health information privacy: asia's viewpoint
Theera-Ampornpunt N. Health information privacy: Asia's viewpoint. Presented at: Globalizing Asia: Health Law, Governance, and Policy - Issues, Approaches, and Gaps!; 2012 Apr 16-18; Bangkok, Thailand.
Health Information Privacy: Asia’s Viewpoint
Nawanan Theera-Ampornpunt, MD, PhD
Faculty of Medicine Ramathibodi Hospital
Mahidol University
Privacy: Why?
http://www.aclu.org/ordering-pizza
Privacy: Ethical Principles
• Autonomy
• Non-maleficence
– Primum non nocere (First, do no harm)
Hippocratic Oath...
What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about....
http://en.wikipedia.org/wiki/Hippocratic_Oath
UNITED STATES
Levels of U.S. Privacy Laws
Federal Level
State Level
Health Information Privacy Laws: U.S. Federal Government
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Privacy Rule regulates use & disclosure of protected health information held by covered entities
– Security Rule lays out security safeguards required for compliance
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
– (New in HITECH Act of 2009)
  • Breach notification
Health Information Privacy Laws: Privacy Rule
Some permitted uses and disclosures
• Treatment, payment, health care operations
– Quality improvement
– Competency assurance
– Medical reviews & audits
– Insurance functions
– Business planning & administration
– General administrative activities
Health Information Privacy Laws: U.S. Challenges
• Conflicts between federal vs. state laws
• Variations among state laws of different states
• HIPAA only covers “covered entities”
• No general privacy laws in place, only a few sectoral privacy laws e.g. HIPAA
Health Information Privacy Laws: Other Western Countries
• Canada - The Privacy Act (1983), Personal Information Protection and Electronic Data Act of 2000
• EU Countries - EU Data Protection Directive
• UK - Data Protection Act 1998
• Austria - Data Protection Act 2000
• Australia - Privacy Act of 1988
• Germany - Federal Data Protection Act of 2001
Cloud Computing Policy Environment (Report by Business Software Alliance)
http://portal.bsa.org/cloudscorecard2012/countries.html
THAILAND: HEALTH INFORMATION PRIVACY
1. Every patient has the basic rights to receive health service as have been legally enacted in the Thai Constitution BE 2540.
2. The patient is entitled to receive full medical services regardless of their status, race, nationality, religion, social standing, political affiliation, sex, age, and the nature of their illness from their medical practitioner.
3. Patients who seek medical services have the rights to receive their complete current information in order to thoroughly understand about their illness from their medical practitioner. Furthermore, the patient can either voluntarily consent or refuse treatment from the medical practitioner treating him/her except in case of emergency or life threatening situation.
4. Patients at risk, in critical condition or near death, is entitled to receive urgent and immediate relief from their medical practitioner as necessary, regardless of whether the patient requests assistance or not.
5. The patient has the rights to know the name-surname and the specialty of the practitioner under whose care he/she is in.
6. It is the right of the patient to request a second opinion from other medical practitioner in other specialties, who is not involved in the immediate care of him/her as well as the right to change the place of medical service or treatment, as requested by the patient without prejudice.
7. The patient has the rights to expect that their personal information are kept confidential by the medical practitioner, the only exception being in cases with the consent of the patient or due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to make decision to participate in/or withdraw from the medical research being carried out by their health care provider.
9. The patient has the rights to know or demand full and current information about their medical treatment as appeared in the medical record as requested. With respect to this, the information obtained must not infringe upon other individual's rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen or who is physically or mentally handicapped wherein they could not exercise their own rights.
Issued on April 16, 1998 (BE 2541)
Declaration of Patient’s Rights (1998)
Thailand’s Official Information Act (1997)
• Ascertains rights of the public to request and obtain access to official information in a government’s control (including public providers)
• Except
– When disclosure would jeopardize law enforcement or may harm others, etc.
– Disclosure of personal information without consent (except otherwise permitted by law)
Section 7. Personal health information shall be kept confidential. No person shall disclose it in such a manner as to cause damage to him or her, unless it is done according to his or her will, or is required by a specific law to do so. Provided that, in any case whatsoever, no person shall have the power or right under the law on official information or other laws to request for a document related to personal health information of any person other than himself or herself.
National Health Act, B.E. 2550 (2007)
Health Information Privacy Laws: Thailand’s Challenges
• Official Information Act only covers governmental organizations
• “Disclose as a rule, protect as an exception” not appropriate mindset for health information
• National Health Act: One blanket provision with minimal exceptions: raising concerns about enforceability (in exceptional circumstances, e.g. disasters)
Health Information Privacy Laws: Thailand’s Challenges
• No general data privacy law in place
• Unclear implications from ICT laws (e.g. Electronic Transactions Act)
• Governance: No governmental authority responsible for oversight, enforcement & regulation of health information privacy protections
• Policy: No systematic national policy to promote privacy protections
Privacy: The Cultural Aspect
From Flickr by Bikoy (Victor Villanueva)
Privacy: The Cultural Aspect
From Flickr by Saikofish
Health Information Privacy Laws: Recommendations
• Each country has its unique context, including legal systems, national priorities, public mindset, and infrastructure
• A comprehensive & systematic approach to data privacy and health information privacy is still lacking in some countries such as Thailand
• Key issues include enforceable regulations, governance, and national policy