EHR & Patient Management Workflows
Home / Clinical Modules / EHR & Patient Management / Workflows

EHR & Patient Management Workflows

This document defines nine core workflows for the EHR & Patient Management module. These workflows cover patient registration, demographics maintenance, MPI/duplicate resolution, allergy and problem list management, clinical documentation, document and consent management, and privacy controls (break‑the‑glass).

Regulatory context (UAE):
- UAE PDPL (Federal Decree-Law No. 45/2021) — governs personal data processing, consent, data subject rights, and breach notification.
- MOH / DOH / DHA — licensing, health information exchange (HIE) policies, and minimum dataset requirements.
- NABIDH (Dubai) / Malaffi (Abu Dhabi) — HIE platforms requiring timely, accurate ADT and clinical document submission.
- ADHICS / DHA Security Standards / TDRA/NESA — cybersecurity and audit requirements for access logging and BTG.

All workflows assume role-based access control (RBAC) using users, roles, permissions, and full auditability via audit_log.

WF-EHRPATIENTMGMT-001: Patient Registration (New)

Process Flow

Actor: Registration Clerk
Trigger: Patient arrives at facility (walk-in, scheduled appointment) or pre-registration via call/online request
Pre-conditions:

  • Registration Clerk authenticated with register_patient permission.
  • Facility and registration location configured in facilities / locations.
  • Emirates ID reader (if used) and scanner devices online.
  1. Clerk opens Patient Search screen (SCR-EHR-001) and selects facility context.
  2. Clerk searches for existing patient using one or more: - Emirates ID, MRN, passport number, mobile number, name + DOB.
  3. System queries: - patients, patient_identifiers, patient_demographics, duplicate_suspects and displays: - Exact matches, probable matches (with match score), and “no results”.
  4. Decision: Potential match found?
    - If yes, clerk verifies identity (ID card, verbal confirmation of DOB, mobile).
    - If no, proceed to new registration.
  5. Decision: Identity confirmed as existing patient?
    - If yes, system opens existing record; workflow ends (no new patient created).
    - If no / uncertain, clerk flags as “possible duplicate” and continues with new registration (system will create duplicate_suspects entry later via MPI job — outside this workflow).
  6. Clerk opens Patient Registration Form (SCR-EHR-002) in “New” mode.
  7. Clerk captures core identity data: - English/Arabic names, DOB, gender, nationality, Emirates ID, passport, visa details. - System validates Emirates ID format (784-YYYY-NNNNNNN-C) and DOB plausibility.
  8. Clerk captures contact and socio-demographic details: - Mobile, email, PO Box, emirate, city, emergency contacts, marital status, occupation, employer.
  9. Clerk captures insurance information: - Payer, plan, member ID, card expiry, coverage start/end. - System calls Insurance Eligibility integration (INT-EHR-007) to validate member status.
  10. Clerk scans/uploads Emirates ID and insurance card via Document Management (SCR-EHR-008):
    • System creates patient_documents entries with type “ID – Emirates ID”, “Insurance Card”.
  11. System assigns MRN:
    • Auto-generated based on facility-specific rules (e.g., prefix per facility) and ensures uniqueness in patients.mrn.
  12. System creates:
    • patients row (core identity and flags).
    • patient_demographics row (current demographic snapshot).
    • patient_identifiers rows for MRN, Emirates ID, passport, insurance member ID.
  13. System creates initial encounter shell (if appointment exists or walk-in):
    • Calls Scheduling module (INT-EHR-003) to create or link encounters record.
  14. Clerk presents PDPL-compliant data processing consent (general treatment + data processing + HIE sharing) via Consent Management (SCR-EHR-009):
    • Patient signs digitally; system inserts patient_consents row and stores signed document in patient_documents.
  15. For inpatients, system prints wristband with MRN, name, DOB, barcode; for outpatients, prints appointment slip if needed.
  16. System:
    • Sends ADT A04 (or A01 for admitted) to NABIDH/Malaffi (INT-EHR-001/002).
    • Logs all actions in audit_log (registration start/end, data created, consents).

Data Modified:

  • patients — INSERT
  • patient_demographics — INSERT
  • patient_identifiers — INSERT (multiple)
  • patient_documents — INSERT (ID, insurance scans)
  • patient_consents — INSERT
  • audit_log — INSERT (multiple events)
  • encounters (in Scheduling module) — INSERT via integration (not owned here)

Mermaid Flowchart

flowchart TD A["Start Registration<br/>Patient arrives"] --> B["Search existing patient<br/>(MRN/Emirates ID/Name)"] B --> C{"Potential match found?"} C -->|"No"| D["Open New Registration Form"] C -->|"Yes"| E["Verify identity with patient/ID"] E --> F{"Identity confirmed as existing?"} F -->|"Yes"| G["Open existing record<br/>No new patient"] G --> Z["End"] F -->|"No/Uncertain"| D D --> H["Enter identity & demographics"] H --> I["Enter contact & emergency details"] I --> J["Enter insurance details"] J --> K["Call Insurance Eligibility API"] K --> L{"Eligibility valid?"} L -->|"No"| L1["Flag insurance as unverified<br/>Inform patient"] L1 --> M L -->|"Yes"| M["Mark insurance verified"] M --> N["Scan/upload Emirates ID & insurance card"] N --> O["Generate MRN"] O --> P["Create patients & demographics & identifiers"] P --> Q{"Appointment exists?"} Q -->|"Yes"| R["Link to existing encounter in Scheduling"] Q -->|"No"| S["Create new encounter shell via Scheduling"] R --> T S --> T["Present PDPL & treatment consent"] T --> U["Capture digital signature<br/>Create consent record"] U --> V{"Inpatient?"} V -->|"Yes"| W["Print wristband"] V -->|"No"| X["Print appointment slip (optional)"] W --> Y X --> Y["Send ADT A04/A01 to NABIDH/Malaffi"] Y --> Z["End"]

Decision Points

  1. Potential match found? - If yes → verify identity; avoid duplicate creation. - If no → proceed with new patient creation.
  2. Identity confirmed as existing? - If yes → open existing record; do not create new patients row. - If no/uncertain → proceed but flag for MPI review.
  3. Insurance eligibility valid? - If yes → mark insurance as verified; allow normal billing. - If no → mark as unverified; prompt for self-pay or alternative payer.
  4. Inpatient vs outpatient? - Inpatient → wristband printing mandatory. - Outpatient → appointment slip optional.

Integration Points

  • Scheduling (INT-EHR-003)
  • Direction: Bidirectional
  • Data: Patient demographics, encounter creation/linkage
  • Trigger: New registration or walk-in without existing encounter.
  • Billing & Claims (INT-EHR-004)
  • Direction: Outbound
  • Data: Patient demographics, insurance details, encounter shell
  • Trigger: Registration completion or insurance update.
  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • Direction: Bidirectional
  • Data: ADT A04/A01 messages with demographics and encounter info
  • Trigger: New patient registration, admission.
  • Insurance Eligibility (INT-EHR-007)
  • Direction: Bidirectional
  • Data: Payer, member ID, DOB, name
  • Trigger: Insurance details entry or update.

Exception Handling

  • Duplicate MRN risk:
  • System enforces unique MRN constraint; if conflict, regenerate MRN and log incident.
  • Emirates ID validation failure:
  • System blocks saving Emirates ID; allows registration with alternative ID, flags record as “ID not verified”.
  • Insurance API timeout/error:
  • System marks insurance status as “pending verification”; allows registration but flags for follow-up.
  • HIE (NABIDH/Malaffi) transmission failure:
  • ADT message queued with retry; if repeated failures, alert integration admin; registration not blocked.
  • Consent refusal:
  • System records refusal in patient_consents with status “declined”; may restrict data sharing to HIE per facility policy.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Handwritten registration forms Structured electronic registration wizard Reduces errors, enforces mandatory fields
Photocopies of Emirates ID and insurance cards Scanned/uploaded images stored in patient_documents Instant availability across departments
Manual insurance verification via phone/fax Real-time API eligibility checks Faster throughput, audit trail of verification
Wet-ink signatures on general consent forms Digital consent with signature capture and expiry tracking Supports PDPL compliance and reporting

Remaining Paper Touchpoints: Optional printed wristbands and appointment slips; can be minimized if facility uses mobile/virtual tokens.

Inputs and Outputs

Inputs:

Source Data Element Format
Patient / Registration Desk Emirates ID, passport, identity documents Physical scan / barcode reader
Registration Clerk Name (EN/AR), DOB, gender, nationality, contact details SCR-EHR-002 registration form
Registration Clerk Insurance details (payer, plan, member ID) SCR-EHR-002 insurance section
Insurance Eligibility API (INT-EHR-007) Eligibility status, coverage details REST API response
Scheduling Module (INT-EHR-003) Existing appointment / encounter linkage Internal REST API
Patient / Clerk Signed consent (general treatment, PDPL, HIE sharing) Tablet e-signature capture

Outputs:

Destination Data Element Format
patients Core patient record (MRN, identity, flags) SQL INSERT
patient_demographics Current demographic snapshot SQL INSERT
patient_identifiers MRN, Emirates ID, passport, insurance member ID SQL INSERT (multiple rows)
patient_documents Scanned Emirates ID and insurance card SQL INSERT + file storage
patient_consents Signed consent record SQL INSERT
Scheduling Module (INT-EHR-003) Encounter shell creation/linkage Internal REST API
NABIDH / Malaffi (INT-EHR-001/002) ADT A04/A01 message HL7 v2.5.1 over MLLP/TLS
audit_log Registration events SQL INSERT (multiple)

Post-conditions:

  • Patient record exists with unique MRN and validated Emirates ID
  • Insurance eligibility status recorded (verified, unverified, or pending)
  • PDPL-compliant consent captured and stored
  • ADT message queued or transmitted to applicable HIE
  • Encounter shell created or linked in Scheduling module

SLA and Timing

Step Target Time Escalation Measurement Source
Walk-in registration (start to completion) < 10 minutes Alert Registration Supervisor at 15 min audit_log.created_at (end minus start)
Insurance eligibility API response < 5 seconds Mark as pending if > 10s; alert IT if > 30s integration_message_log.response_time_ms
Emirates ID validation < 2 seconds N/A — inline validation Client-side
ADT A04/A01 transmission to HIE < 5 seconds Retry queue; alert integration admin after 10 min integration_message_log.sent_at
MRN generation < 1 second Alert IT if uniqueness conflict patients.created_at
Consent capture (presentation to signature) < 3 minutes None — patient-driven patient_consents.granted_datetime
Pre-registration (portal/phone) < 5 minutes None — self-service audit_log.created_at

State Transition Diagram

stateDiagram-v2 [*] --> SearchingExisting : Clerk opens patient search SearchingExisting --> ExistingFound : Match confirmed ExistingFound --> [*] : Open existing record SearchingExisting --> NewRegistration : No match or uncertain NewRegistration --> DemographicsEntry : Clerk enters identity data DemographicsEntry --> InsuranceCheck : Demographics validated InsuranceCheck --> InsuranceVerified : Eligibility confirmed InsuranceCheck --> InsuranceUnverified : API timeout or ineligible InsuranceVerified --> DocumentCapture : Scan ID and insurance InsuranceUnverified --> DocumentCapture : Proceed with flag DocumentCapture --> MRNAssigned : System generates MRN MRNAssigned --> EncounterLinked : Encounter created/linked EncounterLinked --> ConsentPending : Present consent forms ConsentPending --> ConsentGranted : Patient signs ConsentPending --> ConsentDeclined : Patient declines ConsentGranted --> Registered : ADT sent, registration complete ConsentDeclined --> Registered : Registration complete with consent refusal flag Registered --> [*]

WF-EHRPATIENTMGMT-002: Patient Demographics Update

Process Flow

Actor: Registration Clerk, Senior Registration Clerk, Patient (via Portal)
Trigger: Patient reports change in personal information or periodic verification; insurance change; portal self-service update
Pre-conditions:

  • Patient exists in patients.
  • Actor authenticated with appropriate permissions:
  • Clerk: update_demographics
  • Senior Clerk: approve_demographic_changes
  • Patient: update_contact_info (limited fields via portal).
  1. Actor opens Patient Search (SCR-EHR-001) and locates patient by MRN/Emirates ID/name.
  2. System displays Patient Demographics View/Edit (SCR-EHR-003) with: - Current demographics and change history. - Highlighting of previously modified fields.
  3. Actor initiates “Edit” mode; system checks: - For portal users, restricts editable fields (contact info, address, emergency contacts, insurance).
  4. Actor updates relevant fields: - Address, PO Box, emirate, mobile, email, emergency contacts, insurance details, next-of-kin.
  5. System validates: - Emirates ID format (if changed). - Mobile number format (+971 5X XXX XXXX). - Email syntax.
  6. Decision: Critical fields changed? (name, DOB, Emirates ID, gender)
    - If yes, system flags update as “critical change” requiring Senior Clerk approval. - If no, change can be auto-approved.
  7. System creates new patient_demographics row with updated values and effective_date = now; previous row remains for history.
  8. System updates patient_identifiers if Emirates ID, passport, or insurance member ID changed: - Inserts new identifier rows with is_primary flags and expiry of old identifiers.
  9. For portal-initiated changes: - System sets status “pending approval” for critical changes; visible to Senior Clerk work queue.
  10. Senior Registration Clerk reviews pending critical changes:
    • Compares before/after values, may request supporting documents (e.g., updated Emirates ID scan).
    • Approves or rejects change.
  11. Upon approval:
    • System finalizes changes (if not already applied) and logs approval in audit_log.
  12. System sends ADT A08 (update) to:
    • NABIDH/Malaffi (INT-EHR-001/002).
    • Scheduling and Billing modules (INT-EHR-003/004).
  13. System logs full before/after snapshots for each changed field in audit_log.

Data Modified:

  • patient_demographics — INSERT (new snapshot)
  • patient_identifiers — INSERT/UPDATE (new identifiers, mark old as non-primary/expired)
  • patient_documents — INSERT (if new ID/insurance scans uploaded)
  • audit_log — INSERT (field-level change records, approvals)

Mermaid Flowchart

flowchart TD A["Trigger: Patient reports change<br/>or portal login"] --> B["Search & open patient record"] B --> C["Open Demographics View/Edit"] C --> D["User edits allowed fields"] D --> E["Validate Emirates ID, mobile, email"] E --> F{"Validation passed?"} F -->|"No"| F1["Show errors<br/>Prevent save"] F1 --> D F -->|"Yes"| G{"Critical fields changed?"} G -->|"No"| H["Create new demographics snapshot<br/>Update identifiers"] G -->|"Yes"| I["Mark as pending approval<br/>Route to Senior Clerk"] I --> J["Senior Clerk reviews changes"] J --> K{"Approve?"} K -->|"No"| K1["Reject changes<br/>Notify originator"] K1 --> Z["End"] K -->|"Yes"| L["Apply/confirm changes<br/>Update identifiers"] H --> M L --> M["Log before/after in audit_log"] M --> N["Send ADT A08 to NABIDH/Malaffi<br/>Notify Scheduling/Billing"] N --> Z["End"]

Decision Points

  1. Validation passed? - If no → user must correct invalid Emirates ID/mobile/email before saving.
  2. Critical fields changed? - If yes → require Senior Clerk approval; changes may be staged as pending. - If no → auto-apply changes.
  3. Senior Clerk approval? - If approved → finalize changes and propagate downstream. - If rejected → revert pending changes; notify originator (clerk or patient).

Integration Points

  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • ADT A08 messages with updated demographics.
  • Scheduling (INT-EHR-003)
  • Updated demographics for appointment communications.
  • Billing & Claims (INT-EHR-004)
  • Updated insurance details for claim accuracy.
  • Patient Portal (INT-EHR-006)
  • FHIR Patient updates initiated by patient; status flags for pending approval.

Exception Handling

  • Invalid Emirates ID or mobile:
  • System blocks save; displays field-level error messages.
  • Portal user attempts to change restricted fields (e.g., DOB):
  • System disallows direct change; offers “request correction” workflow (logged for HIM review).
  • HIE update failure:
  • ADT A08 queued; retries with backoff; integration admin alerted on repeated failures.
  • Approval SLA breach (e.g., pending > 48 hours):
  • System escalates to HIM Supervisor via dashboard/notification.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Paper “change of information” forms In-app edit with tracked snapshots and approvals Eliminates manual filing and misfiled forms
Manual chart annotations for demographic changes Versioned patient_demographics records with effective dates Clear history for audits and medico-legal review
Physical copies of updated IDs Scanned images linked to identifiers Quick verification, no physical storage required
Phone-based updates without documentation Portal self-service with full audit trail Improves accuracy and patient engagement

Remaining Paper Touchpoints: None — fully digital for facilities using scanners and portal; optional printed confirmation receipts if desired.

Inputs and Outputs

Inputs:

Source Data Element Format
Registration Clerk / Patient (Portal) Updated demographic fields (address, mobile, email, insurance, emergency contacts) SCR-EHR-003 edit form or FHIR Patient PATCH
EHR Current patient record and change history patients, patient_demographics, patient_identifiers tables
Senior Registration Clerk Approval/rejection for critical field changes SCR-EHR-003 approval queue
Patient Supporting documents (e.g., updated Emirates ID scan) Scanned upload

Outputs:

Destination Data Element Format
patient_demographics New demographic snapshot with effective date SQL INSERT
patient_identifiers Updated/new identifier rows SQL INSERT/UPDATE
patient_documents New ID/insurance scans (if uploaded) SQL INSERT + file storage
audit_log Field-level before/after change records and approvals SQL INSERT
NABIDH / Malaffi (INT-EHR-001/002) ADT A08 demographic update HL7 v2.5.1 over MLLP/TLS
Scheduling (INT-EHR-003) Updated demographics for appointment communications Internal REST API
Billing & Claims (INT-EHR-004) Updated insurance details Internal REST API

Post-conditions:

  • New patient_demographics snapshot exists with effective date and previous snapshot preserved
  • Critical field changes approved by Senior Clerk (if applicable)
  • ADT A08 transmitted to HIE and downstream modules
  • Full audit trail with before/after values for every changed field

SLA and Timing

Step Target Time Escalation Measurement Source
Non-critical update (clerk-initiated) < 5 minutes None — clerk workflow audit_log.created_at
Critical change approval (Senior Clerk) < 48 hours Escalate to HIM Supervisor at 48h audit_log.pending_approval_since
Portal-initiated update processing < 24 hours for critical; immediate for non-critical Dashboard alert for pending items audit_log.created_at
ADT A08 transmission to HIE < 5 seconds Retry queue; alert integration admin after 10 min integration_message_log.sent_at
Downstream module notification (Scheduling, Billing) < 5 seconds Alert IT if > 30s integration_message_log.sent_at

Note: Demographics updates modify the existing patient record through versioned snapshots. No separate state diagram is required; the update follows a linear path from edit to validation to approval (if critical) to propagation.

WF-EHRPATIENTMGMT-003: Patient Merge / Duplicate Resolution (MPI)

Process Flow

Actor: Medical Records Officer (MRO), HIM Supervisor
Trigger: System flags potential duplicates via MPI algorithm or staff reports duplicate MRNs
Pre-conditions:

  • Duplicate candidates exist in duplicate_suspects with status “new” or “in review”.
  • MRO authenticated with merge_records; HIM Supervisor with approve_merges.
  1. MRO opens Duplicate Resolution screen (SCR-EHR-010) and views duplicate_suspects list.
  2. MRO selects a suspect pair; system loads side-by-side comparison: - patients, patient_demographics, patient_identifiers, key encounter counts.
  3. MRO reviews identifiers (Emirates ID, passport, mobile, address, insurance) and clinical context.
  4. Decision: Are records duplicates?
    - If no, MRO marks suspect as “not duplicate” with reason; workflow ends.
    - If yes, proceed to select surviving record.
  5. MRO selects “primary/surviving” patient record and “secondary/to be merged” record.
  6. System generates merge preview: - Lists all linked entities to secondary patient: encounters, orders, results, clinical_notes, patient_documents, patient_allergies, patient_problems, patient_consents, etc.
  7. MRO reviews preview, adjusts field-level preferences if supported (e.g., choose preferred address).
  8. MRO submits merge request for approval; status of duplicate_suspects set to “pending_approval”.
  9. HIM Supervisor opens pending merge request, reviews comparison and merge impact.
  10. Decision: Approve merge?
    • If no, marks as “rejected” with reason; no data changes.
    • If yes, approves merge.
  11. System executes merge transactionally:
    • Updates all FKs in owned tables (patient_allergies, patient_problems, clinical_notes, patient_documents, patient_consents, audit_log) from secondary to primary patient_id.
    • Marks secondary patients.is_active = false and stores reference to primary (e.g., merged_into_patient_id).
  12. System updates duplicate_suspects:
    • status = 'resolved', resolution = 'merged', reviewed_by, reviewed_at.
  13. System broadcasts ADT A40 (merge) to:
    • NABIDH/Malaffi (INT-EHR-001/002).
    • Downstream modules via internal ADT (all modules referencing patient).
  14. System generates merge audit report and logs detailed events in audit_log.

Data Modified:

  • patients — UPDATE (secondary record deactivated, merged_into reference)
  • patient_allergies — UPDATE (patient_id)
  • patient_problems — UPDATE (patient_id)
  • clinical_notes — UPDATE (patient_id)
  • patient_documents — UPDATE (patient_id)
  • patient_consents — UPDATE (patient_id)
  • audit_log — INSERT (merge actions)
  • duplicate_suspects — UPDATE (status, resolution, reviewed_by, reviewed_at)

Mermaid Flowchart

flowchart TD A["Start Duplicate Resolution"] --> B["Open suspect pairs list"] B --> C["Select suspect pair"] C --> D["View side-by-side comparison"] D --> E{"Are records duplicates?"} E -->|"No"| F["Mark as not duplicate<br/>Update status"] F --> Z["End"] E -->|"Yes"| G["Select primary & secondary records"] G --> H["Generate merge preview<br/>List linked data"] H --> I["MRO submits merge for approval"] I --> J["HIM Supervisor reviews"] J --> K{"Approve merge?"} K -->|"No"| L["Mark as rejected<br/>Update status"] L --> Z K -->|"Yes"| M["Execute merge<br/>Repoint FKs, deactivate secondary"] M --> N["Update duplicate_suspects to resolved"] N --> O["Send ADT A40 to HIE & downstream"] O --> P["Log detailed merge in audit_log"] P --> Z["End"]

Decision Points

  1. Are records duplicates? - If no → mark suspect as “not duplicate”; no merge. - If yes → proceed to merge workflow.
  2. Approve merge? - If yes → execute merge and propagate. - If no → reject; keep both records active.
  3. Field-level preference (optional): - For conflicting demographics, system may allow choosing which value to keep (e.g., newer address vs older).

Integration Points

  • All downstream modules (via ADT A40)
  • Direction: Outbound
  • Data: Merge information (old MRN → new MRN, patient IDs).
  • Trigger: Successful merge.
  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • ADT A40 messages to maintain HIE MPI consistency.

Exception Handling

  • Merge conflict during FK updates:
  • System performs merge in a database transaction; on error, rolls back and logs incident; marks suspect as “error” for manual investigation.
  • Attempt to merge patients with conflicting Emirates IDs:
  • System enforces additional warning/hard stop; may require documented justification.
  • HIE merge message failure:
  • ADT A40 queued with retries; integration admin alerted; local merge still valid but flagged for reconciliation.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Paper merge request forms routed to HIM Electronic merge request and approval workflow Faster resolution, clear accountability
Manual physical chart consolidation Automated reassignment of all linked data to primary record Eliminates lost documents and misfiled charts
Handwritten notes on old MRNs System-level deactivation with merged_into reference Ensures all users see correct, single patient record
Separate paper logs of merges Structured duplicate_suspects and audit_log entries Supports regulatory audits and quality KPIs

Remaining Paper Touchpoints: None — fully digital.

Inputs and Outputs

Inputs:

Source Data Element Format
duplicate_suspects Candidate pair (patient_id_1, patient_id_2, match_score) SQL row
patients / patient_demographics / patient_identifiers Side-by-side identity and demographic data for each candidate SQL query results
MRO review decision Duplicate confirmed / not duplicate + justification UI form input
HIM Supervisor Merge approval / rejection + comments UI approval action
Linked entity counts Encounters, orders, results, notes, documents per candidate SQL aggregate queries

Outputs:

Destination Data Element Format
patients Secondary record deactivated (is_active = false, merged_into_patient_id) SQL UPDATE
All owned tables (patient_allergies, patient_problems, clinical_notes, patient_documents, patient_consents) FK repointed from secondary to primary patient_id SQL UPDATE (transactional)
duplicate_suspects Status updated to resolved / not_duplicate / rejected SQL UPDATE
audit_log Merge actions with before/after FK mappings SQL INSERT (multiple)
NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002) ADT A40 merge notification HL7 v2.5.1 over MLLP/TLS
Downstream modules (Scheduling, Billing, CPOE, LIS, RIS, PIS) ADT A40 internal merge notification Internal REST API / event bus

Post-conditions:

  • Secondary patient record is deactivated with merged_into_patient_id reference
  • All clinical and administrative records repointed to primary patient
  • duplicate_suspects entry resolved with reviewer and timestamp
  • ADT A40 transmitted to HIE and all downstream modules
  • Full audit trail documenting every FK change and approval decision

SLA and Timing

Step Target Time Escalation Measurement Source
MPI suspect pair review (MRO) < 24 hours from flagging Dashboard alert at 24h; escalate to HIM Supervisor at 48h duplicate_suspects.created_at vs reviewed_at
Side-by-side comparison and decision < 15 minutes per pair None — workflow metric audit_log timestamps
HIM Supervisor approval < 48 hours from submission Escalate to HIM Director at 72h audit_log.pending_approval_since
Merge execution (transactional) < 30 seconds Auto-rollback on timeout; alert DBA audit_log.created_at
ADT A40 to HIE < 5 seconds Retry queue; alert integration admin after 10 min integration_message_log.sent_at
ADT A40 to downstream modules < 5 seconds Alert IT if > 30s integration_message_log.sent_at

State Transition Diagram

stateDiagram-v2 [*] --> New : MPI algorithm flags suspect pair New --> InReview : MRO opens suspect pair InReview --> NotDuplicate : MRO determines records are distinct InReview --> PendingApproval : MRO confirms duplicate & submits merge request PendingApproval --> Rejected : HIM Supervisor rejects merge PendingApproval --> Approved : HIM Supervisor approves merge Rejected --> [*] NotDuplicate --> [*] Approved --> MergeExecuting : System begins transactional merge MergeExecuting --> Resolved : All FKs repointed, secondary deactivated MergeExecuting --> MergeError : Transaction failure (auto-rollback) MergeError --> InReview : MRO re-investigates after error resolution Resolved --> HIENotified : ADT A40 sent to NABIDH/Malaffi & downstream HIENotified --> [*]

WF-EHRPATIENTMGMT-004: Allergy Documentation

Process Flow

Actor: Physician, Nurse, Pharmacist
Trigger: Patient encounter (admission, clinic visit, ED) requiring allergy review; new allergy reported
Pre-conditions:

  • Patient and encounter context established.
  • Actor has manage_allergies permission.
  1. Clinician opens Allergy Management screen (SCR-EHR-005) from patient chart.
  2. System displays current allergy list from patient_allergies: - Active, inactive, entered-in-error, and NKA/NKDA flags.
  3. Clinician reviews existing entries with patient; updates status if needed (e.g., resolved, entered-in-error).
  4. Decision: New allergy or intolerance to add?
    - If no, clinician may confirm “reviewed” and exit.
    - If yes, proceed to add.
  5. Clinician searches allergen: - Drug allergens via RxNorm; food/environmental via SNOMED CT. - System suggests common allergens and maps codes to allergen_code / allergen_system.
  6. Clinician selects allergen and records: - Reaction type (allergy vs intolerance vs adverse event). - Severity (mild, moderate, severe, life-threatening). - Manifestation (coded SNOMED term, e.g., rash, anaphylaxis). - Onset date, verification status (confirmed, unconfirmed), reporter.
  7. System validates required fields and checks for duplicates (same allergen + similar reaction).
  8. Decision: Duplicate or near-duplicate found?
    - If yes, system prompts to update existing entry instead of creating new.
    - If no, proceed to save.
  9. System inserts new row into patient_allergies linked to current encounter_id and entered_by.
  10. If clinician records NKA/NKDA:
    • System inserts special-coded entries or flags in patient_allergies to represent NKA/NKDA status.
  11. System updates patient chart:
    • Allergy banner, CPOE CDS context (via INT-EHR-005), and risk alerts.
  12. System logs action in audit_log (add/update, old/new values).

Data Modified:

  • patient_allergies — INSERT/UPDATE
  • audit_log — INSERT

Mermaid Flowchart

flowchart TD A["Open Allergy Management"] --> B["Display current allergy list"] B --> C["Review with patient"] C --> D{"New allergy to add?"} D -->|"No"| E["Mark allergy list as reviewed<br/>Log in audit_log"] E --> Z["End"] D -->|"Yes"| F["Search allergen (RxNorm/SNOMED)"] F --> G["Select allergen & enter details<br/>reaction, severity, manifestation"] G --> H["Validate required fields"] H --> I{"Validation ok?"} I -->|"No"| I1["Show errors<br/>Return to edit"] I1 --> G I -->|"Yes"| J["Check for duplicate/near-duplicate"] J --> K{"Duplicate found?"} K -->|"Yes"| L["Prompt to update existing entry"] L --> M["Update existing allergy record"] M --> N["Update CDS context & chart banner"] N --> O["Log change in audit_log"] O --> Z["End"] K -->|"No"| P["Insert new allergy record"] P --> N

Decision Points

  1. New allergy to add? - If no → mark list as reviewed; no new entries.
  2. Validation ok? - If no → user must complete mandatory fields.
  3. Duplicate found? - If yes → encourage updating existing entry to avoid clutter and confusion.

Integration Points

  • CPOE (INT-EHR-005)
  • Direction: Outbound
  • Data: Updated allergy list for CDS (drug-allergy checks).
  • Trigger: Insert/update in patient_allergies.
  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • Direction: Outbound
  • Data: Allergy updates in ADT or CDA/clinical document payloads.
  • Trigger: Allergy list changes, note signing.

Exception Handling

  • Terminology service unavailable (RxNorm/SNOMED):
  • System allows free-text allergen entry with local code; flags for later normalization.
  • Conflicting NKA vs existing allergies:
  • System prevents setting NKA/NKDA if active allergies exist; requires deactivation or clarification.
  • Allergy entered in error:
  • Clinician can mark as “entered-in-error”; system retains record but excludes from CDS.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Handwritten allergy stickers on paper charts Structured patient_allergies records with coded allergens Enables automated CDS and HIE sharing
Verbal-only allergy communication Persistent, visible allergy banner in EHR Reduces risk of missed allergies
Paper allergy bands updated manually Electronic alerts integrated with CPOE and MAR Supports safer ordering and administration

Remaining Paper Touchpoints: Physical allergy wristbands may still be used at bedside but are driven by digital data.

Inputs and Outputs

Inputs:

Source Data Element Format
patient_allergies Current allergy list (active, inactive, NKA/NKDA flags) SQL query results
Clinician input Allergen selection, reaction type, severity, manifestation, onset date UI form input
RxNorm terminology service Drug allergen lookup and coding REST API / terminology service
SNOMED CT terminology service Food/environmental allergen and manifestation coding REST API / terminology service
Patient / caregiver report Allergy history and reaction description Verbal → structured entry

Outputs:

Destination Data Element Format
patient_allergies New or updated allergy record with coded allergen, reaction, severity SQL INSERT / UPDATE
audit_log Add/update/review actions with before/after values SQL INSERT
CPOE CDS context (INT-EHR-005) Updated allergy list for drug-allergy interaction checks Internal REST API / event
Patient chart Allergy banner update UI refresh
NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002) Allergy updates in ADT or CDA clinical document HL7 v2.5.1 / FHIR AllergyIntolerance

Post-conditions:

  • patient_allergies reflects current, coded allergy status with full provenance
  • CPOE CDS context updated for real-time drug-allergy checking
  • Allergy banner in patient chart reflects latest data
  • Full audit trail for every allergy add, update, or status change

SLA and Timing

Step Target Time Escalation Measurement Source
Allergy list display on chart open < 2 seconds Performance alert if > 5s Application performance monitoring
Allergen search (RxNorm/SNOMED) < 3 seconds per query Fallback to free-text if service unavailable Terminology service response log
Save new allergy record < 2 seconds None — system operation patient_allergies.created_at
CDS context propagation to CPOE < 5 seconds Alert IT if > 30s integration_message_log.sent_at
HIE allergy update transmission < 5 seconds Retry queue; alert integration admin after 10 min integration_message_log.sent_at

Note: Allergy documentation is a linear data-entry workflow that adds or updates individual records. No separate entity lifecycle or state diagram is required.

WF-EHRPATIENTMGMT-005: Problem List Management

Process Flow

Actor: Physician
Trigger: New diagnosis, encounter assessment, periodic problem list review
Pre-conditions:

  • Patient and encounter context established.
  • Physician has manage_problem_list permission.
  1. Physician opens Problem List screen (SCR-EHR-006) from patient chart.
  2. System displays current active and resolved problems from patient_problems with ICD-10-AM and SNOMED codes.
  3. Physician reviews list with patient; identifies outdated or incorrect entries.
  4. Decision: New problem to add?
    - If no, physician may update statuses or priorities and exit.
    - If yes, proceed to add.
  5. Physician searches for problem: - Free-text search mapped to ICD-10-AM and SNOMED CT via terminology service.
  6. Physician selects appropriate coded problem and enters attributes: - Onset date, status (active, resolved, ruled out), priority (chronic, acute, high-risk), treating provider.
  7. Physician links problem to current encounter and optionally to supporting evidence (labs, imaging, notes).
  8. System validates coding completeness (ICD-10-AM required; SNOMED optional but recommended).
  9. Decision: Problem already exists as active?
    - If yes, system suggests updating existing entry (e.g., adjust priority or add evidence) instead of creating duplicate.
    - If no, proceed to save.
  10. System inserts or updates patient_problems row with entered_by and encounter_id.
  11. Physician may resolve/inactivate problems:
    • Sets status = resolved and resolved_date, with reason (e.g., condition resolved, misdiagnosis).
  12. System updates:
    • Problem list view, CPOE indication-based ordering context, and case management flags.
  13. System logs all changes in audit_log.

Data Modified:

  • patient_problems — INSERT/UPDATE
  • audit_log — INSERT

Mermaid Flowchart

flowchart TD A["Open Problem List"] --> B["Display active/resolved problems"] B --> C["Review with patient"] C --> D{"New problem to add?"} D -->|"No"| E["Update statuses/priorities as needed"] E --> F["Save updates<br/>Log in audit_log"] F --> Z["End"] D -->|"Yes"| G["Search diagnosis (ICD-10-AM/SNOMED)"] G --> H["Select problem & enter attributes"] H --> I["Validate coding & required fields"] I --> J{"Validation ok?"} J -->|"No"| J1["Show errors<br/>Return to edit"] J1 --> H J -->|"Yes"| K["Check for existing active problem"] K --> L{"Active problem already exists?"} L -->|"Yes"| M["Prompt to update existing problem"] M --> N["Update existing problem record"] N --> P["Refresh problem list & CDS context"] P --> Q["Log change in audit_log"] Q --> Z["End"] L -->|"No"| O["Insert new problem record"] O --> P

Decision Points

  1. New problem to add? - If no → only updates to existing problems.
  2. Validation ok? - If no → enforce ICD-10-AM coding and required attributes.
  3. Active problem already exists? - If yes → encourage updating instead of duplicating.

Integration Points

  • CPOE (INT-EHR-005)
  • Direction: Outbound
  • Data: Updated problem list for indication-based ordering and CDS.
  • Trigger: Problem list changes.
  • Billing & Claims (INT-EHR-004)
  • Direction: Outbound
  • Data: ICD-10-AM codes for encounters.
  • Trigger: Problem list updates linked to encounters.
  • Case Management / Chronic Disease Programs
  • Direction: Outbound (internal)
  • Data: Chronic problem flags and priorities.

Exception Handling

  • Terminology service unavailable:
  • System allows temporary free-text problem with local code; flags for later coding.
  • Conflicting statuses (e.g., same problem active and resolved):
  • System warns and suggests consolidating entries.
  • Problem entered in error:
  • Physician can mark as “entered-in-error”; system retains record but excludes from active lists.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Handwritten problem lists on chart covers Structured, coded patient_problems table Supports analytics, billing, and CDS
Manual updates with strike-throughs Versioned updates with onset/resolution dates Clear longitudinal view of patient conditions
Separate paper lists for chronic disease registries Electronic flags and reports Facilitates population health management

Remaining Paper Touchpoints: None — fully digital.

Inputs and Outputs

Inputs:

Source Data Element Format
patient_problems Current active and resolved problem list with ICD-10-AM/SNOMED codes SQL query results
Physician input Diagnosis selection, onset date, status, priority, treating provider UI form input
ICD-10-AM terminology service Diagnosis code lookup and validation REST API / terminology service
SNOMED CT terminology service Clinical finding mapping REST API / terminology service
Supporting evidence (labs, imaging, notes) Linkable references for problem substantiation Internal references

Outputs:

Destination Data Element Format
patient_problems New or updated problem record with coded diagnosis, status, priority SQL INSERT / UPDATE
audit_log Add/update/resolve actions with before/after values SQL INSERT
CPOE CDS context (INT-EHR-005) Updated problem list for indication-based ordering Internal REST API / event
Billing & Claims (INT-EHR-004) ICD-10-AM codes linked to encounters Internal REST API
Case Management Chronic problem flags and priority changes Internal REST API / event
Patient chart Problem list view refresh UI refresh

Post-conditions:

  • patient_problems reflects current, coded problem status with full provenance
  • CPOE CDS context updated for indication-based ordering support
  • Billing module notified of ICD-10-AM codes for encounter coding
  • Chronic disease registries and case management flags updated
  • Full audit trail for every problem add, update, resolve, or status change

SLA and Timing

Step Target Time Escalation Measurement Source
Problem list display on chart open < 2 seconds Performance alert if > 5s Application performance monitoring
Diagnosis search (ICD-10-AM/SNOMED) < 3 seconds per query Fallback to free-text if service unavailable Terminology service response log
Save new/updated problem record < 2 seconds None — system operation patient_problems.updated_at
CDS context propagation to CPOE < 5 seconds Alert IT if > 30s integration_message_log.sent_at
Billing notification of ICD-10-AM codes < 5 seconds Alert IT if > 30s integration_message_log.sent_at

Note: Problem list management is a linear data-entry workflow that adds, updates, or resolves individual problem records. No separate entity lifecycle or state diagram is required.

WF-EHRPATIENTMGMT-006: Clinical Notes / Documentation

Process Flow

Actor: Physician, Nurse, Allied Health Professional
Trigger: Patient encounter requires documentation (H&P, progress note, discharge summary, nursing assessment, consultation)
Pre-conditions:

  • Patient and encounter context established.
  • User has appropriate documentation permissions (document_notes, document_nursing_notes, etc.).
  1. Clinician opens Clinical Notes screen (SCR-EHR-007) from patient chart.
  2. System prompts for note type (H&P, progress, discharge, nursing, allied health) and template.
  3. Clinician selects template; system loads structured sections and auto-populates: - Demographics, vitals, medications, allergies, problem list, recent results.
  4. Clinician documents: - Structured fields (e.g., ROS, physical exam) and free-text narrative; may use voice-to-text and smart phrases.
  5. Clinician may link note to specific problems, orders, or procedures.
  6. System validates: - Required sections completed for note type (e.g., discharge summary must include diagnosis, medications, follow-up).
  7. Decision: Save as draft or sign?
    - If draft, note remains editable; status = “draft”.
    - If sign, proceed to signature workflow.
  8. For signing: - System confirms user identity and checks sign_notes permission. - For trainees, system may require co-signature by supervising physician.
  9. Clinician signs note electronically: - System sets status = 'signed', records signed_by, signed_datetime.
  10. Decision: Co-signature required?
    • If yes, system notifies cosigner and sets cosigner_id pending.
    • If no, note considered final.
  11. After signing, note content becomes immutable; corrections require addendum:
    • New clinical_notes row with addendum_of referencing original.
  12. System:
    • Updates patient chart timeline.
    • Generates CDA or FHIR DocumentReference for HIE (NABIDH/Malaffi) where applicable.
  13. System logs all actions (create, edit, sign, addendum) in audit_log.

Data Modified:

  • clinical_notes — INSERT/UPDATE
  • audit_log — INSERT

Mermaid Flowchart

flowchart TD A["Open Clinical Notes"] --> B["Select note type & template"] B --> C["Auto-populate demographics, vitals, meds, problems"] C --> D["Enter structured & free-text content"] D --> E["Validate required sections"] E --> F{"Validation ok?"} F -->|"No"| F1["Highlight missing sections<br/>Return to edit"] F1 --> D F -->|"Yes"| G{"Save as draft or sign?"} G -->|"Draft"| H["Save note as draft<br/>status = draft"] H --> Z["End"] G -->|"Sign"| I["Check sign_notes permission"] I --> J["Apply electronic signature<br/>status = signed"] J --> K{"Co-signature required?"} K -->|"Yes"| L["Set cosigner_id<br/>Notify supervisor"] L --> M["Note final after co-sign"] K -->|"No"| M["Note final"] M --> N["Generate CDA/FHIR document for HIE"] N --> O["Log actions in audit_log"] O --> Z["End"]

Decision Points

  1. Validation ok? - If no → enforce completion of mandatory sections.
  2. Save as draft or sign? - Draft → editable; Signed → immutable.
  3. Co-signature required? - Based on user role, note type, and facility policy.

Integration Points

  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • Direction: Outbound
  • Data: CDA clinical documents or FHIR resources representing signed notes.
  • Trigger: Note signed.
  • CPOE / RIS / LIS
  • Direction: Internal
  • Data: Notes may reference orders/results; no direct write-back but used for context.

Exception Handling

  • Attempt to edit signed note:
  • System blocks direct edits; offers addendum workflow.
  • HIE document submission failure:
  • CDA/FHIR document queued; retries; integration admin alerted if persistent.
  • Signature failure (session timeout):
  • User prompted to re-authenticate before signing.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Handwritten progress notes and H&P forms Structured electronic notes with templates Improves legibility and completeness
Dictation tapes and manual transcription Direct entry with voice-to-text and smart phrases Reduces turnaround time and cost
Paper discharge summaries sent by fax CDA/FHIR documents shared via NABIDH/Malaffi Enhances continuity of care across facilities

Remaining Paper Touchpoints: Printed discharge summaries may still be provided to patients who request paper copies.

Inputs and Outputs

Inputs:

Source Data Element Format
Clinician selection Note type (H&P, progress, discharge, nursing, allied health) and template UI form input
Auto-populated data Demographics, vitals, medications, allergies, problem list, recent results SQL query results (from multiple tables)
Clinician documentation Structured fields (ROS, exam), free-text narrative, voice-to-text UI form input / voice capture
Problem/order linkages References to patient_problems, orders, procedures Internal references
Cosigner identity (if required) Supervising physician for trainee notes providers lookup

Outputs:

Destination Data Element Format
clinical_notes New note record (draft or signed) with structured and narrative content SQL INSERT / UPDATE
clinical_notes (addendum) Addendum row referencing original note SQL INSERT
audit_log Create, edit, sign, co-sign, addendum actions SQL INSERT
NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002) CDA clinical document or FHIR DocumentReference HL7 CDA / FHIR R4
Patient chart timeline Updated note listing UI refresh

Post-conditions:

  • Signed note is immutable; corrections require addendum
  • CDA/FHIR document generated and queued for HIE submission (for signed notes)
  • Co-signature workflow initiated if required by role/note type
  • Full audit trail for every note lifecycle event

SLA and Timing

Step Target Time Escalation Measurement Source
Template load and auto-population < 3 seconds Performance alert if > 10s Application performance monitoring
Draft save < 2 seconds None — system operation clinical_notes.updated_at
Electronic signature processing < 2 seconds Re-authentication prompt if session expired clinical_notes.signed_datetime
Co-signature completion < 24 hours Dashboard alert to cosigner at 24h; escalate to department head at 48h clinical_notes.cosigned_datetime
CDA/FHIR document submission to HIE < 30 seconds Retry queue; alert integration admin after 10 min integration_message_log.sent_at
Discharge summary completion (for discharge encounters) Before patient leaves facility Alert attending physician if unsigned at discharge clinical_notes.signed_datetime vs encounters.discharge_datetime

Note: Clinical notes follow a simple linear lifecycle (Draft → Signed → optionally Addendum). This progression is managed through the status field on clinical_notes and does not warrant a separate state diagram.

WF-EHRPATIENTMGMT-007: Document Management (Scanned/Uploaded)

Process Flow

Actor: Medical Records Clerk, Nurse, Patient (via Portal)
Trigger: External documents received (referral letters, outside records, consent forms), patient uploads via portal
Pre-conditions:

  • Patient exists in patients.
  • Scanners and upload endpoints available.
  • User has scan_documents or upload_documents permission.
  1. User opens Document Management screen (SCR-EHR-008) for selected patient.
  2. User clicks “Scan/Upload” and selects source: - Scanner (for paper), file upload (PDF, image), or portal upload.
  3. System prompts for metadata: - Document type (from master data), title/description, document date, source (external provider, patient), language.
  4. User optionally links document to specific encounter.
  5. System validates: - File type (PDF, JPEG, PNG, TIFF), size limits, required metadata.
  6. Decision: Validation passed?
    - If no, system shows errors and prevents upload.
    - If yes, proceed.
  7. System stores file in secure repository and creates patient_documents row: - file_path, mime_type, file_size, upload_date, uploaded_by, document_type, encounter_id.
  8. System triggers OCR (Arabic + English) for text-extractable formats: - Stores OCR text in ocr_text field.
  9. Decision: Clinical relevance review required? (e.g., external reports)
    - If yes, system routes document to responsible provider’s review queue.
    - If no, document immediately visible in chart.
  10. Provider reviews document (if required) and may:
    • Mark as “reviewed”, add note, or link to specific problems.
  11. System applies retention policy:
    • Sets retention_date based on document type and UAE regulations/facility policy.
  12. System logs all actions in audit_log.

Data Modified:

  • patient_documents — INSERT/UPDATE
  • audit_log — INSERT

Mermaid Flowchart

flowchart TD A["Open Document Management"] --> B["Click Scan/Upload"] B --> C["Select source & file"] C --> D["Enter metadata<br/>type, date, source, encounter"] D --> E["Validate file & metadata"] E --> F{"Validation passed?"} F -->|"No"| F1["Show errors<br/>Prevent upload"] F1 --> D F -->|"Yes"| G["Store file & create patient_documents row"] G --> H["Run OCR (EN/AR)"] H --> I{"Clinical review required?"} I -->|"Yes"| J["Route to provider review queue"] J --> K["Provider reviews & marks status"] K --> L["Apply retention policy"] I -->|"No"| L["Apply retention policy"] L --> M["Log actions in audit_log"] M --> Z["End"]

Decision Points

  1. Validation passed? - If no → user must correct metadata or file issues.
  2. Clinical review required? - Based on document type; e.g., external clinical reports require review.
  3. Provider review outcome (implicit): - May influence how document is displayed or linked in chart.

Integration Points

  • Patient Portal (INT-EHR-006)
  • Direction: Bidirectional
  • Data: Patient-uploaded documents and provider-reviewed status.
  • Trigger: Portal upload or provider review.
  • NABIDH
  • Direction: Outbound
  • Data: Certain document types may be shared as CDA or PDF attachments.
  • Trigger: Document classification and facility policy.

Exception Handling

  • Unsupported file type or oversized file:
  • System rejects upload with clear message and allowed formats.
  • OCR failure:
  • System logs error; document remains available without searchable text.
  • Accidental upload to wrong patient:
  • User with appropriate permission can reassign document to correct patient; action fully audited.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Physical filing cabinets with paper records Centralized digital repository (patient_documents) Reduces storage costs and retrieval time
Manual chart transport between departments Instant electronic access from any location Improves care coordination
Paper-based external reports stored in separate folders Integrated into patient chart with OCR search Enhances information availability and searchability

Remaining Paper Touchpoints: Incoming paper documents from external providers; these are scanned at point of receipt and not retained beyond required archival policies.

Inputs and Outputs

Inputs:

Source Data Element Format
User action Scan, file upload, or portal upload trigger UI action
File source Document file (PDF, JPEG, PNG, TIFF) Binary file
User input Document type, title, date, source, language, encounter linkage UI form input
Master data Document type catalog with retention rules document_types lookup
Patient Portal (INT-EHR-006) Patient-uploaded documents REST API / file upload

Outputs:

Destination Data Element Format
Secure file repository Stored document file Binary file (encrypted at rest)
patient_documents Metadata row (file_path, mime_type, file_size, document_type, OCR text) SQL INSERT
audit_log Upload, review, reassignment actions SQL INSERT
Provider review queue Routing notification for clinical review (if required) Internal notification
NABIDH (selected document types) CDA or PDF attachment for HIE sharing HL7 CDA / attachment

Post-conditions:

  • Document securely stored with full metadata and encounter linkage
  • OCR text extracted and searchable (for text-extractable formats)
  • Clinical review routed if document type requires provider review
  • Retention date set based on document type and UAE regulatory policy
  • Full audit trail for upload, review, and any reassignment

SLA and Timing

Step Target Time Escalation Measurement Source
File upload and storage < 10 seconds (for files up to 25 MB) Alert IT if storage service unavailable patient_documents.upload_date
Metadata validation < 2 seconds None — immediate UI feedback Application log
OCR processing < 60 seconds per page Log OCR failure; document remains available without text OCR service log
Clinical review routing < 1 minute after upload None — automatic patient_documents.review_status
Provider review completion < 48 hours Dashboard alert at 48h; escalate to department head at 72h patient_documents.reviewed_at

Note: Document management is a linear upload-and-review workflow. No separate entity lifecycle or state diagram is required.

Process Flow

Actor: Registration Clerk, Nurse, Patient (via Portal), HIM Supervisor, Privacy Officer
Trigger: Registration, procedure scheduling, data sharing with HIE, PDPL data processing requirements
Pre-conditions:

  • Patient exists in patients.
  • Consent templates configured in master data (general treatment, PDPL data processing, HIE sharing, procedure-specific).
  1. User opens Consent Management screen (SCR-EHR-009) for patient.
  2. System lists existing consents from patient_consents with type, scope, status, expiry.
  3. User selects consent type to obtain: - General treatment, PDPL data processing, specific procedure, HIE data sharing, research (if applicable).
  4. System presents consent form: - In patient’s preferred language (Arabic/English), using configured template.
  5. User explains consent; patient reviews on tablet/terminal or via portal.
  6. Patient provides electronic signature: - On-screen signature pad, or OTP-based confirmation for portal.
  7. System captures: - signature_data, signature_method, granted_datetime, consent_scope, witness_id (if required).
  8. System inserts new patient_consents row and stores signed document in patient_documents (linked by consent_id).
  9. System evaluates expiry rules: - Sets expiry_datetime based on consent type (e.g., general treatment valid for episode; PDPL consent until withdrawn).
  10. Decision: Existing conflicting consent? (e.g., previous refusal for HIE sharing)
    • If yes, system marks previous consent as superseded or withdrawn per policy.
  11. System updates consent indicators in patient chart and access control logic:
    • E.g., restrict HIE sharing if consent not granted.
  12. Patient may later withdraw consent:
    • User records withdrawal with withdrawn_datetime and withdrawal_reason.
    • System updates status and triggers downstream impact assessment (e.g., stop sending to HIE).
  13. System logs all consent events in audit_log.

Data Modified:

  • patient_consents — INSERT/UPDATE
  • patient_documents — INSERT (signed consent file)
  • audit_log — INSERT

Mermaid Flowchart

flowchart TD A["Open Consent Management"] --> B["View existing consents"] B --> C["Select consent type to obtain"] C --> D["Display consent form<br/>in preferred language"] D --> E["Patient reviews & provides e-signature"] E --> F["Create patient_consents record<br/>Store signature & metadata"] F --> G["Store signed document in patient_documents"] G --> H["Set expiry based on consent type"] H --> I{"Conflicting prior consent?"} I -->|"Yes"| J["Mark prior consent superseded/withdrawn"] J --> K["Update consent indicators & access rules"] I -->|"No"| K["Update consent indicators & access rules"] K --> L["Log event in audit_log"] L --> Z["End"] %% Withdrawal path B --> M["Select existing consent to withdraw"] M --> N["Record withdrawal reason & datetime"] N --> O["Update consent status"] O --> K

Decision Points

  1. Conflicting prior consent? - If yes → supersede or withdraw older consent to avoid ambiguity.
  2. Withdrawal requested? (alternate path) - If yes → update status and adjust access/sharing rules.

Integration Points

  • Patient Portal (INT-EHR-006)
  • Direction: Bidirectional
  • Data: Consent records and digital signatures; patient-initiated consent/withdrawal.
  • Trigger: Portal interactions.
  • NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002)
  • Direction: Outbound
  • Data: Consent status may influence which data is shared.
  • Trigger: Consent grant/withdrawal.
  • Billing & Claims (INT-EHR-004)
  • Direction: Outbound
  • Data: Certain consents (e.g., release of information) may affect claim attachments.

Exception Handling

  • Patient declines consent:
  • System records status “declined” with reason; may restrict services or data sharing per facility policy; staff alerted.
  • Signature capture failure (device issue):
  • System allows fallback to OTP-based consent or defers consent with clear flag.
  • Regulatory change in consent templates:
  • HIM Supervisor updates templates; system may prompt re-consent for affected patients.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
Multiple paper consent forms per admission Digital consent templates with e-signature Reduces paperwork and storage
Physical storage of signed forms in folders patient_consents + patient_documents with retention rules Easier retrieval and audit
Manual tracking of consent expiry Automated expiry dates and alerts Supports PDPL and local regulatory compliance
Verbal consent without documentation Structured, timestamped records with signatures Stronger medico-legal protection

Remaining Paper Touchpoints: Optional printed copies of signed consents for patient; not required for system operation.

Inputs and Outputs

Inputs:

Source Data Element Format
patient_consents Existing consent records (type, scope, status, expiry) SQL query results
Master data Consent templates (general treatment, PDPL, HIE sharing, procedure-specific) consent_templates lookup
User selection Consent type to obtain or withdraw UI form input
Patient Electronic signature (on-screen pad or OTP) Signature capture / OTP verification
Witness (if required) Witness identity confirmation users / providers lookup
Patient Portal (INT-EHR-006) Patient-initiated consent or withdrawal REST API

Outputs:

Destination Data Element Format
patient_consents New consent record with signature, scope, expiry, status SQL INSERT
patient_consents Prior conflicting consent marked superseded/withdrawn SQL UPDATE
patient_documents Signed consent document (PDF with signature) SQL INSERT + file storage
audit_log Consent grant, withdrawal, supersede actions SQL INSERT
Access control logic Consent indicators for HIE sharing, data processing restrictions Internal rule evaluation
NABIDH / Malaffi (INT-EHR-001 / INT-EHR-002) Consent status influencing data sharing HL7 / FHIR Consent resource
Billing & Claims (INT-EHR-004) Release-of-information consent status Internal REST API

Post-conditions:

  • Active consent recorded with digital signature, scope, and expiry
  • Any conflicting prior consents superseded or withdrawn
  • Access control and HIE sharing rules updated based on consent status
  • Signed consent document stored in patient documents
  • Full audit trail for consent lifecycle events

SLA and Timing

Step Target Time Escalation Measurement Source
Consent form presentation (template load) < 3 seconds Performance alert if > 10s Application performance monitoring
Signature capture and validation < 30 seconds Device fallback if capture fails patient_consents.granted_datetime
Consent record creation < 2 seconds None — system operation patient_consents.created_at
Access control rule update < 5 seconds Alert IT if rules not applied Access control service log
Portal-initiated consent processing < 1 minute Alert registration if OTP fails patient_consents.created_at
Consent expiry evaluation (batch) Daily at 02:00 Alert HIM if batch job fails Scheduler log

Note: Consent management follows a linear lifecycle (Pending → Active → Expired/Withdrawn/Superseded). This progression is managed through the status and expiry_datetime fields on patient_consents and does not warrant a separate state diagram.

WF-EHRPATIENTMGMT-009: Patient Record Access / Break-the-Glass (BTG)

Process Flow

Actor: All Clinical Users (Physician, Nurse, Allied Health), Privacy Officer
Trigger: Clinician attempts to access patient record without normal care relationship (e.g., emergency, on-call consult)
Pre-conditions:

  • User authenticated with clinical role.
  • RBAC and patient-provider relationship rules configured.
  • BTG policy defined by Privacy Officer.
  1. Clinician searches for patient and attempts to open chart.
  2. System evaluates access: - Checks user roles, assigned patients, current encounters, and consent restrictions.
  3. Decision: Normal access allowed?
    - If yes, system opens chart; standard audit logging; workflow ends.
    - If no, proceed to BTG prompt.
  4. System displays access-denied message with BTG option: - Explains that access is restricted and will be specially audited.
  5. Clinician selects BTG option: - System presents list of allowed BTG reasons (emergency, on-call, consult, public health, etc.).
  6. Clinician selects reason and may enter free-text justification.
  7. System checks: - User has BTG permission (implicit via role) and BTG not blocked for this patient (e.g., VIP with stricter rules).
  8. Decision: BTG permitted?
    - If no, system denies access; logs attempt; may notify Privacy Officer.
    - If yes, proceed.
  9. System grants temporary access: - Opens patient chart with BTG banner indicating elevated privacy sensitivity.
  10. System logs BTG event in audit_log:
    • is_btg = true, access_reason, timestamp, user, patient, IP, user_agent.
  11. System may notify Privacy Officer automatically (email/dashboard) for real-time or periodic review.
  12. Privacy Officer periodically reviews BTG events:
    • Uses Access Audit Log screen (SCR-EHR-011) to filter is_btg = true.
    • Investigates suspicious access; may initiate incident response per PDPL.

Data Modified:

  • audit_log — INSERT (BTG access events and denied attempts)

Mermaid Flowchart

flowchart TD A["Clinician attempts to open patient chart"] --> B["Evaluate normal access rights"] B --> C{"Normal access allowed?"} C -->|"Yes"| D["Open chart<br/>Standard audit logging"] D --> Z["End"] C -->|"No"| E["Show access denied + BTG option"] E --> F{"User selects BTG?"} F -->|"No"| G["Deny access<br/>Log attempt"] G --> Z F -->|"Yes"| H["Prompt for BTG reason & justification"] H --> I["Check BTG permissions & patient restrictions"] I --> J{"BTG permitted?"} J -->|"No"| G J -->|"Yes"| K["Grant temporary access<br/>Show BTG banner"] K --> L["Log BTG event in audit_log<br/>is_btg = true"] L --> M["Notify Privacy Officer for review"] M --> Z["End"]

Decision Points

  1. Normal access allowed? - Based on care relationship, role, and consent.
  2. User selects BTG? - If no → access denied.
  3. BTG permitted? - If yes → temporary access granted; if no → deny and escalate.

Integration Points

  • All modules
  • BTG flag influences access decisions across modules (e.g., CPOE, LIS, RIS) but is centrally logged in audit_log.
  • Privacy / Security Monitoring Systems
  • Direction: Outbound (reports/feeds)
  • Data: BTG events for security analytics and PDPL breach detection.

Exception Handling

  • Misuse of BTG (non-emergency):
  • Detected via Privacy Officer review; may trigger disciplinary process; system supports exporting logs.
  • System misconfiguration (overly restrictive):
  • Excessive BTG usage rate (KPI) may indicate need to adjust access rules.
  • Audit log write failure:
  • System must treat as critical error; deny BTG access if audit cannot be recorded.

Paperless Transformation

Previously Paper-Based Now Digital In-System Notes
No formal mechanism; ad-hoc access Structured BTG workflow with reasons and audit trail Enhances privacy and PDPL compliance
Paper logs of VIP chart access Centralized audit_log with filters and exports Easier monitoring and reporting
Manual incident tracking Automated BTG notifications to Privacy Officer Faster detection of inappropriate access

Remaining Paper Touchpoints: None — BTG is inherently digital.

Inputs and Outputs

Inputs:

Source Data Element Format
Clinician action Patient chart access attempt System event
RBAC engine User roles, assigned patients, current encounters, consent restrictions users, roles, permissions, patient_consents query
Clinician input BTG reason (emergency, on-call, consult, public health) and free-text justification UI form input
BTG policy configuration Allowed reasons, restricted patients (VIP), notification rules Master data / configuration

Outputs:

Destination Data Element Format
audit_log BTG event (is_btg = true, reason, justification, user, patient, IP, user_agent) SQL INSERT
audit_log Denied access attempt (if BTG not permitted) SQL INSERT
Patient chart Temporary access with BTG banner UI session grant
Privacy Officer BTG notification for review Email / dashboard notification
Security monitoring BTG event feed for analytics and PDPL breach detection Outbound feed / report

Post-conditions:

  • BTG access event recorded with full context (reason, justification, user, patient, timestamp, IP)
  • Patient chart accessible with BTG banner for duration of session
  • Privacy Officer notified for retrospective review
  • Denied attempts logged for security analytics
  • No persistent access change — BTG is session-scoped

SLA and Timing

Step Target Time Escalation Measurement Source
Access evaluation (RBAC check) < 1 second Performance alert if > 3s Application performance monitoring
BTG prompt display < 1 second after denial None — immediate Application log
BTG reason submission and access grant < 5 seconds None — user-driven audit_log.created_at
Privacy Officer notification < 5 minutes Alert IT if notification service fails Notification service log
Privacy Officer retrospective review < 72 hours Escalate to CISO at 72h for unreviewed BTG events audit_log BTG review timestamps

Note: Break-the-glass is a linear access-control workflow (access attempt → evaluation → denial → BTG prompt → grant/deny). No separate entity lifecycle or state diagram is required.

These workflows collectively define how the EHR & Patient Management module supports safe, compliant, and paperless operations in UAE healthcare facilities, while integrating with NABIDH, Malaffi, Scheduling, Billing, and other clinical modules.

Next → EHR & Patient Management User Roles & Permissions
content/clinical/ehr-patient-mgmt/01-workflows.md Generated 2026-02-20 22:54