
Health Informatics & Legal Issues

26 March 2014 NDU


Dr. Mona Al-Achkar Jabbour
Maj_aj@hotmail.com
Professor of Law
President of the Lebanese Information Technology Association (LITA)
Founding Member of the Pan Arab Observatory for Cyber Security

Thank you

Added value
For:

citizens
governments
business sector
Online prescribing, information
patients portals
interactive communication
Extended service times
Decision support systems
Order clinicians entry
online training
Clinical databases
communication
Workflow planning systems
budgetary systems

Directory of eHealth policies


In September 2010, Ban Ki Moon launched the Global Strategy for Women's and Children's Health, with the aim of saving the lives of 16 million mothers and children worldwide by 2015 in 75 target countries, including the world's 49 poorest nations.
CoIA's recommendations to improve accountability and transparency emphasize the essential role of information and communication technologies (ICT) in achieving the goals set out by the Global Strategy.
By 2015, all target countries should have integrated the use of ICT in their national health information systems and health infrastructure.

"Medical Informatics
"Medical Informatics studies:
the organization of medical information
the effective management of information
using computer technology
and the impact of such technology on
medical research, education, and patient
care.

The field explores techniques for:
assessing current information practices,
determining the information needs of health care providers and patients,
developing interventions using computer technology,
and evaluating the impact of those interventions.

Objectives

This research seeks to:
optimize the use of information in order to improve the quality of health care,
reduce cost,
provide better education for providers and patients,
and to conduct medical research more effectively."

Health informatics
the study of resources and methods for the management of health information.

This area of study supports:
health information technology
medical practice
medical research

It involves:
systems such as electronic health records (EHR)
electronic medical records (EMR)
health information exchange standards
medical terminologies
Clinical Terms
and portable medical devices for the collection of data.

health informatics
The first use in the 1950s with dental data collected by the
National Bureau of Standards, now known as the National Institute
of Standards and Technology (NIST).
Accelerated usage with development of the Massachusetts
General Hospital Utility Multi-Programming System (MUMPS),
which provided a standard programming language for clinical
applications.
Today, the International Medical Informatics Association (IMIA)
oversees member organizations involved in health informatics
worldwide.

Scope - 1
It deals with:
- the resources
- devices
- required methods to optimize the acquisition, storage, retrieval, and use of information in health and biomedicine.

Scope -2

Health informatics tools:


Computers
clinical guidelines
formal medical terminologies
information and communication systems

Scope -3

It is applied to the areas of:

nursing
clinical care
dentistry
pharmacy
public health
occupational therapy
physical therapy
(bio)medical research
alternative medicine

The term "medical informatics" referred to the processing of medical data by computers.
The importance of "information processing" was rapidly superseded by that of "information communication".
Health applications then became known as "health telematics" or "telemedicine", and now "e-health".
The value of these applications lies not in the technology itself or even in the exchange of data but in the ability to develop human networks of competence and expertise in the field of health.

Tele-health
surveillance, health promotion and public health functions. It is broader in definition than tele-medicine as it includes computer-assisted telecommunications to support management, surveillance, literature and access to medical knowledge.

Tele-medicine
is the use of telecommunications to diagnose and treat disease and ill-health.

Telematics for health
is a WHO composite term for both telemedicine and telehealth, or any health-related activities carried out over distance by means of information communication technologies.

Nursing Informatics
Planning care

Delivering care

Nursing informatics refers to:
informatics within all areas of nursing practice
informatics designed for and relevant to nurses
information management,
knowledge from sciences other than nursing

E-health
Barely in use before 1999

Actually, this term now seems to serve as a general "buzzword".
It characterizes everything related to computers and medicine.
The term was apparently first used by industry leaders
and marketing people rather than academics.

e-health in the academic environment

The term has already entered the scientific literature (today, 76 Medline-indexed articles contain the term "e-health" in the title or abstract).

E-health:
More than a technological development

"stamping a definition on something like e-health is somewhat like stamping a definition on 'the Internet': It is defined how it is used - the definition cannot be pinned down, as it is a dynamic environment, constantly moving."

E-health by the academics


e-health is:
an emerging field in the intersection of medical informatics, public
health and business,
referring to health services and information delivered or enhanced
through the Internet and related technologies.

It characterizes:

a technical development
a state-of-mind
a way of thinking
an attitude
a commitment for networked, global thinking, to improve health care
locally, regionally, and worldwide by using information and
communication technology.

E-Health
E-health is the transfer of health resources and
health care by electronic means. It encompasses
three main areas:
The delivery of health information, for health professionals and
health consumers, through the Internet and
telecommunications.
Using the power of IT and e-commerce to improve public
health services, e.g. through the education and training of
health workers.
The use of e-commerce and e-business practices in health
systems management.

Defining E- Health

The scope of e-health is extremely generic:

- public health, which is the responsibility of States (preventing and responding to disease in populations), and healthcare, which is the responsibility of professionals and hospitals toward individual patients and the treatment of disease.
- products, such as instruments to ensure the constant
monitoring of blood pressure in ambulatory patients,
- systems, such as computer-assisted surgery systems, and
services, such as:
- operating surgical and intensive care units, with interconnected
instruments and surveillance services ensuring continuous
patient monitoring;
- computer-assisted prescription services, where the software
checks for incompatible drugs, contraindications and dosage
levels;
- information services for patients and consumers, including
individual electronic health records.

10 e's in "e-health"

Efficiency
Enhancing quality
Encouragement
Education
Enabling
Extending
Ethics
Evidence based
Empowerment
Equity

The goals
increasing efficiency in health care
Improving quality of care
increasing commitment to evidence-based medicine
empowering patients and consumers
developing new relationships between patients and health professionals

Some applications
system making patient information accessible for all
healthcare units at a district, county, or even national level.
patient portal, a system for patient Internet access to
medical record.
use of Internet as a source of medical information, a
means for medical consultation and for marketing of drugs.

e-Business
includes online procurement processing between health care providers and suppliers, online electronic claims processing, eligibility authorization from insurance companies, and consumer purchase of prescription drugs and health insurance.

Consumer
marketing

Organizational
management

Clinical customer
services

includes the use of Web sites to showcase organizational information to attract new patients and provide wellness information and disease-specific information to existing patients.

includes patient access to medical information via electronic health records allowing them to conduct risk assessments of their own health and include patient-physician interaction using e-mail.

Going digital

- data sharing
- mail and electronic messages archiving
- access logs data and audit trails
- tracing access and time of access

Implications in practice
The standards and regulations that have hitherto served
to protect individuals in such a vitally important area of
life can no longer be guaranteed when healthcare moves
into the public arena.

At a more local level, the introduction of computer-mediated healthcare changes the processes and practices of the care professionals, not least in learning to operate and manage ICTs, individually and as part of a team.

Multi-layers stakeholders
Patients: individuals, family, carers
Management, owners, shareholders
Staff and unions: scientific, technical, administrative
Professional bodies: colleges and associations
Community and media
Health professionals: doctors, nurses, professions allied to health
Government departments: local, state, federal
Researchers, academics and students
Vendors and consultants

The main players in the field :


new players
Varieties of cultures, objectives and traditions
- United Nations agencies
- other international bodies dealing with health, telecommunications and trade
- Government authorities, health and telecommunication decision-makers at the
national and regional levels, as well as the regional bodies to which they belong
- Academic and research institutions
- Local health professionals and their associations
- Consumers, patients and their associations
- The Donors
- Non-governmental organizations
- The private sector, including foundations and industries related to health and ICTs
- The media

Multidisciplinary
computer science
information science
medicine

law
philosophy
social sciences

Electronic Medical Records and Electronic Health Records

Electronic Medical Records (EMR)

Contain the standard medical and clinical data gathered in one provider's office.

Electronic health records (EHRs)

1- go beyond the data collected in the provider's office and include a more comprehensive patient history.
ex: EHRs are designed to contain and share information from all providers involved in a patient's care.

2- EHR data can be created, managed, and consulted by authorized providers and staff from across more than one health care organization.

Unlike EMRs, EHRs also allow a patient's health record to move with them to other health care providers, specialists, hospitals, nursing homes, and even across states.

EMR legal aspects

- legal document (but what about the Proof)
- the hospital owns the Record
- the patient owns the information
- confidential

Legal Challenges

The critical legal challenge for medical informatics is how to maximize the opportunities and benefits afforded whilst minimizing the risks and liabilities arising from new technology and practices.

Health information networks


Risks samples
Unethical practices due to unregulated IM&T use, e.g. Internet prescribing without
consultation
Privacy, confidentiality breaches due to poor security monitoring of data storage or
transmission
Privacy issues surrounding electronic health records
Incomplete data conversion from paper-based records
Medical errors due to failed or unavailable technology
Unethical use of healthcare information by insurance and other commercial companies

Main Legal issues in MI


Evolving and complex legal principles raised by the use of ICTs in health-related fields
Main issues:

- privacy, security, operational, ethical, consumer protection, unethical use, equity

What is Medical Data?


Personal data

Sensitive Data
Technical and legal Protection
Norms & Standards
Private Application

Sensitive data
Personal health data: Sensitive patient health data can include insurance-related data, actual medical information, and personal data about patients, such as social security numbers, addresses, and other sensitive information, which should not be publicly available.

Risks

Reliability

- The storing and exchange of medical images is crucial to providing a knowledge base for
practitioners, and clearly it is also crucial that the images from which judgments are made are
reliable.

Data Loss

Data Leakage
The movement of a data asset from an intended state to an unintended, inappropriate, or
unauthorized state, representing a risk or a potentially negative impact to the company.
Locate all sensitive information
A key challenge is being able to accurately identify relevant data at all key locations (stored
data, laptops, network, message server).
Control and protect all sensitive information
There are many ways to misuse and lose sensitive data. Hospitals/physicians and companies
must control and protect sensitive data in order to meet legal, regulatory and company policy
compliance obligations.

Obligations & Liabilities

Variations:

several legislations may hold liability for costs associated with breaches of pd data

medical, employer ID, mother's maiden name, signature or biometric data


reasonable security measures
Encrypted data
secure destruction
businesses may not transfer covered data without encryption unless
internally or by fax
credit card companies

Increasing risks

According to a 2012 Department of Homeland Security bulletin, attacks against healthcare organizations are expected to increase.

Standards: ISO 27799

An information security standard developed by the International Organization for Standardization (ISO). Its title is Health informatics -- Information security management in health using ISO/IEC 27002.
The purpose of ISO 27799 is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.
The content sections are:
1: Scope
2: References
3: Terminology
4: Symbols
5: Health information security
6: Practical Action Plan for Implementing ISO 17799/27002
7: Healthcare Implications of ISO 17799/27002
8: Annex A: Threats
9: Annex B: Tasks and documentation of the ISMS
10: Annex C: Potential benefits and tool attributes
11: Annex D: Related standards

Contractual Agreements
Data Management with Third Parties
Data protection through contracts with outsourcing, marketing agreements, and vendor relationships that involve data transfer across organizational, geographic, and system boundaries

Data transfer across geographic borders


Vendors or partners may expose sensitive data to their third-party agents and contractors
Granting vendors access to a hospital's/company's sensitive data and processing environments
Existing contracts may contain risk of data leakage and misuse by third parties
Inconsistent implementation of privacy practices among independent organizations
Who has responsibility and associated liability for data protection?
Contract language and internal auditing of those contracts

Nursing informatics Legal issues

Two areas of the law that most involve healthcare leaders and managers are:

employment law
malpractice

Cyber Security: Must for E-health


As healthcare moves from prescription pads to iPads, the new digital landscape requires a cyber security partner to guard against the bugs, viruses and bad actors.
Ponemon Institute estimated the cost of Medical Identity Theft to consumers at $12 billion for 2013.

Health cyber Threats


15% of respondents experienced a misdiagnosis
13% of respondents experienced a mistreatment
14% of respondents experienced a delay in treatment

11% of respondents were prescribed the wrong pharmaceutical

50% of respondents have done nothing to resolve the incident

issues of cyber security: Crimes and assaults


Cyber crime

online fraud
identity theft,
child pornography
intellectual property
Money laundering
Cyber Terrorism
Spamming, phishing, spyware, malware.

Minimizing Risks
With the changing legal landscape and the areas of potential risk, physicians can:

Openly discuss with their medical liability carriers the advantages and pitfalls in using ICTs
Reach out to professionals within their organizations, networks, or communities for support in
Ensure that their systems meet their legal, business, and records management needs
Ask in-depth questions of potential vendors to ensure that their products address medico-legal issues
Demand the functionality that supports both their clinical and business needs.

Lebanon

Lebanon
We are on the net!
The citizen at the heart of the
Government concern!?

What about the Legal Framework?

Protection legal framework

HIPAA and HITECH in the USA set national standard for the privacy
Convention on PDP in Europe
Varieties of legislations in Europe
Observation of technical standards of secure data communication, or to provisions ensuring high quality of handling, collecting, storing, transmitting and manipulating, etc. of health care data

Administrative, legislative and regulatory frameworks

Appropriate administrative, legislative and regulatory frameworks are essential to the implementation of a national or regional e-health project.
This wide-ranging subject has a bearing on the
fundamental rights of the citizen, e-commerce, health
and a large number of international regulations
governing the technical and economic spheres.

Administrative, legislative and regulatory frameworks
On the general level

- rules governing security
- respect for human rights
- protection of the citizen
- protection of personal data
- intellectual property
- regulations on the legal status of electronic documents and signatures
- instruments relating to the implementation of directives and
international standards, particularly in the field of security and data
confidentiality and e-commerce
- rules on environmental protection and waste management and on
equal opportunities for citizens.

Administrative, legislative and regulatory frameworks
On the technical level, this includes:

- liberalization of the telecommunication sector
- absence of monopoly in this sphere
- transparent bidding procedures
- reasonable taxation policy
- independent arbitration and regulation systems for telecommunications
- respect for international norms and standards, and related regulations.

On the medical level, this includes:

- codes of ethics for health professionals
- protocols for the certification and type approval of medical equipment
- rules for the protection of health professionals in the exercise of their duties (radiological
protection, contamination, etc.)
- rules governing hygiene and safety in regard to hospital wastes
- sound rules governing the production, distribution and management of medicines
- rules governing the status of medical records.

Administrative, legislative and regulatory frameworks
- basic legislative and legal documents
- supervising by administrative machinery
- Regional cooperation

- The exchange of medical records can legitimately take place where a similar
level of personal data protection prevails in each of the countries
- conducting clinical trials
- Regional cooperation can be facilitated by partnerships with international
bodies to guarantee codes of good conduct and credibility

FOCUS

Protection of electronic patient healthcare data and information

SCOPE

Global All industries

PENALTIES

Civil and criminal for exposure of data or fraudulent behavior

Thanks for your questions
