external support), and launches an executable code which, in general, is stored on this card. same card PATIENT 90. In a particular embodiment, the PATIENT card is a USB key whose executable code starts automatically upon detection of the key, resulting in no other formality the start of the program implementing the method described below . Then, in a step 320. a request is transmitted by the system 1010 to the DM server

1050 (and / or the server ADMIN 1060) via the Internet 100 to request programming a remote consultation. For this purpose, the identification elements of the patient are transmitted to the server, suitably encrypted, for example by means of the public key of the server DM 1050 stored on the external medium 90 and, where appropriate, properly authenticated by a digital signature present on the external support. This procedure leads to a first verification related to the 1010 system.

In a particular embodiment, the server DM1050 responds to this request by transmitting a properly formatted HTML page including, in addition to access links to its file, a list of the usual doctors of the patient, including their contact details and in particular their email address. . This embodiment is useful if it is not desired to store on the support 90 the references of the usual treating physicians and allows user-friendly access to the patient. Incidentally, this embodiment also allows the direct transmission, from the server 1050 and to the system 1020, a programming notification of a remote electronic consultation.

Then, in a step 330. the executable code on the site 1010 selects a consulting physician and sends to his e-mail address an electronic notification comprising, in addition to the consultation request notice, a password One Time Password (OTP) previously calculated to allow this doctor to access the patient's medical file with, if necessary, identification elements of the DM 1050 server as well as encryption / decryption keys for secure exchange with the latter. In particular, the identification elements may consist of a specific URL allowing direct access to the server via a conventional browser.

In a particular embodiment, the OTP single use password also has a limited validity in time.

Clearly, the notification of step 330 can be transmitted via the email, possibly encrypted, according to conventional procedures. This is only here a particular example and we can consider the notification of password by any other means, including telephone, SMS etc. ..

The notification transmitted by the system 1010 is received within the system 1020 and the practitioner is then informed of the consultation request, which can then accept or reject it.

If the practitioner accepts the notification - which may occur several hours after the request made by the patient according to the customary practice within the profession and with the patient - the system 1020 then transmits in a step 340, a request to the server DM 1050 using the identification and encryption / decryption elements received from the 1010 system.

Then, in a step 350, the server proceeds to verify the presence of the authentication means of the practitioner. In this respect, the presence of the Professional Health Card (CPS) is tested in order to confirm to the DM 1050 server the presence of the authorized practitioner. In the case where the professional card is not present, then access to the server ends in a step 360.

In the case where the professional card is actually present, and confirms the identity of the practitioner present online, the DM 1050 server initiates a second session with the system 1020 in a step 370.

The two sessions opened respectively with the system 1010 and 1020 can thus take place simultaneously, allowing a remote consultation, during a step 380, between the practitioner and his patient who both have access to the medical file stored on the server 1050.

In this regard, we can consider many different features to enrich the consultation and allow greater user-friendliness in trade.

In particular, all the procedures previously described in Part A of this paper are clearly usable.

Firstly, the shared access to the patient's personal medical file can be achieved at the same time that the multimedia functions of the two systems 1010 and 1020 are activated, so as to allow a visual and audio exchange between the two parts. In addition, we can also consider that the practitioner comes to add, within the personalized medical file, a set of links (including URL - Uniform Resources Locators) to general or personalized resources to enrich the medical record of the patient and to enlighten him on certain aspects of his or her pathologies.

Alternatively, it can be envisaged that for the conduct of the 2nd open session with the practitioner's system 1020, the server DM uses a specific interface, of the URGENCY type, as described previously with reference to FIG. 10, so as to limit the rights of access to the doctor.

As can be seen from the remote electronic consultation which is organized according to the present proposal allows a multitude of possibilities, which can be opportunely enriched by the methods which have been described above, in relation with the methods described in relation with FIGS. , 9-1 lb and 13-14.

In particular, with reference to the situation of FIGS. 11a and 11b, it can be seen that the patient support server can conveniently accommodate temporary storage of medical data during a visit by a practitioner located abroad. pending the return of the patient to his country of origin.

Similarly, in connection with Figure 14, the patient support can also be used to update different national servers located in various countries between which there are regulatory restrictions on the cross-border exchange of nominative medical information.

Moreover, and this is an important advantage of the present invention, the patient is able, during the course of this remote consultation, to present various documents, results of analyzes, questionnaires etc. in the form of an electronic file, in particular PDF format (according to the format of the software publisher ADOBE (TM) which can thus be the subject of an immediate examination by the practitioner and can thus provide a validation of these documents, an interrogation etc .. which This validation will be particularly useful for the management of the medical file because it ensures that a particular document has been examined by a professional eye. confirming certain medical diagnostic hypotheses, for example, it is common for a patient to complete a form and declare allergies that ultimately e are not timely .. The solution that is proposed makes it possible to systematically codify the examination of the documents submitted to the practitioner (s), for the greater benefit of the patient.

It is also frequent for the patient to present medical imaging documents, generated in particular during extensive radiological examinations, such as MRI, etc. In this respect, the patient may be required to present a DVD medium comprising thousands of images from an MRI scan. In a particular embodiment, the external support 90 of the patient comprises a universal reader DICOM type for reading electronic medical imaging files. The universal reader has a simplified functionality, allowing the selection of one or more images within a file containing several hundred images, and the conversion of these images in the form of independent digital files, for example JPG type. It should be noted that the DICOM file corresponding to radiological imaging is only an example of a file that the second system can access. In other embodiments, for example biology, HPRIM ... Or other files in other standards: HL7 or equivalent may be relevant to all specialties of medicine.

In a specific embodiment, the executable code present on the PATIENT card comprises a remote control capability, by the computer 1020 having received the notification of the consultation request step 330, to enable the implementation of the DICOM file viewer and the control of the CD / DVD reader, and thus allow the practitioner to select one or more images deemed appropriate and relevant, and insert them into the patient's medical file.

Such an operation requires particularly extensive rights on the functionalities of the system 1010 and is generally not accessible for a browser software which, in principle, must remain within the strict framework of the "sand box" defining the access rights to the resources hardware and software.

In this particularly advantageous embodiment, it is indeed the physical medium 90, and in particular the PATIENT card 90, which makes it possible to combine all the elements necessary for setting up a simultaneous double session between, on the one hand, the server 1050 and, on the other hand, the two systems 1010 and 1020, and which allows the conduct of the consultation and the sharing of the medical file. Thus, without it being necessary to organize a physical meeting between the practitioner and his counsel, it becomes possible, thanks to the proposed solution, to proceed within the practitioner's office to a selection of images extracted from the DICOM held at the clinic. his home by the patient, which can be validated and integrated into the medical file, suitably and automatically indexed according to the pathology considered (for example "pathology of the knee" and more specifically "fracture of the knee"), supplemented by comments, d observations and detailed analyzes on the part of the practitioner. In addition, it will not be necessary to store on the DM server (1050) thousands of images forming the entirety of the DICOM (s) generated (s) for the patient, which can only lead, in addition to a prohibitive occupation of memory on the server, to a great confusion within the nominative medical file. In the solution that is recommended, it is a selection of images, personally chosen and validated by the practitioner and accompanied, if necessary, detailed observations and relevant, which will enrich the medical record. As can be seen, it is thus possible to organize a consultation, remotely, and to present a great added value, and this in particular thanks to the systematization of the analysis carried out during the course of the double session of simultaneous access.

According to one embodiment, as soon as access to the DICOM viewer is completed, the remote control program completes its progress, which allows the patient to recover the hand on his system 1010. It should be noted that the method ensures the most useful functionality, while maintaining a high degree of safety for the patient. Firstly, the remote control by the system 1020 relates only to the single viewer DICOM, which clearly prohibits any other operation, including moving or copying files and, secondly, the remote control ends with the end of the use of the viewer.

When the remote consultation comes to an end, the process then continues with the storage of the new information resulting from the consultation, during a step 390 and, if necessary, ends the two sessions initiated with the two systems, in a step 400.

Beyond the consultation that took place between the parties, and whose milestones were thus able to be indexed, codified and integrated into the patient's medical file, the patient will be able to find, later, if he / she wishes, the elements this consultation by making individual access to his medical file, which is allowed by the storage medium. The practitioner, on the other hand, will be able to freely access the medical file according to the access rights granted to him by "his" patient and, where appropriate, by an application for registration previously submitted to the administrator server 1060. proposed solution, besides it has the advantage of organizing and supervising in a very secure context, a consultation between a practitioner and his patient, also makes it possible to codify and systematize the various phases of the consultation, in particular the clinical examination, the examination of biological results or the examination of radiological images, their eventual validation and a precise listing of the latter in the doctor's file so as to preserve a precise and useful trace for the patient.

It should be noted that, in a particular embodiment, the external support 90 of the patient is also used during a conventional consultation, during a patient's move to the practitioner's office, even in this access situation. a server storing nominative data. In this respect, the identification and encryption / decryption elements present on the patient's card notably make it possible to access the personalized medical file, instead of the practitioner's office, from the DM 1050 server, regardless of whether the patient belongs to the patient. practitioner to a group of professionals duly registered with the medical data server. In this hypothesis, as in others, it is the external support of the patient that serves as a gateway to the doctor, whoever he is and whatever the place of his office, to access the medical file.

It should be noted, however, that if the patient can access his medical file thanks to his external support, it is a "read only" access and updates (and more generally accesses "in writing"). ") are performed under the control of a practitioner as observed with the method of Figure 16: it is the patient who brings the result of his radiological images, but it is the practitioner, authorized by the patient, who performs the selection of images, provide relevant comments and observations, and records the data on the medical file stored on the server so that it is the true image of the state of the diseases and patient treatments.

It is also noted, and this is another very interesting advantage of the proposed solution, that the external support of the patient, in particular in the form of the PATIENT card or of the. USB key, can serve conveniently even outside a context of remote consultation.

Indeed, the storage medium can be used very opportunely even during a very conventional consultation, including within the practice of a practitioner not registered with the administrator site of the server 1050, to grant the practitioner, for the consultation time, access and rights associated with the personalized medical record. For this purpose, during the consultation, the patient transmits his PATIENT card, for example the USB key containing his identifiers and the different means of authentication and encryption / decryption, which can be used then to consult the medical file as would the patient at his home.

In this respect, the method performed on the practitioner's system comprises the following steps: detection of the presence of the external support of the patient within a second system;

- Starting an access to said server by said second system, using the connection and authentication means present on said external medium;

access to the personalized medical file via said second system.

And we note that it is even possible, at this time, that the practitioner initiates a double remote consultation with a second practitioner - for example a specialist - who could at this time come to share the medical file downloaded from the server 1050 in order to ensure a consultation of the greatest interest for the patient.

As can be seen, the patient card that is proposed according to the various embodiments opens up many new combinations and different applications.

Claims

1. A method for accessing and sharing a personalized computer file managed by a service provider for the benefit of a client, said file comprising data of a technical nature, including medical data, and highly confidential personal data, at within an architecture comprising:

- a first server (DMA - 300) containing anonymous information excluding any nominative information in relation to an anonymous identifier (IDA);

at least one second server (GED - 500; RG & P 700-800) comprising attachments contained in said personalized file and general and personalized resources indexed via said anonymous identifier (IDA);

a first system (1-1, 1-n) allowing access to the first and second server audits, said first system comprising in its memory a DMN agent for generating a personalized computer file and at least one encryption / decryption file and a link mapping table (PLT) between a patient's nominative data and an anonymous identifier (IDA),

a second system (1000) allowing access to the first and second systems; the process comprising the following steps:

- identification (login) (402) on said first server corresponding to the identifier of said provider;

downloading (403) a list of IDA anonymous identifiers associated with said provider;

generating (404) a client list from the IDA ID list and said PLT table;

- selection of a particular client (405);

downloading (406) the anonymous computer file from said first server;

- building (407) the personalized computer file from information downloaded from said first and second servers and the personal information present in said PLT table.

updating (408) said personalized computer file;

and characterized in that it comprises the steps:

downloading (409) from said servers a list of generic resource identifiers;

displaying (410) said resources and composing a generic resource selection list; optional addition (411) of personalized resources generated by the provider;

creating (505) a connection identifier for the attention of said second system (1000) for said first and at least second servers (300, 500, 700-800);

generating at least one encryption key allocated to said second system (1000);

transmission of said connection identifier from the encryption key or IDA to an administrator server or directly to said first and at least second server (300, 500, 700-800)

transmission of the connection identifier, the encryption key or keys and the IDA identifier to said second system (1000) so as to allow shared access to the Anonymous computer file, to the exclusion of any nominative information.

2. Method according to claim 1 characterized in that said first and second system (1-1, 1-n, 1000) are a computer, a laptop, a communicating tablet, a pocket terminal (smartphone) or a telephone.

3. Method according to one of the preceding claims, characterized in that said transmission to the second system (1000) of the connection identifier, the encryption key or keys and the identifier IDA are performed via a support of external storage, such as a biometric USB stick, or via a wireless communication link between two communicating devices or by electronic mail.

4. Method according to one of the preceding claims characterized in that it comprises, subsequent to the generation of the connection identifier and encryption keys of said second system the creation of a certificate / certificate (506) for confirming creating access to said second system.

5. Method according to one of the preceding claims characterized in that said personalized resources are made from an audio or video recording made from said first system (1-1, 1-n) during consultation with the practitioner. .

6. Method according to one of the preceding claims characterized in that the exchanges between said first system (1-1) and said first and at least second servers (300, 500, 700-800) are encrypted by means of encryption keys. public / private of the first system.

7. Method according to one of the preceding claims characterized in that the exchanges between said second system (1000) and said first and at least second servers (300, 500, 700-800) are encrypted by means of public encryption keys / private of the second system, generated and transmitted by said first system (1-1).

8. Method according to one of the preceding claims characterized in that a specific agent on said second system downloads the anonymous computer file from said first and at least second (300, 500, 700-800) servers and completes the information by access to a local storage medium with anonymous data.

9. The method of claim 8 characterized in that the specific agent accesses a smart card reader to retrieve nominative information for generating a personal computer file.

10. Method according to one of the preceding claims characterized in that it is applied to access and sharing an anonymous medical record stored on said first server.

11. Method according to one of the preceding claims characterized in that said DNM agent accesses the storage medium of a third system having the connection identifier of another client, and presents a request to said first server (DMA 300). using said IDA ID to update the IDA anonymous identifier list associated with said provider and proceeds to update said PLT table to integrate said other client.

12. The method of claim 11 characterized in that the updating of said PLT table is performed by means of a smart card containing nominative information of said patient.

13. Method according to one of the preceding claims characterized in that it comprises a collection server and statistical information for monitoring access to said first server and the download of said generic and personal resources for the purpose of producing information statistical.

14. Method according to one of claims 10 or 13 characterized in that said DNM agent implements a wizard for the diagnosis based on a classification of pathologies based on the codification from classification ICD10 (ICD10)

15. A computer medium comprising a computer program based on program instructions which, when it is connected to a computer or a data processing device and that computer or data processing device is loaded with said program instructions, implements the method as defined in any one of claims 1 to 14.

16. A method for accessing and sharing a personalized medical file managed by a service provider for the benefit of a patient, said file comprising highly confidential medical data and nominative data, within an architecture comprising:

- at least one server (200, DMA-300, GED-500, RG & P 700-800) containing anonymous information excluding all nominative information in relation to an anonymous identifier (IDA) and also including attachments and general and custom resources indexed via said anonymous identifier (IDA); access to said server from a system (1000) belonging to a practitioner resulting from the following steps:

detection (902) of a support allocated to the patient including identifying elements

(non-nominative) of said patient, means of encryption / decryption;

reading and decrypting the anonymous identifier (903);

launching a connection to said server (904);

testing (95) the anonymous identifier (IDA) so as to verify whether it corresponds to an anonymous medical file stored in said database;

- verification of the identification of the practitioner (913, 908)

- Displaying an anonymous medical file under a first interface with limited rights (EMERGENCY) so as to provide the practitioner with critical medical information concerning the patient even when the patient is unconscious.

17. The method of claim 16 characterized in that said patient support is a smart card, a USB key or even a mobile terminal such as a smartphone.

18. The method of claim 16 characterized in that the verification of the practitioner includes a test on the professional health card (CPS) presented by the latter.

19. The method of claim 16 characterized in that said server causes the display of the anonymous medical record in relation to separate interfaces for medical professionals and the patient himself, the interfaces with different access rights.

20. The method of claim 19 characterized in that access to the DMA from the patient's home includes a password test to ensure the identity of the patient and allow him, in good conscience, to modify the rights of the patient. access granted to a practitioner who has accessed his DMA file.

21. The method of claim 19 characterized in that the patient has its own interface (PATIENT) comprising access to general and personal resources specifically created by the practitioners intervened on the file, to his attention.

22. The method of claim 19 characterized in that the interface (PATIENT) of the patient comprises a search engine using the data of the Medical File Anonymous stored on said server.

23. Method according to one of claims 16 to 22 characterized in that it comprises a location test (1 126) to determine whether the territory on which the patient consults is a territory exposed or secure, the data of setting day of the DMA being exclusively stored on the patient card in the case of an exposed territory.

24. The method of claim 23 characterized in that it comprises a synchronization phase for updating the medical data of the DMA when the patient consults his file from a location deemed secure.

25. Method according to one of claims 23 or 24, characterized in that the location test is a test of the Internet Protocol address used to access the file or a geolocation test using a GPS receiver (Global Positioning System). ).

26. Method according to any one of claims 19 to 25, characterized in that it comprises an interface for the medical professions, according to their specialty, an interface for the paramedical professions.

27. A method of updating medical data between a first origin server (300'-A) and a second server (300 -B) located in different countries, the method comprising the steps of:

detection (1402) of a communication between a practitioner's system (1300) and an external support (90) held by the patient, said external medium comprising an identifier of external support (ID card) and a country of origin identifier as well as means of identification and encryption / decryption attributed to the patient;

reading of the identifier of the external support (1403) as well as the country of origin of the patient;

checking (1404, 1405) with said second server (300'-B) if the external support identifier corresponds to a medical file associated with the patient;

- if a medical file is identified:

transmitting a request (1406) to said origin server (300'-A) and downloading the date of the last update;

comparing the last update of said origin server (300'-A) with the update of said second server (300'-B);

- Downloading an encrypted update (1409) from said origin server (300'-A) and updating said second server (300 -B);

- if a medical file is not identified:

- send a request to the origin server (300'-A) to download an encrypted update of the medical file;

creating a copy of the medical file within said second server (300'-B);

storage of the update of the medical file within said second server.

28. The method of claim 27 characterized in that said external medium is a mobile phone, a laptop, a touch pad or a USB key with its own processing means.

29. The method of claim 27 characterized in that said medical data are anonymous medical data.

30. A method for accessing and sharing a computer medical file stored on a server (1050) and accessible from a first system (1010) associated with an external medium comprising a first means of identifying a patient, as well as means of encryption / decryption for communication with said server, said method comprising the steps of:

detecting (310) the presence of the patient's external support within said first system;

- transmitting (320) a request to said server to request programming a remote consultation via a second system (1020) and implementation of a first authentication of said first system (1010);

FIRE I LLE OF REM PLACEM ENT (RULE 26) generating and transmitting (330) an electronic notification to said second system (1020) comprising means for identifying said server, encryption / decryption elements and a password for setting up a second access to said medical file via said second system;

- transmitting a request (340) to said server by the second system using said identification, encryption / decryption means and the password received from said first system;

- checking (350) by said server (1050) the presence of authentication means associated with said second system (1020);

opening a second session (370) between said server and said second system;

generating and sharing (380) the DM on said first and second systems (1010, 1020);

- storing (390) and / or updating the DM 1050 with the information entered on said second system (1020);

- Closures of said first and second sessions (400).

31. The method of claim 30 characterized in that said external medium comprises an executable code on said first system for executing a viewer of x-ray images stored on a medium present in the first system and in that the method includes the following steps:

taking control of the first system (1010) by said second system (1020);

the selection by said second system (1020) of one or more images extracted from said medium;

the conversion of said selected images into independent digital files; and

integrating said selected images into said medical file shared by said first and second systems.

32. The method of claim 30 or 31 characterized in that said external medium is a smart card or a USB key comprising an executable code executing upon insertion of the card or key.

33. The method of claim 30 or 31 characterized in that said external medium is a mobile phone, a touch pad, or a portable personal assistant (PDA).

34. The method of claim 33 characterized in that the viewer is a DICOM type viewer for example for the extraction and conversion of images in JPG format, which are integrated in the medical file.

FIRE I LLE OF REM PLACEM ENT (RULE 26)

35. Method according to one of claims 30 to 34 characterized in that it comprises the step of introduction via said second system (1020) links to generic resources and / or customized to enrich the medical record, for subsequent consultation of this file by the patient.

36. Method according to one of claims 30 to 34 characterized in that the access of said practitioner to the medical file is determined by access rights under the control of the patient.

37. A method for accessing a computer medical file stored on a server (1050) and accessible from a first system (1010) associated with an external medium comprising a first means of identifying a patient, and encryption means / decryption for communication with said server, said method comprising the steps of:

access to the personalized medical file via said second system.

External support characterized in that it comprises the means for carrying out the process defined in any one of Claims 1 to 14 and 16 to 37.

39. A computer data server adapted for carrying out the method claimed in one of claims 1 to 14 and 16 to 37.

FIRE I LLE OF REM PLACEM ENT (RULE 26)