Data Privacy and Confidentiality MEP2425-4 PDF
Document Details
Uploaded by ObservantHazel
Catherine Grace Q. Aparece, MD
Tags
Related
Summary
This presentation discusses data privacy and confidentiality, covering key concepts, the importance of confidentiality in the doctor-patient relationship, potential weaknesses in healthcare information systems, and the analysis of data privacy violations. It also includes details such as privileged information, consent of the data subject, and relevant laws in the Philippines.
Full Transcript
Opening Prayer Data Privacy and Confidentiality Catherine Grace Q. Aparece, MD “All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I w...
Opening Prayer Data Privacy and Confidentiality Catherine Grace Q. Aparece, MD “All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.” —Hippocrates Objectives Define basic terminology relating to data privacy Recognize the importance of confidentiality in the doctor-patient relationship Identify potential weaknesses in the health care and information system Apply the core principles in the analysis of the cases on the violation of data privacy and confidentiality References World Medical Association Ethics Manual 3rd Edition WHO Ethics Manual Compilation of Cases Health Information Privacy in the Philippines: Trends and Challenges in Policy and Practice Confidentiality breaches in clinical practice: what happens in hospitals? National Privacy Commission Top 5 data breach incidents in Southeast Asia in 2022 Confidentiality refers to “the privacy of information and its protection against unauthorized disclosure.” Privacy “The state of being free from intrusion or disturbance in one's private life or affairs.” PRIVACY CONFIDENTIALITY VERSUS pertains to an points to the duty individual’s right that rests on those to be free from to whom private information has unwanted external been entrusted, scrutiny PRIVACY CONFIDENTIALITY description The right to be let alone. Agreement that information is kept secret from the reach of any other person concept Limits the access of the public Prevents information and documents from unauthorized access Applies to individual information obligatory voluntary compulsory disallowed Everyone is disallowed Only unauthorized persons Confidentiality Patients-the holders of HCP-the bearers of the the right to privacy duty of confidentiality Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. Legal obligation REPUBLIC ACT NO. 10173 AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. Consent of the data subject ▪ refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. ▪ Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so Data subject refers to an individual whose personal information is processed. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Sensitive personal information refers to personal information: 1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; 2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; Sensitive personal information refers to personal information: 3.Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and 4. Specifically established by an executive order or an act of Congress to be kept classified. WHY CONFIDENTIALITY IS IMPORTANT? If patient knows his/her information will be kept secret S/he will understand important information to the doctor Good diagnosis Better treatment Privacy of personal information is a closely-guarded individual right any unauthorized access or breach is considered a violation of this entitlement from both legal and moral perspectives. Liberal transfer of private information stems from the fiduciary nature of the clinician-patient relationship: patients trust that any and all details they may share with their healthcare provider will be maintained as private information. Technology is also changing the landscape of healthcare practice. the evolution of electronic medical records and the connectivity afforded by the Internet health information is more readily accessible to anyone with the right tools and can be easily linked across disparate databases Telemedicine the delivery of health-related services and information via telecommunications technologies now makes possible virtual patient consultations and specialist referrals involving parties separated by physical distance Electronic Medical Records transcends the physical limitations of paper files and facilitates access to, and sharing of, health information among providers of care improves the accuracy and quality of recorded data improves the quality of care as a result of having health information immediately available at all times for patient care While in many ways these developments contribute towards enhancing the delivery of care to all people, they also tend to redefine the scope of privacy and confidentiality within the context of the provider-patient relationship. In the Philippines, a person’s right to privacy is enshrined in no less than fundamental law. The Philippine Constitution provides: Section 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law A person’s general right to privacy is affirmed in the Civil Code (Republic Act No. 386). It provides that every person shall respect the dignity, personality, privacy and peace of mind of another. Since a physician has an acknowledged duty to maintain patient confidentiality, any injury that a patient may incur as a direct result of the violation of this duty will make the physician liable for damages The Revised Penal Code (Act No. 3185) criminalizes “Revelation of Secrets”. Its provision protecting the secrets of any person may find application in cases of government physicians who have custody of patient records and who would reveal private information about patients or any other employee who may abuse their position to obtain confidential information. Specific laws guarantee the right to privacy of rape victims and minors in conflict with the law – Republic Act No. 8505, Rape Victim Assistance and Protection Act of 1998 – Republic Act No. 9344, Juvenile Justice and Welfare Act of 2006 Republic Act No. 8504 Handling of information, both the identity and status, of persons with HIV Republic Act No. 9165 confidentiality of records of those who have undergone drug rehabilitation Republic Act No. 9262 confidentiality of records pertaining to cases of violence against women and their children The Electronic Commerce Act of 2000 provides that any person with access to electronic data messages or documents has the obligation of confidentiality or the duty not to convey the information to, or share it with, any other person. unauthorized access to computer systems is punishable by a fine and mandatory imprisonment Republic Act No. 4200 :The Anti-wiretapping Law may also be applied where a person who is not authorized by parties to a private communication record or communicate its contents. covers doctor-patient communication which is privileged and confidential, and which therefore should not be recorded or disclosed without consent Types of Breaches (Hospital setting) 1. related to the custody of clinical histories and records (admission forms, clinical and nursing report sheets, laboratory tests and other complementary examinations, and any other type of record containing patient data), as well as computer access to such records 2. related to the consultation and/or disclosure of clinical and/or personal data to medical personnel not involved in the patient’s clinical care, as well as people external to the hospital Breach severity Minor confidentiality breaches – those in which sensitive patient data is not properly safeguarded or handled but which do not result in observable consequences. custody of clinical histories and records or breaches due to inadequate hospital infrastructure. committed repeatedly: more than once. Breach severity Severe confidentiality breaches – the disclosure of sensitive data, as well as incidents that result in some kind of observable consequence. correspond to situations where clinical patient data are disclosed to third parties or to medical personnel not involved in the patient’s care, as well as those that are committed intentionally, or related to the patient’s sexual life, mental or other stigmatizing illnesses, and racial or ethnic background. highly private nature occur repeatedly: more than once The rule of the confidentiality of physician-patient communication and patient records is not absolute there are exceptions under the following circumstances: 1. Upon patient consent or waiver: a. Upon waiver or authority of the patient to release such information. stems from the recognition that the information contained in medical records is the property of the patient, while the medical records themselves are the property of the hospital The rule of the confidentiality of physician-patient communication and patient records is not absolute b. For purposes of insurance compensation. Presidential Decree No. 442, as amended Labor Code of the Philippines Republic Act No. 7875, National Health Insurance Act of 1995 individuals availing themselves of insurance coverage also sign waivers allowing the health maintenance organization or insurer access to their medical records in exchange for claim of benefits The rule of the confidentiality of physician-patient communication and patient records is not absolute 2. In the interest of public order and safety. Republic Act No. 3753 (Law on Registry of Civil Status) Births and deaths should be registered Republic Act No. 3573 Reporting of certain communicable diseases is mandatory Executive Order No. 212 requires medical practitioners to report treatment of patients for serious and less serious physical injuries. Presidential Decree No. 603, as amended Child and Youth Welfare Code, practitioners are required to report cases of child abuse or maltreatment. The rule of the confidentiality of physician-patient communication and patient records is not absolute ▪3. Upon lawful order of the court or a quasi-judicial body. Release of health information may occur upon service of a valid subpoena, warrant, or adjudicative order from a court, a law enforcement agency, an administrative agency authorized by law, or an arbitration panel. The rule of the confidentiality of physician-patient communication and patient records is not absolute ▪4. For research purposes. The National Ethical Guidelines for Health Research permits review of medical records without consent for purposes of research provided the data are de-identified or anonymized and are non-sensitive. “It is ethical to disclose confidential information when the patient consents to it or when there is a real and imminent threat of harm to the patient or to others and this threat can be only removed by a breach of confidentiality.” WMA’s International Code of Medical Ethics Now let’s tap the cases… Activity 2 Case Assigned My personal Ethical Law reaction Base the issue on The specific law State your personal the core principles applicable reaction…(no filters) CASES SGD 1& 22: Lloyd v Google LLC EWCA Civ 1599 The data protection class action against Google which found that they are permissible in the case of DPA breaches for the Safari Workaround. The case sets a precedent for representative opt-out style class actions for data protection breaches under UK law. SGD 2 & 21: Bohol Governor posted on Facebook on the use of expired IV fluids in Loon District Hospital SGD 3 & 20:SWU PHINMA IT Security issue , July 2024 SGD 4 & 19: Juliana Villafuerte Flatline Issue SGD 5 & 18: Philippines COMELEC data breach The Commission on Elections (COMELEC) for the Republic of the Philippines’ security systems was breached by a hacker group, exposing 60 terabytes of private voter information.The depth of this data could enable cybercriminals to map the whole internal workings of the Philippine voting system. Essentially opening the door to much more destructive follow-up strikes on a national security level. SGD 6 & 17: Bjorka, the SIM card hacker A hacker named Bjorka listed 1.3 billion profiles of Indonesian SIM card registrations for sale. The number is more than the total population, but it’s common to have more than one phone number in the country. The hacker also showed how weak Indonesia’s cybersecurity infrastructure is. SGD 7 & 16: The Black Suede Scandal A 39-year-old homosexual florist from Cebu City underwent minor operation on January 3, 2008 at the Vicente Sotto Memorial Medical Center (VSMMC) for extraction of a foreign body lodged in his rectum. He was allegedly asleep at the time of the operation, and was not made aware that the procedure was going to be filmed, nor was he informed post facto that the medical staff took a footage of his operation. He claimed that he only learned of the existence of the YouTube video when it was brought to his attention by their barangay captain, who saw the video on YouTube. SGD 8 & 15 Carlos Yulo Issue SGD 9 & 14: The Careless Whisper The PRC revoked Dr. Hayden Kho's license in November 2009, after he was found guilty of committing "immorality, dishonorable and unethical conduct" in connection with his video-recording of his intimate interactions with different women without their consent. The videos, including one showing TV actress Katrina Halili, made the rounds online and were even sold in DVD format at the time. SGD 10 & 13: Alice Guo Issue SGD 11 & 12 Facebook, Inc and its User Privacy Issue. Facebook Inc will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. Thanks! CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Please keep this slide for attribution Closing Prayer