This document outlines a lecture on legal aspects of health informatics. It begins by discussing different types of legal systems such as civil law and common law. It then covers laws related to informatics including computer crimes laws, intellectual property laws, and health privacy laws. A significant portion of the document focuses on explaining the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which established national standards for electronic health information in the United States to protect individuals' medical records and other personal health information.
1. TMHG 529
Legal Aspects in
Health Informatics
Nawanan Theera‐Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
December 16, 2014
http://www.SlideShare.net/Nawanan
2. Outline
Basics of Legal Systems
Law & Informatics
Privacy Laws
HIPAA
Thailand’s Health Information Privacy Law
3. Disclaimer
No part of the contents is to be considered
a professional legal opinion. I’m not
responsible for the lack of completeness,
accuracy, correctness, or validity of the
contents for legal or organizational use.
Seek professional counsel or legal
experts for legal advice.
5. National Legal Systems
Civil Law
The central source of law recognized as authoritative is a
code: codification in a constitution, or statutes passed by
the legislature to amend the code
Common Law
Sources of law are the decisions in cases by judges,
plus laws & statutes passed by legislature
Religious Law
A religious system or document used as a legal
source
Pluralistic Systems
Thailand is a civil law system influenced by common
law
http://en.wikipedia.org/wiki/List_of_national_legal_systems
6. Legal Systems of the World
http://en.wikipedia.org/wiki/List_of_national_legal_systems
7. Sources of Law
Enacted Law
Constitutions
Statutes
Court Rules (for court procedures)
Administrative Agency Rules
Caselaw
Judicial
Common Law Caselaw
Caselaw Interpreting Enacted Law
Administrative Agency Decisions
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
8. Hierarchy of Sources of Law
National Constitution
Federal statutes, treaties, and court rules
Federal administrative agency rules
Federal common law caselaw
State constitutions
State statutes and court rules
State agency rules
State common law caselaw
Secondary authorities (Treatises, law reviews,
legal encyclopedias, digests, etc.)
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
9. Caselaw
Future cases should be decided the same way as
similar past cases
Policy goals
Fairness: Equality before the law
Predictability
Judicial efficiency
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
10. Forms of Government
Unitary States
A state governed as one single
unit in which central government
is supreme and any
administrative divisions exercise
only powers their central
government chooses to delegate
http://en.wikipedia.org/wiki/Unitary_state
11. Forms of Government
Federal states (federalism)
States or other subnational units
share sovereignty with the central
government, and the states
constituting the federation have
an existence and power functions
that cannot be unilaterally
changed by central government
http://en.wikipedia.org/wiki/Federalism http://en.wikipedia.org/wiki/Unitary_state
12. Levels of Government
In federal states
Federal government
State government
Local government
13. Branches of Government
Executive Branch
Part of government with sole authority and
responsibility for daily administration of the
state. It executes the law.
Legislative Branch
(Legislature/Parliament/Congress)
An assembly with power to pass, amend, and
repeal laws
Law created by a legislature is called legislation
or statutory law
https://en.wikipedia.org/wiki/Executive_(government) https://en.wikipedia.org/wiki/Legislature
14. Branches of Government
Judicial Branch
A system of courts that interprets and applies the
law to the facts of each case in the name of the
state
Generally does not make law (legislative branch)
or enforce law (executive branch)
Separation of Powers doctrine
https://en.wikipedia.org/wiki/Judiciary
15. Systems of Government
Presidential system
Leader of executive branch as head
of state & head of government
Parliamentary system
Prime minister responsible to
legislature as head of government
Monarch or president as head of
state, largely ceremonial
https://en.wikipedia.org/wiki/Presidential_system https://en.wikipedia.org/wiki/Parliamentary_system
19. Thai ICT Laws
Computer-Related Crimes Act, B.E. 2550
Focuses on prosecuting computer
crimes & computer-related crimes
Responsibility of organizations as IT
service provider: Logging &
provision of access data to authorities
20. Thai ICT Laws
Electronic Transactions Acts, B.E. 2544 & 2551
Legal binding of electronic transactions and
electronic signatures
Security & privacy requirements for
Determining legal validity & integrity of
electronic transactions and documents, print‐outs,
& paper‐to‐electronic conversions
Governmental & public organizations
Critical infrastructures
Financial sectors
Electronic certificate authorities
21. IP Laws
Copyright Law
Patent Law
Industrial Design Law
Trademark Law
Trade Secret Laws
etc.
22. Thai IP Laws
Copyright Act, B.E. 2537
And other IP laws (e.g. Patent Act)
Important for intellectual property
considerations (e.g. who owns the
software source code of an in‐house
or outsourced system?)
23. Laws on Access to Information
Examples
Freedom of Information Act
(U.S.)
Official Information Act
(Thailand)
24. Health Laws
Laws governing health care facilities
Laws governing health care
professionals
Other health laws
Laws on Food, Drugs, Medical
Devices
Laws on Health Care Systems
Laws on Emergency Medicine
etc.
25. Thai Health Laws
The Sanatorium Acts, B.E. 2541 & 2547
The Medical Profession Act, B.E. 2525
Professional Nursing & Midwifery Acts,
B.E. 2528 & 2540
Laws for other healthcare professionals
National Health Security Act, B.E. 2545
National Health Acts, B.E. 2550 & 2553
Emergency Medicine Act, B.E. 2551
Medical Devices Act, B.E. 2551
27. Privacy & Security
Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
29. Ethical Principles in Bioethics
Respect for Persons (Autonomy)
Beneficence
Justice
Non‐maleficence
30. Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
33. U.S. Health Information Privacy Law
Health Insurance Portability and Accountability Act of 1996
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
More stringent state privacy laws apply
HIPAA Goals
To protect health insurance coverage for workers &
families when they change or lose jobs (Title I)
To require establishment of national standards for
electronic health care transactions and national
identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification”
provisions)
Administrative Simplification provisions also address
security & privacy of health data
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
34. HIPAA (U.S.)
Title I: Health Care Access, Portability, and
Renewability
Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification;
Medical Liability Reform
Requires Department of Health & Human
Services (HHS) to draft rules aimed at increasing
efficiency of health care system by creating
standards for use and dissemination of health
care information
35. HIPAA (U.S.)
Title III: Tax‐Related Health Provisions
Title IV: Application and Enforcement
of Group Health Plan Requirements
Title V: Revenue Offsets
37. Some HIPAA Definitions
Covered Entities
A health plan
A health care clearinghouse
A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
Business Associates
38. Some HIPAA Definitions
Protected Health Information (PHI)
Individually identifiable health information transmitted or
maintained in electronic media or other form or medium
Individually Identifiable Health Information
Any information, including demographic information collected from
an individual, that—
(A) is created or received by a CE; and
(B) relates to the past, present, or future physical
or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment
for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
39. Protected Health Information –
Personal Identifiers in PHI
Name
Address
Phone number
Fax number
E‐mail address
SSN
Birthdate
Medical Record No.
Health Plan ID
Treatment date
Account No.
Certificate/License No.
Device ID No.
Vehicle ID No.
Drivers license No.
URL
IP Address
Biometric identifier including fingerprints
Full face photo
40. HIPAA Privacy Rule
Establishes national standards to protect PHI; applies to CE &
business associates
Requires appropriate safeguards to protect privacy of PHI
Sets limits & conditions on uses & disclosures that may be made
without patient authorization
Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
41. HIPAA Privacy Rule
Timeline
November 3, 1999 Proposed Privacy Rule
December 28, 2000 Final Privacy Rule
August 14, 2002 Modifications to Privacy Rule
April 14, 2003 Compliance Date for most CE
Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
42. HIPAA Privacy Rule
Some permitted uses and disclosures
Use of PHI
Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
Disclosure of PHI
Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
43. HIPAA Privacy Rule
A covered entity may not use or disclose
PHI, except
with individual consent for treatment,
payment or healthcare operations (TPO)
with individual authorization for other
purposes
without consent or authorization for
governmental and other specified
purposes
44. HIPAA Privacy Rule
Treatment, payment, health care operations
(TPO)
Quality improvement
Competency assurance
Medical reviews & audits
Insurance functions
Business planning & administration
General administrative activities
45. HIPAA Privacy Rule
Uses & disclosures without the need for patient
authorization permitted in some circumstances
Required by law
For public health activities
About victims of abuse, neglect, or domestic
violence
For health oversight activities
For judicial & administrative proceedings
For law enforcement purposes
About decedents
46. HIPAA Privacy Rule
Uses & disclosures without the need for patient
authorization permitted in some circumstances
For cadaveric organ, eye, or tissue donation purposes
For research purposes
To avert a serious threat to health or safety
For workers’ compensation
For specialized government functions
Military & veterans activities
National security & intelligence activities
Protective services for President & others
Medical suitability determinants
Correctional institutions
CE that are government programs providing public benefits
47. Responsibilities of a CE
Control use and disclosure of PHI
Notify patients of information practices (NPP, Notice of Privacy
Practices)
Specifies how CE can use and share PHI
Specifies patient’s rights regarding their PHI
Provide means for patients to access their own record
Obtain authorization for non‐TPO uses and disclosures
Log disclosures
Restrict use or disclosures
Minimum necessary
Privacy policy and practices
Business Associate agreements
Other applicable statutes
Provide management oversight and response to minimize threats and
breaches of privacy
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
48. HIPAA & Research
Individually identifiable health information
collected and used solely for research IS NOT PHI
Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
Waiver of authorization (obtain from the IRB)
Limited Data Set (with data use agreement)
De‐identified Data Set
HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
49. Research Data Sets
De‐identified Data Set
Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
OR biostatistician confirms that individual cannot be
identified with the available information
Limited Data Set
May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
Remove all other personal identifiers of subject, etc.
Data Use Agreement signed by data recipient that
there will be no attempt to re‐identify the subject
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
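As an added example (not from this lecture or from the UMN slides it cites), the two research data sets described above can be produced mechanically from a patient record by applying the identifier list on slide 39. The field names, the related-party keys and the sample record are assumptions about a hypothetical EHR export, not any real system's schema; the release check at the end is the step a data custodian would run before anything leaves the covered entity.

```python
"""Added example, not part of the lecture: building the two research data
sets slide 49 describes from a patient record, using the identifier list on
slide 39.  Field names, the RELATED_PARTY_KEYS names and the sample record are
assumptions about a hypothetical EHR export, not any real system's schema."""

# Slide 39's personal identifiers, mapped to assumed field names.  "death_date"
# is included because slide 49 treats date of death as an identifier that only
# a Limited Data Set may retain.
IDENTIFIER_FIELDS = frozenset({
    "name", "address_street", "address_city", "address_state", "address_zip",
    "phone", "fax", "email", "ssn", "birthdate", "death_date",
    "medical_record_no", "health_plan_id", "treatment_date", "account_no",
    "license_no", "device_id", "vehicle_id", "drivers_license_no", "url",
    "ip_address", "fingerprint_template", "face_photo",
})

# Identifiers slide 49 allows a Limited Data Set to keep: zip, birthdate,
# date of death, date of service and geographic subdivision (city/state).
LIMITED_DATA_SET_ALLOWED = frozenset({
    "address_zip", "address_city", "address_state",
    "birthdate", "death_date", "treatment_date",
})

# Sub-records describing relatives, employers or household members (assumed
# field names).  Slide 49 removes their identifiers too, so nothing under
# these keys is retained, even in a Limited Data Set.
RELATED_PARTY_KEYS = frozenset({"emergency_contact", "employer", "household_members"})


def _strip(obj, allowed):
    """Return a copy of obj with identifier fields removed, keeping only those
    in `allowed`; related-party sub-records get an empty allow-list."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in IDENTIFIER_FIELDS and key not in allowed:
                continue
            sub_allowed = frozenset() if key in RELATED_PARTY_KEYS else allowed
            out[key] = _strip(value, sub_allowed)
        return out
    if isinstance(obj, list):
        return [_strip(item, allowed) for item in obj]
    return obj


def de_identified_data_set(record):
    """Slide 49, first option: remove all listed identifiers of the subject
    and of relatives, employers and household members."""
    return _strip(record, frozenset())


def limited_data_set(record):
    """Slide 49, second option: keep only the dates and geographic fields the
    slide permits; everything else on the identifier list is removed."""
    return _strip(record, LIMITED_DATA_SET_ALLOWED)


def remaining_identifiers(obj, allowed=frozenset(), path=""):
    """Release check: dotted paths of identifier fields still present that are
    not in `allowed`.  An empty list means the record satisfies the chosen
    data-set rule (de-identified when `allowed` is empty)."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in IDENTIFIER_FIELDS and key not in allowed:
                found.append(here)
            sub_allowed = frozenset() if key in RELATED_PARTY_KEYS else allowed
            found.extend(remaining_identifiers(value, sub_allowed, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(remaining_identifiers(item, allowed, f"{path}[{i}]"))
    return found


# Constructed sample record; every value is a placeholder.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "address_street": "1 Example Road",
    "address_city": "Exampleville",
    "address_state": "EX",
    "address_zip": "00000",
    "phone": "000-000-0000",
    "email": "patient@example.invalid",
    "ssn": "000-00-0000",
    "birthdate": "1970-01-01",
    "medical_record_no": "MRN-0000001",
    "health_plan_id": "PLAN-0000",
    "ip_address": "192.0.2.10",
    "face_photo": "<image bytes omitted>",
    "diagnosis": "I10",
    "encounters": [
        {"treatment_date": "2016-08-11", "test": "HbA1c", "value": 6.1},
    ],
    "emergency_contact": {
        "name": "Example Relative", "phone": "000-000-0001",
        "relationship": "spouse",
    },
}

if __name__ == "__main__":
    for label, data_set, allowed in (
        ("de-identified", de_identified_data_set(SAMPLE_RECORD), frozenset()),
        ("limited", limited_data_set(SAMPLE_RECORD), LIMITED_DATA_SET_ALLOWED),
    ):
        print(label, data_set, "leftover:", remaining_identifiers(data_set, allowed))
```

The allow-list is the only difference between the two data sets, which mirrors slide 49: a Limited Data Set is a de-identified set with a handful of dates and geographic fields put back, and it is exactly those fields that make the Data Use Agreement (no re-identification attempts) necessary. The slide's second de-identification route, a biostatistician's determination, is a human judgement and is deliberately not modelled here.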
50. IRB’s New Responsibility
Assure the CE that all research‐initiated HIPAA
requirements have been met
Provide letter of approval to the researcher to
conduct research using PHI
OR, Certify and document that waiver of
authorization criteria have been met
Review and approve all authorizations and data
use agreements
Retain records documenting HIPAA actions for 6 years
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
51. HIPAA Security Rule
Establishes national standards to protect
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
Administrative safeguards
Physical safeguards
Technical safeguards
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
52. HIPAA Security Rule
Timeline
August 12, 1998 Proposed Security Rule
February 20, 2003 Final Security Rule
April 21, 2005 Compliance Date for most CE
Full Text
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
53. HIPAA Security Rule: Meaning
The HIPAA Security Rule is:
A set of information security “best practices”
A minimum baseline for security
An outline of what to do, and what procedures
should be in place
The HIPAA Security Rule is not:
A set of specific instructions
A set of rules for universal, unconditional
implementation
A document outlining specific implementations
(vendors, equipment, software, etc.)
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
54. HIPAA Security Rule: Meaning
The HIPAA Security Rule is designed to be:
Technology‐neutral
Scalable (doesn’t require all CEs to apply the same
policies)
Flexible (allows CEs to determine their own needs)
Comprehensive (covers technical, business, and
behavioral issues)
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
55. HIPAA Security Rule: Meaning
Many rules are either Required or Addressable
Required:
Compliance is mandatory
Addressable:
If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
56. New in HITECH Act of 2009
Breach notification
Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
New rules for accounting of disclosures of a
patient’s health information
57. Health Information Privacy Law:
U.S. Challenges
Conflicts between federal vs. state laws
Variations among state laws of different
states
HIPAA only covers “covered entities”
No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
58. Health Information Privacy Law:
Other Western Countries
Canada ‐ The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
EU Countries ‐ EU Data Protection Directive
UK ‐ Data Protection Act 1998
Austria ‐ Data Protection Act 2000
Australia ‐ Privacy Act of 1988
Germany ‐ Federal Data Protection Act of
2001
59. Two Systems of Privacy Laws
General Data Privacy Law
There exists general law protecting privacy
of all types of information (financial,
educational, health, etc.)
Sectoral Data Privacy Law
Each sector (e.g. health sector) has its own
information privacy laws without a
general law
60. Pros & Cons
General Data Privacy Law
Pros: Covers all types of information with
uniform standard of protection
Cons: May not be flexible for specific
requirements in each industry or for each
type of information (e.g. health)
Sectoral Data Privacy Law
Pros: Protections specific to each type of
information (e.g. health information) or
nature of each industry
Cons: Not covering other types of
information or those kept by other
organizations outside the sector, and no
uniform standard of protections
62. Declaration of Patient’s Rights (1998)
1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540.
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing, political
affiliation, sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand
about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the
medical practitioner treating him/her except in case of emergency or life threatening situation.
4. Patients at risk, in critical condition or near death, are entitled to receive urgent and immediate relief from their medical practitioner as
necessary, regardless of whether the patient requests assistance or not.
5. The patient has the rights to know the name‐surname and the specialty of the practitioner under whose care he/she is in.
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the
immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without
prejudice.
7. The patient has the rights to expect that their personal information is kept confidential by the medical practitioner, the only exception
being in cases with the consent of the patient or due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to
make a decision to participate in/or withdraw from the medical research being carried out by their health care provider.
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical
record as requested. With respect to this, the information obtained must not infringe upon other individual’s rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or
mentally handicapped wherein they could not exercise their own rights.
Issued on April 16, 1998 (BE 2541)
63. Thailand’s Official Information Act
(1997)
Ascertains rights of the public to request and
obtain access to official information in a
government’s control (including public
providers)
Except
When disclosure would jeopardize law
enforcement or may harm others, etc.
Disclosure of personal information without
consent (except otherwise permitted by law)
64. National Health Act, B.E. 2550 (2007)
Section 7. Personal health information shall be
kept confidential. No person shall disclose it in
such a manner as to cause damage to him or her,
unless it is done according to his or her will, or is
required by a specific law to do so. Provided that,
in any case whatsoever, no person shall have the
power or right under the law on official
information or other laws to request for a
document related to personal health information
of any person other than himself or herself.
65. Health Information Privacy Law:
Thailand’s Challenges
Official Information Act only covers
governmental organizations
“Disclose as a rule, protect as an exception”
not appropriate mindset for health
information
National Health Act: One blanket provision
with minimal exceptions: raising concerns
about enforceability (in exceptional
circumstances, e.g. disasters)
Not considered professional legal opinion
66. Health Information Privacy Law:
Thailand’s Challenges
No general data privacy law in place
Unclear implications from ICT laws (e.g.
Electronic Transactions Act)
Governance: No governmental authority
responsible for oversight, enforcement &
regulation of health information privacy
protections
Policy: No systematic national policy to
promote privacy protections
Not considered professional legal opinion
67. Health Information Privacy Law:
Summary
Each country has its unique context,
including legal systems, national priorities,
public mindset, and infrastructure
A comprehensive & systematic approach to
data privacy and health information privacy
is still lacking in some countries such as
Thailand
Key issues include enforceable regulations,
governance, and national policy