HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE
ICTM111 WEEK-16 Ethics, Privacy, and Security beneficial to both the individual patient,and to the INTRODUCTION entirety of society. •Modernization in healthcare has led to the tendency of •With this in mind, new EHR systems should be most practitioners to rely on the use of mechanical aids developed with the capacity to allow patients to throughout the process of providing patient treatment. release information from their EHRs which can be However, the fact remains that human values should valuable to researchers and scientists. Similarly, the continue to govern research and practice in the available consolidated from clinical data repositories will healthcare profession. be able to allow healthcare professionals to provide the •Healthcare informatics encompasses issues of proper best possible treatments for their patients,further and improper behaviour, honourable actions, and of upholding the principle of beneficence. right and wrong. 4. Informatics Ethics •Ethical questions in medicine, nursing, human subject •Informatics ethics, on the other hand, involves the research,psychology, and other related fields continue to ethical behaviour required of anyone handling data and become more twisted and complex, but some information, as prescribed by the International Medical overarching issues are common among them. Informatics Association (2016). It covers seven •Ethical issues in health informatics, on the other hand, principles: privacy, openness, security, access, legitimate are less familiar, even if some of them have been infringement, least intrusive alternatives, and controversial for decades. accountability. •Informatics also raises questions about various legal 5. Principle of Information-Privacy and Disposition and regulatory requirements. •All persons and group of persons have a fundamental •A computer program should be used in clinical practice right to privacy, and hence to control over the collection, only after appropriate evaluation of its efficacy and the storage, access, use, communication, manipulation, documentation that it performs its intended task at an linkage and disposition of data about themselves. acceptable cost in time and money. 6. Principle of Openness •All uses of informatics tools, especially in patient care, •The collection, storage, access, use, communication, should be preceded by adequate training and manipulation, linkage and disposition of personal data instruction, which should include review of applicable must be disclosed in an appropriate and timely fashion product evaluations. to the subject or subjects of those data. •Users of most clinical systems should be health 7. Principle of Security professionals who are qualified to address the question •Data that have been legitimately collected about at hand on the basis of their licensure, clinical training, persons or groups of persons should be protected by all and experience. reasonable and appropriate measures against loss Guiding Principles of General Ethics: degradation, unauthorized destruction, access, use, 1. Autonomy manipulation, linkage, modification or communication. •Autonomy is defined as either allowing individuals to 8. Principle of Access make their own decisions in response to a particular •The subjects of electronic health records have the right societal context, or as the idea that no one human of access to those records and the right to correct them person does not have the authority nor should have with respect to its accurateness, completeness and power over another human person. relevance. •Electronic health records (EHR) must maintain respect 9. Principle of Legitimate Infringement for patient autonomy, and this entails certain •The fundamental right of privacy and of control over restrictions about the access, content, and ownership of the collection, storage, access, use, manipulation, records. linkage, communication and disposition of personal data •Limiting patient access and control over patient records is conditioned only by the legitimate, appropriate and improves document quality because they can become relevant data-needs of a free, responsible and proofreaders of their own patient history (Mercuri, democratic society, and by the equal and competing 2010). rights of others. 2. Beneficence and Non-maleficence 10. Principle of the Least Intrusive Alternative •These two principles are respectively defined as “do •Any infringement of the privacy rights of a person or good” and “do no harm.” In health informatics, group of persons, and of their right of control over data beneficence relates most significantly with the use of the about them, may only occur in the least intrusive fashion stored data in the EHR system, and non-maleficence and with a minimum of interference with the rights of with data protection. the affected parties. •Deeply-integrated EHR systems will contain substantial 11. Principle of Accountability amounts of raw data, and great potential exists for the •Any infringement of the privacy rights of a person or conduction of ground breaking biomedical and public group of persons, and of the right to control over data health research. These kinds of research will be
JENNY ROSE YUCADDI 1
PROF: SIR RAMON GARCIA HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE ICTM111 WEEK-16 about them, must be justified to the latter in good time •The National Research Council (1997) emphasizes that and in an appropriate fashion. technological security tools are essential components of Software Ethics modern distributed health care information systems, and •Health informatics ethics heavily relies on use of that they serve five key functions: software to store and process information. As a result, •Availability—ensuring that accurate and up-to-date activities carried out by software developers might information is available when needed at appropriate significantly affect end-users. The software developer places; has ethical duties and responsibilities to the following •Accountability—helping to ensure that health care stakeholders: society, institution and employees, and providers are responsible for their access to and use of the profession. information, based on a legitimate need and right to •Activities should be carried out with the best interest of know; the society in mind. Developers should be mindful of •Perimeter identification —knowing and controlling the social impacts of software systems. This includes boundaries of trusted access to the information system, disclosing any threats or known defects in software. both physically and logically; •Controlling access —enabling access for health care PRIVACY, CONFIDENTIALITY AND SECURITY providers only to information essential to the •Privacy generally applies to individuals and their performance of their jobs and limiting the real or aversion to eavesdropping, whereas confidentiality is perceived temptation to access information beyond a more closely related to unintended disclosure of legitimate need; and information. •Comprehensibility and control —ensuring that record •There are numerous significant reasons to protect owners, data stewards, and patients understand and privacy and confidentiality. One is that privacy and have effective control over appropriate aspects of confidentiality are widely regarded as rights of all people information privacy and access. which merits respect without need to be earned, argued, or defended. Secondly, protection of privacy and Philippine Data Privacy Act of 2012 confidentiality is ultimately advantageous for both •Business Process Management, particularly involving individuals and society. Patients are more likely to be Health Information Technology, is an increasingly comfortable to share sensitive health care data when growing industry within the Philippine economy. With they believe this information would not be shared total IT expenditure reaching $4.4 Billion in 2016, the inappropriately. industry is forecasted to more than double itself by the •This kind of trust is essential in establishing a successful year 2020. In addition, Filipinos utilize social media physician-patient or nurse-patient relationship, and it heavily, with a whopping 3.5 Million users on LinkedIn, enabled practitioners to perform their jobs better. 13 Million on Twitter, and 42.1 on Facebook (Wall, 2017). •Privacy and confidentiality protection also benefits •Given the rapid evolution of the digital economy and public health. When people are not afraid to disclose heightened international data trading, the Philippines personal information, they are more inclined to seek out has decided to strengthen its privacy and security professional assistance, and it will diminish the risk of protection by passing the Data Privacy Act of 2012, with increasing untreated illnesses and spreading infectious an aim “to protect the fundamental human right of diseases (Goodman, 2016). privacy, of communication while ensuring free flow of information to promote innovation and growth.” Levels of Security in the Hospital Information System (Republic Act. No. 10173, Ch. 1, Sec. 2). •It is important to note that the types of safeguards you •The Data Privacy Act applies to individuals and legal choose may be prescribed or restricted by law. Another entities that are in the business of processing personal important consideration is the cost-benefit principle. If it information. The law applies extraterritorially, applying is not cost effective for your practice to avail of an both to companies with offices in the Philippines, and expensive technology to mitigate a risk to electronic even those located outside, but which use equipment health information, an alternative may be requiring your based in the Philippines. It covers personal information staff to follow a new administrative procedure that of Filipino citizens regardless of the place of residence. equally reduces that risk. The main principles that govern the approach for the •Conversely, if you cannot afford to place additional Data Privacy act include: burden on your staff due to possibilities of human error, •Transparency; you may choose to purchase a technology that •Legitimacy of purpose; and automates the procedure in order to minimize the risk. •Proportionality. •Regardless of the type of safeguard your practice •Consent is one of the major elements highly-valued by chooses to implement, it is important to monitor its the Data Privacy Act. The act provides that consent must effectiveness and regularly assess your health IT be documented and given prior to the collection of all environment to determine if new risks are present.
JENNY ROSE YUCADDI 2
PROF: SIR RAMON GARCIA HEALTH INFORMATION SYSTEM FOR MEDICAL LABORATORY SCIENCE ICTM111 WEEK-16 forms of personal data, and the collection must be than Five million pesos (Php5,000,000.00) (Republic Act. declared, specified, and for a legitimate purpose. No. 10173, Ch. 8, Sec. 33). •Furthermore, the subject must be notified about the purpose and extent of data processing, with details specifying the need for automated processing, profiling, direct marketing, or sharing. These factors ensure that consent is freely-given, specific, and informed. •However, an exception to the requirement of consent is allowed in cases of contractual agreements where processing is essential to pursue the legitimate interests of the parties, except when overridden by fundamental rights and freedom. Such is also the case in responding to national emergencies. •Processing of sensitive and personal information is also forbidden, except in particular circumstances enumerated below. The Data Privacy Act describes sensitive personal information as those being: •About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; •About an individual’s health, education, genetic or sexual life of a person, or to any proceeding or any offense committed or alleged to have committed; •Issued by government agencies “peculiar” (unique) to an individual, such as social security number; •Marked as classified by executive order or act of Congress. •The exceptions are: •Consent of the data subject; •Pursuant to law that does not require consent; •Necessity to protect life and health of a person; •Necessity for medical treatment; •Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation. •The provisions of the law necessitate covered entities to create privacy and security program to improve the collection of data, limit processing to legitimate purposes, manage access, and implement data retention procedures. Penalties •The act provides for different penalties for varying violations, majority of which include imprisonment. These violations include: a. Unauthorized processing b. Processing for unauthorized purposes c. Negligent access d. Improper disposal e. Unauthorized access or intentional breach f. Concealment of breach involving sensitive personal information g. Unauthorized disclosure; and h. Malicious disclosure. i. Any combination or series of acts enumerated above shall make the person subject to imprisonment ranging from three (3) years to six (6) years, and a fine of not less than One million pesos (Php1,000,000.00) but not more