
Health Information System

WEEK NUMBER 14 / VIDEO LECTURE (MR. NIÑO PAOLO TAN) / TRANSCRIBED BY: NIÑA DE LA CRUZ
ETHICS, PRIVACY, AND SECURITY

TOPIC OUTLINE
1 Ethics in Health Informatics
2 Privacy, Confidentiality and Security Measures in Health Care
3 Data Privacy Act

HEALTHCARE INFORMATICS
• Healthcare informatics covers issues on honorable actions, and proper and improper behaviors in the field of healthcare
• Even from before, issues concerning ethics, privacy and security have long been common in medicine, research, psychology and other areas and fields
• Whenever we deal with humans, ethics is always there. We always have to consider ethical issues
• Right now in this modern world, we have informatics involved, and this made the Venn diagram much more complicated
• Technology helped in the modernization of the healthcare industry, but it made it a lot MORE complicated
• It did help us healthcare professionals to be dependent on the use of mechanical aids in providing patient treatment
• If we go to the hospitals, we can see different machines that are being used to treat the patients
• We also see computers and information systems
• The technology has greatly benefitted the healthcare professionals, especially in service delivery
• Because of this advent of technology, the healthcare sector has a lot of things to consider. They now have to think of informatics
• In the picture, it can be seen that Healthcare and Ethics are overlapping

LEGAL CONCERNS REGULATORY REQUIREMENTS
• With this advancing world, the healthcare sector also needs to adapt, such as by integrating informatics into their system
• But even the selection of the proper informatics tools can give us a lot of issues to deal with

THINGS THAT ARE NEEDED TO BE CONSIDERED

THE KIND OF INFORMATICS TOOLS TO BE USED
• The kind of informatics system the hospital will acquire

USERS OF THESE TOOLS
• The hospital also needs to hire people who will be using this system

EVALUATION, DEVELOPMENT, MAINTENANCE
• The hospital will have to pay for the maintenance of the system

COMPUTERS IN TRACKING
• Buying hardware to help in tracking the system
• We are just talking about the finances and the logistics, but we also have to deal with the concern of keeping these data secured


ETHICAL PRINCIPLES FOR INFORMATICS

HEALTH INFORMATICS ETHICS
Before we buy or secure an informatics tool or system, we have to look at the following:

EFFICIENCY ON PERFORMANCE AS WELL AS EFFECTIVENESS IN FINANCIAL & TIMEFRAME COST
• Will it benefit us financially in the long run?
• Is the timeframe cost already too high?

TRAINING OF USERS PRIOR TO IMPLEMENTATION
• We need to hire some people. Of course, this includes training the healthcare practitioners who will use the system
• One will pay for the training

QUALIFIED PROFESSIONALS TO MANAGE CONCERNS
• One will have to hire qualified professionals to manage the different concerns
• Here, IT personnel are included in the list of people to be hired in order to manage the system
• We need to hire a lot of people because even though we are buying very technologically advanced software, the software should never replace the functions of the humans or our healthcare professionals
  ▪ This includes the function of decision-making
• In an ideal clinical setting, information systems are involved. This stores the patients' records, and through it they can be retrieved when needed
• These records assist in the dispensation of healthcare or other supplementary services which are part of health informatics
• Health informatics is needed by health information ethics, defined as the application of principles of ethics in the domain of health informatics

3 MAIN ASPECTS OF HEALTH INFORMATICS ETHICS

GENERAL ETHICS
• Guides the reasoning and decision-making of all people in the organization involved in healthcare

PRINCIPLE OF AUTONOMY
• Autonomy is freedom
• The idea of allowing individuals to make their own decisions, in response to a particular societal context or being free from external influence or control
• For the patient, they have control over his/her decisions
  ▪ In the hospital setting, the patient should have freedom and control to choose what kind of healthcare service he/she will acquire
• For the informatics side, the patient has control and freedom over their own personal data
  ▪ For example, the EHR contains the personal data of the patient and these data are sensitive.
  ▪ We must respect the patient and uphold the principle of autonomy by keeping restrictions about the access, content, and ownership of these records
• Sometimes, when the patients are given too much control over their data or EHRs, this could defeat the purpose because the patients might modify certain information without the health professionals' knowledge

• With this, there should be a compromise
• It is best that these records are used by the healthcare professionals, while still upholding the principle of autonomy by limiting the patients' control over their own records
  ▪ We still give them access and control, but only for verification purposes (to verify the records are correct)
• This improves the overall quality of the document while still preserving the principle of autonomy

PRINCIPLE OF BENEFICENCE
• Beneficence is for the good
• This mostly relates to the usage of thorough data in the EHR system
• When we use this data, this information is for the good of the patient, or even for the good of the society when we use this information to do some research, which can develop the community and produce new knowledge that we can apply in the world of healthcare
  ▪ Then, we are doing something good with the information. We are preserving the principle of benevolence

PRINCIPLE OF NON-MALEFICENCE
• To do no harm
• Mostly, this will be talking about how we are protecting the data we collect so that there will be no harm that will happen
• The EHR contains data and that data can be used in various ways for the good of various people, not only the patient
• If we use the patient's data for research purposes, consent should also be needed and given
• Since we are living in an advanced world, sometimes we are too dependent on technology and this can be a way in which threats or various lapses can occur, which can lead to doing harm, violating non-maleficence
  ▪ Examples: temporary power outages, which can sometimes stop the flow of the hospital
• All data should have multiple back-ups for fast and easy recovery
• These data should be equipped with the highest level of security
  ▪ We have to protect these data because if we don't protect these data, then we might break the principle of non-maleficence

INFORMATICS ETHICS
• Informatics ethics is about the behavior expected from an individual assigned to handle information

PRINCIPLE OF INFORMATION PRIVACY AND DISPOSITION
• Everyone has the fundamental right to privacy
• Every individual should ensure that he/she has control over the collection, access, use, communication, manipulation, storage, linkage and disposition of data about himself/herself
• If you are the owner of certain data, then you have a fundamental right to privacy of the data

PRINCIPLE OF OPENNESS
• Talks about the control measures of particular data
• Should be disclosed to the concerned individuals in an appropriate or timely fashion
• If you collected certain data, then you should be open to that person on what will happen to the data
  ▪ You will inform the person as to where you will store it, the manner of destroying/disposing of it, or the control measures that one will apply to the data. This should be open to the patient or to the person

PRINCIPLE OF SECURITY
• Legitimate collecting of data should be protected in all appropriate measures against access, use, modification, communication, manipulation, linkage, loss, derivation, and unauthorized destruction
• If you collected these data, then you should make sure that these data are secured by putting up security measures


PRINCIPLE OF ACCESS
• Authorized individuals should be given access to electronic health records and the right to correct the data with respect to their completeness, accuracy, and relevance
• If you are the patient and you are giving your doctor access to your data, it should only be that doctor and all healthcare professionals that are handling you
• Healthcare professionals that are not handling your case should not access your data
  ▪ That is why the keywords here are authorized individuals. Meaning, these people are given authority to access your data
• In the hospital, if they want to use the information system, they need to have credentials, a username and a password. Only those usernames and passwords can operate the system
• Not all personnel in the hospital have that username and password
• Workers and different departments have their own username and password and can only have their own access
  ▪ For example, a MedTech who has his/her own username and password has access to almost the entire LIS. However, the doctor who has his own username and password only has limited access to the LIS.

PRINCIPLE OF LEGITIMATE INFRINGEMENT
• The right to privacy and control over personal data should be conditioned by the appropriate, legitimate, and relevant data requirement of a democratic society and by the equal rights of others
• If you are going to break the principle of privacy of someone, if you are going to collect their data possibly without their consent, then you should have a legitimate reason for collecting these data
  ▪ The most common example would be court cases, legal proceedings in which you might be asked to hand over these data. So you are violating another person's privacy. But it is needed because you have a legitimate reason to do that
  ▪ By the time you become interns, you will be having duties in the hospital. In the blood bank, one of the departments in the laboratory, sometimes you will be asked to screen donors. You will screen these donors by interviewing them (you will get information from them). There is a questionnaire that needs to be asked of the donors.
  ▪ Because of this, you have a legitimate reason to infringe on their privacy because you are interviewing them for donor screening
  ▪ You are dealing with sensitive information such as HIV and sexual practices. However, you are authorized to get those data because you have a reason

PRINCIPLE OF LEAST INTRUSION / LEAST INTRUSIVE ALTERNATIVE
• Any infringement of privacy rights should occur in the least intrusive manner and with the least amount of interference with the rights of the affected parties
• If you are going to break someone's privacy because you have a legitimate reason to do so, then you should only get the data that you are concerned with and that you need
• You don't touch, collect, or pick data that do not concern you or that you do not need
  ▪ Going back to the intern example, you will conduct an interview with these donors. You have a list of questions or questionnaire. You should stick to those questions and you should only get the data that those questions are asking for. You should not ask added questions that you want
  ▪ As mentioned, it contains sensitive information such as the number of sexual partners. You should only ask for the number and not the names of the sexual partners
  ▪ As future MedTechs, you should be confident and be direct in asking the questions. Do not be awkward on certain questions since the donors are expecting that you will ask them these types of questions


PRINCIPLE OF ACCOUNTABILITY
• Any infringement must be justified to the concerned individual in a timely and appropriate fashion
• With great power comes great responsibility. If you are given the power to collect these data, then you should have responsibility over these data
• For any infringement of these data, you should tell the concerned individual. You should be accountable for the data you have collected

SOFTWARE ETHICS
• Health informatics ethics relies on the use of software to store and process information
• With that, the developers or makers of the software at the different companies have an effect on the end users
• These software developers will also have to follow their own software ethics. They have their own ethical duties and responsibilities as software developers, as software makers, as software engineers to the stakeholders (which is us)

THIS INCLUDES

SOCIETY
• The general society community

INSTITUTION AND EMPLOYEES
• The ones that will use the software
• Deals more with the developer's side
• They should build tools, machines and systems that are helpful to the institutions and employees, and that are easy to use by the employees
• Not all employees in the hospital are IT people. The doctors, nurses, MedTechs will still use the system, but they might not be as knowledgeable as the IT
  ▪ As much as possible, as part of their software ethics, they should create tools that are easy to use by the hospital employees
• If they are making machines, it should be up to the professional's standards. They should evaluate these machines before selling them

PROFESSION
• When the developers are making these new tools and new systems, they should have the best interest of the society in mind
• They should be honest and disclose any threats or defects in their software. They should be straightforward about the limitations of their product, because if they are only concerned with financial gains in selling these products, then they are violating the software ethics
• In the health institution, it is not only the healthcare institution employees that have to follow ethics, but also those who develop machines, systems, and tools for these people (society, institution, employees)

THOUGHTS TO PONDER
Is ethics flexible?
How is EHR different from other informatics records?
HIMP vs other informatics specialists?
• EHR contains more sensitive data than other informatics records (e.g. grade sheets)
• HIMP (Health Information Management Professionals) deal more with sensitive data than informatics specialists (e.g. teachers)
  ▪ With this, the HIMP has more on their plates. They have more ethical issues to follow or consider when making decisions

PRIVACY, CONFIDENTIALITY AND SECURITY

PRIVACY
• How many people are involved
• In privacy, only one person or party is involved
  ▪ For example, you have secret information that you don't want others to know. You have the right to your own privacy
• Privacy generally applies to an individual's aversion to eavesdropping, because you don't want other people eavesdropping, knowing that secret information

CONFIDENTIALITY
• Confidentiality involves more than one person
• You entrusted another person or party with your secret information
• At least two people know your secret information
  ▪ For example, in a hospital, you are the patient and you are giving personal data to this hospital. That is now confidentiality since there are two parties that are involved (you and the hospital)
  ▪ On the side of the hospital, since they are the second party, they should also try to protect this information because this is part of your confidentiality
• Confidentiality is more closely related to the unintended exposure of information because your information is now in the hands of another party

SECURITY
• Those are the measures that we do to protect our privacy and to protect our confidentiality

WHY DO WE NEED TO PROTECT OUR PRIVACY AND CONFIDENTIALITY

IT IS A BASIC HUMAN RIGHT
• People deserve their privacy and confidentiality with merit respect, without the need to be earned, argued, or defended

TRUST
• Preserving privacy and confidentiality in the healthcare setting establishes trust between our patients and the healthcare practitioners
• There is trust if the patients are very comfortable in sharing their sensitive data with the healthcare practitioners. Then the healthcare practitioners can treat their patients better since we get more information from them
• This establishes the patient and healthcare provider relationship, and the healthcare professionals can do their jobs better

PUBLIC HEALTH
• If we preserve or uphold privacy and confidentiality, then public health also benefits because people are no longer afraid to seek out professional assistance when they are having problems.
• They are more likely to seek professional help, especially in terms of their health
  ▪ For illness, they are more likely to go to the hospital that they trust than go to a hospital that they don't trust because it will break their confidentiality
  ▪ More common with the COVID-19 situation. Some people are more apprehensive to go to the hospital because maybe they will be judged or there will be people who will know that they are COVID positive
• That is why upholding confidentiality is important, because it actually also helps the general public health
• When patients trust their healthcare professionals, then they will have a more holistic view of the patient's overall health
  ▪ Both the healthcare professionals and the patient can formulate more informed decisions

WHAT HAPPENS IF WE BREAK PRIVACY AND CONFIDENTIALITY?

HEALTHCARE ORGANIZATION
• On the healthcare organization part, there will be consequences such as a decrease in reputation, even financial harm and personal harm to the patients
• The healthcare organization can also be sued
• Poor privacy and security practices heighten the vulnerability of the patient information and increase the risk of successful cyber attacks
• The most vulnerable part is the patient
• As part of the healthcare organizations, they need to do their best to have strict security measures to protect their data

  ▪ Since they trust them, the health care organizations should deliver service to them to the best of their capabilities

SAFEGUARDS
• Part of security measures
• Safeguards are solutions and tools which may be utilized to implement security policies at different levels of the health organization, such as administrative, physical, and technical

ADMINISTRATIVE SAFEGUARDS
• We are talking about the measures implemented by the management as organization-wide policies and procedures
• We are talking about policies, procedures, rules, and protocols that the administration implements, to be followed by the institution. They are administrative safeguards

EXAMPLES
✓ Continual risk assessment of your health IT environment
✓ Continual assessment of the effectiveness of safeguards for electronic health information
  ▪ This improves your security
✓ Detailed processes for viewing and administering electronic health information
✓ Employee training on the use of health IT to appropriately protect electronic health information
✓ Appropriately reporting security breaches (e.g., to those entities required by law or contract) and ensuring continued health IT operations

PHYSICAL SAFEGUARDS
• Mechanisms used to protect equipment, systems, and locations
• What is common among equipment, systems, and locations is that they are physical things
  ▪ To put it simply, they can be touched or they are tangible
• If we are protecting something tangible, then those are part of the physical safeguards
• It does not only include your computers and your hardware, but also the very building or office itself

EXAMPLES
✓ Office alarm systems
✓ Locked offices containing computing equipment that store electronic health information
✓ Security guards
  ▪ To guard the building

TECHNICAL SAFEGUARDS
• If we are protecting something not tangible such as the software, then we are now implementing technical safeguards, which protect the software and database access and control
• Anything about putting security into the software (usernames, passwords, installing firewalls)
• This type of safeguard is restricted by the law
  ▪ Sometimes, we can't get this type of safeguard, a certain brand of firewall, or a certain brand of security system since the law does not allow that
• Organizations also have to consider the cost-benefit principle
  ▪ If they buy the system, can they manage financially? If not, then they will just have to find another alternative way. If this happens, the employees and manpower will have to sacrifice or do some extra work because the administration cannot buy the system that will do the work for them
  ▪ If the organization has the money or has the capability to buy a very advanced security system, then that puts the employees and manpower in a more comfortable position as they don't have to exert extra effort

EXAMPLES
✓ Securely configured computing equipment (e.g., virus checking, firewalls)


✓ Certified applications and technologies that store or exchange electronic health information
✓ Access controls to health IT and electronic health information (e.g., authorized computer accounts)
✓ Encryption of health IT operations
✓ Auditing of health IT operations
✓ Health IT backup capabilities (e.g., regular backups of electronic health information to another computer file server)

• The organization has to monitor the effectiveness of safeguards in place and regularly assess the health IT environment to determine if new risks are present
  ▪ If we are a bit too relaxed, so that we don't keep up to date with the newest trends or practices and no longer know that there are new risks rising, then we are also compromising our security

NATIONAL RESEARCH COUNCIL
• The National Research Council (1997) emphasizes that technological security tools are essential components of modern distributed health care information systems, and that they serve five key functions:

FIVE KEY ELEMENTS
AVAILABILITY: Ensuring that accurate and up-to-date information is available when needed at appropriate places
ACCOUNTABILITY: Helping to ensure that health care providers are responsible for their access to and use of information, based on a legitimate need and right to know
PERIMETER IDENTIFICATION: Knowing and controlling the boundaries of trusted access to the information system, both physically and logically
CONTROLLING ACCESS: Enabling access for health care providers only to information essential to the performance of their jobs and limiting the real or perceived temptation to access information beyond a legitimate need
  ▪ Even if you are authorized to access this system, you are only allowed to view the information that concerns you. You cannot view the records of other patients
COMPREHENSIBILITY AND CONTROL: Ensuring that record owners, data stewards and patients understand and have effective control over appropriate aspects of information and access

LABORATORY DEPARTMENT
• In the laboratory, we deal with a lot of data and information
• We deal with patients' data, we receive data from the patients, but we also generate data through the results of our tests

INFORMATION FLOW OF THE LABORATORY

REGISTER PATIENT
• Patient sample (e.g. ID number, name, sex, age, location) must be created in the LIS before tests can be ordered. The LIS usually automatically receives these data from a hospital registration system when a patient is admitted

• If you have an effective LIS system, then that actually makes your job or the laboratory more secure
• With the manual way, wherein the patient writes his/her personal records on paper, the paper has a chance of getting lost and a chance of going into the wrong hands

ORDER TESTS
• The physician orders tests on a patient to be drawn as part of the laboratory's morning blood collection rounds. The order is entered into the CIS and electronically sent to the LIS
  ▪ Upon ordering tests, the physician can just use the CIS and electronically send the request to the LIS directly

COLLECT SAMPLE
• Before morning blood collection, the LIS prints a list of all patients who have to be drawn and the appropriate number of sample barcode labels for each patient order. Each barcode has a patient ID, sample container, and laboratory workstation that can be used to sort the tube once it reaches the laboratory. Another increasingly popular approach is for patient caregivers or nurses to collect the blood sample. Immediately prior to collection, sample barcode labels can be printed (on demand) at the nursing station on an LIS printer or portable bedside printer
  ▪ Upon collecting a sample, the LIS will just print a copy of all request slips
  ▪ Instead of writing the patient's details, we will just use the barcodes, so the patient's information is now just stored electronically. We need the barcode so that we will just access them in the LIS rather than writing everything like a patient ID, sample container, and laboratory workstation in the request slip
  ▪ If you are collecting blood from a patient, verify the name of the patient

RECEIVE SAMPLE
• When the samples arrive in the laboratory, their status has to be updated in the LIS from "collected" to "received." This can be done by scanning each sample container's barcode ID into the LIS. Once the sample is "received," the LIS transmits the test order to the analyser that will perform the test
  ▪ Upon receiving the sample, the LIS will be updated from "collected" to "received" and this is just done by scanning the barcode
  ▪ After you collect blood in your collection tubes, you put your barcodes on the collection tubes

RUN SAMPLE
• The sample is loaded onto the analyser, and the barcode is read. Having already received the test order from the LIS, the analyser knows which tests to perform on the patient. No work list is needed. For manually performed tests, the technologist prints a work list from the LIS. The work list contains the names of the patients and the tests ordered on each. Next to each test is a space to record the result.
  ▪ When we are running our tests, we will still use the barcode.
  ▪ If you have a highly comprehensive LIS that is integrated with your laboratory, including your different machines, then just by attaching the barcode to your sample, the machine will already know what test to run rather than you manually inputting the request
  ▪ This makes our job easier and also improves security
  ▪ There is less chance of people seeing the information since there is no more work list

REVIEW RESULTS
• The analyser produces the results and sends them to the LIS. These results are only viewable to technologists because they have not been released for general viewing. The LIS can be programmed to flag certain results (for example, critical values) so the technologist can easily identify what needs to be repeated or further evaluated
  ▪ There is a term called flagging, in which the machine and the LIS, if the result is too high or too low, will flag and will notify the MedTech of these values (critical values: too high/too low) and inform the physician immediately
  ▪ In hospitals, critical values are also known as panic values, wherein if the patient has panic values, the MedTech will call the physician right away

RELEASE RESULTS
• The technologist releases the results. Unflagged results are usually reviewed and released at the same time. The LIS can also be programmed to automatically review and release normal results or results that fall within a certain range. The latter approach reduces the number of tests that a technologist has to review. Upon release, the results are automatically transmitted to the CIS.
  ▪ Even with the use of machines and with a very comprehensive and effective LIS, the MedTechs have to review the results, especially if there are flagged or abnormal results
  ▪ If the results are normal, the machine will release the result

REPORT RESULTS
• The physician can view the results on the CIS screen. Reports are printed when needed from the LIS.
  ▪ Upon reporting results, the physician can just view the results on the CIS
  ▪ The LIS will generate and report the results directly to the CIS as long as the physician has the right credentials to access the CIS
  ▪ The physician has the username and the password so that he/she can use the CIS
  ▪ The MedTech has the username and password, but only on the LIS. The MedTechs only have limited control and access
  ▪ Employees having limited control and access improves security. Too much power in one individual can actually be detrimental

SAFEGUARDS FOR THE LABORATORY INFORMATION SYSTEM

ADMINISTRATIVE SAFEGUARDS
• Protocols, rules, procedures that the administration implements for the employees to follow

EXAMPLES
✓ Continuous employee training on the use of the LIS
✓ Periodic review of standards in identifying which results should be flagged
✓ Strengthen laboratory authorization and supervision policies
✓ Implement strict rules and regulations regarding the testing procedures
✓ Release guidelines on proper disposal of laboratory specimens
✓ Enforce policies on the proper use of laboratory workstations
✓ Impose disciplinary measures as needed

PHYSICAL SAFEGUARDS
• We are protecting physical or tangible things such as machines and equipment
• The laboratory itself is our office or area, and anything that protects it is a physical safeguard

EXAMPLES
✓ Periodic maintenance of laboratory equipment
✓ Biometrics or other security protocol for laboratory access
✓ Controlled temperature both for equipment and specimens
✓ Contingency operations plan
✓ Use of appropriate personal laboratory safety equipment

TECHNICAL SAFEGUARDS
• Protect the software

EXAMPLES
✓ Automated identity confirmation procedures for users requesting access
✓ Regular change of username and password
✓ Different access capabilities based on user position
✓ Automatic log-off after long periods of inactivity
  ▪ So that when somebody enters the lab, they cannot use it with your credentials
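
The information flow and the technical safeguards listed for the LIS (results hidden until released, different access by user position, automatic log-off, auditing) can be sketched in code. This is an added Python example, not part of the lecture or of any real LIS product. The class names, the two roles, the 600-second idle limit and the potassium range are assumptions made for the illustration; the separate CIS and nurse-collected samples are left out.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

Status = IntEnum("Status", "ORDERED COLLECTED RECEIVED RESULTED RELEASED")

# Constructed numbers for illustration only, not clinical reference values.
AUTO_RELEASE_RANGE = {"potassium": (3.5, 5.0)}  # inside: released without review
IDLE_LIMIT_SECONDS = 600                        # assumed automatic log-off limit


@dataclass
class Session:
    user: str
    role: str              # "medtech" or "physician" (hypothetical role names)
    patients: frozenset    # IDs of the patients this user is handling
    last_activity: float


@dataclass
class Sample:
    patient_id: str
    test: str
    status: Status = Status.ORDERED
    value: Optional[float] = None
    flagged: bool = False


class LIS:
    def __init__(self):
        self.samples = {}  # barcode -> Sample
        self.audit = []    # (time, user, action, barcode, decision)

    def _check(self, session, action, barcode, now, allowed):
        """Apply automatic log-off, record the decision, then enforce it."""
        if now - session.last_activity > IDLE_LIMIT_SECONDS:
            allowed, decision = False, "denied: session expired"
        else:
            decision = "allowed" if allowed else "denied: not authorized"
            session.last_activity = now
        self.audit.append((now, session.user, action, barcode, decision))
        if not allowed:
            raise PermissionError(decision)

    def scan(self, session, barcode, now):
        """A barcode scan moves ORDERED -> COLLECTED -> RECEIVED, one step at a time."""
        sample = self.samples[barcode]
        self._check(session, "scan", barcode, now, session.role == "medtech")
        if sample.status >= Status.RECEIVED:
            raise ValueError("sample already received")
        sample.status = Status(sample.status + 1)

    def record_result(self, barcode, value):
        """Analyser result: auto-release if within range, otherwise flag for review."""
        sample = self.samples[barcode]
        if sample.status != Status.RECEIVED:
            raise ValueError("result for a sample that was not received")
        low, high = AUTO_RELEASE_RANGE[sample.test]
        sample.value = value
        sample.flagged = not (low <= value <= high)
        sample.status = Status.RESULTED if sample.flagged else Status.RELEASED

    def release(self, session, barcode, now):
        """A flagged result stays unreleased until a technologist reviews it."""
        sample = self.samples[barcode]
        self._check(session, "release", barcode, now, session.role == "medtech")
        if sample.status != Status.RESULTED:
            raise ValueError("nothing to release")
        sample.status = Status.RELEASED

    def view(self, session, barcode, now):
        """Technologists see any result; physicians only released results of their patients."""
        sample = self.samples[barcode]
        allowed = session.role == "medtech" or (
            session.role == "physician"
            and sample.status == Status.RELEASED
            and sample.patient_id in session.patients
        )
        self._check(session, "view", barcode, now, allowed)
        return sample.value


def demo():
    """Constructed walk-through; returns the audit decisions in order."""
    lis = LIS()
    tech = Session("tech1", "medtech", frozenset(), 0.0)
    doctor = Session("dr_a", "physician", frozenset({"P001"}), 0.0)
    lis.samples["BC-1"] = Sample("P001", "potassium")  # order arriving in the LIS
    lis.scan(tech, "BC-1", 10)        # collected
    lis.scan(tech, "BC-1", 20)        # received
    lis.record_result("BC-1", 6.9)    # outside the range: flagged, not released
    try:
        lis.view(doctor, "BC-1", 30)  # denied: not released yet
    except PermissionError:
        pass
    lis.release(tech, "BC-1", 40)
    lis.view(doctor, "BC-1", 50)      # allowed after release
    return [entry[4] for entry in lis.audit]
```

Every decision, allowed or denied, lands in the audit list, which is what makes the accountability principle checkable after the fact.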

DATA PRIVACY ACT OF 2012 (REPUBLIC ACT OF 10173)

CHAPTER 1, SECTION 2
• It aims to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth
• This applies to all individuals and legal entities that are in the business of processing personal information
  ▪ In the healthcare setting, we are a part of this
• Applies to both companies with offices in the Philippines, and even to those situated outside that use equipment based in the Philippines
• This covers personal information of Filipino citizens, regardless of the place of residence
• The main principles that govern the approach for this act include transparency, legitimacy of purpose, and proportionality

CONSENT
• Consent is important
• Consent is one of the major elements and is highly valued
• The act provides that consent must be documented and given prior to the collection of any form of personal data
• The collection must be declared, specified, and used only for legitimate purpose
• In addition, the data subjects must be notified about the purpose and extent of data processing, mediating specifying the need for automated processing, profiling, direct marketing or sharing
  ▪ We are upholding the principle of openness, that we should be open to our data subjects, to our patients, on how their data will be handled
• These factors ensure that consent is freely given, specific, and informed

Are there exceptions or cases in which it is okay not to have consent?
• Yes, there are. In legal proceedings in which we are asked to give information, pursuant to a law that does not require consent
• In public health, the necessity to protect the life and health of a person. If you as a healthcare provider know that doing this will help save your patient, then you can do so without consent, also in times of national emergency
• If the benefit of proceeding to this step or doing this is far greater than the act of violating the person's privacy by not getting his/her consent, then it is okay

SENSITIVE PERSONAL INFORMATION
1 Race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
2 Health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
3 Information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
4 Information specifically established by an executive order or an act of Congress to be kept classified

KEY POINTS TO REMEMBER
• Health Informatics ethics is the application of the principles of ethics to the domain of health informatics (General Ethics, Informatics Ethics, Software Ethics)
• General Ethics covers Autonomy, Beneficence, Non-Maleficence
• Informatics Ethics refers to Privacy, Openness, Security, Access, Infringement, Least Intrusion and Accountability

• Software developers should consider the best interest of the society in general, the institution and its employees, and the profession
• Administrative, Physical and Technical safeguards are placed regularly to monitor effectiveness and assess the health IT environment.
