Ethical & Legal Issues for Health IT in Thailand's Context

Ethical & Legal
Issues for Health IT
in Thailand’s Context

Nawanan Theera‐Ampornpunt, MD, PhD
August 23, 2012

Except where
citing other works

Why Important in Informatics?
 Leads to patient outcomes, including deaths
 Provider‐patient relationship threatened by IT?
 “Rationing” of health care through CDSS
 Information risks
 Research ethics
 Informatics practitioners as “professionals”
with specific skills, training, & competencies?
 Most common question “Who owns the data?”

Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).

Relevant Ethical Principles
 Non‐maleficence
 “Do no harm”
 Beneficence
 Provide benefits to patients
 Justice
 Fair distribution of benefits, risks & costs
 Respect for Autonomy
 Respect decisions made and rights to make
decisions by individual persons

Appropriate Use of Health IT
Standard view
 With uncertainties around new technology,
“scientific evidence counsels caution and
prudence.”
 Evidence & reason determine appropriate level
of caution
 If such systems improve care at acceptable cost
in time & money, there’s an obligation to use it
 Follows evolving evidence and standards of
care

Standard view
 For computer‐assisted clinical diagnosis CDS,
human cognitive processes are more suited to
complex task of diagnosis than machine, and
should not be overridden or trumped by
computers.
 When adequate CDS tools are developed, they
should be viewed and used as supplementary
and subservient to human clinical judgment


Fundamental Theorem of Informatics
(Friedman, 2009)

Standard view
 Practitioners have obligation to use tools
responsibly, through adequate training &
understanding the system’s abilities &
limitations
 Practitioners must not ignore their clinical
judgment reflexively when using CDS.


 Health IT “should be used in clinical practice
only after appropriate evaluation of its efficacy
and the documentation that it performs its
intended task at an acceptable cost in time &
money”
 Qualified (licensed, trained & experienced)
health professionals as users
 Systems should be used to
augment/supplement, rather than replace or
supplant individuals’ decision making
 Adequate training


Ethics for Developers
 Follow standard of care & scientific progress
(evidence‐based)
 System evaluation is ethically imperative


Privacy & Security
 Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
 Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
 Information Security: “Protecting information
and information systems from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction”
(Wikipedia)

Information Security

 Confidentiality
 Integrity
 Availability

Security Safeguards
 Physical Security
 System Security
 Antivirus, Firewall, Intrusion Detection/Prevention
System, Log files, Monitoring
 Software Security
 Network Security
 Database Security
 User Security
 User account management

 Education against phishing/social engineering

 Encryption

Social Engineering Examples
Dear mail.mahidol.ac.th Email Account User,

We wrote to you on 11th January 2010 advising that you change the password on
your account in order to prevent any unauthorised account access following
the network instruction we previously communicated.

all Mailhub systems will undergo regularly scheduled maintenance. Access
to your e‐mail via the Webmail client will be unavailable for some time
during this maintenance period. We are currently upgrading our data base
and e‐mail account center i.e homepage view. We shall be deleting old
[https://mail.mahidol.ac.th/l accounts which are no longer active to create
more space for new accountsusers. we have also investigated a system wide
security audit to improve and enhance
our current security.

In order to continue using our services you are require to update and
re‐comfirmed your email account details as requested below. To complete
your account re‐comfirmation,you must reply to this email immediately and
enter your account
details as requested below.

Username :
Password :
Date of Birth:
Future Password :
Real social‐engineering e‐mail received by Speaker

Phishing

Real phishing e‐mail received by Speaker

Privacy Safeguards
 Security safeguards
 Informed consent
 Privacy culture
 User awareness building & education
 Organizational policy & regulations
 Enforcement
 Ongoing privacy & security assessments, monitoring,
and protection

Image: http://www.nurseweek.com/news/images/privacy.jpg

Other Security Concepts & Techniques
 Authentication & Authorization
 Role‐based access control
 Two‐factor authentication
 Audit trails

HIPAA
 Personal Health Information (PHI)

 Any individually identifiable health information about a
patient that is created, received, processed, or stored by a
health plan, clearinghouse, or provider
 Deidentified

HIPAA (U.S.)
 Health Insurance Portability and Accountability Act of 1996
 More stringent state privacy laws apply
 HIPAA Privacy Rule
 Regulates use & disclosure of protected health information held by
covered entities
 Covered Entities: Health plans, providers, clearing houses, and their
business associates
 Protected Health Information (PHI): Any individually identifiable
health information about a patient
 HIPAA Security Rule
 Lays out security safeguards required for compliance
 Administrative safeguards, Physical safeguards, Technical safeguards
 New in HITECH Act of 2009
 Breach notification

Protected Health Information –
Personal Identifiers in PHI
 Name  Account No.
 Address  Certificate/License No.
 Phone number  Device ID No.
 Fax number  Vehicle ID No.
 E‐mail address  Drivers license No.
 SSN  URL
 Birthdate  IP Address
 Medical Record No.  Biometric identifier
 Health Plan ID including fingerprints
 Treatment date  Full face photo

From a slide by David S. Pieczkiewicz for a Health Informatics II class (2006) at the University of Minnesota

Under HIPAA Privacy Rule
 Some permitted uses and disclosures
 Treatment, payment, health care operations
 Quality improvement
 Competency assurance
 Medical reviews & audits
 Insurance functions
 Business planning & administration
 General administrative activities

Health Information Privacy Law:
U.S. Challenges
 Conflicts between federal vs. state laws
 Variations among state laws of different
states
 HIPAA only covers “covered entities”
 No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA

Other Western Countries
 Canada ‐ The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
 EU Countries ‐ EU Data Protection Directive
 UK ‐ Data Protection Act 1998
 Austria ‐ Data Protection Act 2000
 Australia ‐ Privacy Act of 1988
 Germany ‐ Federal Data Protection Act of
2001

Hippocratic Oath
...

What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...

http://en.wikipedia.org/wiki/Hippocratic_Oath

Thai ICT Laws
 Copyright Act, B.E. 2537
 พรบ.ลิขสิทธิ ์ พ.ศ. 2537
 And other IP laws (e.g. Patent Act)
 Important for intellectual property
considerations (e.g. who owns the
software source code of an in‐house
or outsourced system?)

Not considered professional legal opinion

Thai ICT Laws
 Computer‐Related Crimes Act, B.E. 2550
 พรบ.การกระทําความผิดเกียวกับคอมพิวเตอร์ พ.ศ. 2550
่
 Focuses on prosecuting computer
crimes & computer‐related crimes
 Responsibility of organizations as IT
service provider: Logging &
provision of access data to authorities


Thai ICT Laws
 Electronic Transactions Acts, B.E. 2544 & 2551
 พรบ.ว่าด้วยธุรกรรมทางอิเล็กทรอนิกส์ พ.ศ. 2544 และ พรบ.ว่าด้วยธุรกรรม
ทางอิเล็กทรอนิกส์ (ฉบับที่ 2) พ.ศ. 2551
 Legal binding of electronic transactions and
electronic signatures
 Security & privacy requirements for
 Determining legal validity & integrity of
electronic transactions and documents, print‐
outs, & paper‐to‐electronic conversions
 Governmental & public organizations

 Critical infrastructures

 Financial sectors

 Electronic certificate authorities


Thai Privacy Laws
 No universal personal data privacy law
(Draft law has been proposed)
 National Health Act, B.E. 2550
 พรบ.สุขภาพแห่งชาติ พ.ศ. 2550
 “มาตรา 7 ข้อมูลด้านสุขภาพของบุคคล เป็ นความลับส่วนบุคคล
ผูใดจะนําไปเปิดเผยในประการทีน่าจะทําให้บุคคลนันเสียหายไม่ได้
้ ่ ้
เว้นแต่การเปิดเผยนันเป็ นไปตามความประสงค์ของบุคคลนัน
้ ้
โดยตรง หรือมีกฎหมายเฉพาะบัญญัตให้ตองเปิดเผย แต่ไม่วาใน
ิ ้ ่
กรณีใด ๆ ผูใดจะอาศัยอํานาจหรือสิทธิตามกฎหมายว่าด้วยข้อมูล
้
ข่าวสารของราชการหรือกฎหมายอืนเพือขอเอกสารเกียวกับข้อมูล
่ ่ ่
ด้านสุขภาพของบุคคลทีไม่ใช่ของตนไม่ได้”
่

Thai Privacy Laws
 The Sanatorium Acts, B.E. 2541 &
2547
 พรบ.สถานพยาบาล พ.ศ. 2541 และ พรบ.สถานพยาบาล
(ฉบับที่ 2) พ.ศ. 2547
 ประกาศกระทรวงสาธารณสุข ฉบับที่ 3 (พ.ศ. 2542) เรือง
่
ชนิดหรือประเภทของการรักษาพยาบาล การบริการอื่นของ
้ ่ ่ ้ั
สถานพยาบาลและสิทธิของผูปวยซึงผูรบอนุญาตจะต้องแสดง
ตามมาตรา 32 (3)

Thai Privacy Laws
คําประกาศสิทธิของผูป่วย ้
“...
้ ่
7. ผูปวยมีสทธิทจะได้รบการปกปิดข้อมูลเกียวกับตนเอง จากผู้
ิ ่ี ั ่
ประกอบวิชาชีพโดยเคร่งครัด เว้นแต่จะได้รบความยินยอมจากผูปวย
ั ้ ่
หรือการปฏิบตหน้าทีตามกฎหมาย
ั ิ ่
...
้ ่
9. ผูปวยมีสทธิทจะได้รบทราบข้อมูลเกียวกับรักษาพยาบาลเฉพาะ
ิ ่ี ั ่
ของตนทีปรากฏในเวชระเบียนเมือร้องขอ ทังนี้ ข้อมูลดังกล่าวต้องไม่
่ ่ ้
เป็ นการละเมิดสิทธิสวนตัวของบุคคลอืน
่ ่
...”

Thai Privacy Laws
 The Official Information Act, B.E. 2540
 พรบ.ข้อมูลข่าวสารของราชการ พ.ศ. 2540

 “เปิ ดเผยเป็ นหลัก ปกปิ ดเป็ นข้อยกเว้น”
“มาตรา 15 ข้อมูลข่าวสารของราชการทีมลกษณะอย่างหนึ่งอย่างใดดังต่อไปนี้
่ ีั
หน่วยงานของรัฐหรือเจ้าหน้าทีของรัฐอาจมีคาสังมิให้เปิดเผยก็ได้ โดยคํานึงถึง
่ ํ ่
การปฏิบตหน้าทีตามกฎหมาย...ประกอบกัน
ั ิ ่
...
(5) รายงานการแพทย์หรือข้อมูลข่าวสารส่วนบุคคลซึงการเปิดเผยจะเป็ นการรุก
่
ลํ้าสิทธิสวนบุคคลโดยไม่สมควร
่
(6) ข้อมูลข่าวสารของราชการทีมกฎหมายคุมครองมิให้เปิดเผย...
่ ี ้
...”


Thailand’s Challenges
 Official Information Act only covers
governmental organizations
 “Disclose as a rule, protect as an exception”
not appropriate mindset for health
information
 National Health Act: One blanket provision
with minimal exceptions: raising concerns
about enforceability (in exceptional
circumstances, e.g. disasters)

Thailand’s Challenges
 No general data privacy law in place
 Unclear implications from ICT laws (e.g.
Electronic Transactions Act)
 Governance: No governmental authority
responsible for oversight, enforcement &
regulation of health information privacy
protections
 Policy: No systematic national policy to
promote privacy protections

We Need A Better Information
Privacy Law That Takes Into
Account the Unique Nature of
Health Information and the
Various Use Cases &
Contingencies in Use & Disclosure
of Health Information in
Thailand’s Context
Nawanan Theera‐Ampornpunt

Privacy: The Cultural Aspect

From Flickr by Bikoy (Victor Villanueva)

Privacy: The Cultural Aspect

From Flickr by Saikofish

Extra
 Can the electronic data in EHRs be used in
court or for other legal purposes? If so, to
what extent and under what legal
provisions?

 I wrote a personal opinion on this in March
2012. Not a professional legal opinion and
only based on Ramathibodi’s context, but
would be happy to share.

Ethical & Legal Issues for Health IT in Thailand's Context

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (18)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Ethical & Legal Issues for Health IT in Thailand's Context

Ähnlich wie Ethical & Legal Issues for Health IT in Thailand's Context (20)

Mehr von Nawanan Theera-Ampornpunt

Mehr von Nawanan Theera-Ampornpunt (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Ethical & Legal Issues for Health IT in Thailand's Context