ethical & legal issues for health it in thailand's context
TRANSCRIPT
Ethical & Legal Issues for Health IT in Thailand’s Context
Nawanan Theera‐Ampornpunt, MD, PhDAugust 23, 2012
Except where citing other works
Leads to patient outcomes, including deaths Provider‐patient relationship threatened by IT? “Rationing” of health care through CDSS Information risks Research ethics Informatics practitioners as “professionals” with specific skills, training, & competencies?
Most common question “Who owns the data?”
Why Important in Informatics?
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Non‐maleficence “Do no harm”
Beneficence Provide benefits to patients
Justice Fair distribution of benefits, risks & costs
Respect for Autonomy Respect decisions made and rights to make decisions by individual persons
Relevant Ethical Principles
Standard view With uncertainties around new technology, “scientific evidence counsels caution and prudence.”
Evidence & reason determine appropriate level of caution
If such systems improve care at acceptable cost in time & money, there’s an obligation to use it
Follows evolving evidence and standards of care
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Standard view For computer‐assisted clinical diagnosis CDS, human cognitive processes are more suited to complex task of diagnosis than machine, and should not be overridden or trumped by computers.
When adequate CDS tools are developed, they should be viewed and used as supplementary and subservient to human clinical judgment
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Fundamental Theorem of Informatics(Friedman, 2009)
Standard view Practitioners have obligation to use tools responsibly, through adequate training & understanding the system’s abilities & limitations
Practitioners must not ignore their clinical judgment reflexively when using CDS.
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Health IT “should be used in clinical practice only after appropriate evaluation of its efficacy and the documentation that it performs its intended task at an acceptable cost in time & money”
Qualified (licensed, trained & experienced) health professionals as users
Systems should be used to augment/supplement, rather than replace or supplant individuals’ decision making
Adequate training
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Follow standard of care & scientific progress (evidence‐based)
System evaluation is ethically imperative
Ethics for Developers
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes. In Shortliffe (3rd Edition).
Privacy: “The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.” (Wikipedia)
Security: “The degree of protection to safeguard ... person against danger, damage, loss, and crime.” (Wikipedia)
Information Security: “Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)
Privacy & Security
Information Security
Confidentiality Integrity Availability
Physical Security System Security
Antivirus, Firewall, Intrusion Detection/Prevention System, Log files, Monitoring
Software Security Network Security Database Security User Security
User account management Education against phishing/social engineering
Encryption
Security Safeguards
Dear mail.mahidol.ac.th Email Account User,
We wrote to you on 11th January 2010 advising that you change the password onyour account in order to prevent any unauthorised account access followingthe network instruction we previously communicated.
all Mailhub systems will undergo regularly scheduled maintenance. Accessto your e‐mail via the Webmail client will be unavailable for some timeduring this maintenance period. We are currently upgrading our data baseand e‐mail account center i.e homepage view. We shall be deleting old[https://mail.mahidol.ac.th/l accounts which are no longer active to createmore space for new accountsusers. we have also investigated a system widesecurity audit to improve and enhanceour current security.
In order to continue using our services you are require to update andre‐comfirmed your email account details as requested below. To completeyour account re‐comfirmation,you must reply to this email immediately andenter your accountdetails as requested below.
Username :Password :Date of Birth:Future Password :
Social Engineering Examples
Real social‐engineering e‐mail received by Speaker
Phishing
Real phishing e‐mail received by Speaker
Privacy Safeguards
Image: http://www.nurseweek.com/news/images/privacy.jpg
Security safeguards Informed consent Privacy culture User awareness building & education Organizational policy & regulations Enforcement Ongoing privacy & security assessments, monitoring, and protection
Authentication & Authorization Role‐based access control Two‐factor authentication Audit trails
HIPAA Personal Health Information (PHI)
Any individually identifiable health information about a patient that is created, received, processed, or stored by a health plan, clearinghouse, or provider
Deidentified
Other Security Concepts & Techniques
Health Insurance Portability and Accountability Act of 1996 More stringent state privacy laws apply HIPAAPrivacy Rule
Regulates use & disclosure of protected health information held by covered entities
Covered Entities: Health plans, providers, clearing houses, and their business associates
Protected Health Information (PHI): Any individually identifiable health information about a patient
HIPAA Security Rule Lays out security safeguards required for compliance
Administrative safeguards, Physical safeguards, Technical safeguards
New in HITECHAct of 2009 Breach notification
HIPAA (U.S.)
Name Address Phone number Fax number E‐mail address SSN Birthdate Medical Record No. Health Plan ID Treatment date
Account No. Certificate/License No. Device ID No. Vehicle ID No. Drivers license No. URL IP Address Biometric identifier
including fingerprints Full face photo
Protected Health Information –Personal Identifiers in PHI
From a slide by David S. Pieczkiewicz for a Health Informatics II class (2006) at the University of Minnesota
Some permitted uses and disclosures Treatment, payment, health care operations Quality improvement Competency assurance Medical reviews & audits Insurance functions Business planning & administration General administrative activities
Under HIPAAPrivacy Rule
Conflicts between federal vs. state laws Variations among state laws of different states
HIPAA only covers “covered entities” No general privacy laws in place, only a few sectoral privacy laws e.g. HIPAA
Health Information Privacy Law: U.S. Challenges
Canada ‐ The Privacy Act (1983), Personal Information Protection and Electronic Data Act of 2000
EU Countries ‐ EU Data Protection Directive UK ‐ Data Protection Act 1998 Austria ‐ Data Protection Act 2000 Australia ‐ Privacy Act of 1988 Germany ‐ Federal Data Protection Act of 2001
Health Information Privacy Law: Other Western Countries
Hippocratic Oath...
What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about....
http://en.wikipedia.org/wiki/Hippocratic_Oath
Copyright Act, B.E. 2537 พรบ.ลขสทธ พ.ศ. 2537 And other IP laws (e.g. Patent Act) Important for intellectual property considerations (e.g. who owns the software source code of an in‐house or outsourced system?)
Thai ICT Laws
Not considered professional legal opinion
Computer‐Related Crimes Act, B.E. 2550 พรบ.การกระทาความผดเกยวกบคอมพวเตอร พ.ศ. 2550 Focuses on prosecuting computer crimes & computer‐related crimes
Responsibility of organizations as IT service provider: Logging & provision of access data to authorities
Thai ICT Laws
Not considered professional legal opinion
Electronic Transactions Acts, B.E. 2544 & 2551 พรบ.วาดวยธรกรรมทางอเลกทรอนกส พ.ศ. 2544 และ พรบ.วาดวยธรกรรมทางอเลกทรอนกส (ฉบบท 2) พ.ศ. 2551 Legal binding of electronic transactions and electronic signatures
Security & privacy requirements for Determining legal validity & integrity of electronic transactions and documents, print‐outs, & paper‐to‐electronic conversions
Governmental & public organizations Critical infrastructures Financial sectors Electronic certificate authorities
Thai ICT Laws
Not considered professional legal opinion
No universal personal data privacy law (Draft law has been proposed)
National Health Act, B.E. 2550 พรบ.สขภาพแหงชาต พ.ศ. 2550 “มาตรา 7 ขอมลดานสขภาพของบคคล เปนความลบสวนบคคล ผใดจะนาไปเปดเผยในประการทนาจะทาใหบคคลนนเสยหายไมได เวนแตการเปดเผยนนเปนไปตามความประสงคของบคคลนนโดยตรง หรอมกฎหมายเฉพาะบญญตใหตองเปดเผย แตไมวาในกรณใด ๆ ผใดจะอาศยอานาจหรอสทธตามกฎหมายวาดวยขอมลขาวสารของราชการหรอกฎหมายอนเพอขอเอกสารเกยวกบขอมลดานสขภาพของบคคลทไมใชของตนไมได”
Thai Privacy Laws
Not considered professional legal opinion
The Sanatorium Acts, B.E. 2541 & 2547
พรบ.สถานพยาบาล พ.ศ. 2541 และ พรบ.สถานพยาบาล
(ฉบบท 2) พ.ศ. 2547 ประกาศกระทรวงสาธารณสข ฉบบท 3 (พ.ศ. 2542) เรอง ชนดหรอประเภทของการรกษาพยาบาล การบรการอนของ
สถานพยาบาลและสทธของผปวยซงผรบอนญาตจะตองแสดง
ตามมาตรา 32 (3)
Thai Privacy Laws
Not considered professional legal opinion
คาประกาศสทธของผปวย
“...7. ผปวยมสทธทจะไดรบการปกปดขอมลเกยวกบตนเอง จากผประกอบวชาชพโดยเครงครด เวนแตจะไดรบความยนยอมจากผปวยหรอการปฏบตหนาทตามกฎหมาย
...9. ผปวยมสทธทจะไดรบทราบขอมลเกยวกบรกษาพยาบาลเฉพาะของตนทปรากฏในเวชระเบยนเมอรองขอ ทงน ขอมลดงกลาวตองไมเปนการละเมดสทธสวนตวของบคคลอน
...”
Thai Privacy Laws
Not considered professional legal opinion
The Official Information Act, B.E. 2540 พรบ.ขอมลขาวสารของราชการ พ.ศ. 2540 “เปดเผยเปนหลก ปกปดเปนขอยกเวน”“มาตรา 15 ขอมลขาวสารของราชการทมลกษณะอยางหนงอยางใดดงตอไปน หนวยงานของรฐหรอเจาหนาทของรฐอาจมคาสงมใหเปดเผยกได โดยคานงถงการปฏบตหนาทตามกฎหมาย...ประกอบกน
...
(5) รายงานการแพทยหรอขอมลขาวสารสวนบคคลซงการเปดเผยจะเปนการรกลาสทธสวนบคคลโดยไมสมควร
(6) ขอมลขาวสารของราชการทมกฎหมายคมครองมใหเปดเผย...
...”
Thai Privacy Laws
Not considered professional legal opinion
Official Information Act only covers governmental organizations
“Disclose as a rule, protect as an exception” not appropriate mindset for health information
National Health Act: One blanket provision with minimal exceptions: raising concerns about enforceability (in exceptional circumstances, e.g. disasters)
Health Information Privacy Law: Thailand’s Challenges
Not considered professional legal opinion
No general data privacy law in place Unclear implications from ICT laws (e.g. Electronic Transactions Act)
Governance: No governmental authority responsible for oversight, enforcement & regulation of health information privacy protections
Policy: No systematic national policy to promote privacy protections
Health Information Privacy Law: Thailand’s Challenges
Not considered professional legal opinion
We Need A Better Information Privacy Law That Takes Into Account the Unique Nature of Health Information and the
Various Use Cases & Contingencies in Use & Disclosure
of Health Information in Thailand’s Context
Nawanan Theera‐AmpornpuntNot considered professional legal opinion
From Flickr by Bikoy (Victor Villanueva)
Privacy: The Cultural Aspect
From Flickr by Saikofish
Privacy: The Cultural Aspect
Can the electronic data in EHRs be used in court or for other legal purposes? If so, to what extent and under what legal provisions?
I wrote a personal opinion on this in March 2012. Not a professional legal opinion and only based on Ramathibodi’s context, but would be happy to share.
Extra
Not considered professional legal opinion