Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Healthcare Information Privacy & Confidentiality How To Work Very Well With The New Act Nawanan Theera-Ampornpunt, MD, MS (Health Informatics) Faculty of Medicine Ramathibodi Hospital Mahidol University Strategic Healthcare Management & Informatics 2010 - July 23, 2010 Slides available at http://www.slideshare.net/nawanan Except copyrighted images reproduced under Fair Use


A presentation about health information privacy and personal data protection laws in Thailand

Transcript of Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Page 1: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Healthcare Information Privacy & Confidentiality

How To Work Very Well With The New Act

Nawanan Theera-Ampornpunt, MD, MS (Health Informatics)

Faculty of Medicine Ramathibodi Hospital

Mahidol University

Strategic Healthcare Management & Informatics 2010 - July 23, 2010

Slides available at http://www.slideshare.net/nawanan

Except copyrighted images reproduced under Fair Use

Page 2: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

(Draft) Personal Data Protection Act

• Development

– Aug 1, 2006: Cabinet approved in principle

– Oct 6, 2009: Cabinet approved draft act

– Nov 17, 2009: Sent to House of Representatives

Disclaimer: The following materials are based on draft legislation that is subject to change. There is no claim on the accuracy or completeness. It is not a professional legal opinion. All materials are unofficial translations

Page 3: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Concept

• Personal data means

– Data specific to an individual, such as education, financial status, health records, criminal records, employment records, or activity records

– That contain the individual’s name or a number, code, or some other identifier that could identify the individual, such as fingerprints, voice patterns, or photos

– Also includes personal data of the deceased

Page 4: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Exclusions

• This legislation does not apply to

– Governmental organizations under the Official Information Act, except state enterprises

– Individuals or legal entities that collect personal data for their own use alone without letting others use them or disclose them to others

– Journalism, artistic, or literary work

Page 5: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Informed consent for data collection/use/disclosure

– With exceptions (Section 19)

• (1) as required by law

• (2) for the benefit of the personal data owner and the consent can’t be carried out in time

• (3) For purposes related to the personal data owner’s life, health, or safety

• (4) For the purpose of an officer’s investigation or court’s proceedings

• (5) For research or statistical purposes, where such data are kept confidential, with prior notification to the Office as specified

• (6) etc.

Page 6: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Informed consent: What’s in it?

– Name, address, and status of data collector

– Purpose of the collection/use/disclosure of personal data, without deception

– Nature of data to be collected (sensitive or not)

– Timeframe for data retention

– Personal data owner’s rights

– (for commercial entities) Operational procedures on collection/use/disclosure of personal data

– Others, as the Committee specifies

Page 7: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Sensitive data

– Information about sexual behaviors, criminal records or any wrongdoings, health records, race/ethnicity, political opinions, religious beliefs

– Potentially negative, damaging, or discriminatory information

– etc.

• Can be collected with written consent or if

– Permitted in Section 19

– For medical purposes or treatment where such information is kept confidential

– Etc.

Page 8: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Responsibilities for data integrity, currency & update

• Prohibits secondary use of personal data without consent or legal provision

• Code of ethics for data stewards

• Audit logs: who got what data from whom & when

• Data retention permitted until as specified in consent or as necessary to carry out the objective, or if consent withdrawn

Page 9: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Transfer of data to foreign countries

– Without consent or legal provision

– To countries with lower standards of personal data protection unless otherwise permitted

• Security requirements

– Physical security

– Backup and business continuity plans

– Testing and risk assessments

Page 10: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Key Mandates

• Commercial data stewards

– Higher standard of practice

• Channel for abuse reports/data updates

• Security management

• Training

• Responsible for employee or business associate’s actions

• Owner’s rights

• Facilitating measures

– Training/counseling

– Accreditation

• Liabilities & penalties

Page 11: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Hippocratic Oath

I swear by Apollo the Physician and Asclepius and Hygieia and Panaceia and all the gods, and goddesses, making them my witnesses, that I will fulfill according to my ability and judgment this oath and this covenant: To hold him who has taught me this art as equal to my parents and to live my life in partnership with him, and if he is in need of money to give him a share of mine, and to regard his offspring as equal to my brothers in male lineage and to teach them this art–if they desire to learn it–without fee and covenant; to give a share of precepts and oral instruction and all the other learning to my sons and to the sons of him who has instructed me and to pupils who have signed the covenant and have taken the oath according to medical law, but to no one else.

I will apply dietic measures for the benefit of the sick according to my ability and judgment; I will keep them from harm and injustice.

I will neither give a deadly drug to anybody if asked for it, nor will I make a suggestion to this effect. Similarly I will not give to a woman an abortive remedy. In purity and holiness I will guard my life and my art.

I will not use the knife, not even on sufferers from stone, but will withdraw in favor of such men as are engaged in this work.

Whatever houses I may visit, I will come for the benefit of the sick, remaining free of all intentional injustice, of all mischief and in particular of sexual relations with both female and male persons, be they free or slaves.

What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.

If I fulfill this oath and do not violate it, may it be granted to me to enjoy life and art, being honored with fame among all men for all time to come; if I transgress it and swear falsely, may the opposite of all this be my lot.

http://en.wikipedia.org/wiki/Hippocratic_Oath

Page 12: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Declaration of Patient’s Rights (1998)

1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540.

2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing, political affiliation, sex, age, and the nature of their illness from their medical practitioner.

3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the medical practitioner treating him/her except in case of emergency or life threatening situation.

4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as necessary, regardless of whether the patient requests assistance or not.

5. The patient has the rights to know the name-surname and the specialty of the practitioner under whose care he/she is in.

6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without prejudice.

7. The patient has the rights to expect that their personal information are kept confidential by the medical practitioner, the only exception being in cases with the consent of the patient or due to legal obligation.

8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to make decision to participate in/or withdraw from the medical research being carried out by their health care provider.

9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.

10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or mentally handicapped wherein they could not exercise their own rights.

Issued on April 16, 1998 (BE 2541)

Page 13: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

National Health Act, B.E. 2550 (2007)

Section 7. Personal health information shall be kept confidential. No person shall disclose it in such a manner as to cause damage to him or her, unless it is done according to his or her will, or is required by a specific law to do so. Provided that, in any case whatsoever, no person shall have the power or right under the law on official information or other laws to request for a document related to personal health information of any person other than himself or herself.

Page 14: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Impacts

Positive Impacts

• Increased awareness

• Better protection of patient’s privacy

• Encouraging trust in legitimate transactions

• Public image

Negative Impacts

• Costs for compliance

– Technologies

– Expertise

– Change in procedures

– Business disruptions

• Legal oversensitivity?

• Prohibitive effect on information exchange/collaboration

• Inhibiting research & education?

Page 15: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Is it the right thing to do?

“First, Do No Harm”

Image: http://news.stanford.edu/news/2006/february22/med-aaas-022206.html

Page 16: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Where’s The Balance?

Benefits Risks

Page 17: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

How To Navigate?

• Embrace information privacy as today’s value

Image: http://www.nurseweek.com/news/images/privacy.jpg

Page 18: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Assess gaps between current practice and best practices

Image: http://commons.wikimedia.org/wiki/File:Chasm_(PSF).jpg

Page 19: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Prioritize!

Use privacy law as guidance and prioritization tools

Image: http://4.bp.blogspot.com/_rgeZ_2I0PmE/S2ZiSTiCwvI/AAAAAAAAAk4/yMy1QoeZIqo/s1600-h/priority.jpg

Page 20: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Balance the views of lawyers vs. clinicians

[Diagram: Lawyers and Clinicians, with labels Patient Survival (& Health), Business Survival, Quality, Liabilities, Clinical Excellence, Business Reputation]

Page 21: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Balance focus on technology vs. management

Technologists: Solve problems with technologies

Management: Solve problems with proper management and procedures

Page 22: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Don’t forget data on papers!!!

Image: http://case-connect.com/blog/wp-content/uploads/2009/09/medical20records.jpg

Page 23: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Technology is a moving target

Keep eyes on new technologies

The individual logos are trademarks or registered trademarks of their respective owners

Images: http://media.govtech.net/pub_images/emgmt/Aug_2006/Moving_Target.jpg

http://en.wikipedia.org/wiki/File:Steve_Jobs_Headshot_2010-CROP.jpg http://fmmobiles.ie/shop/images/300_blackberry_bold.jpg

Page 24: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

A real Facebook post (Translated from Thai)

[A junior doctor posting on an attending’s wall]

“Yesterday at the OPD I saw Mr. XYZ whom you operated on, during a follow‐up visit. He has now recovered and wants to give thanks to you. He is a little busy so he is unable to go to Bangkok, but once he’s ready, he’ll come for a follow‐up with you.”

What if the attending is a renowned erectile dysfunction surgeon?

Why would it matter anyway? A patient’s privacy is his privacy!

Page 25: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

Challenges

• Move from the status quo

• Change the mindset/culture in organization

• Find the weakest link

• Resource/time constraints

• Turn costly mandate into strategic advantage

• But... It’s not the end of the world!!

Page 26: Healthcare Information Privacy & Confidentiality: How To Work Very Well With The New Act

The time to begin is now!!

Image: http://blog.longnow.org/2007/07/19/the-watch-of-the-long-now/