Legal Aspects in Health Informatics
nawanan
2,766 views
65 slides
Apr 22, 2013
Slide 1 of 65
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
About This Presentation
No description available for this slideshow.
Slide Content
TMHG 529
Legal Aspects in
Health Informatics
Nawanan Theera- Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
April 23, 2013
http://www.SlideShare.net/Nawanan
Legal Aspects in
Health Informatics
Nawanan Theera- Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
April 23, 2013
http://www.SlideShare.net/Nawanan
Basics of Legal Systems
Law & Informatics
Privacy Laws
HIPAA
Thailand’s Health Information Privacy Law
Outline
Law & Informatics
Privacy Laws
HIPAA
Thailand’s Health Information Privacy Law
Outline
No part of the contents is to be considered
a professional legal opinion. I’m not
responsible for the lack of completeness,
accuracy, correctness, or validity of the
contents for legal or organizational use.
Seek professional counsels or legal
experts for legal advices.
Disclaimer
a professional legal opinion. I’m not
responsible for the lack of completeness,
accuracy, correctness, or validity of the
contents for legal or organizational use.
Seek professional counsels or legal
experts for legal advices.
Disclaimer
Basics of Legal Systems
Civil Law
Central source of law recognized as authoritative is
codifications in a constitution or statute passed by
legislature, to amend a code
Common Law
Sources of law are the decisions in cases by judges,
plus laws & statutes passed by legislature
Religious Law
A religious system or document used as a legal
source
Pluralistic Systems
Thailand is a civil law system influenced by common
law
National Legal Systems
http://en.wikipedia.org/wiki/List_of_national_legal_systems
Central source of law recognized as authoritative is
codifications in a constitution or statute passed by
legislature, to amend a code
Common Law
Sources of law are the decisions in cases by judges,
plus laws & statutes passed by legislature
Religious Law
A religious system or document used as a legal
source
Pluralistic Systems
Thailand is a civil law system influenced by common
law
National Legal Systems
http://en.wikipedia.org/wiki/List_of_national_legal_systems
Legal Systems of the World
http://en.wikipedia.org/wiki/List_of_national_legal_systems
http://en.wikipedia.org/wiki/List_of_national_legal_systems
Enacted Law
Constitutions
Statutes
Court Rules (for court procedures)
Administrative Agency Rules
Caselaw
Judicial
Common Law Caselaw
Caselaw Interpreting Enacted Law
Administrative Agency Decisions
Sources of Law
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
Constitutions
Statutes
Court Rules (for court procedures)
Administrative Agency Rules
Caselaw
Judicial
Common Law Caselaw
Caselaw Interpreting Enacted Law
Administrative Agency Decisions
Sources of Law
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
National Constitution
Federal statutes, treaties, and court rules
Federal administrative agency rules
Federal common law caselaw
State constitutions
State statutes and court rules
State agency rules
State common law caselaw
Secondary authorities (Treatises, law reviews,
legal encyclopedias, digests, etc.)
Hierarchy of Sources of Law
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
Federal statutes, treaties, and court rules
Federal administrative agency rules
Federal common law caselaw
State constitutions
State statutes and court rules
State agency rules
State common law caselaw
Secondary authorities (Treatises, law reviews,
legal encyclopedias, digests, etc.)
Hierarchy of Sources of Law
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
Future cases should be decided the same way as
similar past cases
Policy goals
Fairness: Equality before the law
Predictability
Judicial efficiency
Caselaw
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
similar past cases
Policy goals
Fairness: Equality before the law
Predictability
Judicial efficiency
Caselaw
http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy- of-U.S.-Law.pdf
Unitary States
A state governed as one single
unit in which central government
is supreme and any
administrative divisions exercise
only powers their central
government chooses to delegate
Forms of Government
http://en.wikipedia.org/wiki/Unitary_state
A state governed as one single
unit in which central government
is supreme and any
administrative divisions exercise
only powers their central
government chooses to delegate
Forms of Government
http://en.wikipedia.org/wiki/Unitary_state
Federal states (federalism)
States or other subnational units
share sovereignty with the central
government, and the states
constituting the federation have
an existence and power functions
that cannot be unilaterally
changed by central government
Forms of Government
http://en.wikipedia.org/wiki/Federalism http://en.wikipedia.org/wiki/Unitary_state
States or other subnational units
share sovereignty with the central
government, and the states
constituting the federation have
an existence and power functions
that cannot be unilaterally
changed by central government
Forms of Government
http://en.wikipedia.org/wiki/Federalism http://en.wikipedia.org/wiki/Unitary_state
In federal states
Federal government
State government
Local government
Levels of Government
Federal government
State government
Local government
Levels of Government
Executive Branch
Part of government with sole authority and
responsibility for daily administration of the
state. It executes the law.
Legislative Branch
(Legislature/Parliament/Congress)
An assembly with power to pass, amend, and
repeal laws
Law created by a legislature is called legislation
or statutory law
Branches of Government
https://en.wikipedia.org/wiki/Executive_(government) https://en.wikipedia.org/wiki/Legislature
Part of government with sole authority and
responsibility for daily administration of the
state. It executes the law.
Legislative Branch
(Legislature/Parliament/Congress)
An assembly with power to pass, amend, and
repeal laws
Law created by a legislature is called legislation
or statutory law
Branches of Government
https://en.wikipedia.org/wiki/Executive_(government) https://en.wikipedia.org/wiki/Legislature
Judicial Branch
A system of courts that interprets and applies the
law to the facts of each case in the name of the
state
Generally does not make law (legislative branch)
or enforce law (executive branch)
Separation of Powers doctrine
Branches of Government
https://en.wikipedia.org/wiki/Judiciary
A system of courts that interprets and applies the
law to the facts of each case in the name of the
state
Generally does not make law (legislative branch)
or enforce law (executive branch)
Separation of Powers doctrine
Branches of Government
https://en.wikipedia.org/wiki/Judiciary
Presidential system
Leader of executive branch as head
of state & head of government
Parliamentary system
Prime minister responsible to
legislature as head of government
Monarch or president as head of
state, largely ceremonial
Systems of Government
https://en.wikipedia.org/wiki/Presidential_system https://en.wikipedia.org/wiki/Parliamentary_system
Leader of executive branch as head
of state & head of government
Parliamentary system
Prime minister responsible to
legislature as head of government
Monarch or president as head of
state, largely ceremonial
Systems of Government
https://en.wikipedia.org/wiki/Presidential_system https://en.wikipedia.org/wiki/Parliamentary_system
Law & Informatics
Computer/ICT Laws
Intellectual Property Laws
Laws on Access to Information
Health Laws
Laws Related to Informatics
Intellectual Property Laws
Laws on Access to Information
Health Laws
Laws Related to Informatics
Computer Crimes
Electronic Transactions &
Electronic Signatures
E-commerce, Cyber Law
Privacy/Data Protection Law
(Generic)
Computer/ICT Laws
Electronic Transactions &
Electronic Signatures
E-commerce, Cyber Law
Privacy/Data Protection Law
(Generic)
Computer/ICT Laws
Computer-Related Crimes Act, B.E. 2550
Focuses on prosecuting computer
crimes & computer-related crimes
Responsibility of organizations as IT
service provider: Logging &
provision of access data to authorities
Thai ICT Laws
Focuses on prosecuting computer
crimes & computer-related crimes
Responsibility of organizations as IT
service provider: Logging &
provision of access data to authorities
Thai ICT Laws
Electronic Transactions Acts, B.E. 2544 & 2551
Legal binding of electronic transactions and
electronic signatures
Security & privacy requirements for
Determining legal validity & integrity of
electronic transactions and documents, print-
outs, & paper-to-electronic conversions
Governmental & public organizations
Critical infrastructures
Financial sectors
Electronic certificate authorities
Thai ICT Laws
Legal binding of electronic transactions and
electronic signatures
Security & privacy requirements for
Determining legal validity & integrity of
electronic transactions and documents, print-
outs, & paper-to-electronic conversions
Governmental & public organizations
Critical infrastructures
Financial sectors
Electronic certificate authorities
Thai ICT Laws
Copyright Law
Patent Law
Industrial Design Law
Trademark Law
Trade Secret Laws
etc.
IP Laws
Patent Law
Industrial Design Law
Trademark Law
Trade Secret Laws
etc.
IP Laws
Copyright Act, B.E. 2537
And other IP laws (e.g. Patent Act)
Important for intellectual property
considerations (e.g. who owns the
software source code of an in-house
or outsourced system?)
Thai IP Laws
And other IP laws (e.g. Patent Act)
Important for intellectual property
considerations (e.g. who owns the
software source code of an in-house
or outsourced system?)
Thai IP Laws
Examples
Freedom of Information Act
(U.S.)
Official Information Act
(Thailand)
Laws on Access to Information
Freedom of Information Act
(U.S.)
Official Information Act
(Thailand)
Laws on Access to Information
Laws governing health care facilities
Laws governing health care
professionals
Other health laws
Laws on Food, Drugs, Medical
Devices
Laws on Health Care Systems
Laws on Emergency Medicine
etc.
Health Laws
Laws governing health care
professionals
Other health laws
Laws on Food, Drugs, Medical
Devices
Laws on Health Care Systems
Laws on Emergency Medicine
etc.
Health Laws
The Sanatorium Acts, B.E. 2541 & 2547
The Medical Profession Act, B.E. 2525
Professional Nursing & Midwifery Acts,
B.E. 2528 & 2540
Laws for other healthcare professionals
National Health Security Act, B.E. 2545
National Health Acts, B.E. 2550 & 2553
Emergency Medicine Act, B.E. 2551
Medical Devices Act, B.E. 2551
Thai Health Laws
The Medical Profession Act, B.E. 2525
Professional Nursing & Midwifery Acts,
B.E. 2528 & 2540
Laws for other healthcare professionals
National Health Security Act, B.E. 2545
National Health Acts, B.E. 2550 & 2553
Emergency Medicine Act, B.E. 2551
Medical Devices Act, B.E. 2551
Thai Health Laws
Health Information
Privacy Laws
Privacy Laws
Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
Privacy & Security
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
Privacy & Security
http://www.aclu.org/ordering-pizza
Privacy Protections: Why?
Privacy Protections: Why?
Respect for Persons (Autonomy)
Beneficence
Justice
Non-maleficence
Ethical Principles in Bioethics
Beneficence
Justice
Non-maleficence
Ethical Principles in Bioethics
Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
Privacy Safeguards
Image: http://www.nurseweek.com/news/images/privacy.jpg
Security safeguards
Informed consent
Privacy culture
User awareness building & education
Organizational policy & regulations
Enforcement
Ongoing privacy & security assessments, monitoring,
and protection
Image: http://www.nurseweek.com/news/images/privacy.jpg
Security safeguards
Informed consent
Privacy culture
User awareness building & education
Organizational policy & regulations
Enforcement
Ongoing privacy & security assessments, monitoring,
and protection
HIPAA
Health Insurance Portability and Accountability Act of
1996 http://www.gpo.gov/fdsys/pkg/PLAW -
104publ191/pdf/PLAW- 104publ191.pdf
More stringent state privacy laws apply
HIPAA Goals
To protect health insurance coverage for workers &
families when they change or lose jobs (Title I)
To require establishment of national standards for
electronic health care transactions and national
identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification”
provisions)
Administrative Simplification provisions also address
security & privacy of health data
U.S. Health Information Privacy Law
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
1996 http://www.gpo.gov/fdsys/pkg/PLAW -
104publ191/pdf/PLAW- 104publ191.pdf
More stringent state privacy laws apply
HIPAA Goals
To protect health insurance coverage for workers &
families when they change or lose jobs (Title I)
To require establishment of national standards for
electronic health care transactions and national
identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification”
provisions)
Administrative Simplification provisions also address
security & privacy of health data
U.S. Health Information Privacy Law
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
Title I: Health Care Access, Portability, and
Renewability
Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification;
Medical Liability Reform
Requires Department of Health & Human
Services (HHS) to draft rules aimed at increasing
efficiency of health care system by creating
standards for use and dissemination of health
care information
HIPAA (U.S.)
Renewability
Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification;
Medical Liability Reform
Requires Department of Health & Human
Services (HHS) to draft rules aimed at increasing
efficiency of health care system by creating
standards for use and dissemination of health
care information
HIPAA (U.S.)
Title III: Tax-Related Health Provisions
Title IV: Application and Enforcement
of Group Health Plan Requirements
Title V: Revenue Offsets
HIPAA (U.S.)
Title IV: Application and Enforcement
of Group Health Plan Requirements
Title V: Revenue Offsets
HIPAA (U.S.)
HHS promulgated 5 Administrative
Simplification rules
Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule
Enforcement Rule
HIPAA (U.S.)
Simplification rules
Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule
Enforcement Rule
HIPAA (U.S.)
Covered Entities
A health plan
A health care clearinghouse
A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
Business Associates
A health plan
Some HIPAA Definitions
A health plan
A health care clearinghouse
A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
Business Associates
A health plan
Some HIPAA Definitions
Protected Health Information (PHI)
Individually identifiable health information transmitted or
maintained in electronic media or other form or medium
Individually Identifiable Health Information
Any information, including demographic information collected from
an individual, that—
(A) is created or received by a CE; and
(B) relates to the past, present, or future physical
or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment
for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
Some HIPAA Definitions
Individually identifiable health information transmitted or
maintained in electronic media or other form or medium
Individually Identifiable Health Information
Any information, including demographic information collected from
an individual, that—
(A) is created or received by a CE; and
(B) relates to the past, present, or future physical
or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment
for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
Some HIPAA Definitions
Name
Address
Phone number
Fax number
E-mail address
SSN
Birthdate
Medical Record No.
Health Plan ID
Treatment date
Account No.
Certificate/License No.
Device ID No.
Vehicle ID No.
Drivers license No.
URL
IP Address
Biometric identifier
including fingerprints
Full face photo
Protected Health Information –
Personal Identifiers in PHI
Address
Phone number
Fax number
E-mail address
SSN
Birthdate
Medical Record No.
Health Plan ID
Treatment date
Account No.
Certificate/License No.
Device ID No.
Vehicle ID No.
Drivers license No.
URL
IP Address
Biometric identifier
including fingerprints
Full face photo
Protected Health Information –
Personal Identifiers in PHI
Establishes national standards to protect PHI; applies to CE &
business associates
Requires appropriate safeguards to protect privacy of PHI
Sets limits & conditions on uses & disclosures that may be made
without patient authorization
Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
business associates
Requires appropriate safeguards to protect privacy of PHI
Sets limits & conditions on uses & disclosures that may be made
without patient authorization
Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Timeline
November 3, 1999 Proposed Privacy Rule
December 28, 2000 Final Privacy Rule
August 14, 2002 Modifications to Privacy Rule
April 14, 2003 Compliance Date for most CE
Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
adminsimpregtext.pdf
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
November 3, 1999 Proposed Privacy Rule
December 28, 2000 Final Privacy Rule
August 14, 2002 Modifications to Privacy Rule
April 14, 2003 Compliance Date for most CE
Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
adminsimpregtext.pdf
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Some permitted uses and disclosures
Use of PHI
Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
Disclosure of PHI
Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
HIPAA Privacy Rule
Use of PHI
Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
Disclosure of PHI
Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
HIPAA Privacy Rule
A covered entity may not use or disclose
PHI, except
with individual consent for treatment,
payment or healthcare operations (TPO)
with individual authorization for other
purposes
without consent or authorization for
governmental and other specified
purposes
HIPAA Privacy Rule
PHI, except
with individual consent for treatment,
payment or healthcare operations (TPO)
with individual authorization for other
purposes
without consent or authorization for
governmental and other specified
purposes
HIPAA Privacy Rule
Treatment, payment, health care operations
(TPO)
Quality improvement
Competency assurance
Medical reviews & audits
Insurance functions
Business planning & administration
General administrative activities
HIPAA Privacy Rule
(TPO)
Quality improvement
Competency assurance
Medical reviews & audits
Insurance functions
Business planning & administration
General administrative activities
HIPAA Privacy Rule
Uses & disclosures without the need for patient
authorization permitted in some circumstances
Required by law
For public health activities
About victims of abuse, neglect, or domestic
violence
For health oversight activities
For judicial & administrative proceedings
For law enforcement purposes
About decedents
HIPAA Privacy Rule
authorization permitted in some circumstances
Required by law
For public health activities
About victims of abuse, neglect, or domestic
violence
For health oversight activities
For judicial & administrative proceedings
For law enforcement purposes
About decedents
HIPAA Privacy Rule
Uses & disclosures without the need for patient
authorization permitted in some circumstances
For cadaveric organ, eye, or tissue donation purposes
For research purposes
To avert a serious threat to health or safety
For workers’ compensation
For specialized government functions
Military & veterans activities
National security & intelligence activities
Protective services for President & others
Medical suitability determinants
Correctional institutions
CE that are government programs providing public benefits
HIPAA Privacy Rule
authorization permitted in some circumstances
For cadaveric organ, eye, or tissue donation purposes
For research purposes
To avert a serious threat to health or safety
For workers’ compensation
For specialized government functions
Military & veterans activities
National security & intelligence activities
Protective services for President & others
Medical suitability determinants
Correctional institutions
CE that are government programs providing public benefits
HIPAA Privacy Rule
Control use and disclosure of PHI
Notify patients of information practices (NPP, Notice of Privacy
Practices)
Specifies how CE can use and share PHI
Specifies patient’s rights regarding their PHI
Provide means for patients to access their own record
Obtain authorization for non-TPO uses and disclosures
Log disclosures
Restrict use or disclosures
Minimum necessary
Privacy policy and practices
Business Associate agreements
Other applicable statutes
Provide management oversight and response to minimize threats and
breaches of privacy
Responsibilities of a CE
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Notify patients of information practices (NPP, Notice of Privacy
Practices)
Specifies how CE can use and share PHI
Specifies patient’s rights regarding their PHI
Provide means for patients to access their own record
Obtain authorization for non-TPO uses and disclosures
Log disclosures
Restrict use or disclosures
Minimum necessary
Privacy policy and practices
Business Associate agreements
Other applicable statutes
Provide management oversight and response to minimize threats and
breaches of privacy
Responsibilities of a CE
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Individually identifiable health information
collected and used solely for research IS NOT PHI
Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
Waiver of authorization (obtain from the IRB)
Limited Data Set (with data use agreement)
De-identified Data Set
HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
HIPAA & Research
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
collected and used solely for research IS NOT PHI
Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
Waiver of authorization (obtain from the IRB)
Limited Data Set (with data use agreement)
De-identified Data Set
HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
HIPAA & Research
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
De-identified Data Set
Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
OR biostatistician confirms that individual cannot be
identified with the available information
Limited Data Set
May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
Remove all other personal identifiers of subject, etc.
Data Use Agreement signed by data recipient that
there will be no attempt to re-identify the subject
Research Data Sets
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
OR biostatistician confirms that individual cannot be
identified with the available information
Limited Data Set
May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
Remove all other personal identifiers of subject, etc.
Data Use Agreement signed by data recipient that
there will be no attempt to re-identify the subject
Research Data Sets
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Assure the CE that all research-initiated HIPAA
requirements have been met
Provide letter of approval to the researcher to
conduct research using PHI
OR, Certify and document that waiver of
authorization criteria have been met
Review and approve all authorizations and data
use agreements
Retain records documenting HIPAA actions for 6
years
IRB’s New Responsibility
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
requirements have been met
Provide letter of approval to the researcher to
conduct research using PHI
OR, Certify and document that waiver of
authorization criteria have been met
Review and approve all authorizations and data
use agreements
Retain records documenting HIPAA actions for 6
years
IRB’s New Responsibility
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Establishes national standards to protect
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
Administrative safeguards
Physical safeguards
Technical safeguards
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
Administrative safeguards
Physical safeguards
Technical safeguards
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Timeline
August 12, 1998 Proposed Security Rule
February 20, 2003 Final Security Rule
April 21, 2005 Compliance Date for most CE
Full Text
http://www.hhs.gov/ocr/privacy/hipaa/
administrative/securityrule/securityrulepdf.pdf
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
August 12, 1998 Proposed Security Rule
February 20, 2003 Final Security Rule
April 21, 2005 Compliance Date for most CE
Full Text
http://www.hhs.gov/ocr/privacy/hipaa/
administrative/securityrule/securityrulepdf.pdf
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
The HIPAA Security Rule is:
A set of information security “best practices”
A minimum baseline for security
An outline of what to do, and what procedures
should be in place
The HIPAA Security Rule is not:
A set of specific instructions
A set of rules for universal, unconditional
implementation
A document outlining specific implementations
(vendors, equipment, software, etc.)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
A set of information security “best practices”
A minimum baseline for security
An outline of what to do, and what procedures
should be in place
The HIPAA Security Rule is not:
A set of specific instructions
A set of rules for universal, unconditional
implementation
A document outlining specific implementations
(vendors, equipment, software, etc.)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
The HIPAA Security Rule is designed to be:
Technology-neutral
Scalable (doesn’t require all CEs to apply the same
policies)
Flexible (allows CEs to determine their own needs)
Comprehensive (covers technical, business, and
behavioral issues)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Technology-neutral
Scalable (doesn’t require all CEs to apply the same
policies)
Flexible (allows CEs to determine their own needs)
Comprehensive (covers technical, business, and
behavioral issues)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Many rules are either Required or Addressable
Required:
Compliance is mandatory
Addressable:
If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Required:
Compliance is mandatory
Addressable:
If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Breach notification
Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
New rules for accounting of disclosures of a
patient’s health information
New in HITECH Act of 2009
Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
New rules for accounting of disclosures of a
patient’s health information
New in HITECH Act of 2009
Conflicts between federal vs. state laws
Variations among state laws of different
states
HIPAA only covers “covered entities”
No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law:
U.S. Challenges
Variations among state laws of different
states
HIPAA only covers “covered entities”
No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law:
U.S. Challenges
Canada - The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
EU Countries - EU Data Protection Directive
UK - Data Protection Act 1998
Austria - Data Protection Act 2000
Australia - Privacy Act of 1988
Germany - Federal Data Protection Act of
2001
Health Information Privacy Law:
Other Western Countries
Information Protection and Electronic Data
Act of 2000
EU Countries - EU Data Protection Directive
UK - Data Protection Act 1998
Austria - Data Protection Act 2000
Australia - Privacy Act of 1988
Germany - Federal Data Protection Act of
2001
Health Information Privacy Law:
Other Western Countries
Thailand’s Health
Information Privacy
Law
Information Privacy
Law
1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540.
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social stan ding, political
affiliation sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand
about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the
medical practitioner treating him/her except in case of emergency or life threatening situation.
4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as
necessary, regardless of whether the patient requests assistance or not.
5. The patient has the rights to know the name-surname and the specialty of the practitioner under whose care he/she is in.
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the
immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without
prejudice.
7. The patient has the rights to expect that their personal
information are kept confidential by the medical practitioner, the
only exception being in cases with the consent of the patient or
due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to
make decision to participate in/or withdraw from the medical research being carried out by their health care provider.
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical
record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or
mentally handicapped wherein they could not exercise their own rights.
Issued on April 16, 1998 (BE 2541)
Declaration of Patient’s Rights (1998)
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social stan ding, political
affiliation sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand
about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the
medical practitioner treating him/her except in case of emergency or life threatening situation.
4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as
necessary, regardless of whether the patient requests assistance or not.
5. The patient has the rights to know the name-surname and the specialty of the practitioner under whose care he/she is in.
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the
immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without
prejudice.
7. The patient has the rights to expect that their personal
information are kept confidential by the medical practitioner, the
only exception being in cases with the consent of the patient or
due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to
make decision to participate in/or withdraw from the medical research being carried out by their health care provider.
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical
record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or
mentally handicapped wherein they could not exercise their own rights.
Issued on April 16, 1998 (BE 2541)
Declaration of Patient’s Rights (1998)
Ascertains rights of the public to request and
obtain access to official information in a
government’s control (including public
providers)
Except
When disclosure would jeopardize law
enforcement or may harm others, etc.
Disclosure of personal information without
consent (except otherwise permitted by law)
Thailand’s Official Information Act
(1997)
obtain access to official information in a
government’s control (including public
providers)
Except
When disclosure would jeopardize law
enforcement or may harm others, etc.
Disclosure of personal information without
consent (except otherwise permitted by law)
Thailand’s Official Information Act
(1997)
Section 7. Personal health information shall be
kept confidential. No person shall disclose it in
such a manner as to cause damage to him or her,
unless it is done according to his or her will, or is
required by a specific law to do so. Provided that,
in any case whatsoever, no person shall have the
power or right under the law on official
information or other laws to request for a
document related to personal health information
of any person other than himself or herself.
National Health Act, B.E. 2550 (2007)
kept confidential. No person shall disclose it in
such a manner as to cause damage to him or her,
unless it is done according to his or her will, or is
required by a specific law to do so. Provided that,
in any case whatsoever, no person shall have the
power or right under the law on official
information or other laws to request for a
document related to personal health information
of any person other than himself or herself.
National Health Act, B.E. 2550 (2007)
Official Information Act only covers
governmental organizations
“Disclose as a rule, protect as an exception”
not appropriate mindset for health
information
National Health Act: One blanket provision
with minimal exceptions: raising concerns
about enforceability (in exceptional
circumstances, e.g. disasters)
Health Information Privacy Law:
Thailand’s Challenges
Not considered professional legal opinion
governmental organizations
“Disclose as a rule, protect as an exception”
not appropriate mindset for health
information
National Health Act: One blanket provision
with minimal exceptions: raising concerns
about enforceability (in exceptional
circumstances, e.g. disasters)
Health Information Privacy Law:
Thailand’s Challenges
Not considered professional legal opinion
No general data privacy law in place
Unclear implications from ICT laws (e.g.
Electronic Transactions Act)
Governance: No governmental authority
responsible for oversight, enforcement &
regulation of health information privacy
protections
Policy: No systematic national policy to
promote privacy protections
Health Information Privacy Law:
Thailand’s Challenges
Not considered professional legal opinion
Unclear implications from ICT laws (e.g.
Electronic Transactions Act)
Governance: No governmental authority
responsible for oversight, enforcement &
regulation of health information privacy
protections
Policy: No systematic national policy to
promote privacy protections
Health Information Privacy Law:
Thailand’s Challenges
Not considered professional legal opinion
Each country has its unique context,
including legal systems, national priorities,
public mindset, and infrastructure
A comprehensive & systematic approach to
data privacy and health information privacy
is still lacking in some countries such as
Thailand
Key issues include enforceable regulations,
governance, and national policy
Health Information Privacy Law:
Summary
including legal systems, national priorities,
public mindset, and infrastructure
A comprehensive & systematic approach to
data privacy and health information privacy
is still lacking in some countries such as
Thailand
Key issues include enforceable regulations,
governance, and national policy
Health Information Privacy Law:
Summary
Categories
LegalDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 2,766
- Slides 65
- Favorites 2
- Age 4627 days
Related Slideshows
44
The Sale Of Goods Acts,1930 (Conditions & Warranties)
beastkalvi
22 views
29
INDIAN PARTNERSHIP ACT 1932 - OVERVIEWS
beastkalvi
29 views
9
INCUMPLIMIENTO DE PAGO - AUTOR JOSÉ MARÍA PACORI CARI
corporacionhiramservicioslegales
19 views
24
AMBITO APLICACION 728 - AUTOR JOSÉ MARÍA PACORI CARI
corporacionhiramservicioslegales
23 views
32
DOCUMENTOS GESTIÓN INSTITUCIONAL RELACIÓN LABORAL PÚBLICA - AUTOR JOSÉ MARÍA PACORI CARI
corporacionhiramservicioslegales
20 views
43
NR 05 - ASSEDIO MORAL.pptx NO AMBIENTE DE TRABALHO
gabriela18lg7
27 views