PROF: SIR RAMON GARCIA
HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE
ICTM111 WEEK-16
Ethics, Privacy, and Security
INTRODUCTION
•Modernization in healthcare has led to the tendency of
most practitioners to rely on the use of mechanical aids
throughout the process of providing patient treatment.
However, the fact remains that human values should
continue to govern research and practice in the
healthcare profession.
•Healthcare informatics encompasses issues of proper
and improper behaviour, honourable actions, and of
right and wrong.
•Ethical questions in medicine, nursing, human subject
research,psychology, and other related fields continue to
become more twisted and complex, but some
overarching issues are common among them.
•Ethical issues in health informatics, on the other hand,
are less familiar, even if some of them have been
controversial for decades.
•Informatics also raises questions about various legal
and regulatory requirements.
•A computer program should be used in clinical practice
only after appropriate evaluation of its efficacy and the
documentation that it performs its intended task at an
acceptable cost in time and money.
•All uses of informatics tools, especially in patient care, •The collection, storage, access, use, communication,
should be preceded by adequate training and
instruction, which should include review of applicable
product evaluations.
•Users of most clinical systems should be health
professionals who are qualified to address the question
at hand on the basis of their licensure, clinical training, persons or groups of persons should be protected by all
and experience.
Guiding Principles of General Ethics:
1. Autonomy
•Autonomy is defined as either allowing individuals to
make their own decisions in response to a particular
societal context, or as the idea that no one human
person does not have the authority nor should have
power over another human person.
•Electronic health records (EHR) must maintain respect
for patient autonomy, and this entails certain
restrictions about the access, content, and ownership of
records.
•Limiting patient access and control over patient records
improves document quality because they can become
proofreaders of their own patient history (Mercuri,
2010).
2. Beneficence and Non-maleficence
•These two principles are respectively defined as “do
good” and “do no harm.” In health informatics,
beneficence relates most significantly with the use of the about them, may only occur in the least intrusive fashion
stored data in the EHR system, and non-maleficence
with data protection.
•Deeply-integrated EHR systems will contain substantial
amounts of raw data, and great potential exists for the
conduction of ground breaking biomedical and public
health research. These kinds of research will be
JENNY ROSE YUCADDI
beneficial to both the individual patient,and to the
entirety of society.
•With this in mind, new EHR systems should be
developed with the capacity to allow patients to
release information from their EHRs which can be
valuable to researchers and scientists. Similarly, the
available consolidated from clinical data repositories will
be able to allow healthcare professionals to provide the
best possible treatments for their patients,further
upholding the principle of beneficence.
4. Informatics Ethics
•Informatics ethics, on the other hand, involves the
ethical behaviour required of anyone handling data and
information, as prescribed by the International Medical
Informatics Association (2016). It covers seven
principles: privacy, openness, security, access, legitimate
infringement, least intrusive alternatives, and
accountability.
5. Principle of Information-Privacy and Disposition
•All persons and group of persons have a fundamental
right to privacy, and hence to control over the collection,
storage, access, use, communication, manipulation,
linkage and disposition of data about themselves.
6. Principle of Openness
manipulation, linkage and disposition of personal data
must be disclosed in an appropriate and timely fashion
to the subject or subjects of those data.
7. Principle of Security
•Data that have been legitimately collected about
reasonable and appropriate measures against loss
degradation, unauthorized destruction, access, use,
manipulation, linkage, modification or communication.
8. Principle of Access
•The subjects of electronic health records have the right
of access to those records and the right to correct them
with respect to its accurateness, completeness and
relevance.
9. Principle of Legitimate Infringement
•The fundamental right of privacy and of control over
the collection, storage, access, use, manipulation,
linkage, communication and disposition of personal data
is conditioned only by the legitimate, appropriate and
relevant data-needs of a free, responsible and
democratic society, and by the equal and competing
rights of others.
10. Principle of the Least Intrusive Alternative
•Any infringement of the privacy rights of a person or
group of persons, and of their right of control over data
and with a minimum of interference with the rights of
the affected parties.
11. Principle of Accountability
•Any infringement of the privacy rights of a person or
group of persons, and of the right to control over data
1
PROF: SIR RAMON GARCIA
HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE
ICTM111 WEEK-16
about them, must be justified to the latter in good time
and in an appropriate fashion.
Software Ethics
•Health informatics ethics heavily relies on use of
software to store and process information. As a result,
activities carried out by software developers might
significantly affect end-users. The software developer
has ethical duties and responsibilities to the following
stakeholders: society, institution and employees, and
the profession.
•Activities should be carried out with the best interest of
the society in mind. Developers should be mindful of
social impacts of software systems. This includes
disclosing any threats or known defects in software.
PRIVACY, CONFIDENTIALITY AND SECURITY
•Privacy generally applies to individuals and their
aversion to eavesdropping, whereas confidentiality is
more closely related to unintended disclosure of
information.
•There are numerous significant reasons to protect
privacy and confidentiality. One is that privacy and
confidentiality are widely regarded as rights of all people
which merits respect without need to be earned, argued,
or defended. Secondly, protection of privacy and
confidentiality is ultimately advantageous for both
individuals and society. Patients are more likely to be
comfortable to share sensitive health care data when
they believe this information would not be shared
inappropriately.
•This kind of trust is essential in establishing a successful year 2020. In addition, Filipinos utilize social media
physician-patient or nurse-patient relationship, and it
enabled practitioners to perform their jobs better.
•Privacy and confidentiality protection also benefits
public health. When people are not afraid to disclose
personal information, they are more inclined to seek out
professional assistance, and it will diminish the risk of
increasing untreated illnesses and spreading infectious
diseases (Goodman, 2016).
Levels of Security in the Hospital Information System
•It is important to note that the types of safeguards you
choose may be prescribed or restricted by law. Another
important consideration is the cost-benefit principle. If it information. The law applies extraterritorially, applying
is not cost effective for your practice to avail of an
expensive technology to mitigate a risk to electronic
health information, an alternative may be requiring your
staff to follow a new administrative procedure that
equally reduces that risk.
•Conversely, if you cannot afford to place additional
burden on your staff due to possibilities of human error,
you may choose to purchase a technology that
automates the procedure in order to minimize the risk.
•Regardless of the type of safeguard your practice
chooses to implement, it is important to monitor its
effectiveness and regularly assess your health IT
environment to determine if new risks are present.
JENNY ROSE YUCADDI
•The National Research Council (1997) emphasizes that
technological security tools are essential components of
modern distributed health care information systems, and
that they serve five key functions:
•Availability—ensuring that accurate and up-to-date
information is available when needed at appropriate
places;
•Accountability—helping to ensure that health care
providers are responsible for their access to and use of
information, based on a legitimate need and right to
know;
•Perimeter identification —knowing and controlling the
boundaries of trusted access to the information system,
both physically and logically;
•Controlling access —enabling access for health care
providers only to information essential to the
performance of their jobs and limiting the real or
perceived temptation to access information beyond a
legitimate need; and
•Comprehensibility and control —ensuring that record
owners, data stewards, and patients understand and
have effective control over appropriate aspects of
information privacy and access.
Philippine Data Privacy Act of 2012
•Business Process Management, particularly involving
Health Information Technology, is an increasingly
growing industry within the Philippine economy. With
total IT expenditure reaching $4.4 Billion in 2016, the
industry is forecasted to more than double itself by the
heavily, with a whopping 3.5 Million users on LinkedIn,
13 Million on Twitter, and 42.1 on Facebook (Wall, 2017).
•Given the rapid evolution of the digital economy and
heightened international data trading, the Philippines
has decided to strengthen its privacy and security
protection by passing the Data Privacy Act of 2012, with
an aim “to protect the fundamental human right of
privacy, of communication while ensuring free flow of
information to promote innovation and growth.”
(Republic Act. No. 10173, Ch. 1, Sec. 2).
•The Data Privacy Act applies to individuals and legal
entities that are in the business of processing personal
both to companies with offices in the Philippines, and
even those located outside, but which use equipment
based in the Philippines. It covers personal information
of Filipino citizens regardless of the place of residence.
The main principles that govern the approach for the
Data Privacy act include:
•Transparency;
•Legitimacy of purpose; and
•Proportionality.
•Consent is one of the major elements highly-valued by
the Data Privacy Act. The act provides that consent must
be documented and given prior to the collection of all
2
PROF: SIR RAMON GARCIA
HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE
ICTM111 WEEK-16
forms of personal data, and the collection must be than Five million pesos (Php5,000,000.00) (Republic Act.
declared, specified, and for a legitimate purpose. No. 10173, Ch. 8, Sec. 33).
•Furthermore, the subject must be notified about the
purpose and extent of data processing, with details
specifying the need for automated processing, profiling,
direct marketing, or sharing. These factors ensure that
consent is freely-given, specific, and informed.
•However, an exception to the requirement of consent is
allowed in cases of contractual agreements where
processing is essential to pursue the legitimate interests
of the parties, except when overridden by fundamental
rights and freedom. Such is also the case in responding
to national emergencies.
•Processing of sensitive and personal information is also
forbidden, except in particular circumstances
enumerated below. The Data Privacy Act describes
sensitive personal information as those being:
•About an individual’s race, ethnic origin, marital status,
age, color, and religious, philosophical or political
affiliations;
•About an individual’s health, education, genetic or
sexual life of a person, or to any proceeding or any
offense committed or alleged to have committed;
•Issued by government agencies “peculiar” (unique) to
an individual, such as social security number;
•Marked as classified by executive order or act of
Congress.
•The exceptions are:
•Consent of the data subject;
•Pursuant to law that does not require consent;
•Necessity to protect life and health of a person;
•Necessity for medical treatment;
•Necessity to protect the lawful rights of data subjects in
court proceedings, legal proceedings, or regulation.
•The provisions of the law necessitate covered entities
to create privacy and security program to improve the
collection of data, limit processing to legitimate
purposes, manage access, and implement data retention
procedures.
Penalties
•The act provides for different penalties for varying
violations, majority of which include imprisonment.
These violations include:
a. Unauthorized processing
b. Processing for unauthorized purposes
c. Negligent access
d. Improper disposal
e. Unauthorized access or intentional breach
f. Concealment of breach involving sensitive personal
information
g. Unauthorized disclosure; and
h. Malicious disclosure.
i. Any combination or series of acts enumerated above
shall make the person subject to imprisonment ranging
from three (3) years to six (6) years, and a fine of not less
than One million pesos (Php1,000,000.00) but not more

JENNY ROSE YUCADDI 3