Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act
1. Healthcare Information
Privacy & Confidentiality
How To Work Very Well
With The New Act
Nawanan Theera-Ampornpunt, MD, MS (Health Informatics)
Faculty of Medicine Ramathibodi Hospital
Mahidol University
Strategic Healthcare Management & Informatics 2010 - July 23, 2010
Except copyrighted images reproduced under Fair Use
Slides available at http://www.slideshare.net/nawanan
2. (Draft) Personal Data
Protection Act
Development
Aug 1, 2006 Cabinet approved in principle
Oct 6, 2009 Cabinet approved draft act
Nov 17, 2009 Sent to House of Representatives
Disclaimer: The following materials are based on draft legislation
that is subject to change. There is no claim on the accuracy or
completeness. It is not a professional legal opinion.
All materials are unofficial translations
3. Key Concept
• Personal data means
– Data specific to an individual, such as education, financial
status, health records, criminal records, employment
records, or activity records
– That contain the individual’s name or a number, code, or
some other identifier that could identify the individual,
such as fingerprints, voice patterns, or photos
– Also includes personal data of the deceased
4. Exclusions
• This legislation does not apply to
– Governmental organizations under the Official Information
Act, except state enterprises
– Individuals or legal entities that collect personal data for
their own use alone without letting others use them or
disclose them to others
– Journalism, artistic, or literary work
5. Key Mandates
• Informed consent for data collection/use/disclosure
– With exceptions (Section 19)
• (1) as required by law
• (2) for the benefit of the personal data owner and the consent
can’t be carried out in time
• (3) For purposes related to the personal data owner’s life, health,
or safety
• (4) For the purpose of an officer’s investigation or court’s
proceedings
• (5) For research or statistical purposes, where such data are kept
confidential, with prior notification to the Office as specified
• (6) etc.
6. Key Mandates
• Informed consent: What’s in it?
– Name, address, and status of data collector
– Purpose of the collection/use/disclosure of personal data, without deception
– Nature of data to be collected (sensitive or not)
– Timeframe for data retention
– Personal data owner’s rights
– (for commercial entities) Operational procedures on collection/use/disclosure
of personal data
– Others, as the Committee specifies
7. Key Mandates
• Sensitive data
– Information about sexual behaviors, criminal records or
any wrongdoings, health records, race/ethnicity, political
opinions, religious beliefs
– Potentially negative, damaging, or discriminatory
information
– etc.
• Can be collected with written consent or if
– Permitted in Section 19
– For medical purposes or treatment where such
information is kept confidential
– Etc.
8. Key Mandates
• Responsibilities for data integrity, currency & update
• Prohibits secondary use of personal data without
consent or legal provision
• Code of ethics for data stewards
• Audit logs: who got what data from whom & when
• Data retention permitted until as specified in
consent or as necessary to carry out the objective, or
if consent withdrawn
9. Key Mandates
• Transfer of data to foreign countries
– Without consent or legal provision
– To countries with lower standards of personal data
protection unless otherwise permitted
• Security requirements
– Physical security
– Backup and business continuity plans
– Testing and risk assessments
10. Key Mandates
• Commercial data stewards
– Higher standard of practice
• Channel for abuse reports/data updates
• Security management
• Training
• Responsible for employee or business associate’s actions
• Owner’s rights
• Facilitating measures
– Training/counseling
– Accreditation
• Liabilities & penalties
11. Hippocratic Oath
I swear by Apollo the Physician and Asclepius and Hygieia and Panaceia and all the gods, and goddesses, making them my witnesses, that I will fulfill according to my ability
and judgment this oath and this covenant: To hold him who has taught me this art as equal to my parents and to live my life in partnership with him, and if he is in need of
money to give him a share of mine, and to regard his offspring as equal to my brothers in male lineage and to teach them this art–if they desire to learn it–without fee and
covenant; to give a share of precepts and oral instruction and all the other learning to my sons and to the sons of him who has instructed me and to pupils who have signed
the covenant and have taken the oath according to medical law, but to no one else.
I will apply dietic measures for the benefit of the sick according to my ability and judgment; I will keep them from harm and injustice.
I will neither give a deadly drug to anybody if asked for it, nor will I make a suggestion to this effect. Similarly I will not give to a woman an abortive remedy. In purity and
holiness I will guard my life and my art.
I will not use the knife, not even on sufferers from stone, but will withdraw in favor of such men as are engaged in this work.
Whatever houses I may visit, I will come for the benefit of the sick, remaining free of all intentional injustice, of all mischief and in particular of sexual relations with both
female and male persons, be they free or slaves.
What I may see or hear in the course of treatment or
even outside of the treatment in regard to the life of
men, which on no account one must spread abroad,
I will keep myself holding such things shameful to be
spoken about.
If I fulfill this oath and do not violate it, may it be granted to me to enjoy life and art, being honored with fame
among all men for all time to come; if I transgress it and swear falsely, may the opposite of all this be my lot.
http://en.wikipedia.org/wiki/Hippocratic_Oath
12. Declaration of Patient’s Rights
(1998)
1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540.
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing,
political affiliation, sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly
understand about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse
treatment from the medical practitioner treating him/her except in case of emergency or life threatening situation.
4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical
practitioner as necessary, regardless of whether the patient requests assistance or not.
5. The patient has the rights to know the name-surname and the specialty of the practitioner under whose care he/she is in.
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not
involved in the immediate care of him/her as well as the right to change the place of medical service or treatment, as
requested by the patient without prejudice.
7. The patient has the rights to expect that their personal
information are kept confidential by the medical
practitioner, the only exception being in cases with the
consent of the patient or due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in
order to make decision to participate in/or withdraw from the medical research being carried out by their health care provider.
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the
medical record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is
physically or mentally handicapped wherein they could not exercise their own rights.
Issued on April 16, 1998 (BE 2541)
13. National Health Act,
B.E. 2550 (2007)
Section 7. Personal health information shall be
kept confidential. No person shall disclose it in
such a manner as to cause damage to him or her,
unless it is done according to his or her will, or is
required by a specific law to do so. Provided that,
in any case whatsoever, no person shall have the
power or right under the law on official information
or other laws to request for a document related to
personal health information of any person other
than himself or herself.
14. Impacts
Positive Impacts
• Increased awareness
• Better protection of patient’s privacy
• Encouraging trust in legitimate transactions
• Public image
Negative Impacts
• Costs for compliance
– Technologies
– Expertise
– Change in procedures
– Business disruptions
• Legal oversensitivity?
• Prohibitive effect on information exchange/collaboration
• Inhibiting research & education?
15. Is it the right thing to do?
“First, Do No Harm”
Image: http://news.stanford.edu/news/2006/february22/med-aaas-022206.html
17. How To Navigate?
• Embrace information privacy as today’s value
Image: http://www.nurseweek.com/news/images/privacy.jpg
19. Prioritize!
Use privacy law as guidance and prioritization tools
Image: http://4.bp.blogspot.com/_rgeZ_2I0PmE/S2ZiSTiCwvI/AAAAAAAAAk4/yMy1QoeZIqo/s1600-h/priority.jpg
20. Balance the views of lawyers vs. clinicians
• Lawyers: Business Survival, Liabilities, Business Reputation
• Clinicians: Patient Survival (& Health), Quality, Clinical Excellence
21. Balance focus on technology vs. management
• Technologists: Solve problems with proper technologies
• Management: Solve problems with management and procedures
22. Don’t forget data on
papers!!!
Image: http://case-connect.com/blog/wp-content/uploads/2009/09/medical20records.jpg
23. Technology is
a moving target
Keep eyes on new
technologies
The individual logos are trademarks or registered trademarks of their respective owners
Images: http://media.govtech.net/pub_images/emgmt/Aug_2006/Moving_Target.jpg
http://en.wikipedia.org/wiki/File:Steve_Jobs_Headshot_2010-CROP.jpg http://fmmobiles.ie/shop/images/300_blackberry_bold.jpg
24. A real Facebook post
(Translated from Thai)
[A junior doctor posting on an attending’s wall]
“Yesterday at the OPD I saw Mr. XYZ whom you
operated on, during a follow‐up visit. He has now
recovered and wants to give thanks to you. He is a
little busy so he is unable to go to Bangkok, but once
he’s ready, he’ll come for a follow‐up with you.”
What if the attending is a renowned erectile dysfunction surgeon?
Why would it matter anyway? A patient’s privacy is his privacy!
25. Challenges
• Move from the status quo
• Change the mindset/culture in organization
• Find the weakest link
• Resource/time constraints
• Turn costly mandate into strategic advantage
• But....It’s not the end of the world!!
26. The time to begin
is now!!
Image: http://blog.longnow.org/2007/07/19/the-watch-of-the-long-now/