W16: ETHICS, PRIVACY, AND SECURITY

Application of the principles of ethics to the domain of health informatics

Health informatics ethics

Defined as either allowing individuals to make their own decisions in response to a particular societal context.

General ethics

no one human person does not have the authority nor should have power over another human person

Autonomy

Electronic health records (EHR) must maintain respect for patient autonomy

Autonomy

Defined as “do good” and “do no harm”, respectively

Beneficence and Non-maleficence

_______________ relates most significantly with the use of the stored data in the EHR system

Beneficence

_________________ relates most significantly with data protection

Non-maleficence

Conduction of groundbreaking biomedical and public health research

Principle of Beneficence in Health Informatics

What is the principle of Non-maleficence in Health Informatics

1.) Temporary outage
2.) Total system failure
3.) Data security

All have fundamental right to privacy

Principle of Information-Privacy and Disposition

The collection, storage, access, use, communication, manipulation, linkage and disposition of personal data must be disclosed in an appropriate and timely fashion to the subject or subjects of those data

Principle of openness

Data that have been legitimately collected about persons or groups of persons should be protected by all reasonable and appropriate measures

Principle of security

The subjects of electronic health records have the right of access to those records and the right to correct them with respect to its accurateness, completeness and relevance.

Principle of access

The fundamental right of privacy and of control is conditioned only by the
legitimate, appropriate and relevant data-needs of a free, responsible and democratic society, and by the equal and competing rights of others

Principle of Legitimate Infringement

Any infringement of the privacy rights of a person or group of persons, and of the right to control over data about them, must be justified to the latter in good time and in an appropriate fashion.

Principle of accountability

The software developer has ethical duties and responsibilities

Software ethics

• Developers should be mindful of social impacts of software systems

• Includes disclosing any threats or known defects in software

Society

While balancing their duties to the public, including being straightforward about personal limitations and qualifications

Institution and employees

• Software products should meet expected professional standards

• Developers should strive to build products that are of high standard, by thoroughly testing and detailing unresolved issues.

Professional standards

Generally applies to individuals and their aversion to eavesdropping

Privacy

more closely related to unintended disclosure of information

Confidentiality

widely regarded as rights of all people which merits respect without need to be earned, argued, or defended

Privacy and confidentiality

__________ and security practices heighten the vulnerability of patient information and increases the risk of successful cyber-attacks

Poor privacy

Continual risk assessment of your health IT environment

Administrative Safeguards

Office alarm systems

Physical Safeguards

Securely configured computing equipment (e.g., virus checking,
firewalls)

Technical safeguards

Certified applications and technologies that store or exchange
electronic health information

Technical safeguards

Locked offices containing computing equipment
that store electronic health information

Physical safeguards

Continual assessment of the effectiveness of safeguards for electronic
health information

Administrative safeguards

Detailed processes for viewing and administering electronic health
information

Administrative safeguards

ensuring that accurate and up-to- date information is available when needed at appropriate places

Availability

helping to ensure that health
care providers are responsible for their access
to and use of information, based on a
legitimate need and right to know

Accountability

knowing and controlling the boundaries of trusted access to
the information system, both physically and logically

Perimeter identification

Enabling access for health care providers only to information essential to the performance of their jobs and limiting the real or perceived temptation to access information beyond a legitimate need

Controlling access

ensuring that record owners, data stewards, and patients understand and have effective control over appropriate aspects of information privacy and access.

Comprehensibility and control

Patient record (e.g. ID Number, name, sex, age, location) must be created in the LIS before tests can be ordered. LIS usually automatically receives these data from a hospital registration system when a patient is admitted

Register patient

Physician orders tests on a patient to be draw as part of the laboratory’s morning blood collection rounds. The order is entered into the CIS an electronically sent to the LIS.

Order tests

Before morning blood collection, the LIS prints a list of all patients who have to be drawn and the appropriate number of sample bar-code labels for each patient order.

Collect sample

When the samples arrive in the laboratory, their status has to be updated in the LIS from “collected” to “received.” T

received sample

The sample is loaded onto the analyser, and the bar code is read. Having already received the test order from the LIS, the analyser knows which tests to perform on the patient.

Run sample

The analyzer produces the results and sends them to the LIS. These results are only viewable to technologists because they have not been released for general viewing.

Reviewing results

The technologist releases the results. Unflagged results are usually reviewed and released at the same time.

Release results

The physician can view the results on the CIS screen. Reports are printed when needed from the LIS.

Report results

Aim “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.”

Data privacy act of 2012

Data privacy act of 2012 fine

1M-5M

Data privacy act of 2012 imprisonment

3-6 yrs