TMHG 529 
Legal Aspects in 
Health Informatics 
Nawanan Theera‐Ampornpunt, M.D., Ph.D. 
Faculty of Medicine Ramathibodi Hospital 
Mahidol University 
December 16, 2014 
http://www.SlideShare.net/Nawanan
Outline 
 Basics of Legal Systems 
 Law & Informatics 
 Privacy Laws 
 HIPAA 
 Thailand’s Health Information Privacy Law
Disclaimer 
 No part of the contents is to be considered 
a professional legal opinion. I’m not 
responsible for the lack of completeness, 
accuracy, correctness, or validity of the 
contents for legal or organizational use. 
Seek professional counsel or legal
experts for legal advice.
Basics of Legal Systems
National Legal Systems 
 Civil Law 
 Central source of law recognized as authoritative is 
codifications in a constitution or statute passed by 
legislature, to amend a code 
 Common Law 
 Sources of law are the decisions in cases by judges, 
plus laws & statutes passed by legislature 
 Religious Law 
 A religious system or document used as a legal 
source 
 Pluralistic Systems 
 Thailand is a civil law system influenced by common 
law 
http://en.wikipedia.org/wiki/List_of_national_legal_systems
Legal Systems of the World 
http://en.wikipedia.org/wiki/List_of_national_legal_systems
Sources of Law 
 Enacted Law 
 Constitutions 
 Statutes 
 Court Rules (for court procedures) 
 Administrative Agency Rules 
 Caselaw 
 Judicial 
 Common Law Caselaw 
 Caselaw Interpreting Enacted Law 
 Administrative Agency Decisions 
http://lawandborder.com/wp‐content/uploads/2009/01/Sources‐and‐Hierarchy‐of‐U.S.‐Law.pdf
Hierarchy of Sources of Law 
 National Constitution 
 Federal statutes, treaties, and court rules 
 Federal administrative agency rules 
 Federal common law caselaw 
 State constitutions 
 State statutes and court rules 
 State agency rules 
 State common law caselaw 
 Secondary authorities (Treatises, law reviews, 
legal encyclopedias, digests, etc.) 
http://lawandborder.com/wp‐content/uploads/2009/01/Sources‐and‐Hierarchy‐of‐U.S.‐Law.pdf
Caselaw 
 Future cases should be decided the same way as 
similar past cases 
 Policy goals 
 Fairness: Equality before the law 
 Predictability 
 Judicial efficiency 
http://lawandborder.com/wp‐content/uploads/2009/01/Sources‐and‐Hierarchy‐of‐U.S.‐Law.pdf
Forms of Government 
 Unitary States 
 A state governed as one single 
unit in which central government 
is supreme and any 
administrative divisions exercise 
only powers their central 
government chooses to delegate 
http://en.wikipedia.org/wiki/Unitary_state
Forms of Government 
 Federal states (federalism) 
 States or other subnational units 
share sovereignty with the central 
government, and the states 
constituting the federation have 
an existence and power functions 
that cannot be unilaterally 
changed by central government 
http://en.wikipedia.org/wiki/Federalism http://en.wikipedia.org/wiki/Unitary_state
Levels of Government 
In federal states 
 Federal government 
 State government 
 Local government
Branches of Government 
 Executive Branch 
 Part of government with sole authority and 
responsibility for daily administration of the 
state. It executes the law. 
 Legislative Branch 
(Legislature/Parliament/Congress) 
 An assembly with power to pass, amend, and 
repeal laws 
 Law created by a legislature is called legislation 
or statutory law 
https://en.wikipedia.org/wiki/Executive_(government) https://en.wikipedia.org/wiki/Legislature
Branches of Government 
 Judicial Branch 
 A system of courts that interprets and applies the 
law to the facts of each case in the name of the 
state 
 Generally does not make law (legislative branch) 
or enforce law (executive branch) 
 Separation of Powers doctrine 
https://en.wikipedia.org/wiki/Judiciary
Systems of Government 
 Presidential system 
 Leader of executive branch as head 
of state & head of government 
 Parliamentary system 
 Prime minister responsible to 
legislature as head of government 
 Monarch or president as head of 
state, largely ceremonial 
https://en.wikipedia.org/wiki/Presidential_system https://en.wikipedia.org/wiki/Parliamentary_system
Law & Informatics
Laws Related to Informatics 
 Computer/ICT Laws 
 Intellectual Property Laws 
 Laws on Access to Information 
 Health Laws
Computer/ICT Laws 
 Computer Crimes 
 Electronic Transactions & 
Electronic Signatures 
 E‐commerce, Cyber Law 
 Privacy/Data Protection Law 
(Generic)
Thai ICT Laws 
 Computer‐Related Crimes Act, B.E. 2550 
 Focuses on prosecuting computer 
crimes & computer‐related crimes 
 Responsibility of organizations as IT 
service provider: Logging & 
provision of access data to authorities
Thai ICT Laws 
 Electronic Transactions Acts, B.E. 2544 & 2551 
 Legal binding of electronic transactions and 
electronic signatures 
 Determining legal validity & integrity of
electronic transactions and documents, print‐outs,
& paper‐to‐electronic conversions
 Security & privacy requirements for
 Governmental & public organizations
 Critical infrastructures
 Financial sectors
 Electronic certificate authorities
IP Laws 
 Copyright Law 
 Patent Law 
 Industrial Design Law 
 Trademark Law 
 Trade Secret Laws 
 etc.
Thai IP Laws 
 Copyright Act, B.E. 2537 
 And other IP laws (e.g. Patent Act) 
 Important for intellectual property 
considerations (e.g. who owns the 
software source code of an in‐house 
or outsourced system?)
Laws on Access to Information 
Examples 
 Freedom of Information Act 
(U.S.) 
 Official Information Act 
(Thailand)
Health Laws 
 Laws governing health care facilities 
 Laws governing health care 
professionals 
 Other health laws 
 Laws on Food, Drugs, Medical 
Devices 
 Laws on Health Care Systems 
 Laws on Emergency Medicine 
 etc.
Thai Health Laws 
 The Sanatorium Acts, B.E. 2541 & 2547 
 The Medical Profession Act, B.E. 2525 
 Professional Nursing & Midwifery Acts, 
B.E. 2528 & 2540 
 Laws for other healthcare professionals 
 National Health Security Act, B.E. 2545 
 National Health Acts, B.E. 2550 & 2553 
 Emergency Medicine Act, B.E. 2551 
 Medical Devices Act, B.E. 2551
Health Information 
Privacy Laws
Privacy & Security 
 Privacy: “The ability of an individual or group 
to seclude themselves or information about 
themselves and thereby reveal themselves 
selectively.” (Wikipedia) 
 Security: “The degree of protection to safeguard 
... person against danger, damage, loss, and 
crime.” (Wikipedia)
Privacy Protections: Why? 
http://www.aclu.org/ordering‐pizza
Ethical Principles in Bioethics 
 Respect for Persons (Autonomy) 
 Beneficence 
 Justice 
 Non‐maleficence
Hippocratic Oath 
... 
What I may see or hear in the course of 
treatment or even outside of the 
treatment in regard to the life of men, 
which on no account one must spread 
abroad, I will keep myself holding such 
things shameful to be spoken about. 
... 
http://en.wikipedia.org/wiki/Hippocratic_Oath
Privacy Safeguards 
 Security safeguards 
 Informed consent 
 Privacy culture 
 User awareness building & education 
 Organizational policy & regulations 
 Enforcement 
 Ongoing privacy & security assessments, monitoring, 
and protection 
Image: http://www.nurseweek.com/news/images/privacy.jpg
HIPAA
U.S. Health Information Privacy Law 
 Health Insurance Portability and Accountability Act of 1996
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
 More stringent state privacy laws apply
 HIPAA Goals
 To protect health insurance coverage for workers & 
families when they change or lose jobs (Title I) 
 To require establishment of national standards for 
electronic health care transactions and national 
identifiers for providers, health insurance plans, and 
employers (Title II: “Administrative Simplification” 
provisions) 
 Administrative Simplification provisions also address 
security & privacy of health data 
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
HIPAA (U.S.)
 Title I: Health Care Access, Portability, and 
Renewability 
 Title II: Preventing Health Care Fraud and 
Abuse; Administrative Simplification; 
Medical Liability Reform 
 Requires Department of Health & Human 
Services (HHS) to draft rules aimed at increasing 
efficiency of health care system by creating 
standards for use and dissemination of health 
care information
HIPAA (U.S.)
 Title III: Tax‐Related Health Provisions 
 Title IV: Application and Enforcement 
of Group Health Plan Requirements 
 Title V: Revenue Offsets
HIPAA (U.S.)
 HHS promulgated 5 Administrative 
Simplification rules 
 Privacy Rule 
 Transactions and Code Sets Rule 
 Security Rule 
 Unique Identifiers Rule 
 Enforcement Rule
Some HIPAA Definitions
 Covered Entities 
 A health plan 
 A health care clearinghouse 
 A healthcare provider who transmits any health 
information in electronic form in connection with a 
transaction to enable health information to be exchanged 
electronically 
 Business Associates
Some HIPAA Definitions
 Protected Health Information (PHI) 
 Individually identifiable health information transmitted or 
maintained in electronic media or other form or medium 
 Individually Identifiable Health Information 
 Any information, including demographic information collected from 
an individual, that— 
 (A) is created or received by a CE; and 
 (B) relates to the past, present, or future physical 
 or mental health or condition of an individual, the provision of 
health care to an individual, or the past, present, or future payment 
for the provision of health care to an individual, and— 
 (i) identifies the individual; or 
 (ii) with respect to which there is a reasonable basis to believe that 
the information can be used to identify the individual.
Protected Health Information – 
Personal Identifiers in PHI 
 Name 
 Address 
 Phone number 
 Fax number 
 E‐mail address 
 SSN 
 Birthdate 
 Medical Record No. 
 Health Plan ID 
 Treatment date 
 Account No. 
 Certificate/License No. 
 Device ID No. 
 Vehicle ID No. 
 Drivers license No. 
 URL 
 IP Address 
 Biometric identifier 
including fingerprints 
 Full face photo
HIPAA Privacy Rule
 Establishes national standards to protect PHI; applies to CE & 
business associates 
 Requires appropriate safeguards to protect privacy of PHI 
 Sets limits & conditions on uses & disclosures that may be made 
without patient authorization 
 Gives patients rights over their health information, including 
rights to examine & obtain copy of health records & to request 
corrections 
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Privacy Rule
 Timeline 
 November 3, 1999 Proposed Privacy Rule 
 December 28, 2000 Final Privacy Rule 
 August 14, 2002 Modifications to Privacy Rule 
 April 14, 2003 Compliance Date for most CE 
 Full text (as amended) 
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Privacy Rule
 Some permitted uses and disclosures 
 Use of PHI 
 Sharing, application, use, examination or 
analysis within the entity that maintains the 
PHI 
 Disclosure of PHI 
 Release or divulgence of information by an 
entity to persons or organizations outside of 
that entity.
HIPAA Privacy Rule
 A covered entity may not use or disclose 
PHI, except 
 with individual consent for treatment, 
payment or healthcare operations (TPO) 
 with individual authorization for other 
purposes 
 without consent or authorization for 
governmental and other specified 
purposes
HIPAA Privacy Rule
 Treatment, payment, health care operations 
(TPO) 
 Quality improvement 
 Competency assurance 
 Medical reviews & audits 
 Insurance functions 
 Business planning & administration 
 General administrative activities
HIPAA Privacy Rule
 Uses & disclosures without the need for patient 
authorization permitted in some circumstances 
 Required by law 
 For public health activities 
 About victims of abuse, neglect, or domestic 
violence 
 For health oversight activities 
 For judicial & administrative proceedings 
 For law enforcement purposes 
 About decedents
HIPAA Privacy Rule
 Uses & disclosures without the need for patient 
authorization permitted in some circumstances 
 For cadaveric organ, eye, or tissue donation purposes 
 For research purposes 
 To avert a serious threat to health or safety 
 For workers’ compensation 
 For specialized government functions 
 Military & veterans activities 
 National security & intelligence activities 
 Protective services for President & others 
 Medical suitability determinations
 Correctional institutions 
 CE that are government programs providing public benefits
Responsibilities of a CE 
 Control use and disclosure of PHI 
 Notify patients of information practices (NPP, Notice of Privacy 
Practices) 
 Specifies how CE can use and share PHI 
 Specifies patient’s rights regarding their PHI 
 Provide means for patients to access their own record 
 Obtain authorization for non‐TPO uses and disclosures 
 Log disclosures 
 Restrict use or disclosures 
 Minimum necessary 
 Privacy policy and practices 
 Business Associate agreements 
 Other applicable statutes 
 Provide management oversight and response to minimize threats and 
breaches of privacy 
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA & Research
 Individually identifiable health information 
collected and used solely for research IS NOT PHI 
 Researchers obtaining PHI from a CE must obtain 
the subject’s authorization or must justify an 
exception: 
 Waiver of authorization (obtain from the IRB) 
 Limited Data Set (with data use agreement) 
 De‐identified Data Set 
 HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Research Data Sets 
 De‐identified Data Set 
 Remove all 18 personal identifiers of subjects, 
relatives, employers, or household members 
 OR biostatistician confirms that individual cannot be 
identified with the available information 
 Limited Data Set 
 May include Zip, Birthdate, Date of death, date of 
service, geographic subdivision 
 Remove all other personal identifiers of subject, etc. 
 Data Use Agreement signed by data recipient that 
there will be no attempt to re‐identify the subject 
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
IRB’s New Responsibility 
 Assure the CE that all research‐initiated HIPAA 
requirements have been met 
 Provide letter of approval to the researcher to 
conduct research using PHI 
 OR, Certify and document that waiver of 
authorization criteria have been met 
 Review and approve all authorizations and data 
use agreements 
 Retain records documenting HIPAA actions for 6
years
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule
 Establishes national standards to protect 
individuals’ electronic PHI that is created, 
received, used, or maintained by a CE. 
 Requires appropriate safeguards to ensure 
confidentiality, integrity & security of 
electronic PHI 
 Administrative safeguards 
 Physical safeguards 
 Technical safeguards 
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security Rule
 Timeline 
 August 12, 1998 Proposed Security Rule 
 February 20, 2003 Final Security Rule 
 April 21, 2005 Compliance Date for most CE 
 Full Text 
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
HIPAA Security Rule: Meaning
 The HIPAA Security Rule is:
 A set of information security “best practices” 
 A minimum baseline for security 
 An outline of what to do, and what procedures 
should be in place 
 The HIPAA Security Rule is not:
 A set of specific instructions 
 A set of rules for universal, unconditional 
implementation 
 A document outlining specific implementations 
(vendors, equipment, software, etc.) 
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule: Meaning
 The HIPAA Security Rule is designed to be:
 Technology‐neutral 
 Scalable (doesn’t require all CEs to apply the same 
policies) 
 Flexible (allows CEs to determine their own needs) 
 Comprehensive (covers technical, business, and 
behavioral issues) 
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule: Meaning
 Many rules are either Required or Addressable 
 Required: 
 Compliance is mandatory 
 Addressable: 
 If a specification in the Rule is reasonable and 
appropriate for the CE, then the CE must implement 
 Otherwise, documentation must be made of the 
reasons the policy cannot/will not be implemented, 
and when necessary, offer an alternative 
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
New in HITECH Act of 2009 
 Breach notification 
 Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
 New rules for accounting of disclosures of a 
patient’s health information
Health Information Privacy Law: 
U.S. Challenges 
 Conflicts between federal vs. state laws 
 Variations among state laws of different 
states 
 HIPAA only covers “covered entities”
 No general privacy laws in place, only a few 
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law: 
Other Western Countries 
 Canada ‐ The Privacy Act (1983), Personal 
Information Protection and Electronic Data 
Act of 2000 
 EU Countries ‐ EU Data Protection Directive 
 UK ‐ Data Protection Act 1998 
 Austria ‐ Data Protection Act 2000 
 Australia ‐ Privacy Act of 1988 
 Germany ‐ Federal Data Protection Act of 
2001
Two Systems of Privacy Laws 
 General Data Privacy Law 
 There exists general law protecting privacy 
of all types of information (financial, 
educational, health, etc.) 
 Sectoral Data Privacy Law 
 Each sector (e.g. health sector) has its own 
information privacy laws without a 
general law
Pros & Cons
General Data Privacy Law
 Pros: Covers all types of information with
uniform standard of protection
 Cons: May not be flexible for specific
requirements in each industry or for each
type of information (e.g. health)
Sectoral Data Privacy Law
 Pros: Protections specific to each type of
information (e.g. health information) or
nature of each industry
 Cons: Not covering other types of
information or those kept by other
organizations outside the sector, and no
uniform standard of protections
Thailand’s Health 
Information Privacy 
Law
Declaration of Patient’s Rights (1998) 
1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540. 
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing, political
affiliation, sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand 
about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the 
medical practitioner treating him/her except in case of emergency or life threatening situation. 
4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as 
necessary, regardless of whether the patient requests assistance or not. 
5. The patient has the rights to know the name‐surname and the specialty of the practitioner under whose care he/she is in. 
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the 
immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without 
prejudice. 
7. The patient has the rights to expect that their personal 
information are kept confidential by the medical practitioner, the 
only exception being in cases with the consent of the patient or 
due to legal obligation. 
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to 
make decision to participate in/or withdraw from the medical research being carried out by their health care provider. 
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical 
record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or 
mentally handicapped wherein they could not exercise their own rights. 
Issued on April 16, 1998 (BE 2541)
Thailand’s Official Information Act 
(1997) 
 Ascertains rights of the public to request and 
obtain access to official information in a 
government’s control (including public 
providers) 
 Except 
 When disclosure would jeopardize law 
enforcement or may harm others, etc. 
 Disclosure of personal information without 
consent (except otherwise permitted by law)
National Health Act, B.E. 2550 (2007) 
Section 7. Personal health information shall be 
kept confidential. No person shall disclose it in 
such a manner as to cause damage to him or her, 
unless it is done according to his or her will, or is 
required by a specific law to do so. Provided that, 
in any case whatsoever, no person shall have the 
power or right under the law on official 
information or other laws to request for a 
document related to personal health information 
of any person other than himself or herself.
Health Information Privacy Law: 
Thailand’s Challenges 
 Official Information Act only covers 
governmental organizations 
 “Disclose as a rule, protect as an exception” 
not appropriate mindset for health 
information 
 National Health Act: One blanket provision 
with minimal exceptions: raising concerns 
about enforceability (in exceptional 
circumstances, e.g. disasters) 
Not considered professional legal opinion
Health Information Privacy Law: 
Thailand’s Challenges 
 No general data privacy law in place 
 Unclear implications from ICT laws (e.g. 
Electronic Transactions Act) 
 Governance: No governmental authority 
responsible for oversight, enforcement & 
regulation of health information privacy 
protections 
 Policy: No systematic national policy to 
promote privacy protections 
Not considered professional legal opinion
Health Information Privacy Law: 
Summary 
 Each country has its unique context, 
including legal systems, national priorities, 
public mindset, and infrastructure 
 A comprehensive & systematic approach to 
data privacy and health information privacy 
is still lacking in some countries such as 
Thailand 
 Key issues include enforceable regulations, 
governance, and national policy

The Health Insurance Portability And Accountability Act EssayThe Health Insurance Portability And Accountability Act Essay
The Health Insurance Portability And Accountability Act Essay
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
 
SUMMARY OF THE HIPAA PRIVACY RULE HIPAA Com.docx
SUMMARY OF THE  HIPAA PRIVACY RULE HIPAA Com.docxSUMMARY OF THE  HIPAA PRIVACY RULE HIPAA Com.docx
SUMMARY OF THE HIPAA PRIVACY RULE HIPAA Com.docx
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
Palestinian Legal Environment: Challenges & Opportunities for eGovernment Ini...
Palestinian Legal Environment: Challenges & Opportunities for eGovernment Ini...Palestinian Legal Environment: Challenges & Opportunities for eGovernment Ini...
Palestinian Legal Environment: Challenges & Opportunities for eGovernment Ini...
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer  Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer  Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
 
Critique a Criminal Justice Policy at the Federal or State Level
Critique a Criminal Justice Policy at the Federal or State LevelCritique a Criminal Justice Policy at the Federal or State Level
Critique a Criminal Justice Policy at the Federal or State Level
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
2008 12 08 2008 Privacy
2008 12 08 2008 Privacy2008 12 08 2008 Privacy
2008 12 08 2008 Privacy
 
Hipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActHipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability Act
 
HIPAA and RHIOs
HIPAA and RHIOsHIPAA and RHIOs
HIPAA and RHIOs
 
Introduction hippaa
Introduction hippaaIntroduction hippaa
Introduction hippaa
 
THCS Workforce HIPAA Training
THCS Workforce HIPAA TrainingTHCS Workforce HIPAA Training
THCS Workforce HIPAA Training
 

More from Nawanan Theera-Ampornpunt

Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)
Nawanan Theera-Ampornpunt
 
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Nawanan Theera-Ampornpunt
 
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Nawanan Theera-Ampornpunt
 
Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)
Nawanan Theera-Ampornpunt
 
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Nawanan Theera-Ampornpunt
 
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Nawanan Theera-Ampornpunt
 
Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...
Nawanan Theera-Ampornpunt
 
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Nawanan Theera-Ampornpunt
 
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Nawanan Theera-Ampornpunt
 
Telemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewTelemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of View
Nawanan Theera-Ampornpunt
 
Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)
Nawanan Theera-Ampornpunt
 
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
Nawanan Theera-Ampornpunt
 
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
Nawanan Theera-Ampornpunt
 
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
Nawanan Theera-Ampornpunt
 
Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)
Nawanan Theera-Ampornpunt
 
Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)
Nawanan Theera-Ampornpunt
 
Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)
Nawanan Theera-Ampornpunt
 
Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)
Nawanan Theera-Ampornpunt
 
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Nawanan Theera-Ampornpunt
 
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Nawanan Theera-Ampornpunt
 

More from Nawanan Theera-Ampornpunt (20)

Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)
 
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
 
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
 
Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)
 
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
 
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
 
Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...
 
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
 
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
 
Telemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewTelemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of View
 
Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)
 
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
 
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
 
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
 
Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)
 
Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)
 
Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)
 
Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)
 
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
 
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
 

Recently uploaded

Yemen National Tuberculosis Program .ppt
Yemen National Tuberculosis Program .pptYemen National Tuberculosis Program .ppt
Yemen National Tuberculosis Program .ppt
Esam43
 
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
Guillermo Rivera
 
Introduction to Forensic Pathology course
Introduction to Forensic Pathology courseIntroduction to Forensic Pathology course
Introduction to Forensic Pathology course
fprxsqvnz5
 
CANCER CANCER CANCER CANCER CANCER CANCER
CANCER  CANCER  CANCER  CANCER  CANCER CANCERCANCER  CANCER  CANCER  CANCER  CANCER CANCER
CANCER CANCER CANCER CANCER CANCER CANCER
KRISTELLEGAMBOA2
 
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
ILC- UK
 
Navigating Healthcare with Telemedicine
Navigating Healthcare with  TelemedicineNavigating Healthcare with  Telemedicine
Navigating Healthcare with Telemedicine
Iris Thiele Isip-Tan
 
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
preciousstephanie75
 
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
ranishasharma67
 
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
The Lifesciences Magazine
 
The Importance of Community Nursing Care.pdf
The Importance of Community Nursing Care.pdfThe Importance of Community Nursing Care.pdf
The Importance of Community Nursing Care.pdf
AD Healthcare
 
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptxGLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
priyabhojwani1200
 
Navigating Women's Health: Understanding Prenatal Care and Beyond
Navigating Women's Health: Understanding Prenatal Care and BeyondNavigating Women's Health: Understanding Prenatal Care and Beyond
Navigating Women's Health: Understanding Prenatal Care and Beyond
Aboud Health Group
 
Health Education on prevention of hypertension
Health Education on prevention of hypertensionHealth Education on prevention of hypertension
Health Education on prevention of hypertension
Radhika kulvi
 
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
samahesh1
 
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
ranishasharma67
 
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdfCHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
Sachin Sharma
 
Medical Technology Tackles New Health Care Demand - Research Report - March 2...
Medical Technology Tackles New Health Care Demand - Research Report - March 2...Medical Technology Tackles New Health Care Demand - Research Report - March 2...
Medical Technology Tackles New Health Care Demand - Research Report - March 2...
pchutichetpong
 
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
ranishasharma67
 
ICH Guidelines for Pharmacovigilance.pdf
ICH Guidelines for Pharmacovigilance.pdfICH Guidelines for Pharmacovigilance.pdf
ICH Guidelines for Pharmacovigilance.pdf
NEHA GUPTA
 
10 Ideas for Enhancing Your Meeting Experience
10 Ideas for Enhancing Your Meeting Experience10 Ideas for Enhancing Your Meeting Experience
10 Ideas for Enhancing Your Meeting Experience
ranishasharma67
 

Recently uploaded (20)

Yemen National Tuberculosis Program .ppt
Yemen National Tuberculosis Program .pptYemen National Tuberculosis Program .ppt
Yemen National Tuberculosis Program .ppt
 
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
Navigating Challenges: Mental Health, Legislation, and the Prison System in B...
 
Introduction to Forensic Pathology course
Introduction to Forensic Pathology courseIntroduction to Forensic Pathology course
Introduction to Forensic Pathology course
 
CANCER CANCER CANCER CANCER CANCER CANCER
CANCER  CANCER  CANCER  CANCER  CANCER CANCERCANCER  CANCER  CANCER  CANCER  CANCER CANCER
CANCER CANCER CANCER CANCER CANCER CANCER
 
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
Global launch of the Healthy Ageing and Prevention Index 2nd wave – alongside...
 
Navigating Healthcare with Telemedicine
Navigating Healthcare with  TelemedicineNavigating Healthcare with  Telemedicine
Navigating Healthcare with Telemedicine
 
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
Surgery-Mini-OSCE-All-Past-Years-Questions-Modified.
 
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
💘Ludhiana ℂall Girls 📞]][89011★83002][[ 📱 ❤ESCORTS service in Ludhiana💃💦Ludhi...
 
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
Deep Leg Vein Thrombosis (DVT): Meaning, Causes, Symptoms, Treatment, and Mor...
 
The Importance of Community Nursing Care.pdf
The Importance of Community Nursing Care.pdfThe Importance of Community Nursing Care.pdf
The Importance of Community Nursing Care.pdf
 
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptxGLOBAL WARMING BY PRIYA BHOJWANI @..pptx
GLOBAL WARMING BY PRIYA BHOJWANI @..pptx
 
Navigating Women's Health: Understanding Prenatal Care and Beyond
Navigating Women's Health: Understanding Prenatal Care and BeyondNavigating Women's Health: Understanding Prenatal Care and Beyond
Navigating Women's Health: Understanding Prenatal Care and Beyond
 
Health Education on prevention of hypertension
Health Education on prevention of hypertensionHealth Education on prevention of hypertension
Health Education on prevention of hypertension
 
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
.Metabolic.disordersYYSSSFFSSSSSSSSSSDDD
 
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
 
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdfCHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
 
Medical Technology Tackles New Health Care Demand - Research Report - March 2...
Medical Technology Tackles New Health Care Demand - Research Report - March 2...Medical Technology Tackles New Health Care Demand - Research Report - March 2...
Medical Technology Tackles New Health Care Demand - Research Report - March 2...
 
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
Contact ME {89011**83002} Haridwar ℂall Girls By Full Service Call Girl In Ha...
 
ICH Guidelines for Pharmacovigilance.pdf
ICH Guidelines for Pharmacovigilance.pdfICH Guidelines for Pharmacovigilance.pdf
ICH Guidelines for Pharmacovigilance.pdf
 
10 Ideas for Enhancing Your Meeting Experience
10 Ideas for Enhancing Your Meeting Experience10 Ideas for Enhancing Your Meeting Experience
10 Ideas for Enhancing Your Meeting Experience
 

Legal Aspects in Health Informatics

  • 1. TMHG 529 Legal Aspects in Health Informatics Nawanan Theera‐Ampornpunt, M.D., Ph.D. Faculty of Medicine Ramathibodi Hospital Mahidol University December 16, 2014 http://www.SlideShare.net/Nawanan
  • 2. Outline
      - Basics of Legal Systems
      - Law & Informatics
      - Privacy Laws
      - HIPAA
      - Thailand’s Health Information Privacy Law
  • 3. Disclaimer
      - No part of the contents is to be considered a professional legal opinion. I’m not responsible for the lack of completeness, accuracy, correctness, or validity of the contents for legal or organizational use. Seek professional counsel or legal experts for legal advice.
  • 4. Basics of Legal Systems
  • 5. National Legal Systems
      - Civil Law
      - Central source of law recognized as authoritative is codifications in a constitution or statute passed by legislature, to amend a code
      - Common Law
      - Sources of law are the decisions in cases by judges, plus laws & statutes passed by legislature
      - Religious Law
      - A religious system or document used as a legal source
      - Pluralistic Systems
      - Thailand is a civil law system influenced by common law
      http://en.wikipedia.org/wiki/List_of_national_legal_systems
  • 6. Legal Systems of the World
      http://en.wikipedia.org/wiki/List_of_national_legal_systems
  • 7. Sources of Law
      - Enacted Law
      - Constitutions
      - Statutes
      - Court Rules (for court procedures)
      - Administrative Agency Rules
      - Caselaw
      - Judicial
      - Common Law Caselaw
      - Caselaw Interpreting Enacted Law
      - Administrative Agency Decisions
      http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
  • 8. Hierarchy of Sources of Law
      - National Constitution
      - Federal statutes, treaties, and court rules
      - Federal administrative agency rules
      - Federal common law caselaw
      - State constitutions
      - State statutes and court rules
      - State agency rules
      - State common law caselaw
      - Secondary authorities (Treatises, law reviews, legal encyclopedias, digests, etc.)
      http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
  • 9. Caselaw
      - Future cases should be decided the same way as similar past cases
      - Policy goals
      - Fairness: Equality before the law
      - Predictability
      - Judicial efficiency
      http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
  • 10. Forms of Government
      - Unitary States
      - A state governed as one single unit in which central government is supreme and any administrative divisions exercise only powers their central government chooses to delegate
      http://en.wikipedia.org/wiki/Unitary_state
  • 11. Forms of Government
      - Federal states (federalism)
      - States or other subnational units share sovereignty with the central government, and the states constituting the federation have an existence and power functions that cannot be unilaterally changed by central government
      http://en.wikipedia.org/wiki/Federalism
      http://en.wikipedia.org/wiki/Unitary_state
  • 12. Levels of Government
      In federal states
      - Federal government
      - State government
      - Local government
  • 13. Branches of Government
      - Executive Branch
      - Part of government with sole authority and responsibility for daily administration of the state. It executes the law.
      - Legislative Branch (Legislature/Parliament/Congress)
      - An assembly with power to pass, amend, and repeal laws
      - Law created by a legislature is called legislation or statutory law
      https://en.wikipedia.org/wiki/Executive_(government)
      https://en.wikipedia.org/wiki/Legislature
  • 14. Branches of Government
      - Judicial Branch
      - A system of courts that interprets and applies the law to the facts of each case in the name of the state
      - Generally does not make law (legislative branch) or enforce law (executive branch)
      - Separation of Powers doctrine
      https://en.wikipedia.org/wiki/Judiciary
  • 15. Systems of Government
      - Presidential system
      - Leader of executive branch as head of state & head of government
      - Parliamentary system
      - Prime minister responsible to legislature as head of government
      - Monarch or president as head of state, largely ceremonial
      https://en.wikipedia.org/wiki/Presidential_system
      https://en.wikipedia.org/wiki/Parliamentary_system
  • 17. Laws Related to Informatics
      - Computer/ICT Laws
      - Intellectual Property Laws
      - Laws on Access to Information
      - Health Laws
  • 18. Computer/ICT Laws
      - Computer Crimes
      - Electronic Transactions & Electronic Signatures
      - E‐commerce, Cyber Law
      - Privacy/Data Protection Law (Generic)
  • 19. Thai ICT Laws
      - Computer‐Related Crimes Act, B.E. 2550
      - Focuses on prosecuting computer crimes & computer‐related crimes
      - Responsibility of organizations as IT service provider: Logging & provision of access data to authorities
  • 20. Thai ICT Laws
      - Electronic Transactions Acts, B.E. 2544 & 2551
      - Legal binding of electronic transactions and electronic signatures
      - Security & privacy requirements for
      - Determining legal validity & integrity of electronic transactions and documents, print‐outs, & paper‐to‐electronic conversions
      - Governmental & public organizations
      - Critical infrastructures
      - Financial sectors
      - Electronic certificate authorities
  • 21. IP Laws
      - Copyright Law
      - Patent Law
      - Industrial Design Law
      - Trademark Law
      - Trade Secret Laws
      - etc.
  • 22. Thai IP Laws
      - Copyright Act, B.E. 2537
      - And other IP laws (e.g. Patent Act)
      - Important for intellectual property considerations (e.g. who owns the software source code of an in‐house or outsourced system?)
  • 23. Laws on Access to Information
      Examples
      - Freedom of Information Act (U.S.)
      - Official Information Act (Thailand)
  • 24. Health Laws
      - Laws governing health care facilities
      - Laws governing health care professionals
      - Other health laws
      - Laws on Food, Drugs, Medical Devices
      - Laws on Health Care Systems
      - Laws on Emergency Medicine
      - etc.
  • 25. Thai Health Laws
      - The Sanatorium Acts, B.E. 2541 & 2547
      - The Medical Profession Act, B.E. 2525
      - Professional Nursing & Midwifery Acts, B.E. 2528 & 2540
      - Laws for other healthcare professionals
      - National Health Security Act, B.E. 2545
      - National Health Acts, B.E. 2550 & 2553
      - Emergency Medicine Act, B.E. 2551
      - Medical Devices Act, B.E. 2551
  • 27. Privacy & Security
      - Privacy: “The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.” (Wikipedia)
      - Security: “The degree of protection to safeguard ... person against danger, damage, loss, and crime.” (Wikipedia)
  • 28. Privacy Protections: Why?
      http://www.aclu.org/ordering-pizza
  • 29. Ethical Principles in Bioethics
      - Respect for Persons (Autonomy)
      - Beneficence
      - Justice
      - Non‐maleficence
  • 30. Hippocratic Oath
      ... What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about. ...
      http://en.wikipedia.org/wiki/Hippocratic_Oath
  • 31. Privacy Safeguards
      - Security safeguards
      - Informed consent
      - Privacy culture
      - User awareness building & education
      - Organizational policy & regulations
      - Enforcement
      - Ongoing privacy & security assessments, monitoring, and protection
      Image: http://www.nurseweek.com/news/images/privacy.jpg
  • 32. HIPAA
  • 33. U.S. Health Information Privacy Law  Health Insurance Portability and Accountability Act of 1996 http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf  More stringent state privacy laws apply  HIPAA Goals  To protect health insurance coverage for workers & families when they change or lose jobs (Title I)  To require establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers (Title II: “Administrative Simplification” provisions)  Administrative Simplification provisions also address security & privacy of health data http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
  • 34. HIPAA (U.S.)  Title I: Health Care Access, Portability, and Renewability  Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform  Requires Department of Health & Human Services (HHS) to draft rules aimed at increasing efficiency of health care system by creating standards for use and dissemination of health care information
  • 35. HIPAA (U.S.)  Title III: Tax‐Related Health Provisions  Title IV: Application and Enforcement of Group Health Plan Requirements  Title V: Revenue Offsets
  • 36. HIPAA (U.S.)  HHS promulgated 5 Administrative Simplification rules  Privacy Rule  Transactions and Code Sets Rule  Security Rule  Unique Identifiers Rule  Enforcement Rule
  • 37. Some HIPAA Definitions  Covered Entities  A health plan  A health care clearinghouse  A healthcare provider who transmits any health information in electronic form in connection with a transaction to enable health information to be exchanged electronically  Business Associates
  • 38. Some HIPAA Definitions  Protected Health Information (PHI)  Individually identifiable health information transmitted or maintained in electronic media or other form or medium  Individually Identifiable Health Information  Any information, including demographic information collected from an individual, that—  (A) is created or received by a CE; and  (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—  (i) identifies the individual; or  (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  • 39. Protected Health Information – Personal Identifiers in PHI  Name  Address  Phone number  Fax number  E‐mail address  SSN  Birthdate  Medical Record No.  Health Plan ID  Treatment date  Account No.  Certificate/License No.  Device ID No.  Vehicle ID No.  Drivers license No.  URL  IP Address  Biometric identifier including fingerprints  Full face photo
  • 40. HIPAA Privacy Rule  Establishes national standards to protect PHI; applies to CE & business associates  Requires appropriate safeguards to protect privacy of PHI  Sets limits & conditions on uses & disclosures that may be made without patient authorization  Gives patients rights over their health information, including rights to examine & obtain copy of health records & to request corrections http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
  • 41. HIPAA Privacy Rule  Timeline  November 3, 1999 Proposed Privacy Rule  December 28, 2000 Final Privacy Rule  August 14, 2002 Modifications to Privacy Rule  April 14, 2003 Compliance Date for most CE  Full text (as amended) http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
  • 42. HIPAA Privacy Rule  Some permitted uses and disclosures  Use of PHI  Sharing, application, use, examination or analysis within the entity that maintains the PHI  Disclosure of PHI  Release or divulgence of information by an entity to persons or organizations outside of that entity.
  • 43. HIPAA Privacy Rule  A covered entity may not use or disclose PHI, except  with individual consent for treatment, payment or healthcare operations (TPO)  with individual authorization for other purposes  without consent or authorization for governmental and other specified purposes
  • 44. HIPAA Privacy Rule  Treatment, payment, health care operations (TPO)  Quality improvement  Competency assurance  Medical reviews & audits  Insurance functions  Business planning & administration  General administrative activities
  • 45. HIPAA Privacy Rule  Uses & disclosures without the need for patient authorization permitted in some circumstances  Required by law  For public health activities  About victims of abuse, neglect, or domestic violence  For health oversight activities  For judicial & administrative proceedings  For law enforcement purposes  About decedents
  • 46. HIPAA Privacy Rule  Uses & disclosures without the need for patient authorization permitted in some circumstances  For cadaveric organ, eye, or tissue donation purposes  For research purposes  To avert a serious threat to health or safety  For workers’ compensation  For specialized government functions  Military & veterans activities  National security & intelligence activities  Protective services for President & others  Medical suitability determinants  Correctional institutions  CE that are government programs providing public benefits
  • 47. Responsibilities of a CE  Control use and disclosure of PHI  Notify patients of information practices (NPP, Notice of Privacy Practices)  Specifies how CE can use and share PHI  Specifies patient’s rights regarding their PHI  Provide means for patients to access their own record  Obtain authorization for non‐TPO uses and disclosures  Log disclosures  Restrict use or disclosures  Minimum necessary  Privacy policy and practices  Business Associate agreements  Other applicable statutes  Provide management oversight and response to minimize threats and breaches of privacy From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 48. HIPAA & Research  Individually identifiable health information collected and used solely for research IS NOT PHI  Researchers obtaining PHI from a CE must obtain the subject’s authorization or must justify an exception:  Waiver of authorization (obtain from the IRB)  Limited Data Set (with data use agreement)  De‐identified Data Set  HIPAA Privacy supplements the Common Rule and the FDA’s existing protection for human subjects From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 49. Research Data Sets  De‐identified Data Set  Remove all 18 personal identifiers of subjects, relatives, employers, or household members  OR biostatistician confirms that individual cannot be identified with the available information  Limited Data Set  May include Zip, Birthdate, Date of death, date of service, geographic subdivision  Remove all other personal identifiers of subject, etc.  Data Use Agreement signed by data recipient that there will be no attempt to re‐identify the subject From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 50. IRB’s New Responsibility  Assure the CE that all research‐initiated HIPAA requirements have been met  Provide letter of approval to the researcher to conduct research using PHI  OR, Certify and document that waiver of authorization criteria have been met  Review and approve all authorizations and data use agreements  Retain records documenting HIPAA actions for 6 years From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 51. HIPAA Security Rule  Establishes national standards to protect individuals’ electronic PHI that is created, received, used, or maintained by a CE.  Requires appropriate safeguards to ensure confidentiality, integrity & security of electronic PHI  Administrative safeguards  Physical safeguards  Technical safeguards http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
  • 52. HIPAA Security Rule  Timeline  August 12, 1998 Proposed Security Rule  February 20, 2003 Final Security Rule  April 21, 2005 Compliance Date for most CE  Full Text http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  • 53. HIPAA Security Rule: Meaning  The HIPAA Security Rule is:  A set of information security “best practices”  A minimum baseline for security  An outline of what to do, and what procedures should be in place  The HIPAA Security Rule is not:  A set of specific instructions  A set of rules for universal, unconditional implementation  A document outlining specific implementations (vendors, equipment, software, etc.) From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 54. HIPAA Security Rule: Meaning  The HIPAA Security Rule is designed to be:  Technology‐neutral  Scalable (doesn’t require all CEs to apply the same policies)  Flexible (allows CEs to determine their own needs)  Comprehensive (covers technical, business, and behavioral issues) From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 55. HIPAA Security Rule: Meaning  Many rules are either Required or Addressable  Required:  Compliance is mandatory  Addressable:  If a specification in the Rule is reasonable and appropriate for the CE, then the CE must implement  Otherwise, documentation must be made of the reasons the policy cannot/will not be implemented, and when necessary, offer an alternative From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
  • 56. New in HITECH Act of 2009  Breach notification  Extension of complete Privacy & Security HIPAA provisions to business associates of covered entities  New rules for accounting of disclosures of a patient’s health information
  • 57. Health Information Privacy Law: U.S. Challenges  Conflicts between federal vs. state laws  Variations among state laws of different states  HIPAA only covers “covered entities”  No general privacy laws in place, only a few sectoral privacy laws e.g. HIPAA
  • 58. Health Information Privacy Law: Other Western Countries  Canada ‐ The Privacy Act (1983), Personal Information Protection and Electronic Data Act of 2000  EU Countries ‐ EU Data Protection Directive  UK ‐ Data Protection Act 1998  Austria ‐ Data Protection Act 2000  Australia ‐ Privacy Act of 1988  Germany ‐ Federal Data Protection Act of 2001
  • 59. Two Systems of Privacy Laws  General Data Privacy Law  There exists general law protecting privacy of all types of information (financial, educational, health, etc.)  Sectoral Data Privacy Law  Each sector (e.g. health sector) has its own information privacy laws without a general law
  • 60. Pros & Cons  General Data Privacy Law  Pros: Covers all types of information with uniform standard of protection  Cons: May not be flexible for specific requirements in each industry or for each type of information (e.g. health)  Sectoral Data Privacy Law  Pros: Protections specific to each type of information (e.g. health information) or nature of each industry  Cons: Not covering other types of information or those kept by other organizations outside the sector, and no uniform standard of protections
  • 62. Declaration of Patient’s Rights (1998) 1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540. 2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing, political affiliation sex, age, and the nature of their illness from their medical practitioner. 3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the medical practitioner treating him/her except in case of emergency or life threatening situation. 4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as necessary, regardless of whether the patient requests assistance or not. 5. The patient has the rights to know the name‐surname and the specialty of the practitioner under whose care he/she is in. 6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without prejudice. 7. The patient has the rights to expect that their personal information are kept confidential by the medical practitioner, the only exception being in cases with the consent of the patient or due to legal obligation. 8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to make decision to participate in/or withdraw from the medical research being carried out by their health care provider. 9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical record as requested. With respect to this, the information obtained must not infringe upon other individual's rights. 10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or mentally handicapped wherein they could not exercise their own rights. Issued on April 16, 1998 (BE 2541)
  • 63. Thailand’s Official Information Act (1997)  Ascertains rights of the public to request and obtain access to official information in a government’s control (including public providers)  Except  When disclosure would jeopardize law enforcement or may harm others, etc.  Disclosure of personal information without consent (except otherwise permitted by law)
  • 64. National Health Act, B.E. 2550 (2007) Section 7. Personal health information shall be kept confidential. No person shall disclose it in such a manner as to cause damage to him or her, unless it is done according to his or her will, or is required by a specific law to do so. Provided that, in any case whatsoever, no person shall have the power or right under the law on official information or other laws to request for a document related to personal health information of any person other than himself or herself.
  • 65. Health Information Privacy Law: Thailand’s Challenges  Official Information Act only covers governmental organizations  “Disclose as a rule, protect as an exception” not appropriate mindset for health information  National Health Act: One blanket provision with minimal exceptions: raising concerns about enforceability (in exceptional circumstances, e.g. disasters) Not considered professional legal opinion
  • 66. Health Information Privacy Law: Thailand’s Challenges  No general data privacy law in place  Unclear implications from ICT laws (e.g. Electronic Transactions Act)  Governance: No governmental authority responsible for oversight, enforcement & regulation of health information privacy protections  Policy: No systematic national policy to promote privacy protections Not considered professional legal opinion
  • 67. Health Information Privacy Law: Summary  Each country has its unique context, including legal systems, national priorities, public mindset, and infrastructure  A comprehensive & systematic approach to data privacy and health information privacy is still lacking in some countries such as Thailand  Key issues include enforceable regulations, governance, and national policy
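
An added example, not part of the original slides: a sketch of how the two research data sets on slide 49 differ when applied to a record, using identifier kinds from slide 39. The field names, the sample record, the regex patterns and the mapping of `treatment_date` to "date of service" are assumptions made for illustration.

```python
import re

# Field name -> identifier kind from slide 39. Field names are assumed.
IDENTIFIER_FIELDS = {
    "name": "Name", "address": "Address", "zip": "Address",
    "phone": "Phone number", "email": "E-mail address", "ssn": "SSN",
    "birthdate": "Birthdate", "mrn": "Medical Record No.",
    "treatment_date": "Treatment date", "ip_address": "IP Address",
}
# Identifier fields a Limited Data Set may keep (slide 49: Zip, Birthdate,
# date of service). treatment_date stands in for date of service (assumption).
LIMITED_MAY_KEEP = {"zip", "birthdate", "treatment_date"}

# Illustrative patterns for identifiers that leak into free-text fields.
LEAK_PATTERNS = {
    "E-mail address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IP Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://\S+"),
    "Phone number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def release(record, mode):
    """Return (released_record, findings) for mode 'deidentified' or 'limited'.

    findings lists (field, identifier kind) pairs for non-identifier fields
    whose text still looks like it contains an identifier.
    """
    if mode not in ("deidentified", "limited"):
        raise ValueError(f"unknown mode: {mode}")
    keep = LIMITED_MAY_KEEP if mode == "limited" else set()
    out, findings = {}, []
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            if field in keep:
                out[field] = value      # permitted in a Limited Data Set
            continue                    # otherwise drop the whole field
        out[field] = value
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, kind))
    return out, findings

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000123", "birthdate": "1980-02-29",
    "zip": "55455", "treatment_date": "2014-12-01", "email": "jane@example.org",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": "Pt asked for results at jane@example.org or 612-555-0100.",
}

if __name__ == "__main__":
    for mode in ("deidentified", "limited"):
        print(mode, *release(SAMPLE, mode), sep="\n  ")
```

Dropping the structured identifier fields is not enough in either mode: the free-text `note` still carries an e-mail address and a phone number, so the findings list has to be empty before a data set leaves the covered entity.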