WO1987002160A1 - Distributed data system for medical records - Google Patents

Abstract

The data records of individuals are distributed on personal storage means (26) which can be carried by the individual. Preferably, the storage means are card shaped carriers of a magnetic storage area which can be read from and written to with magnetic read/write heads of an access device (14). The access device is controlled by a microprocessor (12) based terminal which executes system software to limit the access of particular files on the cards according to a hierarchal coding scheme. An identification file on the cards is accessible by an operator with a user password while a general file, an emergency file, and a private file are available only by having other passwords. A personal password generally known only by the individual carrying the card can be used to access any of the restricted files. An emergency password is used to access the emergency files and is provided to those selected individuals which interface with the public in emergency situations. A master password is provided to authorized personnel in the medical community to be able to access the general file.

Description

DISTRIBUTED DATA SYSTEM FOR MEDICAL RECORDS The invention pertains generally to a system for storing the medical records of individuals and is more specifically directed to a medical record system comprising a distributed data system wherein the means for storing the data base is adapted for transportation on the person of those individuals having records in the base.

The medical histories of a population form a large and generally diverse and nonsystematized data base. This large data base is very difficult to access comprehensively with accuracy because of its nonstandardization and storage at various locations. In the present medical system records are kept and handled by various organizations and personnel at any number of different locations. At any one time an individual may have a portion of his overall medical records at a hospital, at the office of one or several doctors, at his home or office, with his employer or elsewhere. These records may be in different sizes and formats on different media and have varying degrees of accuracy. The lack of accuracy or completeness at any particular location of a record can be attributed to a loss of information, the lack of recent updating, or mistakes in the recording of the information in the initial record. Further, these records are not generally transportable or transferable. It is difficult to accumulate a complete record because the custodians of the portions of a complete record may cooperate to a greater and lesser degree with a party requesting consolidation. The difficulty lies not only in locating the record in the diverse locations but also in the time it takes to transfer these records and their noncompatability with the retention center where they finally are housed. in some situations where the individual is undergoing a medical emergency his entire medical history or that part needed in his immediate treatment may be unavailable because it resides only in a place that is unknown or unaccessible to the treating physician. To some extent medic alert tags now available alleviate these situations, but there is only a small amount of information that can be readily stored on these tags. This type of medical data carrier cannot, as presently constituted, provide all the contraindications to specific medications and the guidance for treatment which a full medical history could provide.

Additionally the space consumed and the duplication of efforts that medical records cause today cannot be overlooked. As a matter of course the first task that an individual is required to perform when visiting a new location in the medical system is to provide a basic medical history. Many times, particularly in the case of the infirm or the elderly, individuals may be mistaken about their -past medical histories or may have just forgotten important facts. Additionally, members of a family or other persons who are unaware of the actual medical facts may provide erroneous information to a record keeper. Medical ^■ histories after they are recorded are put into a file for an individual and then stored in a central area for retrieval when the individual is seen again. With the advent of more specialists in the medical practice, more walk in type clinics, and the increasing mobility of the populace it is becoming more probable that a particular medical practitioner may see a patient but once. All of these reasons, of course, proliferate the number of records being kept- for a single individual and cause an immense duplication of effort.

One of the concerns of the individual for his medical records is one of confidentiality. The individual can suffer embarass ent, loss of status, reputation or even employment if certain medical facts become generally known about him. Although most medical records contain innoccuous facts, they are still matters about which individuals hold the strong conviction that they are entitled to a strict right of privacy. Most controlled depositories including those in the offices of doctors or hospitals are generally restricted to access by certain personnel. However, this is only a single level of security, and once physical access to a record has been obtained the information is in readily ascertainable form. An individual must worry about the security of his medical records not only because of a lack of total security for such personal data but also because he has no control over the data himself. He must rely on another party, who may have- less of an interest in keeping the information confidential than he does, to bar access by third parties.

From a doctors point of view the basic requirement for a medical record or history is that it be accurate and timely. Factual data which are wrong or out of date may be detrimental or of less assistance to a treating physician than no data at all. Secondly, if the physician can be assured that the data are accurate, he would prefer them to be complete such that the latest developments in the treatment of an individual and all other relevant data are included. Finally, if the requirements of accuracy and completeness can be accomplished, it would be of great assistance to a physician to have this information readily available from a single source. From a patient's point of view, a medical record system which provides the record of his interface with the medical system should be available. This is true not only when he is able to transmit the information to.a physician but also in an emergency situation when he may be unable to indicate even his identity. It may be critical, such as in cases with contraindications to certain medications, that this infor ation be available to a physician providing emergency treatment. A lack of information on these critical points could be hazardous or at least increase discomfort or delay his treatment. In connection with his medical records being available, an individual would prefer that the records also be portable and available from a single source so that he could be the individual that stores the record and transmits them in most cases. To accomplish this task the records would have to be miniaturized or more densely packaged than is the present case. Certainly as a-consideration the person would want his records to remain confidential but not to the point of making them unavailable to a treating physician who really needed them.

Summary of the Invention In accordance with the invention many of the objectives of an advantageous medical recordation system have been achieved and many of the problems of prior art recordation systems have been overcome.

The invention provides a distributed data system for medical records, such as patient records, which is secure from alteration by unauthorized sources and at least part of which is available only to designated persons of authorized sources. The system provides a distributed data base by providing a personal storage means for each individual which is adapted for transportation on the person of that individual. The personal storage means can store the personal information unique to an individual relating to his medical records in the form of coded areas of which at least a portion are normally decodeable only by a personal password known to the individual. The advantages of such a system are the portability of the data and the availability of a complete medical record from a single source. In accordance with the _.invention the system provides a means for reading from the personal storage means and for writing to the personal storage means. The reading and writing means is under the 'control of a control means preferably in the form f a programmable terminal which has a plurality of user selectable functions. The terminal is adapted to decode the stored information in response to a password or user code from an operator and is adapted to encode stored information for writing on the personal storage means in response to the password.

In a preferred form the terminal also includes a means for displaying the decoded information in a human understandable form such as on a CRT, or printer and includes means for inputting information to the control means to select the function to be performed by the system, and means to change or alter data on the personal storage means. The control means is based on a software operating system which performs the basic functions of reading data from and writing data to the personal storage means. The operating software also controls access to the system by a hierarchal coding scheme which limits predetermined information to selected individuals. To enter into dialog with the operating system, an operator must first know a user password unique to the particular terminal or subsystem being used to read from or write to a personal storage means. This first level of protection limits access to information on the personal storage means to those medical personnel authorized to use the system. The information able to be read knowing the user password is limited to an identification file.

In addition, the personal storage means includes general, emergency, and private data files that are coded such that normally only a personal password from the individual can be used to unlock the information stored therein. Because the emergency data file may be critical for emergency use, the system codes the emergency file such that a emergency key or password can be used to unlock the data in these situations. The emergency password would be authorized for use and known by a small select group such as the physician in charge of an emergency section of a hospital, or optionally, by those in charge of rescue vehicles, etc. The, general file which contains the complete medical records of the patient is also coded such that senior hospital physicians, perhaps only the highest hospital echelon, have the ability to access the file with a master password. This may be necessary where the patient is unable to give the personal password or whenever it is legal and medically expedient to overrule the patient's decision not to give his password. The private data file is not accessible without the personal password.

This five level. ierarchy provides an advantageous combination of availability and confidentiality. The first level, the coding of the data on the personal storage means, prevents those not having a system terminal from easily accessing the data. The general public is thus excluded from readily reading the record even with physical possession of the personal storage means. The second level, the password of a user to access a particular terminal or subsystem, limits the identification information in a personal storage means to those who have been cleared to operate the system. The general and emergency information is, however, available at the facility where it is needed. The levels three and four, or the master and emergency password provide availability of the private information in emergency and other abnormal situations while strictly limiting those in possession of the key. The highest level, the personal password, allows a person to protect selected information such that it is available to only those to whom he wishes to give the password. In the preferred embodiment the personal storage means comprises a generally rectangular sheetlike member having a^" data storage medium covering at least one portion of at least one side. ' Preferably the data storage medium is a magnetic\surface capable of being written on and read by commercially available magnetic recording heads. The '_\fcfrmat of the storage means is useful in that it is of a shape and size which is readily recognizable as an object that is carried on the person, such as a credit card or drivers license. This is to advantage because a person will readily accept such a size and shaped object to either carry in a wallet or somewhere else on his person.

Medical records can be stored on the personal storage means in the form of tracks where individual bits are magnetized or demagnetized in accordance with the digital data input from the medical record source. In one form, the tracks may be successively applied as longitudinal data strings along the long axis of the rectangular surface. This method" would provide a number of horizontal tracks where the number of such tracks would be determined by the width of the personal storage means. The data strings can alternatively be applied vertically across the length of the personal storage means. This storage method provides a very dense data packaging of the information enabling more data to be stored in a smaller area.

As an alternative, the magnetic storage medium could be applied on the rectangular surface as a circular area and the tracks provided as concentric recording areas with guard bands between each one. As another alternative, the magnetic medium could be applied to the rectangular surface as an arcuate shaped area which has tracks of arcuate curvature equal to that of the major and minor arcs of the sector. In any of the embodiments, the personal storage means may use both sides of the generally rectangular sheet. These and other objects,, features and aspects of the invention will be more fully understood and better described if a reading of the following detailed description is undertaken in conjunction with the appended drawings wherein: \

Brief Description of the Drawings FIGURE 1 is a system blσck diagram of a terminal apparatus useful in a medical record- system constructed in accordance with the invention; FIGURE 2 is a system block diagram of a hospital based record system comprising a plurality of the terminals illustrated in FIGURE 1;

FIGURE 3 is a system block diagram showing the linkage of a plurality of hospital based record systems illustrated in FIGURE 2;

FIGURES 4, 5, and 6 are pictorial representations of different embodiments of the personal storage means;

FIGURE 7 is a illustrative representation of the format for the storage of records on the personal storage means shown in FIGURES 4, 5, and 6;

FIGURE 8 is a plan view of an apparatus for reading and writing on the personal storage means illustrated in FIGURES 4, 5, and 6; FIGURE 9 is a cross sectional view along section line 9-9 of the reader/writer apparatus illustrated in FIGURE 8;

FIGURE 10 is a cross sectional view of along section line 10-10 of the reader/writer apparatus illustrated in FIGURE 8;

FIGURE 11 is an enlarged fragmented isometric view of the marking and detecting means for the reader/writer apparatus illustrated in FIGURE 8;

FIGURES 12A, 12B, and 12C together comprise a system flow chart of the software which controls a terminal such as the one illustrated in FIGURE 1; and FIGURE 13A and FIGURE 13B together comprise a system flow chart for the subroutine USER R/w called from the software illustrated in FIGURES 12A, 12B, and 12C. Detailed Description of the Preferred Embodiments The distributed data system for medical information includes a number of programmable data devices one of which is shown to advantage in FIGURE 1. Generally, the system is configured around these devices or user terminals 10 which perform the operations of reading data from a personal storage means 26 and writing data to the personal storage means. The terminal 10 can be of the general purpose type and can be located at any of a number of different locations such as hospitals, doctors offices, clinics and possibly in emergency vehicles. The terminal 10 is the tool that is used by the system for communication when an authorized person needs to access a medical record on a personal storage means or to change or verify ^• information thereon.

In the implementation of a terminal 10 there is illustrated a microprocessor based communications apparatus which includes a reader/writer 14 to read and store' information on the personal storage means and elements 18, 20 to communicate the operation desired by an authorized person to a microprocessor 12. In the implementation shown, the device for reading and storing information on the personal storage means is a magnetic card reader/writer which will be explained more fully hereinafter. The personal storage means used in the implementation shown is magnetic card 26 which is capable of having digital information stored thereon in the format of medical records. The format and protective coding of the information stored on the magnetic card 26 will also be discussed more fully hereina ter. The means for communicating with the system and indicating a desired operation are embodied by a video monitor or CRT 18 and a keyboard 20. In response to operator commands typed on the keyboard 20/, the microprocessor 12 controls the readers/writer 14 for specific operations on the personal storage means. In connection with these operationsIthe CRT 18 is able to display messages- which assist the_. ser in control of the modes and operational capabilities of the system. In addition to the reader/writer functions, the operator through keyboard messages may select a printer function which causes a hard copy output on a printer 24. Similarly the operator may choose a hard copy output on a disk drive 16 which produces storage on a floppy disk 22. The communication scheme between the peripheral devices 14, 16, 18, 20 and 24 and the microprocessor 12 is a conventional interrupt scheme whereby data reception and transmission takes place over the microprocessor data bus, address .bus, and control bus via standard data transceivers, such as UART devices and with a conventional serial data protocol such as RS 232 C format.

FIGURE 2 shows another embodiment of the system which has been expanded into a user subsystem 28. The user subsystem includes 1,2,3...N, user terminals 10 connected through separate interfaces 32 to a host or central computer 34. The terminals 10 are identical to the terminal described in connection with FIGURE 1 which would further include the interface 32 as a separate peripheral device. The purpose of networking over a local area such as a hospital user is to allow access of the central medical record data base of the hospital by all the terminals 10. This capability will allow the distribution of the recorded information of the user onto the personal storage means afterwhich it can be erased.from the central data base. Further, the network would allow a convenient method for distributing medical data to the personal storage means from other sources. Hard copies of records from files and other data from noncomputer sources can be key punched or converted into computer readable form and stored in the hospital central computer memory until they can be distributed to a personal storage means.

In FIGURE 3 an extension of the local area networking shown in FIGURE 2 is illustrated. A number of user subsystems 28 have been linked via communication links 38 to form a universal medical data base system. The communication links 38 would normally be implemented in the form of modems and telecommunication lines. Also viable are any of the other modern communication links for data such as microwave, satellite systems, or the like. The purpose of the system is to allow one user subsystem 28 to communicate with any other subsystem 28 such that any terminal 10 in a subsystem can access any medical record within the communication area. Conventional apparatus can be used to accomplish the linkages of the system.

The medical information that is stored in any one of the subsystems is thereby accessible by any other subsystem so that an individual wanting to unify his medical records from any of the data bases would find it easy to accomplish the same. Additionally, this embodiment provides another aid to the distribution of data from the present medical recordation system where as hospital files are down loaded to an individual personal storage means, such as magnetic card 26', they could be eliminated from the various subsystems 28 at which they were previously stored. Thus, the system of FIGURE 3 provides means for consolidating records separated by great distances.

With reference to FIGURES 4, 5 and 6 there are illustrated representative implementations of the personal storage means 26. In these three figures the personal storage means is illustrated as a generally rectangular sheet like member, for example, sheet 100 in FIGURE 4 which has a area of storage medium 104 overlayered on at least one side of the sheet. For the implementation shown, the sheet 100 can be either a plastic base or some other insulative material on which the storage medium can be overlaid. The storage medium area 104 is generally rectangular, like the sheet, and comprises a magnetic storage material such as that commonly found on magnetic tape and floppy disk surfaces. Additionally, it is to be understood that the storage area may extend on the back of the card and thus comprises a medium which has two generally rectangular surfaces for the storage of data.

In this embodiment digital data may be stored in tracks situated parallel to each other along the longitudinal axis of the rectangular card but could just as well be stored in tracks parallel to the lesser axis of the card along the surface. Whatever the orientation of the tracks on the card, it is assumed that these tracks can be written in groups of serialized bit strings forming characters and other data from the medical records of an individual. The code format for the character strings can be standard,^' such as ASCII, or another more specialized character code. Generally, although the characters of a bit string are in a standard character code, the strings are coded such that they are not readable without a code key.

The size of the card is envisioned as easily portable in a wallet or a purse of an indivdual such that its usage will be enhanced. According to one of the advantages of the invention the card could be sized as standard credit card which is approximately 5.4 cm. by 8.5 cm. If the personal storage means is made in this size, recognizable as an easily portable format, individuals will be encouraged to carry them in the places they now reserve for credit cards and the like. The amount of storage base needed for the complete medical record of an individual is determined to be

4 5 between 10 -10 bytes. With a standard credit card size and magnetic storage media covering both sides of the card, this storage capacity is well within the bit density of conventional magnetic recording techniques.

To assist in the protection of this data from unauthorized users, the system\may use an alignment mark

105 which can either be a hardware mark such as a hole, piece of reflective tape, notch, etc. or some other marking indicating the track on the card which begins the start of the data. Additionally this protective mark could be made in any one of the words in the bit strings of a track such that software can be provided to scan the card and determine where the actual data begins. The alignment mark can be used as an additional means for protection from unauthorized users in the following way: the actual data string begins a predetermined number of bytes away from the mark. This number, for any particular card, will be made available to the user. To properly read the card, this code number will have to be given to the system in order to correctly align the reading head. This alignment mark will not prevent unauthorized users of terminals made for the system, but will prevent others which do not have access to these terminals from easily reading the information on the cards with other types of magnetic card readers.

Further, because many of the files stored on the card will not be available from a source other than the card once the central data bases have been distributed, it is imperative that some of the files written thereon be protected from accidental overwriting. Therefore, those files which contain archival records which should not be changed or updated are protected from the reader/writer 14 by a write protect mark 107 which indicates the particular file along those tracks or the next following N number of tracks are not to be written on.. Note that mark 107 may physically prevent the writing in the protected area as described above.

As an alternative to the storage medium being provided on the card as a rectangular area, FIGURE 5 illustrates that a generally circular area 108 can be used. The storage medium in area 108 is similar to that used for the card in FIGURE 4 and the sheet 106 comprises identical material to that of the sheet 100. In this implementation the data tracks 110 are concentrically arranged around an aperture 111 in the center of the circular area 108. It is evident that this personal storage means may be read in the manner of a floppy disk by rotating it about the aperture 111 and reading the concentric tracks as they pass a moveable head which can scan from the outer diameter to the center of the circular area 108. This alternative can be used to advantage where commercially available disk drives would be used to read the data off the surface. As with the previous embodiment, an alignment mark 118, either hardware or software compatable is used. In addition, any of the concentric tracks or groups of concentric tracks containing a record file which should not be changed can be protected by write protect marks 120.

In FIGURE 6 still another embodiment of the magnetic card implementation for the personal storage means is illustrated which is similar to the embodiment illustrated in FIGURE 4. A sheet like base 112 of insulative material is used to underlay a magnetic storage medium area 116 which covers at least a portion of at least one side of the card. The difference between the implementations is that the area 116 is arcuate in shape and the data tracks 114 follow the arcuate sectors of the area. Mark 122 corresponds to mark 105, and marks 124, 126 correspond to marks 107. FIGURE 7 illustrates an advantageously formated personal storage means. The storage area is partitioned basically into four files, an identification file, an emergency file, a private file, and a general file. Portions of the private, emergency, and general file are in fixed and free format which causes them to be variable in length, whereas the identification file is a fixed format file of constant length.

The identification file, which is uncoded and thus readable by anyone who can access the system with the user code, contains digital data concerning the physical attributes of the individual. Representative examples of such data include his name, address, sex, birth date, height, weight, eye and hair color, race and person to notify in case of emergency. This file is a basic screen to determine whether the person having the card in his possession is the individual whose records are stored on the personal storage means.

The general file which is partially in fixed and partially in free format is coded where users with access to a terminal and either a master password or the personal password will be able to use it. The general file contains complete medical data which provides a basic medical history of the patient without disclosing any particular data he would feel uncomfortable about making generally known. Representative examples of the information contained in this file include diagnoses, allergies, medications, contraindications, lab tests, special tests, physical exam, hospitalizations, history of illnesses, and treatments.

Thereafter, a private file in free format is stored on the personal storage means. The private file is coded such that only with a personal password from the individual can it be read. Private data selected by the individual is stored here possibly including diagnoses, current medications, and contraindications. Other private data can be stored in this area depending on the preference of the individual. This is a place in the record system upon which the individual maintains the lock and determines who has access to the information stored therein. It is noted generally, but not necessarily, the private file will comprise a deleted subset of the information in the general file.

An emergency file containing information useful in emergency situations is then provided in fixed and free format. Information which is exemplary, but not exclusive for this file, can be diagnoses, allergies, medications, and contraindications, etc. It is noted that generally, but not necessarily, this file will be an included subset of the general file. The file may be accessed by a person having a user code and either the personal password or an emergency password. An emergency password would be provided to emergency staff of hospital emergency wards and optionally to .paramedics or the like in emergency vehicles.

The access hierarchy is then as follows: System Access - user code

ID File - user code only

Emergency file - user code plus emergency or personal code

General File - user code plus master or personal code

Private File - user code plus personal code only.

At the highest addresses of the memory in fixed format are three reference texts. One text is for the general file decoder, one for the emergency file decoder, and the other text is for the private file decoder. The reference text is used as a comparison for text stored in the medical record system to insure that the decoding process is taking place normally. The reference text may be as short as one keyword or as long as several paragraphs depending upon the complexity of the coding scheme chosen. The coding schemes for the files have not been described but there are a number of encryption schemes generally known and the use of one of them is contemplated. Particularly, a mathematical algorithm with related a number to a letter, could be used. '^' As an example which illustrates an advantageous use but is not meant to be limiting in any sense, a typical card may contain about 100 tracks. Of these tracks, 1-2 tracks may serve as the ID file, 2-5 tracks serve as the emergency file, and 3-5 tracks serve as the personal file thereby leaving approximately 88-94 tracks for the general file.

A more detailed description of the reader/writer 14 will now be set forth with respeot to the apparatus illustrated in FIGURES 8, 9, 10 and 11. FIGURE 8 shows a top or plan view of the reader/writer 14 where a personal storage means 26 has been inserted into a receiver assembly of the reader/writer. As better seen in FIGURES 9 and 10 the personal storage means is received into the apparatus through. an aperture 206 which forms a slot. When inserted through the slot the storage means 26 has peripheral edges 207 and 208 which constrain the card to travel in channels 210 and 212. Spring clips 214 and 216 bias the card downward in the channels 210 and 212 against the upward pressure of a drive roller 218. The drive roller 218 is driven by a motor 220 such that when the card is inserted into the slot 206, pressure on the card by the roller and by the bias members 214 and 216 will cause the card to be propelled along the channels until it abuts a mating surface particularly designed to receive special cut out portions on the end of the card.

The drive operation of roller 218 is under the control of a R/W control 224 which produces an analog voltage for controlling the operation of the motor 220. The analog voltage can be either positive or negative thereby reversing the direction of travel of the drive roller 218. Normally for loading the card in the reader/writer apparatus 14, the drive roller 218 travels in the clockwise direction as seen in FIGURE 9, and for unloading the card, the roller 218 travels in the counterclockwise direction. The portion of the R/W control 224 which is used for loading and unloading the card includes a photodetector device 226 in combination with a photoemissive source such as an LED 228. The photo detector 226 and LED 228, respectively, are connected such that a circuit path is maintained between the two in the absence of the blockage of the light emitted by the LED. These signals communicate with the R/W control 224 via a signal line 230 to allow the control 224 to detect whether the circuit is open or closed. The read/write control 224 can read these signals from the photodetector and the LED and command the R/W control 224 to produce the drive roller control signal which turns the drive motor 220 on or off.

In operation the drive roller motor 220 is usually in an off state, and the photodetector 226 and the LED 228 are indicating a closed circuit, where current is being drawn by the LED and transferred across the gap between the LED and photodectector in the form of light. However, when an individual inserts a personal storage means 26 into the slot 206, the circuit is broken and the R/W control 224 starts the motor 220 to turn the drive roller 218. This loads the card until the front surface of the card abuts the specially shaped projections, afterwhich the motor 220 is stopped. The R/W control 224 is able to determine when the card has been fully loaded because the open circuit condition caused by inserting the card becomes a closed circuit condition once again after the trailing edge of the card leaves the gap between the LED 228 and the photodetector 226.

To unload the card from the reader/writer 224 the process is reversed, where the R/W control 224 has remembered that it has a card contained therein. The control 214, at an appropriate time commanded by the terminal, reverses the polarity of the drive signal to the motor 220. The reversal is needed for 'disengaging the card after an operation is completed. For example, after a read/write operation has been completed, a closed circuit between LED 228 -and the photodetector 226 indicates to the system that the card is still in the reader. Therefore, the R/W control 224 reverses the drive direction of the motor 220 and begins to propel the card 26 from the slot 206. The control recognizes the output operation by the polarity of the drive signal and an open condition of the LED and detector. When the card clears the LED detector combination, the R/W control 224 recognizes that the card has been output by a closed circut and the motor can be shut off.

While the personal storage means 26 is in the reader/writer 14, the memory contained, thereon may be written to or read from by means of a conventional magnetic read/write head 234. The head 234 is mounted on a transport member 232 adapted for carrying the head 234 within a predetermined distance of the storage medium on the card. By scanning the head 234 over any X-Y position all the bit locations on the card are readily accessible. The head 234 communicates with the R/W control 224 via the signal information line 236 with information from the terminal 10. Depending upon whether a signal is read from the transmission line 236 or applied to that line, the read/write head 234 can supply digital information to the control 224 or write information on the media. The digital information read from or written onto the personal storage means 26 enters and leaves the read/write control 224 via the transmitter receiver connection of the control with the microprocessor.

An X-Y positioning assembly is illustrated for the reader/writer apparatus 14 whereby the head carrier 232 slides along the top of a support bar 238 which has a channel 240 cut in the center ^thereof along its longitudinal axis. The read/write head 234 protrudes through the channel 240 such that any bit position of the X coordinate direction can be redd or written to by sliding the head carrier along the top of the support bar 238. Movement in this direction of the head carrier 232 is provided by a X position stepper motor- 242 which has its armature connected to a pivotable arm 244 which is inserted through a bore 246 in the carrier 232. An upper portion of the head carrier 232, connected by the arm 244 to the stepping motor 242, is additionally pivotable around the read/write head 234. When the stepping motor 242 is energized, via control lines 248 from signals of the R/W control 224, the head carrier 232 will move in the longitudinal direction of the support bar 238. The read/write control 224 can position the head carrier 232 and thus the read/write ^' head 234 at any X position along the card by knowing the angular position of the motor 242. The positional information of the motor 242 is fed back to the R/W control 224 via the signal line 250. The microprocessor 12 of the terminal 10 can control the R/W control 224 to position the read/write head 234 in any X coordinate position on the memory that is desired. At any particular position, the R/W control 224 is then able either to read a bit from the memory location or to write a bit to that memory location via the signal line 236. To position the head carrier 232 in the Y direction as shown in FIGURE 8, the reader/writer apparatus 14 includes a Y position stepper motor 252 which communicates with the R/W control 224 via a control line 254 and a feedback position signal line 256. Signals from the R/W control 224 control the angular position of the motor armature via the signal line 254 and the control receives signals from the motor 252 via line 256 to indicate its actual position. The armature of the Y position stepper motor 252 is connected to a drive block 260 fixed to the support bar 238 by means of a lead screw 258. At each' end of the support bar 238, roller bearings 262 permit the support bar to move in the Y direction as seen in FIGURE 8. By controlling the angular position of the stepper motor 252 the R/W control 224 may position the support bar 238 at any position along the Y axis of the personal storage member 26.

An enlargement of a mounting assembly 268 for the LED 226 and photodetector 228 is illustrated in FIGURE 11. The mounting assembly is disposed on the top portion of the support bar such that a circuit is connected by the light between the LED and the photodetector. Additionally included in the assembly 268 is a punch mechanism 270 which is adapted to cut a notch or hole in the end of the- personal storage means. This notch can be cut at any track position along the Y axis of the personal storage means and thus forms an indication that the adjacent or N following tracks are write protected. This indication may be detected by a second LED and photodetector pair_.272 and 274, respectively which are open circuited in the absence of a notch or hole cut by the punch 270. The LED and photodetector pair communicate with the R/W control 224 via a signal line 276 shown in FIGURE 8 and the punch 270 is controlled by the control 224 via a control line 278. With respect now to FIGUESs 12A, 12B, and 12C and in combination with FIGURES 13A, 13B there is illustrated a system flow chart for the program stored within the microprocessor 12 of the terminal 10. The flow chart is a functional description of the software and can be implemented by those skilled in art in many programming languages depending upon the particular microprocessor and other hardware used. The program starts out in a functional block A10 with an initialization and start up routine which sets the constants and variables of the system to initial values and permits the system to begin in a running state. Next in block A12 the program displays a message on the CRT indicating that the operator may start the program by striking the "S" key. In block A14 the input buffer for the keyboard is checked until a correct character is found before continuing in Block A16. If no character is input or the correct character is not found then the program loops through the message and test block until the terminal is shut off.

However, if a user does wish to operate the system and has entered the correct descriptor to get to block A16 the system prints out an identifier message which asks for a user code, the date, hour and the name of the facility which may then be input by the keyboard. The program thereafter sequences to block A20 where the password input from the user^' is tested to determine if it is legal. If not the system outputs a message that the user code is invalid and will then cycle back to block A16. This sequence continues until a valid user code is input to pass the test in block A20. The user code restricts access of the system terminals to those who are authorized to operate them. As in any data processing system these passwords may be changed frequently to maintain the security of the system.

Once the user has input a legal code he is then requested in block A24 to insert a personal storage means 26 into the reader. Block A28 is representative of the insertion of the card 26 in the reader and its subsequent positioning by the automatic feed mechanism. This operation was described previously with respect to the description relating to the loading and unloading of the personal storage means with the reader/writer apparatus 14. After the card has been loaded the system checks to determine if the position of -the card is proper in block A30. If the position is incorrect, this problem is communicated to the user by means of a message printed on the CRT in block A26. This loop continues until the user has inserted¹ the card correctly and the test in block A30 is passed.

The control electronics which activate the read/write head 234 are turned on in block A32 in order that the reader/writer apparatus 14 can scan the personal storage means 26 for a software or hardware coded initial position. After the scanning of the card has taken place, a test is performed in block A36 to determine whether a hardware coded position has been found. If the answer is affirmative, then the read/write head 234 is positioned to the appropriate starting position in block A46.

If no hardware initial position mark is found during the scanning then a path to block A38 is taken by the program. In that block a message requesting the ^"user to input the software position where he desires to start is given via the CRT. The user then inputs the starting position of the information on the personal -storage means via keyboard input in block A40. The program then tests the user input to determine whether this is a valid position code in block A42. If a valid position code has been entered by the user, then the program continues to block A46 where the read/write head 234 is positioned as previously described. If, however, the position code is invalid, a message to that effect is output on the CRT in block A44 and the program loops back to block A38 where the message to input the position code is again given.

Once the reader/writer apparatus 14 has been positioned to begin receiving valid text, then the identification file information is read in block A48.

Because the identification file information is not coded or scrambled in any manner, it can be immediately output to the CRT in a conventional format. The file contains such information as the patient's name, address and possibly description as to height, weight, eye color, and other physically descriptive identifiers which will associate the actual person with the medical records on the card. This identification file which can be read without other authorization will prevent mistakes in identifying a medical record as belonging to a particular person just because he is in possession of the personal storage means.

Next, in block A54, the system outputs a message to the user on the CRT which requests an input password if the user wants to read the emergency file or read/write any of the protected records in the private file or the general file. The keyboard input from the user is received in block A56 and in the next three blocks A58, A64 and A66 the system decodes that user input. Generally, if the input password is that used by the hospital to access cards of a similar type, it is ^■ termed a master code, and an affirmative path in block A64 transfers program control to block A60.

This is taken as a determination that the general file records are to be read. Therefore, the system decodes the general reference file in block A80 and matches it against the reference text in block A82. If the reference match is passed, as tested in block A84, then the subroutine USER R/W is called in block A86. If the^'reference match fails, the negative branch of block A84 causes the program to output a CRT message that the reference is invalid in block A62. After generating an invalid reference message the program transfers control back to block A54 where the user may once again initiate the protected read/write file accessing loop. However, if the input code word is -not the master code, it possibly is the personal code to be used for accessing the highly private data in the restricted file of the personal storage means 26 or it could be the emergency code. Therefore, the program first checks if the personal code has been input in block A58 and if not then checks if an emergency code has been input in block A66. If the answer to either one of V_hese tests is affirmative, the program transfers control to another path of the program. However, U£ the program finds that all of the previous code tests have failed, it outputs a message by block A68 indicating that an invalid code has been received. If an invalid code has been entered, the program continues by asking the user to input another code word by looping back to block A54.

Assuming that the code word input is the emergency code, the program continues by reading the emergency reference file in block A70 and decoding this reference file in block A72. The file is then matched against the private reference text in block A74 to provide a test for determining its validity. If the reference text and file data do not match; then the program takes an escape path via block A78 after outputting a message to the CRT that the reference is invalid. The escape path brings the program back to the beginning of the operation for reading or writing the protected records in block A54. If the reference file is proper as shown in block A76, the program then reads the emergency file in block A88 and decodes that file in block A90. Thereafter, the data of the emergency file area is output to the CRT in block A92.

After the emergency file has been output, the program produces a CRT message which requests the operator to strike a key for additional data. If a key representing an affirmative response is struck, as indicated in block A96, the program continues to a point in the program which leads to block A54. If the user does not desire additional data, then the negative path from block A96 causes the program to revert to the starting point in block A12. An input code word that is the personal code causes a program branch to block A57 where a message is output asking the user to^" select the file which he wishes to access. Since the personal code word allows access to any file, the user may input in block A59 a request for the general file, the emergency file, or the private file. Blocks A61, A63, and A65 decode this input to provide branches to the respective software loops which handle the specific files. An affirmative response to the test in block A61 that the user desires the general file will cause a branch to the path beginning with block a60 which was previously explained. An affirmative response to the test in block A63 indicating that the user desires the emergency file will cause a branch to the path beginning with block A70 which was previously explained.

An affirmative branch from block A65 is taken as a determination that the private file records .are to be read. Therefore, the system decodes the private file reference text in block A69, A71 and matches it against the reference text in block A73. If the reference match is passed, as tested in block A75, then the subroutine USER R/W is called in block A77. If the reference match fails, the negative branch of block A75 causes the program to output a CRT message that the reference is invalid in block A79. After generating an invalid reference message, the program transfers control back to block A54 where the user may once again initiate the protected read/write file accessing loop. - The subroutine USER R/W is basically the program actually used to read and write data on the personal storage means. The USER R/W routine is called as a subroutine of the main loop and is entered in block A200 of FIGURE 13A and 13B where the program asks the user by means of the CRT to enter the mode desired. The user via the keyboard (block A202) enters a command for a mode of a search, a display or an input operation. The next three blocks A204, A206 and A208 determine which mode is requested. If a display mode is requested, in block A204 the program control is transferred to block A210. If a search mode is requested, in block A206 the program control is transferred to block A228. Similarly, if an input mode is requested, in block A208 the program control is transferred to block A246. If, however, none of these codes are found, the program loops back to the beginning of the subroutine at block A200 via block A226. Prior to requesting that the user again input a valid mode, the system via block A226 outputs a message to the CRT indicating that the mode previously entered is invalid. With regard now to the operation of the display mode, in block A210 the previously input general file is output to the CRT by way of the output buffer. Next, in block A212 the program inquires whether the user would like a hard copy of the data output by a prompt on the CRT. If the keyboard input in block A218 is affirmative, then the file is printed on the disk or printer in block A216. However, if the answer to the test in block A214 is negative, then a message inquiring whether the user is done is output in block A220. The input from the keyboard at block A222 is tested in block A224 to determine the answer of the user. If the answer is negative indicating that the user wishes to continue either a search, display, or input mode, then the program path returns to block A200. If the answer to the test is affirmative which indicates that the user is done with the search, display, and input modes, then the subroutine returns to the start of the program via block A12.

The search mode will now be more fully explained by describing the portion of the program initiating at block A228. In that block a message by the CRT is output to the user which requests whether his search is to be accomplished by category or chronologically. Next, in response to a keyboard input " in block A231, a test to determine which request was made is accomplished in block A230. If a category request was made, in block A240 a message to enter which category is output to the CRT. In response to the keyboard input via block A242, the category that is entered is then searched in block A244 and output to the CRT in block A238. If, however, the test in block A230 was negative indicating that a chronological search was necessary, then in block A232 a message from the CRT is output to the user requesting him to enter the dates of the chronological search. In response to the entered dates via the keyboard input block A234, a search is made in block A236 for the desired data. Thereafter, the program flow is to block A238 where the identified data are output to the CRT.

When finished with either a category or chronological search, and after outputting the recovered data to the CRT, the program returns to block A212 where an inquiry is made of the user via a message on the CRT about whether he desires a hard copy of the found data. The inquiry is handled as previously described with respect to blocks A214, A216 and A218. Thereafter, a message from block A220 is output on the CRT screen inquiring whether the user is done. Again the response to this inquiry is handled by blocks A222 and A224 which either return the user to the beginning of the program in block A12 or allow him to enter another request for a search, display, or input mode in block A200. _ With respect now to the input data mode which begins at block A246, the program requests the user to designate the input source that will be used for data via a CRT message. In this block either the keyboard or an external source can be designated by the input block A248. The external source as mentioned previously with respect to FIGURE 2 and FIGURE 3 can be another terminal in a user subsystem or another entirely different subsystem. Thereafter the program tests to determine the choice of the user via block A252 and block A254. If keyboard input is requested, the program waits in block A256 until all keyboard input has been received. If, however, an external source has been designated, as indicated by an affirmative branch from block A254, then the program will wait in block A258 until a file from the external source has been received. If neither the keyboard nor an external source is designated, a invalid source message will be output to the user via the CRT in block A250 prior to returning to block A246. The return to block A246 provides the user with another chance to pick a valid input source.

After the input file has been stored, the system outputs a message to the user which requests him to select the area in which he wants the input data stored. The choice of the file area on the personal storage means is made by the keyboard in block A262. The choice of the area is tested in block A264 to determine whether it is write protected and cannot be written to. If the area is protected, the CRT will output a message in block A266 indicating such is the case. The program will then cycle back to block A260 where the select area request is again printed. However, if after a decision has been made that the area to be written on is not write protected, a message is output to the user on the CRT requesting him to enter whether the correction is in addition to the material already in the file or a correction to that material. The user inputs in block A270 an indication of whether the material is to be written in a particular file is a correction or is an addition according to the program test in block A272. If the new material is a correction, then in block A286 the old file is erased and the new file written in its place in block A288.

If, however, the new material is an addition rather than a correction, the program branches to block A274 where the file to which the information is to be added is tested to determine whether it i-s full. If the file is not full, then the addition is written on the available space in block A276. A file full indication transfers program control to block A278 where ahother test is accomplished to determine whether the entire personal storage means is full. If the ieritire personal storage means is full, an affirmative branch of the program transfers control to block A280 where a message to the user concerning the lack of file space is output. If the card is full the program will return to block A200 such that the search and display modes can be used to determine what other files may be available for deletion. If, however, in block A278 the personal storage means is not full then a new file area is formed in block A282 and the requested file written into that new area in block A284.

The path from block A276, A284 and A288 after correcting or adding to the files of the personal storage means come together at a common point at block A290 where an output message inquires of the user whether the file just written, whether an addition or a correction, should be write protected. The user enters his answer in block A292 and that answer is tested in block A294. If the answer to the inquiry is affirmative then the file is write protected in block A296 by activating the write protect mechanism, as shown in the implementation as a punch. However, if the response to the inquiry is negative, then the program will return to block A212. Thereafter, an inquiry is made via the CRT whether hard copy output is desired for the modified data files. The response to this inquiry is handled in blocks A218, A214 and A216, as indicated previously. The program then inquires via block A220 whether the user is done with this portion of the program. In response to an affirmative answer the program returns to the start of the routine in block A12 and in response to a negative answer transfers control to the starting program sequence of the R/W program in block A200.

While the present invention has been illustrated and described in conjunction with the various preferred embodiments, it is to be understood that numerous changes and modifications may be made thereto without departing from the spirit and scope of the present invention as is hereinafter defined in the apended claims.

Claims

WHAT IS CLAIMED IS: ,

1. A distributed data system for*^' medical information, such as patient recordsA which is secure from alteration by unauthorized sources and at least part of which is available only to designated persons of authorized sources, said system comprising; a personal storage means adapted for transportation on the person of an individual, said storage means storing personal information unique to an individual relating at least to his medical records, said information being stored in the form of coded areas normally decodeable by a password known only to the individual; a means for reading from said storage means and writing to said storage means; control means, having a plurality of operator selectable functions, including means controlling said reading and writing means to read data from or write data to said storage means, said control means additionally including means for decoding said stored information in response to the input of the individual password; means for displaying the decoded information or other information from said control means in a human understandable form; and means for inputting information from an operator to said control means to select the function to be performed by the control means.

2. A distributed data system as defined in Claim 1 wherein: said personal storage means is in the form of a sheet with a data storage medium covering at least part of one side of the sheet.

3. A distributed data system as defined in Claim 2 wherein said data storage medium is: a magnetic storage medium where areas of magnetization indicate the presence of information and unmagnetized areas indicate the absence of information.

4. A distributed data system as defined in Claim 2 wherein said data storage medium is: a magnetic storage medium where areas of magnetization indicate the absence, of information and un agnetized areas indicate the presence of information.

5. A distributed data system as defined in Claim 2 wherein said personal storage means includes: a data storage medium covering both sides of said sheet form.

6. A distributed data system as defined in Claim 5 wherein: said sheet form is generally rectangular and of a size adapted to be carried in the wallet of the individual.

7. A distributed data system as defined^' in Claim 2 wherein: said sheet form is generally rectangular and of a size adapted to be carried in the wallet of the individual.

8. A distributed data system as defined in claim 7 wherein: said storage medium is generally rectangular in shape and ^"is adapted to stored digital information in sucessive tracks.

9. A distributed data system as defined in

Claim 8 wherein: said tracks are generally parallel and run lengthwise along said generally rectangular shape.

10. A distributed data system as defined in Claim 8 wherein: said tracks are generally parallel and run widthwise across said generally rectangular shape.

11. A distributed data system as defined in Claim 7 wherein: said storage medium is generally circular in shape and is adapted to store digital information in sucessive circular tracks. -

12. A distributed data system as defined in Claim 2 wherein: said storage medium is in the form of a semiconductor memory.

13. A distributed data system as defined in Claim 12 wherein: said semiconductor memory is a random access memory.

14. A distributed data system as defined in Claim 12 wherein: said semiconductor memory is an electrically erasable programmable read only memory.

15. A distributed data' system as defined in Claim 12 wherein: said semiconductor memory is an electrically alterable programmable read only memory.

16. A distributed data system as defined in

Claim 2 wherein: said storage medium is in the form of an optically readable and light, writable medium.

17. A method of decentralizing the medical records of individuals from a data base comprising the steps of: identifying the medical records of an individual from a compiled data base; storing the identified record on a personal storage means which is adapted for transportation on the person of the individual; deleting the identified record from the compiled data based; and activating protecting means on said personal storage means for making said identified records secure from alteration by unauthorized sources and for making said identified records available only to designated persons of authorized sources.

18. A method as set forth in Claim 17 wherein the step of identifying the medical records of an individual includes: identifying the medical records of an individual from a complied data base at a hospital.

19. A method as set forth in Claim 17 wherein the step of identifying the medical records of an individual includes: identifying the medical records of an individual from a compiled data base at an office of a physician.

20. A method as set forth in Claim 17 wherein said step of storing includes: storing said medical records on a personal storage means in the form of a generally rectangular sheet with a magnetic recording media covering substantially at least one side of said sheet.

21. A method as set forth in Claim 20 wherein said step of storing includes: storing said medical records on said magnetic recording media in the form of parallel tracks of digital bits.

22. A method as set forth in Claims 20 wherein said step of storing includes: storing said medical records on said magnetic media in the form of a memory space having predetermined areas to serve different functions.

23. A method as set forth in Claim 22 wherein the step of storing further includes the step of: protecting at least one of said predetermined areas from having data stored in after it has been written to once.

24. A method as set forth in Claim 20 wherein said step of storing includes the step of: storing said medical records on said magnetic media in a standard digital code.

25. A method as set forth in Claim 24 wherein said step of storing further includes the step of: storing at least one of said medical records in a protected code.

26. A method as set forth in Claim 20 wherein said step of storing includes: storing said medical records on said magnetic media in code where specific data is stored with specific codes.

27. A method as set forth in Claim 20 wherin said step of storing includes: storing said medical records on said magnetic media in a special code which is generated in response to a password given by the individual.

28. A method as set forth in Claim 27 wherein said step of storing further includes the step of: generating said special code from a mathematical algorithm which uses said password as a basis of the generation;

29. A method as set forth in Claim 28 which further includes: restricting at least one master password to designated persons wherein said generation of the special code is based on said master password.

30. A medical information storage system comprising: a hospital medical data base including a multiplicity of medical records for different individuals; a computerized means for storing, sorting, classifying, and changing said data base; a plurality of terminal means, interfacing with said comperterized means, adapted to read from and write to the medical records of individuals on said data base and further adapted to read from and write to a personal storage means which can be transported on the person of an individual and which can store the medical records unique to that individual; said terminal means being able to access information on said personal storage means in response to a password known to the individual.

31. A universal system for storing the medical records of individuals comprising: a multiplicity of independently stored medical data bases, each including a multiplicity of medical records for different individuals, and each located remotely from one another; a multiplicity of computerized means, each associated with a corresponding independent data base, for storing, sorting, classifying, and changing its corresponding data base; means, associated with each computerized means, for communicating with other computerized means in order to transfer medical records between said multiplicity of data bases in response to a transfer request when authorized; and at least one terminal means, associated and interfacing with one of said computerized means, which is adapted to read from and write to the medical records of individuals on said corresponding data base, is adapted to initiate said transfer request when authorized to transfer medical records from one data base to another, and is further adapted to read from and write to a personal storage means transportable on the person of an individual and which stores the medical records unique to that individual, said terminal means being able to access information on said personal storage means in response to a password known to the individual, and said terminal means being authorized to transfer medical -records only for that individual from any other data base in response to said individual password. ^

32. A method of protecting medical information in a storage system from unauthorized access and use, comprising the steps of: distributing the medical information for each of the individuals having records^' in the system onto a personal storage means which can be transported on the person of the individual and which can store the medical records unique to that individual; providing a processor means for storing, sorting, classifying, and changing said medical information; providing a plurality of terminal means, interfacing with said processor means, which are adapted to read from and write to said personal storage means; configuring said personal storage means to contain a plurality of different files; limiting access to the information on said personal storage means to those persons having access to one of said terminal means; limiting access to said terminal means to those persons having access to a user code; and limiting access to at least one file on the personal storage means to those persons having access to the user code and a personal code uniquely related to a particular personal storage means of an individual.

33. A method as defined in Claim 32 wherein said step of configuring further includes the steps of: providing an identification file; providing an emergency file; providing a general file; and providing a private file.

34. A method as defined in Claim 33 wherein said protection method further includes the steps of: limiting access to said identification file to those persons having access to said user code.

35. A method as defined in Claim 33 wherein said protection method further includes the steps of: limiting access to said emergency file to those persons having access to said user code and said personal code or an emergency code.

36. A method as defined in Claim 33 wherein said protection method further includes the steps of: limiting access to said general file to those persons having access to said user code and said personal code or a master code.

37. A method as defined in Claim 33 wherein said protection method further includes the steps of: limiting access to said private file to those persons having access to said user code and to said personal code.

38. An apparatus for reading and writing digital information on a storage means adapted to be carried by an individual,- said storage means being generally rectarigular in shape and having an area covered by a magnetic recording medium, said apparatus comprising: means for receiving said storage means and for positioning storage means such that said surface area is located with respect to a reference; read/write means for writing a digital bit on said surface area or for reading a digital bit from said surface area; and scanning means for moving said read/write means parallel to one of the axes of said card to read or write a track of said digital bits across said surface area, and for incrementally moving said read/write means perpendicular to said parallel movement one track distance to position said read/write means to scan across another track.

39. An apparatus for reading and writing digital information as defined in Claim 38 wherein said scanning means includes: a moveable bar member which carries said read/write means and includes a slot parallel to one of the axes of said card in which said read/write means slides; means to move said bar with said incremental perpendicular movement; means to move said read/write means along said slot; and wherein movement of the read/write means in said slot defines a storage track position on the surface area^;and movement of the bar member defines a storage tVack on the surface area.

40. An apparatus for \reading and writing digital information as defined in_.Claim 39 which further includes: means for physically marking at least one track location on said surface area to indicate the starting position of information stored thereon.

41. An apparatus for reading and writing digital information as defined in Claim 39 which further includes: means for physically marking at least one track location on said surface area, to indicate that a particular area should be protected from being written on.

42. An apparatus for reading and writing digital information as defined in Claim 41 which further includes: means for detecting the physical markings of said starting position marking means and said write protect marking means.

43. An apparatus for reading and writing digital information as defined in Claim 38 further including: means for detecting whether said storage means is positioned such that the surface area is located with respect to said reference.

44. An apparatus for reading and writing digital information as defined in Claim 43 wherein: said reference position detecting means includes a light emitting diode and photo receptor forming a closed circuit when said storage means is positioned correctly and an open circuit when said storage means is not positioned correctly.

45. An apparatus for reading and writing digital information as defined in Claim 40 wherein: said starting position marking means comprises a punch which removes a portion of an edge of said storage means when energized.

46. An apparatus for reading and writing digital information as defined in Claim 41 wherein: said write protect marking means includes a punch which removes a portion of an edge of said storage means when energized.

47. An apparatus for reading and writing digital information as defined in Claim 46 wherein: said detecting means includes a light emitting diode and plate receptor forming a closed circuit when said mark is present and an open circuit when said mark is absent.