Presented at the PDPA for Mahidol University Workshop for Healthcare Faculties by the Division of Information Technology, Office of the President, Mahidol University, Nakhon Pathom, Thailand on January 29, 2021
World Cafe Subgroup Workshop Summary on Health Information Exchange Platform ...
Â
Personal Data Protection Act (PDPA) for Health Care Service (January 29, 2021)
1. 1
PDPA for Health Care Service
āļāļ.āļāļ§āļāļĢāļĢāļ āļāļĩāļĢāļ°āļāļąāļĄāļāļĢāļāļąāļāļāļļāđ
āļāļāļ°āđāļāļāļĒāļĻāļēāļŠāļāļĢāđāđāļĢāļāļāļĒāļēāļāļēāļĨāļĢāļēāļĄāļēāļāļīāļāļāļĩ āļĄāļŦāļēāļ§āļīāļāļĒāļēāļĨāļąāļĒāļĄāļŦāļīāļāļĨ
29 āļĄāļāļĢāļēāļāļĄ 2564
āđāļāļĢāļāļāļēāļĢāļāļāļĢāļĄāđāļāļīāļāļāļāļīāļāļąāļāļīāļāļēāļĢāļŦāļąāļ§āļāđāļ âāđāļāļ§āļāļēāļāļāļēāļĢāļāļļāđāļĄāļāļĢāļāļāļāđāļāļĄāļđāļĨāļŠāđāļ§āļāļāļļāļāļāļĨ āļŠāļēāļŦāļĢāļąāļāļāļļāļāļĨāļēāļāļĢāļĄāļŦāļēāļ§āļīāļāļĒāļēāļĨāļąāļĒāļĄāļŦāļīāļāļĨ
(āļŠāđāļ§āļāļāļēāļāļāļĩāđāļĄāļĩāļāļēāļĢāđāļŦāđāļāļĢāļīāļāļēāļĢāļāļēāļāļāļēāļĢāđāļāļāļĒāđ)â
32. 32
âŠSome permitted uses and disclosures
âŠUse of PHI
âŠSharing, application, use, examination or analysis within the entity
that maintains the PHI
âŠDisclosure of PHI
âŠRelease or divulgence of information by an entity to persons or
organizations outside of that entity.
HIPAA Privacy Rule
33. 33
âŠA covered entity may not use or disclose PHI, except
âŠwith individual consent for treatment, payment or healthcare
operations (TPO)
âŠwith individual authorization for other purposes
âŠwithout consent or authorization for governmental and other
specified purposes
HIPAA Privacy Rule
34. 34
âŠTreatment, payment, health care operations (TPO)
⊠Quality improvement
⊠Competency assurance
⊠Medical reviews & audits
⊠Insurance functions
⊠Business planning & administration
⊠General administrative activities
HIPAA Privacy Rule
35. 35
⊠Uses & disclosures without the need for patient authorization permitted in
some circumstances
⊠Required by law
⊠For public health activities
⊠About victims of abuse, neglect, or domestic violence
⊠For health oversight activities
⊠For judicial & administrative proceedings
⊠For law enforcement purposes
⊠About decedents
HIPAA Privacy Rule
36. 36
⊠Uses & disclosures without the need for patient authorization permitted in some
circumstances
⊠For cadaveric organ, eye, or tissue donation purposes
⊠For research purposes
⊠To avert a serious threat to health or safety
⊠For workersâ compensation
⊠For specialized government functions
⊠Military & veterans activities
⊠National security & intelligence activities
⊠Protective services for President & others
⊠Medical suitability determinants
⊠Correctional institutions
⊠CE that are government programs providing public benefits
HIPAA Privacy Rule
37. 37
⊠Control use and disclosure of PHI
⊠Notify patients of information practices (NPP, Notice of Privacy Practices)
⊠Specifies how CE can use and share PHI
⊠Specifies patientâs rights regarding their PHI
⊠Provide means for patients to access their own record
⊠Obtain authorization for non-TPO uses and disclosures
⊠Log disclosures
⊠Restrict use or disclosures
⊠Minimum necessary
⊠Privacy policy and practices
⊠Business Associate agreements
⊠Other applicable statutes
⊠Provide management oversight and response to minimize threats and breaches of privacy
From a teaching slide in UMNâs Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Responsibilities of a Covered Entity
38. 38
⊠Individually identifiable health information collected and used solely for
research IS NOT PHI
⊠Researchers obtaining PHI from a CE must obtain the subjectâs authorization
or must justify an exception:
⊠Waiver of authorization (obtain from the IRB)
⊠Limited Data Set (with data use agreement)
⊠De-identified Data Set
⊠HIPAA Privacy supplements the Common Rule and the FDAâs existing
protection for human subjects
From a teaching slide in UMNâs Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA & Research
39. 39
⊠De-identified Data Set
⊠Remove all 18 personal identifiers of subjects, relatives, employers, or
household members
⊠OR biostatistician confirms that individual cannot be identified with the
available information
⊠Limited Data Set
⊠May include Zip, Birthdate, Date of death, date of service, geographic
subdivision
⊠Remove all other personal identifiers of subject, etc.
⊠Data Use Agreement signed by data recipient that there will be no attempt
to re-identify the subject
From a teaching slide in UMNâs Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Research Datasets
40. 40
⊠Assure the CE that all research-initiated HIPAA requirements have been met
⊠Provide letter of approval to the researcher to conduct research using PHI
⊠OR, Certify and document that waiver of authorization criteria have been
met
⊠Review and approve all authorizations and data use agreements
⊠Retain records documenting HIPAA actions for 6 years
From a teaching slide in UMNâs Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
IRBâs New Responsibilities
89. 89
Common Healthcare Use Cases
âĒ Patient Care (Including Referrals)
âĒ Emergency/Life-Saving
âĒ Non-Emergency
âĒ Occupational Health & Medicine / Welfare
âĒ Healthcare Service Required by Law
âĒ Elective
âĒ Claims & Reimbursements / Public & Private Health Insurance
âĒ Disease Control
âĒ Disaster Management
âĒ Public Health / Health Systems Management
âĒ Health Professionals Training
âĒ Quality Improvement/Audit/Quality Survey/Accreditation
âĒ Human Subjects Research
âĒ Medico-Legal & Ethical/Disciplinary/Investigative Uses
âĒ Public Safety & National Security
90. 90
PDPA āļāļąāļāļāļēāļĢāļ§āļīāļāļąāļĒ
âĒ Research Not Involving Personally Identifiable Information (PII)
âĒ Human Subject Research Involving Personally Identifiable
Information (PII)
âĒ Authorized by Law (Legal Obligation, Public Task, Legitimate Interst vs.
Requiring Informed Consent)
âĒ Prospective Research
âĒ Informed Consent Feasible
âĒ Informed Consent Not Feasible
âĒ Retrospective Research
âĒ De-identification Feasible
âĒ De-identification Not Feasible
106. 106
âŠPrivacy: âThe ability of an individual or group to seclude
themselves or information about themselves and thereby
reveal themselves selectively.â (Wikipedia)
âŠSecurity: âThe degree of protection to safeguard ... person
against danger, damage, loss, and crime.â (Wikipedia)
âŠInformation Security: âProtecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destructionâ
(Wikipedia)
Security & Privacy