TMHG 529: Legal Aspects in Health Informatics
Nawanan Theera-Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital, Mahidol University
April 23, 2013
http://www.SlideShare.net/Nawanan


2. Outline
- Basics of Legal Systems
- Law & Informatics
- Privacy Laws
- HIPAA
- Thailand's Health Information Privacy Law

3. Disclaimer
No part of the contents is to be considered a professional legal opinion. I'm not responsible for the lack of completeness, accuracy, correctness, or validity of the contents for legal or organizational use. Seek professional counsel or legal experts for legal advice.

4. Basics of Legal Systems

5. National Legal Systems
- Civil Law: the central source of law recognized as authoritative is codification in a constitution or statute passed by a legislature, to amend a code
- Common Law: the sources of law are the decisions in cases by judges, plus laws & statutes passed by the legislature
- Religious Law: a religious system or document used as a legal source
- Pluralistic Systems
- Thailand is a civil law system influenced by common law
Source: http://en.wikipedia.org/wiki/List_of_national_legal_systems

6. Legal Systems of the World
(World map) Source: http://en.wikipedia.org/wiki/List_of_national_legal_systems

7. Sources of Law
- Enacted Law
  - Constitutions
  - Statutes
  - Court Rules (for court procedures)
  - Administrative Agency Rules
- Caselaw
  - Judicial Common Law Caselaw
  - Caselaw Interpreting Enacted Law
  - Administrative Agency Decisions
Source: http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf

8. Hierarchy of Sources of Law
- National Constitution
- Federal statutes, treaties, and court rules
- Federal administrative agency rules
- Federal common law caselaw
- State constitutions
- State statutes and court rules
- State agency rules
- State common law caselaw
- Secondary authorities (treatises, law reviews, legal encyclopedias, digests, etc.)
Source: http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf

9. Caselaw
- Future cases should be decided the same way as similar past cases
- Policy goals:
  - Fairness: equality before the law
  - Predictability
  - Judicial efficiency
Source: http://lawandborder.com/wp-content/uploads/2009/01/Sources-and-Hierarchy-of-U.S.-Law.pdf
10. Forms of Government
- Unitary States: a state governed as one single unit in which the central government is supreme and any administrative divisions exercise only the powers their central government chooses to delegate
Source: http://en.wikipedia.org/wiki/Unitary_state

11. Forms of Government
- Federal states (federalism): states or other subnational units share sovereignty with the central government, and the states constituting the federation have an existence and power functions that cannot be unilaterally changed by the central government
Sources: http://en.wikipedia.org/wiki/Federalism, http://en.wikipedia.org/wiki/Unitary_state

12. Levels of Government
- In federal states:
  - Federal government
  - State government
  - Local government

13. Branches of Government
- Executive Branch: the part of government with sole authority and responsibility for the daily administration of the state. It executes the law.
- Legislative Branch (Legislature/Parliament/Congress): an assembly with power to pass, amend, and repeal laws. Law created by a legislature is called legislation or statutory law.
Sources: https://en.wikipedia.org/wiki/Executive_(government), https://en.wikipedia.org/wiki/Legislature

14. Branches of Government
- Judicial Branch: a system of courts that interprets and applies the law to the facts of each case in the name of the state
  - Generally does not make law (legislative branch) or enforce law (executive branch)
  - Separation of Powers doctrine
Source: https://en.wikipedia.org/wiki/Judiciary

15. Systems of Government
- Presidential system: the leader of the executive branch is head of state & head of government
- Parliamentary system: a prime minister responsible to the legislature is head of government; a monarch or president is head of state, largely ceremonial
Sources: https://en.wikipedia.org/wiki/Presidential_system, https://en.wikipedia.org/wiki/Parliamentary_system

16. Law & Informatics

17. Laws Related to Informatics
- Computer/ICT Laws
- Intellectual Property Laws
- Laws on Access to Information
- Health Laws
18. Computer/ICT Laws
- Computer Crimes
- Electronic Transactions & Electronic Signatures
- E-commerce, Cyber Law
- Privacy/Data Protection Law (Generic)

19. Thai ICT Laws
- Computer-Related Crimes Act, B.E. 2550
  - Focuses on prosecuting computer crimes & computer-related crimes
  - Responsibility of organizations as IT service providers: logging & provision of access data to authorities

20. Thai ICT Laws
- Electronic Transactions Acts, B.E. 2544 & 2551
  - Legal binding of electronic transactions and electronic signatures
  - Security & privacy requirements for:
    - Determining legal validity & integrity of electronic transactions and documents, print-outs, & paper-to-electronic conversions
    - Governmental & public organizations
    - Critical infrastructures
    - Financial sectors
    - Electronic certificate authorities

21. IP Laws
- Copyright Law
- Patent Law
- Industrial Design Law
- Trademark Law
- Trade Secret Laws
- etc.

22. Thai IP Laws
- Copyright Act, B.E. 2537
- And other IP laws (e.g. Patent Act)
- Important for intellectual property considerations (e.g. who owns the software source code of an in-house or outsourced system?)

23. Laws on Access to Information
- Examples:
  - Freedom of Information Act (U.S.)
  - Official Information Act (Thailand)

24. Health Laws
- Laws governing health care facilities
- Laws governing health care professionals
- Other health laws:
  - Laws on Food, Drugs, Medical Devices
  - Laws on Health Care Systems
  - Laws on Emergency Medicine
  - etc.

25. Thai Health Laws
- The Sanatorium Acts, B.E. 2541 & 2547
- The Medical Profession Act, B.E. 2525
- Professional Nursing & Midwifery Acts, B.E. 2528 & 2540
- Laws for other healthcare professionals
- National Health Security Act, B.E. 2545
- National Health Acts, B.E. 2550 & 2553
- Emergency Medicine Act, B.E. 2551
- Medical Devices Act, B.E. 2551

26. Health Information Privacy Laws

27. Privacy & Security
- Privacy: the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. (Wikipedia)
- Security: the degree of protection to safeguard ... person against danger, damage, loss, and crime. (Wikipedia)

28. Privacy Protections: Why?
http://www.aclu.org/ordering-pizza

29. Ethical Principles in Bioethics
- Respect for Persons (Autonomy)
- Beneficence
- Justice
- Non-maleficence

30. Hippocratic Oath
"...What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about...."
Source: http://en.wikipedia.org/wiki/Hippocratic_Oath

31. Privacy Safeguards
- Security safeguards
- Informed consent
- Privacy culture
- User awareness building & education
- Organizational policy & regulations
- Enforcement
- Ongoing privacy & security assessments, monitoring, and protection
Image: http://www.nurseweek.com/news/images/privacy.jpg

32. HIPAA

33. U.S. Health Information Privacy Law
- Health Insurance Portability and Accountability Act of 1996
  http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
- More stringent state privacy laws apply
- HIPAA Goals:
  - To protect health insurance coverage for workers & families when they change or lose jobs (Title I)
  - To require establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers (Title II: Administrative Simplification provisions)
  - Administrative Simplification provisions also address security & privacy of health data
Source: http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

34. HIPAA (U.S.)
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  - Requires the Department of Health & Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information
35. HIPAA (U.S.)
- Title III: Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets

36. HIPAA (U.S.)
- HHS promulgated 5 Administrative Simplification rules:
  - Privacy Rule
  - Transactions and Code Sets Rule
  - Security Rule
  - Unique Identifiers Rule
  - Enforcement Rule

37. Some HIPAA Definitions
- Covered Entities (CE):
  - A health plan
  - A health care clearinghouse
  - A health care provider who transmits any health information in electronic form in connection with a transaction to enable health information to be exchanged electronically
- Business Associates

38. Some HIPAA Definitions
- Protected Health Information (PHI): individually identifiable health information transmitted or maintained in electronic media or any other form or medium
- Individually Identifiable Health Information: any information, including demographic information collected from an individual, that
  (A) is created or received by a CE; and
  (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
    (i) identifies the individual; or
    (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

39. Protected Health Information: Personal Identifiers in PHI
- Name
- Address
- Phone number
- Fax number
- E-mail address
- SSN
- Birthdate
- Medical Record No.
- Health Plan ID
- Treatment date
- Account No.
- Certificate/License No.
- Device ID No.
- Vehicle ID No.
- Driver's license No.
- URL
- IP Address
- Biometric identifier, including fingerprints
- Full face photo
40. HIPAA Privacy Rule
- Establishes national standards to protect PHI; applies to CEs & business associates
- Requires appropriate safeguards to protect the privacy of PHI
- Sets limits & conditions on uses & disclosures that may be made without patient authorization
- Gives patients rights over their health information, including rights to examine & obtain a copy of their health records & to request corrections
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

41. HIPAA Privacy Rule
- Timeline:
  - November 3, 1999: Proposed Privacy Rule
  - December 28, 2000: Final Privacy Rule
  - August 14, 2002: Modifications to Privacy Rule
  - April 14, 2003: Compliance date for most CEs
- Full text (as amended): http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

42. HIPAA Privacy Rule
- Some permitted uses and disclosures
- Use of PHI: sharing, application, use, examination or analysis within the entity that maintains the PHI
- Disclosure of PHI: release or divulgence of information by an entity to persons or organizations outside of that entity

43. HIPAA Privacy Rule
- A covered entity may not use or disclose PHI, except:
  - with individual consent, for treatment, payment or healthcare operations (TPO)
  - with individual authorization, for other purposes
  - without consent or authorization, for governmental and other specified purposes

44. HIPAA Privacy Rule
- Treatment, payment, health care operations (TPO):
  - Quality improvement
  - Competency assurance
  - Medical reviews & audits
  - Insurance functions
  - Business planning & administration
  - General administrative activities

45. HIPAA Privacy Rule
- Uses & disclosures without the need for patient authorization are permitted in some circumstances:
  - Required by law
  - For public health activities
  - About victims of abuse, neglect, or domestic violence
  - For health oversight activities
  - For judicial & administrative proceedings
  - For law enforcement purposes
  - About decedents
46. HIPAA Privacy Rule
- Uses & disclosures without the need for patient authorization are permitted in some circumstances (continued):
  - For cadaveric organ, eye, or tissue donation purposes
  - For research purposes
  - To avert a serious threat to health or safety
  - For workers' compensation
  - For specialized government functions:
    - Military & veterans activities
    - National security & intelligence activities
    - Protective services for the President & others
    - Medical suitability determinations
    - Correctional institutions
    - CEs that are government programs providing public benefits

47. Responsibilities of a CE
- Control use and disclosure of PHI
- Notify patients of information practices (NPP, Notice of Privacy Practices)
  - Specifies how the CE can use and share PHI
  - Specifies patients' rights regarding their PHI
- Provide means for patients to access their own record
- Obtain authorization for non-TPO uses and disclosures
- Log disclosures
- Restrict use or disclosures:
  - Minimum necessary
  - Privacy policy and practices
  - Business Associate agreements
  - Other applicable statutes
- Provide management oversight and response to minimize threats and breaches of privacy
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

48. HIPAA & Research
- Individually identifiable health information collected and used solely for research IS NOT PHI
- Researchers obtaining PHI from a CE must obtain the subject's authorization or must justify an exception:
  - Waiver of authorization (obtained from the IRB)
  - Limited Data Set (with data use agreement)
  - De-identified Data Set
- HIPAA Privacy supplements the Common Rule and the FDA's existing protection for human subjects
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
49. Research Data Sets
- De-identified Data Set
  - Remove all 18 personal identifiers of subjects, relatives, employers, or household members, OR
  - A biostatistician confirms that the individual cannot be identified with the available information
- Limited Data Set
  - May include ZIP, birthdate, date of death, date of service, geographic subdivision
  - Remove all other personal identifiers of the subject, etc.
  - Data Use Agreement signed by the data recipient that there will be no attempt to re-identify the subject
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

50. IRB's New Responsibility
- Assure the CE that all research-initiated HIPAA requirements have been met
- Provide a letter of approval to the researcher to conduct research using PHI, OR
- Certify and document that waiver of authorization criteria have been met
- Review and approve all authorizations and data use agreements
- Retain records documenting HIPAA actions for 6 years
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

51. HIPAA Security Rule
- Establishes national standards to protect individuals' electronic PHI that is created, received, used, or maintained by a CE
- Requires appropriate safeguards to ensure confidentiality, integrity & security of electronic PHI:
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

52. HIPAA Security Rule
- Timeline:
  - August 12, 1998: Proposed Security Rule
  - February 20, 2003: Final Security Rule
  - April 21, 2005: Compliance date for most CEs
- Full text: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
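The two research tiers on the Research Data Sets slide (slide 49), worked as an added example that is not part of the lecture: the identifier categories are those on the Personal Identifiers in PHI slide, the record field names and the sample record are assumptions, and the limited data set is only produced when the Data Use Agreement flag is set.

```python
"""Research data-set tiers under the HIPAA Privacy Rule (added example)."""

# Identifier categories from the "Personal Identifiers in PHI" slide, keyed by
# illustrative field names (assumed). "Address" is split into zip and
# geographic_subdivision so the limited data set rule can be stated per field.
IDENTIFIERS = frozenset({
    "name", "address", "zip", "geographic_subdivision", "phone", "fax",
    "email", "ssn", "birthdate", "mrn", "health_plan_id", "date_of_service",
    "date_of_death", "account_no", "license_no", "device_id", "vehicle_id",
    "drivers_license", "url", "ip_address", "biometric", "face_photo",
})
# Identifiers a Limited Data Set may keep (Research Data Sets slide).
LIMITED_DATA_SET_KEEPS = frozenset({
    "zip", "birthdate", "date_of_death", "date_of_service", "geographic_subdivision",
})

def _strip(obj, keep):
    """Drop identifier fields at every nesting level, so identifiers of
    relatives, employers or household members in sub-records go too."""
    if isinstance(obj, dict):
        return {k: _strip(v, keep) for k, v in obj.items()
                if k not in IDENTIFIERS or k in keep}
    if isinstance(obj, list):
        return [_strip(v, keep) for v in obj]
    return obj

def _present_identifiers(obj):
    """Identifier fields that carry a value, collected at any nesting level."""
    found = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in IDENTIFIERS and v not in (None, ""):
                found.add(k)
            found |= _present_identifiers(v)
    elif isinstance(obj, list):
        for v in obj:
            found |= _present_identifiers(v)
    return found

def de_identify(record):
    """De-identified data set: every listed identifier removed."""
    return _strip(record, frozenset())

def limited_data_set(record, dua_signed):
    """Limited data set: dates, ZIP and geographic subdivision kept, all other
    identifiers removed; released only under a signed Data Use Agreement."""
    if not dua_signed:
        raise PermissionError("limited data set requires a signed DUA")
    return _strip(record, LIMITED_DATA_SET_KEEPS)

def classify(record):
    """Tier a record already meets: 'de-identified', 'limited' or 'phi'."""
    present = _present_identifiers(record)
    if not present:
        return "de-identified"
    return "limited" if present <= LIMITED_DATA_SET_KEEPS else "phi"

# Constructed sample record (not real patient data), including a relative.
SAMPLE_RECORD = {
    "mrn": "MRN-000123", "name": "Jane Example", "birthdate": "1970-05-02",
    "zip": "10400", "date_of_service": "2013-04-23", "device_id": "PUMP-42",
    "diagnosis_code": "E11.9", "lab_results": {"hba1c": 7.4},
    "next_of_kin": {"name": "John Example", "phone": "02-000-0000", "relationship": "spouse"},
}
```

The biostatistician route on the slide (expert confirmation that re-identification is not possible) is a human judgement and is deliberately not modelled here.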
53. HIPAA Security Rule: Meaning
- The HIPAA Security Rule is:
  - A set of information security best practices
  - A minimum baseline for security
  - An outline of what to do, and what procedures should be in place
- The HIPAA Security Rule is not:
  - A set of specific instructions
  - A set of rules for universal, unconditional implementation
  - A document outlining specific implementations (vendors, equipment, software, etc.)
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

54. HIPAA Security Rule: Meaning
- The HIPAA Security Rule is designed to be:
  - Technology-neutral
  - Scalable (doesn't require all CEs to apply the same policies)
  - Flexible (allows CEs to determine their own needs)
  - Comprehensive (covers technical, business, and behavioral issues)
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

55. HIPAA Security Rule: Meaning
- Many rules are either Required or Addressable
  - Required: compliance is mandatory
  - Addressable: if a specification in the Rule is reasonable and appropriate for the CE, then the CE must implement it; otherwise, the reasons the policy cannot/will not be implemented must be documented and, when necessary, an alternative offered
From a teaching slide in UMN's Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

56. New in HITECH Act of 2009
- Breach notification
- Extension of complete Privacy & Security HIPAA provisions to business associates of covered entities
- New rules for accounting of disclosures of a patient's health information

57. Health Information Privacy Law: U.S. Challenges
- Conflicts between federal vs. state laws
- Variations among state laws of different states
- HIPAA only covers covered entities
- No general privacy laws in place, only a few sectoral privacy laws, e.g. HIPAA
58. Health Information Privacy Law: Other Western Countries
- Canada: The Privacy Act (1983), Personal Information Protection and Electronic Data Act of 2000
- EU Countries: EU Data Protection Directive
- UK: Data Protection Act 1998
- Austria: Data Protection Act 2000
- Australia: Privacy Act of 1988
- Germany: Federal Data Protection Act of 2001

59. Thailand's Health Information Privacy Law

60. Declaration of Patients' Rights (1998)
1. Every patient has the basic right to receive health services as legally enacted in the Thai Constitution B.E. 2540.
2. The patient is entitled to receive full medical services from their medical practitioner regardless of their status, race, nationality, religion, social standing, political affiliation, sex, age, and the nature of their illness.
3. Patients who seek medical services have the right to receive complete current information from their medical practitioner in order to thoroughly understand their illness. Furthermore, the patient can either voluntarily consent to or refuse treatment from the medical practitioner treating him/her, except in case of emergency or a life-threatening situation.
4. Patients at risk, in critical condition or near death, are entitled to receive urgent and immediate relief from their medical practitioner as necessary, regardless of whether the patient requests assistance or not.
5. The patient has the right to know the name, surname and specialty of the practitioner under whose care he/she is.
6. It is the right of the patient to request a second opinion from another medical practitioner in another specialty, who is not involved in the immediate care of him/her, as well as the right to change the place of medical service or treatment, as requested by the patient without prejudice.
7. The patient has the right to expect that their personal information is kept confidential by the medical practitioner, the only exception being in cases with the consent of the patient or due to legal obligation.
8. The patient is entitled to demand complete current information regarding his role in the research and the risks involved, in order to make a decision to participate in or withdraw from the medical research being carried out by their health care provider.
9. The patient has the right to know or demand full and current information about their medical treatment as it appears in the medical record, as requested. With respect to this, the information obtained must not infringe upon other individuals' rights.
10. The father/mother or legal representative may use their rights in place of a child under the age of eighteen, or of a person who is physically or mentally handicapped and could not exercise their own rights.
Issued on April 16, 1998 (B.E. 2541)

61. Thailand's Official Information Act (1997)
- Ascertains the rights of the public to request and obtain access to official information in a government's control (including public providers)
- Except:
  - When disclosure would jeopardize law enforcement or may harm others, etc.
  - Disclosure of personal information without consent (except as otherwise permitted by law)

62. National Health Act, B.E. 2550 (2007)
Section 7. Personal health information shall be kept confidential. No person shall disclose it in such a manner as to cause damage to him or her, unless it is done according to his or her will, or is required by a specific law to do so. Provided that, in any case whatsoever, no person shall have the power or right under the law on official information or other laws to request a document related to the personal health information of any person other than himself or herself.

63. Health Information Privacy Law: Thailand's Challenges
- The Official Information Act only covers governmental organizations
- "Disclose as a rule, protect as an exception" is not an appropriate mindset for health information
- National Health Act: one blanket provision with minimal exceptions, raising concerns about enforceability (in exceptional circumstances, e.g. disasters)
Not considered professional legal opinion

64. Health Information Privacy Law: Thailand's Challenges
- No general data privacy law in place
- Unclear implications from ICT laws (e.g. Electronic Transactions Act)
- Governance: no governmental authority responsible for oversight, enforcement & regulation of health information privacy protections
- Policy: no systematic national policy to promote privacy protections
Not considered professional legal opinion

65. Health Information Privacy Law: Summary
- Each country has its unique context, including legal systems, national priorities, public mindset, and infrastructure
- A comprehensive & systematic approach to data privacy and health information privacy is still lacking in some countries such as Thailand
- Key issues include enforceable regulations, governance, and national policy