ETHICS, PRIVACY, AND SECURITY
Ethics, Privacy, and Security
 The modernization in healthcare has led to
the tendency of most practitioners to rely
on the use of mechanical aids throughout
the process of providing patient treatment.
However, the fact remains that human
values should continue to govern research
and practice in the healthcare profession
 The healthcare informatics encompasses
issues of proper and improper behaviour,
honourable actions, and of right and wrong
 The ethical questions in medicine, nursing,
human subject research, psychology, and
other related fields continue to become
more twisted and complex, but some
overarching issues are common among
them
 The ethical issues in health informatics, on
the other hand, are less familiar, even if
some of them have been controversial for
decades
 The informatics also raises questions
about various legal and regulatory
requirements
 The computer program should be used in
clinical practice only after appropriate
evaluation of its efficacy and the
documentation that it performs its intended
task at an acceptable cost in time and
money
 All uses of informatics tools, especially in
patient care, should be preceded by
adequate training and instruction, which
should include review of applicable product
evaluations
 The users of most clinical systems should
be health professionals who are qualified
to address the question at hand on the
basis of their licensure, clinical training,
and experience
Guiding Principles of General Ethics
1. Autonomy
 It is defined as either allowing
individuals to make their own
decisions in response to a
particular societal context, or as
the idea that no one human
person does not have the
authority nor should have power
over another human person
 The Electronic health records
(EHR) must maintain respect for
patient autonomy, and this entails
certain restrictions about the
access, content, and ownership
of records
 Limiting patient access and
control over patient records
improves document quality
because they can become proof-
readers of their own patient
history (Mercuri, 2010)
2. Beneficence and Non-maleficence
 These two principles are
respectively defined as “do good”
and “do no harm.” In health
informatics, beneficence relates
most significantly with the use of
the stored data in the EHR
system, and non-maleficence with
data protection
 Deeply integrated EHR systems
will contain substantial amounts
of raw data, and great potential
exists for the conduction of
ground-breaking biomedical and
public health research. These
kinds of research will be
beneficial to both the individual
patient, and to the entirety of
society
 With this in mind, new EHR
systems should be developed
with the capacity to allow patients
to release information from their
EHRs which can be valuable to
researchers and scientists.
Similarly, the available
consolidated from clinical data
repositories will be able to allow
healthcare professionals to
provide the best possible
treatments for their patients,
further upholding the principle of
beneficence
 ETHICS, PRIVACY, AND SECURITY

3. Informatics Ethics to those records and the right to

 The informatics ethics, on the
other hand, involves the ethical
behaviour required of anyone
handling data and information, as
prescribed by the International
Medical Informatics Association
(2016)
 It covers seven principles:
 Privacy
 Openness
 Security
 Access
 Legitimate Infringement
correct them with respect to its
accurateness, completeness, and
relevance
8. Principle of Legitimate Infringement
 The fundamental right of privacy
and of control over the collection,
storage, access, use,
manipulation, linkage,
communication and disposition of
personal data is conditioned only
by the legitimate, appropriate and
relevant data-needs of a free,
responsible and democratic
society, and by the equal and
competing rights of others
9. Principle of the Least Intrusive
Alternative

 Least Intrusive  Any infringement of the privacy

Alternatives rights of a person or group of
persons, and of their right of
control over data about them,
 Accountability
may only occur in the least
intrusive fashion and with a
4. Principle of Information-Privacy and
minimum of interference with the
Disposition
rights of the affected parties
 All persons and group of persons
10. Principle of Accountability
have a fundamental right to
privacy, and hence to control over
 Any infringement of the privacy
the collection, storage, access,
rights of a person or group of
use, communication,
persons, and of the right to
manipulation, linkage, and
control over data about them,
disposition of data about
must be justified to the latter in
themselves
good time and in an appropriate
fashion
5. Principle of Openness
Software Ethics
 The collection, storage, access,
use, communication,
 The health informatics ethics heavily relies
manipulation, linkage, and
on use of software to store and process
disposition of personal data must
information. As a result, activities carried
be disclosed in an appropriate
out by software developers might
and timely fashion to the subject
significantly affect end-users. The software
or subjects of those data
developer has ethical duties and
responsibilities to the following
6. Principle of Security
stakeholders: society, institution and
employees, and the profession
 The data that have been
legitimately collected about
 The activities should be carried out with
persons or groups of persons
the best interest of the society in mind.
should be protected by all
Developers should be mindful of social
reasonable and appropriate
impacts of software systems. This includes
measures against loss
disclosing any threats or known defects in
degradation, unauthorized
software
destruction, access, use,
manipulation, linkage,
Privacy, Confidentiality and Security
modification, or communication

7. Principle of Access  The privacy generally applies to individuals

and their aversion to eavesdropping,
whereas confidentiality is more closely
 The subjects of electronic health
related to unintended disclosure of
records have the right of access
information
 ETHICS, PRIVACY, AND SECURITY

 There are numerous significant reasons to

protect privacy and confidentiality. One is
that privacy and confidentiality are widely
regarded as rights of all people which
merits respect without need to be earned,
argued, or defended. Secondly, protection
of privacy and confidentiality is ultimately
advantageous for both individuals and
society. Patients are more likely to be
comfortable to share sensitive health care
data when they believe this information
would not be shared inappropriately

 This kind of trust is essential in

establishing a successful physician-
patient or nurse-patient relationship, and it
enabled practitioners to perform their jobs
better

 The privacy and confidentiality protection

also benefits public health. When people
are not afraid to disclose personal
information, they are more inclined to seek
out professional assistance, and it will
diminish the risk of increasing untreated
illnesses and spreading infectious
diseases (Goodman, 2016)
 The National Research Council (1997)
Levels of Security in the Hospital Information emphasizes that technological security
System tools are essential components of modern
distributed health care information
 It is important to note that the types of systems, and that they serve five key
safeguards you choose may be prescribed functions:
or restricted by law. Another important
consideration is the cost-benefit principle. 1. Availability
If it is not cost effective for your practice to
avail of an expensive technology to  It is ensuring that accurate and
mitigate a risk to electronic health up-to-date information is available
information, an alternative may be when needed at appropriate
requiring your staff to follow a new places
administrative procedure that equally
reduces that risk 2. Accountability

 Conversely, if you cannot afford to place  It is helping to ensure that health

additional burden on your staff due to care providers are responsible for
possibilities of human error, you may their access to and use of
choose to purchase a technology that information, based on a legitimate
automates the procedure in order to need and right to know
minimize the risk
3. Perimeter Identification
 Regardless of the type of safeguard your
practice chooses to implement, it is  It is knowing and controlling the
important to monitor its effectiveness and boundaries of trusted access to
regularly assess your health IT the information system, both
environment to determine if new risks are physically and logically
present
4. Controlling Access

 It is enabling access for health

care providers only to information
essential to the performance of
their jobs and limiting the real or
perceived temptation to access
information beyond a legitimate
need
 ETHICS, PRIVACY, AND SECURITY
5. Comprehensibility and Control
 It is ensuring that record owners,
data stewards, and patients
understand and have effective
control over appropriate aspects
of information privacy and access
Philippine Data Privacy Act of 2012
 The Business Process Management,
particularly involving Health Information
Technology, is an increasingly growing
industry within the Philippine economy.
With total IT expenditure reaching $4.4
Billion in 2016, the industry is forecasted to
more than double itself by the year 2020.
In addition, Filipinos utilize social media
heavily, with a whopping 3.5 million users
on LinkedIn, 13 million on Twitter, and 42.1
on Facebook (Wall, 2017)
 Given the rapid evolution of the digital
economy and heightened international
data trading, the Philippines has decided
to strengthen its privacy and security
protection by passing the Data Privacy Act
of 2012, with an aim “to protect the
fundamental human right of privacy, of
communication while ensuring free flow of
information to promote innovation and
growth.” (Republic Act. No. 10173, Ch. 1,
Sec. 2)
 The Data Privacy Act applies to individuals
and legal entities that are in the business
of processing personal information. The
law applies extraterritorially, applying both
to companies with offices in the
Philippines, and even those located
outside, but which use equipment based in
the Philippines. It covers personal
information of Filipino citizens regardless
of the place of residence
 The main principles that govern the
approach for the Data Privacy act include:
 Transparency
 Legitimacy of purpose
 Proportionality
 Consent is one of the major
elements highly valued by the
Data Privacy Act. The act
provides that consent must be
documented and given prior to
the collection of all forms of
personal data, and the collection
must be declared, specified, and
for a legitimate purpose
 Furthermore, the subject must be notified
about the purpose and extent of data
processing, with details specifying the
need for automated processing, profiling,
direct marketing, or sharing. These factors
ensure that consent is freely given,
specific, and informed
 However, an exception to the requirement
of consent is allowed in cases of
contractual agreements where processing
is essential to pursue the legitimate
interests of the parties, except when
overridden by fundamental rights and
freedom. Such is also the case in
responding to national emergencies
 The processing of sensitive and personal
information is also forbidden, except in
particular circumstances enumerated
below. The Data Privacy Act describes
sensitive personal information as those
being:
 Individual’s race
 Ethnic origin
 Marital status
 Age
 Color
 Religious
 Philosophical or political
affiliations
 Health
 Education
 Genetic or sexual life of a person
 ETHICS, PRIVACY, AND SECURITY

 Any proceeding or any offense
committed or alleged to have
committed
 Issued by government agencies “peculiar”
(unique) to an individual, such as social
security number
years, and a fine of not less than one
million pesos (Php1,000,000.00) but
not more than five million pesos
(Php5,000,000.00) (Republic Act. No.
10173, Ch. 8, Sec. 33)

 Marked as classified by executive order or

act of Congress

 The exceptions are:

 Consent of the data subject

 Pursuant to law that does not

require consent

 Necessity to protect life and

health of a person

 Necessity for medical treatment

 Necessity to protect the lawful

rights of data subjects in court
proceedings, legal proceedings,
or regulation

 The provisions of the law

necessitate covered entities to
create privacy and security
program to improve the collection
of data, limit processing to
legitimate purposes, manage
access, and implement data
retention procedures

Penalties

 The act provides for different penalties for

varying violations, majority of which
include imprisonment. These violations
include:

a. Unauthorized processing

b. Processing for unauthorized purposes

c. Negligent access

d. Improper disposal

e. Unauthorized access or intentional

breach

f. Concealment of breach involving

sensitive personal information

g. Unauthorized disclosure

h. Malicious disclosure

i. Any combination or series of acts

enumerated above shall make the
person subject to imprisonment
ranging from three (3) years to six (6)