Ethics, Privacy & Security Flashcards
encompasses issues of proper and improper behaviour, honourable actions, and of right and wrong.
Healthcare informatics
in medicine, nursing, human subject research, psychology, and other related fields continue to become more twisted and complex, but some overarching issues are common among them.
Ethical questions
on the other hand, are less familiar, even if some of them have been controversial for decades.
Ethical issues in health informatics,
also raises questions about various legal and regulatory requirements.
Informatics
should be used in clinical practice only after appropriate evaluation of its efficacy and the documentation that it performs its intended task at an acceptable cost in time and money.
computer program
should be preceded by adequate training and instruction, which should include review of applicable product evaluations.
informatics tools
Users of most clinical systems should be
health professionals
is defined either as allowing individuals to make their own decisions in response to a particular societal context, or as the idea that no human person has the authority, nor should have power, over another human person.
Autonomy
must maintain respect for patient autonomy, and this entails certain restrictions about the access, content, and ownership of records.
Electronic health records (EHR)
These two principles are respectively defined as “do good” and “do no harm.” In health informatics, beneficence relates most significantly to the use of the stored data in the EHR system, and non-maleficence to data protection.
Beneficence and Non-maleficence
will contain substantial amounts of raw data, and great potential exists for the conduct of groundbreaking biomedical and public health research. These kinds of research will be beneficial both to the individual patient and to the entirety of society.
Deeply-integrated EHR systems
should be developed with the capacity to allow patients to release information from their EHRs which can be valuable to researchers and scientists.
new EHR systems
on the other hand, involves the ethical behaviour required of anyone handling data and information, as prescribed by the International Medical Informatics Association (2016). It covers seven principles: privacy, openness, security, access, legitimate infringement, least intrusive alternatives, and accountability.
Informatics Ethics
All persons and groups of persons have a fundamental right to privacy, and hence to control over the collection, storage, access, use, communication, manipulation, linkage and disposition of data about themselves.
Principle of Information-Privacy and Disposition
The collection, storage, access, use, communication, manipulation, linkage and disposition of personal data must be disclosed in an appropriate and timely fashion to the subject or subjects of those data.
Principle of Openness
Data that have been legitimately collected about persons or groups of persons should be protected by all reasonable and appropriate measures against loss, degradation, unauthorized destruction, access, use, manipulation, linkage, modification or communication.
Principle of Security
The subjects of electronic health records have the right of access to those records and the right to correct them with respect to their accurateness, completeness and relevance.
Principle of Access
The fundamental right of privacy and of control over the collection, storage, access, use, manipulation, linkage, communication and disposition of personal data is conditioned only by the legitimate, appropriate and relevant data-needs of a free, responsible and democratic society, and by the equal and competing rights of others.
Principle of Legitimate Infringement
Any infringement of the privacy rights of a person or group of persons, and of their right of control over data about them, may only occur in the least intrusive fashion and with a minimum of interference with the rights of the affected parties.
Principle of the Least Intrusive Alternative
Any infringement of the privacy rights of a person or group of persons, and of the right to control over data about them, must be justified to the latter in good time and in an appropriate fashion.
Principle of Accountability
heavily relies on the use of software to store and process information. As a result, activities carried out by software developers might significantly affect end-users.
Software Ethics
has ethical duties and responsibilities to the following stakeholders: society, institution and employees, and the profession.
The software developer
generally applies to individuals and their aversion to eavesdropping, whereas confidentiality is more closely related to unintended disclosure of information.
Privacy
also benefits public health. When people are not afraid to disclose personal information, they are more inclined to seek out professional assistance, and it will diminish the risk of increasing untreated illnesses and spreading infectious diseases (Goodman, 2016).
Privacy and confidentiality protection
- Employee training on the use of health IT to appropriately protect electronic health information
- Continual risk assessment of your health IT environment
- Continual assessment of the effectiveness of safeguards for electronic health information
- Detailed processes for viewing and administering electronic health information
- Appropriately reporting security breaches (e.g., to those entities required by law or contract) and ensuring continued health IT operations
Administrative Safeguards
- Locked offices containing computing equipment that store electronic health information
- Office alarm system
- Security guards
Physical Safeguards
- Encryption of electronic health information
- Securely configured computing equipment (e.g., virus checking, firewalls)
- Certified applications and technologies that store or exchange electronic health information
- Access controls to health IT and electronic health information (e.g., authorized computer accounts)
- Auditing of health IT operations
- Health IT backup capabilities (e.g., regular backups of electronic information to another computer file server)
Technical Safeguards
emphasizes that technological security tools are essential components of modern distributed health care information systems, and that they serve five key functions:
National Research Council (1997)
ensuring that accurate and up-to-date information is available when needed at appropriate places;
Availability
helping to ensure that health care providers are responsible for their access to and use of information, based on a legitimate need and right to know;
Accountability
knowing and controlling the boundaries of trusted access to the information system, both physically and logically;
Perimeter identification
enabling access for health care providers only to information essential to the performance of their jobs and limiting the real or perceived temptation to access information beyond a legitimate need;
Controlling access
ensuring that record owners, data stewards, and patients understand and have effective control over appropriate aspects of information privacy and access.
Comprehensibility and control
- The patient record must be created in the LIS before tests can be ordered. The LIS usually receives these data automatically from a hospital registration system when a patient is admitted.
Register Patient
- The physician orders tests on a patient to be drawn as part of the laboratory’s morning blood collection rounds. The order is entered into the CIS and electronically sent to the LIS.
Order Tests
- The LIS prints a list of all patients who have to be drawn and the appropriate number of sample bar-code labels for each patient’s order. Each barcode has a patient ID, sample container, and laboratory workstation that can be used to sort the tubes once they reach the laboratory.
Collect Sample
- When the samples arrive in the laboratory, their status has to be updated in the LIS from “collected” to “received”. This can be done by scanning each sample container’s barcode ID into the LIS. Once the sample is “received,” the LIS transmits the test order to the analyser that will perform the test.
Receive Sample
- The sample is loaded onto the analyser, and the bar code is read. Having already received the test order from the LIS, the analyser knows which test to perform on the patient. No work list is needed. For manually performed tests, the technologist prints a work list from the LIS. The work list contains the names of the patients and the tests ordered on each. Next to each test is a space to record the result.
Run Sample
- The analyser produces the results and sends them to the LIS. These results are viewable only to the technologist because they have not been released for general viewing. The LIS can be programmed to flag certain results (for example, critical values) so the technologist can easily identify what needs to be repeated or further evaluated.
Review Results
- The technologist releases the results. Unflagged results are usually viewed and released at the same time. The LIS can also be programmed to automatically review and release normal results or results that fall within a certain range. The results are automatically transmitted to the CIS.
Release Results
- The physician can view the results on the CIS screen. Reports are printed when needed from the LIS.
Report Results
- Release guidelines on proper disposal of laboratory specimens
- Continuous employee training on the use of the LIS
- Periodic review of standards in identifying which results should be flagged
- Strengthen laboratory authorization and supervision policies
- Implement strict rules and regulations regarding the testing procedures
- Enforcement policies on the proper use of laboratory workstations
- Impose disciplinary measures as needed
Administrative Safeguards (LIS)
- Biometrics and other security protocol for laboratory access
- Periodic maintenance of laboratory equipment
- Controlled temperature both for equipment and specimens
- Contingency operations plan
- Use of appropriate personal laboratory safety equipment
Physical Safeguards (LIS)
- Regular change of username and password
- Automated identity confirmation procedures for users requesting access
- Different access capabilities based on user position
- Automatic log-off after long periods of inactivity
Technical Safeguards (LIS)
is an increasingly growing industry within the Philippine economy.
Business Process Management
with an aim “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2).
Data Privacy Act of 2012
applies to individuals and legal entities that are in the business of processing personal information.
The Data Privacy Act
The main principles that govern the approach for the Data Privacy Act include:
- Transparency;
- Legitimacy of purpose; and
- Proportionality.
is one of the major elements highly-valued by the Data Privacy Act. The act provides that consent must be documented and given prior to the collection of all forms of personal data, and the collection must be declared, specified, and for a legitimate purpose.
Consent
Processing of sensitive and personal information is also forbidden, except in particular circumstances enumerated below. The Data Privacy Act describes sensitive personal information as those being:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life, or any proceeding or any offense committed or alleged to have been committed;
- Issued by government agencies “peculiar” (unique) to an individual, such as social security number;
- Marked as classified by executive order or act of Congress.
The exceptions are:
- Consent of the data subject;
- Pursuant to law that does not require consent;
- Necessity to protect life and health of a person;
- Necessity for medical treatment;
- Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.
The provisions of the law require covered entities to create a privacy and security program to improve the collection of data, limit processing to legitimate purposes, manage access, and implement data retention procedures.
The act provides for different penalties for varying violations, the majority of which include imprisonment.
Penalties
These violations include:
- Unauthorized processing
- Processing for unauthorized purposes
- Negligent access
- Improper disposal
- Unauthorized access or intentional breach
- Concealment of breach involving sensitive personal information
- Unauthorized disclosure; and
- Malicious disclosure.
Any combination or series of acts enumerated above shall make the person subject to imprisonment ranging from
three (3) years to six (6) years
Any combination or series of acts enumerated above shall make the person subject to a fine of not less than
One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00) (Republic Act No. 10173, Ch. 8, Sec. 33).