2. Why Important in Informatics?
Leads to patient outcomes, including deaths
Provider‐patient relationship threatened by IT?
“Rationing” of health care through CDSS
Information risks
Research ethics
Informatics practitioners as “professionals”
with specific skills, training, & competencies?
Most common question “Who owns the data?”
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
3. Relevant Ethical Principles
Non‐maleficence
“Do no harm”
Beneficence
Provide benefits to patients
Justice
Fair distribution of benefits, risks & costs
Respect for Autonomy
Respect decisions made and rights to make
decisions by individual persons
4. Appropriate Use of Health IT
Standard view
With uncertainties around new technology,
“scientific evidence counsels caution and
prudence.”
Evidence & reason determine appropriate level
of caution
If such systems improve care at acceptable cost
in time & money, there’s an obligation to use it
Follows evolving evidence and standards of
care
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
5. Appropriate Use of Health IT
Standard view
For computer‐assisted clinical diagnosis CDS,
human cognitive processes are more suited to
complex task of diagnosis than machine, and
should not be overridden or trumped by
computers.
When adequate CDS tools are developed, they
should be viewed and used as supplementary
and subservient to human clinical judgment
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
7. Appropriate Use of Health IT
Standard view
Practitioners have obligation to use tools
responsibly, through adequate training &
understanding the system’s abilities &
limitations
Practitioners must not ignore their clinical
judgment reflexively when using CDS.
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
8. Appropriate Use of Health IT
Health IT “should be used in clinical practice
only after appropriate evaluation of its efficacy
and the documentation that it performs its
intended task at an acceptable cost in time &
money”
Qualified (licensed, trained & experienced)
health professionals as users
Systems should be used to
augment/supplement, rather than replace or
supplant individuals’ decision making
Adequate training
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
9. Ethics for Developers
Follow standard of care & scientific progress
(evidence‐based)
System evaluation is ethically imperative
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
10. Privacy & Security
Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
Information Security: “Protecting information
and information systems from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction”
(Wikipedia)
13. Social Engineering Examples
Dear mail.mahidol.ac.th Email Account User,
We wrote to you on 11th January 2010 advising that you change the password on
your account in order to prevent any unauthorised account access following
the network instruction we previously communicated.
all Mailhub systems will undergo regularly scheduled maintenance. Access
to your e‐mail via the Webmail client will be unavailable for some time
during this maintenance period. We are currently upgrading our data base
and e‐mail account center i.e homepage view. We shall be deleting old
[https://mail.mahidol.ac.th/l accounts which are no longer active to create
more space for new accountsusers. we have also investigated a system wide
security audit to improve and enhance
our current security.
In order to continue using our services you are require to update and
re‐comfirmed your email account details as requested below. To complete
your account re‐comfirmation,you must reply to this email immediately and
enter your account
details as requested below.
Username :
Password :
Date of Birth:
Future Password :
Real social‐engineering e‐mail received by Speaker
16. Other Security Concepts & Techniques
Authentication & Authorization
Role‐based access control
Two‐factor authentication
Audit trails
HIPAA
Personal Health Information (PHI)
Any individually identifiable health information about a
patient that is created, received, processed, or stored by a
health plan, clearinghouse, or provider
Deidentified
17. HIPAA (U.S.)
Health Insurance Portability and Accountability Act of 1996
More stringent state privacy laws apply
HIPAA Privacy Rule
Regulates use & disclosure of protected health information held by
covered entities
Covered Entities: Health plans, providers, clearing houses, and their
business associates
Protected Health Information (PHI): Any individually identifiable
health information about a patient
HIPAA Security Rule
Lays out security safeguards required for compliance
Administrative safeguards, Physical safeguards, Technical safeguards
New in HITECH Act of 2009
Breach notification
18. Protected Health Information –
Personal Identifiers in PHI
Name Account No.
Address Certificate/License No.
Phone number Device ID No.
Fax number Vehicle ID No.
E‐mail address Drivers license No.
SSN URL
Birthdate IP Address
Medical Record No. Biometric identifier
Health Plan ID including fingerprints
Treatment date Full face photo
From a slide by David S. Pieczkiewicz for a Health Informatics II class (2006) at the University of Minnesota
19. Under HIPAA Privacy Rule
Some permitted uses and disclosures
Treatment, payment, health care operations
Quality improvement
Competency assurance
Medical reviews & audits
Insurance functions
Business planning & administration
General administrative activities
20. Health Information Privacy Law:
U.S. Challenges
Conflicts between federal vs. state laws
Variations among state laws of different
states
HIPAA only covers “covered entities”
No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
21. Health Information Privacy Law:
Other Western Countries
Canada ‐ The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
EU Countries ‐ EU Data Protection Directive
UK ‐ Data Protection Act 1998
Austria ‐ Data Protection Act 2000
Australia ‐ Privacy Act of 1988
Germany ‐ Federal Data Protection Act of
2001
22. Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
23. Thai ICT Laws
Copyright Act, B.E. 2537
พรบ.ลิขสิทธิ ์ พ.ศ. 2537
And other IP laws (e.g. Patent Act)
Important for intellectual property
considerations (e.g. who owns the
software source code of an in‐house
or outsourced system?)
Not considered professional legal opinion
24. Thai ICT Laws
Computer‐Related Crimes Act, B.E. 2550
พรบ.การกระทําความผิดเกียวกับคอมพิวเตอร์ พ.ศ. 2550
่
Focuses on prosecuting computer
crimes & computer‐related crimes
Responsibility of organizations as IT
service provider: Logging &
provision of access data to authorities
Not considered professional legal opinion
25. Thai ICT Laws
Electronic Transactions Acts, B.E. 2544 & 2551
พรบ.ว่าด้วยธุรกรรมทางอิเล็กทรอนิกส์ พ.ศ. 2544 และ พรบ.ว่าด้วยธุรกรรม
ทางอิเล็กทรอนิกส์ (ฉบับที่ 2) พ.ศ. 2551
Legal binding of electronic transactions and
electronic signatures
Security & privacy requirements for
Determining legal validity & integrity of
electronic transactions and documents, print‐
outs, & paper‐to‐electronic conversions
Governmental & public organizations
Critical infrastructures
Financial sectors
Electronic certificate authorities
Not considered professional legal opinion
26. Thai Privacy Laws
No universal personal data privacy law
(Draft law has been proposed)
National Health Act, B.E. 2550
พรบ.สุขภาพแห่งชาติ พ.ศ. 2550
“มาตรา 7 ข้อมูลด้านสุขภาพของบุคคล เป็ นความลับส่วนบุคคล
ผูใดจะนําไปเปิดเผยในประการทีน่าจะทําให้บุคคลนันเสียหายไม่ได้
้ ่ ้
เว้นแต่การเปิดเผยนันเป็ นไปตามความประสงค์ของบุคคลนัน
้ ้
โดยตรง หรือมีกฎหมายเฉพาะบัญญัตให้ตองเปิดเผย แต่ไม่วาใน
ิ ้ ่
กรณีใด ๆ ผูใดจะอาศัยอํานาจหรือสิทธิตามกฎหมายว่าด้วยข้อมูล
้
ข่าวสารของราชการหรือกฎหมายอืนเพือขอเอกสารเกียวกับข้อมูล
่ ่ ่
ด้านสุขภาพของบุคคลทีไม่ใช่ของตนไม่ได้”
่
Not considered professional legal opinion
27. Thai Privacy Laws
The Sanatorium Acts, B.E. 2541 &
2547
พรบ.สถานพยาบาล พ.ศ. 2541 และ พรบ.สถานพยาบาล
(ฉบับที่ 2) พ.ศ. 2547
ประกาศกระทรวงสาธารณสุข ฉบับที่ 3 (พ.ศ. 2542) เรือง
่
ชนิดหรือประเภทของการรักษาพยาบาล การบริการอื่นของ
้ ่ ่ ้ั
สถานพยาบาลและสิทธิของผูปวยซึงผูรบอนุญาตจะต้องแสดง
ตามมาตรา 32 (3)
Not considered professional legal opinion
29. Thai Privacy Laws
The Official Information Act, B.E. 2540
พรบ.ข้อมูลข่าวสารของราชการ พ.ศ. 2540
“เปิ ดเผยเป็ นหลัก ปกปิ ดเป็ นข้อยกเว้น”
“มาตรา 15 ข้อมูลข่าวสารของราชการทีมลกษณะอย่างหนึ่งอย่างใดดังต่อไปนี้
่ ีั
หน่วยงานของรัฐหรือเจ้าหน้าทีของรัฐอาจมีคาสังมิให้เปิดเผยก็ได้ โดยคํานึงถึง
่ ํ ่
การปฏิบตหน้าทีตามกฎหมาย...ประกอบกัน
ั ิ ่
...
(5) รายงานการแพทย์หรือข้อมูลข่าวสารส่วนบุคคลซึงการเปิดเผยจะเป็ นการรุก
่
ลํ้าสิทธิสวนบุคคลโดยไม่สมควร
่
(6) ข้อมูลข่าวสารของราชการทีมกฎหมายคุมครองมิให้เปิดเผย...
่ ี ้
...”
Not considered professional legal opinion
30. Health Information Privacy Law:
Thailand’s Challenges
Official Information Act only covers
governmental organizations
“Disclose as a rule, protect as an exception”
not appropriate mindset for health
information
National Health Act: One blanket provision
with minimal exceptions: raising concerns
about enforceability (in exceptional
circumstances, e.g. disasters)
Not considered professional legal opinion
31. Health Information Privacy Law:
Thailand’s Challenges
No general data privacy law in place
Unclear implications from ICT laws (e.g.
Electronic Transactions Act)
Governance: No governmental authority
responsible for oversight, enforcement &
regulation of health information privacy
protections
Policy: No systematic national policy to
promote privacy protections
Not considered professional legal opinion
32. We Need A Better Information
Privacy Law That Takes Into
Account the Unique Nature of
Health Information and the
Various Use Cases &
Contingencies in Use & Disclosure
of Health Information in
Thailand’s Context
Nawanan Theera‐Ampornpunt
Not considered professional legal opinion
35. Extra
Can the electronic data in EHRs be used in
court or for other legal purposes? If so, to
what extent and under what legal
provisions?
I wrote a personal opinion on this in March
2012. Not a professional legal opinion and
only based on Ramathibodi’s context, but
would be happy to share.
Not considered professional legal opinion