
ALTAR, CATHERINE SIENNA B.

BS NURSING II-D
JANUARY 30, 2020

A. POLICIES, GUIDELINES, AND LAW IN NURSING INFORMATICS


• PRIVACY OF PERSONAL AND PUBLIC DOMAINS

POLICIES, GUIDELINES, AND LAW IN NURSING INFORMATICS


It is important to be familiar with federal and state legislation governing patient medical
records. There are several laws designed to protect Americans’ personal health information.
Patients have the right to privacy, and they have the right to have the information shared with
healthcare providers who will use it with discretion in the patient’s best interest. If you have
or are considering a career in health informatics, it is important to be aware of federal and
state laws so that Protected Health Information (PHI) remains secure when stored and
transmitted by electronic health record systems.

1. Privacy Act of 1974


The Privacy Act of 1974 regulates information collected by the federal government and its
agencies. The legislation allows citizens to know what information is collected about them,
assure the veracity of that data and obtain copies of the information. The Veterans Health
Administration and Indian Health Services are subject to these regulations.

2. Alcohol- and Drug-Abuse Patient Confidentiality


The Confidentiality of Alcohol and Drug Abuse Patient Records rule allows for additional
privacy in any federally assisted drug- or alcohol-abuse program. Identity, diagnosis and
treatment are treated as confidential information. Patient impairment does not excuse release
of confidential patient information.

3. Conditions for Coverage of Specialized Services by Suppliers


The Conditions for Coverage of Specialized Services by Suppliers is part of Medicare laws
that govern providers and requires that all PHI be kept confidential and protected against loss,
destruction or unauthorized use. This information requires the written approval of the patient
before it is used or forwarded. Hospitals must protect this information against unauthorized
use and current Electronic Health Records allow for monitoring and securing data. Patients
always have a right to access their records; an institution is allowed to charge a usual and
customary fee for paper copy costs. These laws extend to home health agencies and long-term
care facilities.

4. Institutional Review Boards


Institutional Review Boards are governed by state and federal laws and require informed
written consent and data security and privacy. State laws vary and may include special
requirements with regard to drug and alcohol treatment, special disease states and mental
illness.

5. JCAHO
The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) is a private
organization that has been used since 1965 to accredit hospitals and facilities, which allowed
for their participation in Medicare. In 2010, the process changed to provide for review by
Centers for Medicare and Medicaid Services (CMS) prior to facility participation. JCAHO has
had varying ability to control and determine rules related to patient care, several of which
pertain to PHI confidentiality. These rules are constantly under review and have included a
large number of recent revisions coinciding with the increasing prevalence of EHRs.

6. HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act of
2009 empowers the Federal Department of Health and Human Services (HHS) to oversee the
promotion of Health IT – including quality, safety and security as well as the secure
information exchange.

7. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to
allow for continuance of health insurance coverage in situations involving job changes or
loss. Major provisions of this law were enacted to formulate and regulate federal guidelines
and standards pertaining to electronic healthcare. Standards were developed to allow for
identifications of providers, health insurance plans and employers, including the National
Provider Identifier Standard (NPIS), which provides every physician with a unique number
used in all aspects of healthcare.

8. Affordable Care Act


The Affordable Care Act of 2010 was set up to fundamentally change the way people are
insured; goals include lowering healthcare costs and making coverage accessible to previously
uninsured people. The law is undergoing major changes as issues with its implementation are
encountered. Final resolutions should be expected in the coming years as interpretations of its
standards are developed and enacted. As revisions are implemented, there may be many
changes to the way healthcare is delivered, including control of PHI.

9. FDASIA
The Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012 resulted
in the collaboration of the HHS and FDA to recommend a regulatory framework for Health IT
to improve mobile applications and other means to promote patient safety and innovation in
healthcare delivery. Many federal and state regulations affect the health informatics
field. Because the measures were developed in isolation at different times, there is some
conflicting legislation with regard to patient care and the collection and maintenance of
patient records. Familiarity with these laws and their implications is paramount for improved
functioning in the promotion and development of computer-based patient-care systems.

10. MACRA
The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act
of 2015 is intended to ensure that physicians are paid fairly, that Medicare Part B costs are
controlled and that healthcare is improved. The passage of MACRA in August 2015 signaled a
move away from the Sustainable Growth Rate (SGR) Formula once used to determine
physician reimbursement and toward a model based on the quality, efficiency, value and
effectiveness of the medical care provided. In addition, MACRA also will combine existing
quality reporting programs into one new system.

11. 21st CENTURY CURES ACT


The 21st Century Cures Act, passed by both houses of Congress and signed into law by
President Obama in December 2016, covers many facets of healthcare. The goals for all,
though, are the same: to “help modernize and personalize health care, encourage greater
innovation, support research, and streamline the system,” according to the act’s mission
statement. Among the ways those goals will be sought are by the discovery of cures in basic
science; streamlining the drug and device development process; and unleashing the power of
digital medicine and social media at the treatment delivery phase.

PRIVACY OF PERSONAL AND PUBLIC DOMAINS


Personal data, be it publicly available or not, is subject to protection under the Personal Data
(Privacy) Ordinance (the “Ordinance”). Prior to the enactment of the Ordinance in 1995, the Law Reform
Commission had carefully deliberated on whether public registers should be exempted completely from the
Ordinance and concluded that it should not. In the public consultation exercises leading to the latest
amendments to the Ordinance (effective 1 October 2012 and 1 April 2013), the Government reaffirmed the
view that “putting personal data in the public domain does not make the data available for use for any
purpose”. This was upheld in a Court of Appeal judgment delivered in February this year (Re Hui Kee
Chun, CACV 4/2012).

Imagine the consequences if the opposite view were true. First, data users may get around the law by
deliberately publicising the data in the public domain. Further, improper use of personal data which had
been accidentally leaked to the public domain would be legitimised.

Privacy risks

At the very least, personal data in the public domain, if used and re-used indiscriminately and
without appropriate safeguards, would result in loss of control over the accuracy, retention and security of
the data, thus jeopardizing the interests of the data subjects.

The situation is aggravated by technological advances which support aggregation, matching and
further processing of data in the public domain. Data of an individual collected from one public source could
be combined with data of the same individual obtained from other public sources at phenomenal ease and
efficiency to profile the individual and generate new uses of the data beyond the purposes for which they
were initially collected. Admittedly, profiling and re-use of the personal data in the public domain could
generate immense economic efficiency and societal benefits. At the same time, such activities also pose
grave privacy risks.

THE PRIVACY OF ‘PUBLIC’ INFORMATION


In this age when everything is “instant,” information on just about anything and anyone under the
sun is not only readily available, but easy to come by. Especially with the proliferation of social media sites
and other publicly-accessible platforms and the increasing transparency of government databases most of
which are accessible on-line, a few clicks of a mouse will yield a treasure trove of information. But along
with this bounty comes the inevitable question of boundaries: What information should be made publicly
available? Can we use it? How should we use it?

These questions are particularly relevant today, with the implementation of the Data Privacy Act
(“DPA”) in the past few years. On its surface, the DPA is fairly easy to grasp and apply. The DPA is
teeming with rules, requirements and restrictions on the use and processing of Personal Information.
Significantly, the DPA declares that the consent of the individual, or data subject, is paramount and
indispensable, before any processing or handling of his or her personal information may be performed. This
places a considerable constraint and control on all types of human relations since the processing of personal
information is a necessary activity in all aspects of such relations — be they private or public. Ultimately,
the DPA aims to empower data subjects to control when, how, and for what purpose their personal
information may be processed.

However, the lines of when and how the DPA may be applied appear to be blurred when applied to
“publicly-accessible” personal information. For when information has been disseminated to the public, how
can it be considered private? How can public information be private? Verily, the definition of Personal
Information under the DPA provides little (if not no) aid in determining such boundaries. The DPA defines
Personal Information as “any information whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual” (Section 3(g)). There is no mention in either the law or its rules and regulations of the source of the
information that constitutes Personal Information.

In addressing this seemingly grey area of the DPA’s applicability, the National Privacy Commission
(“NPC”) has declared in several Advisory Opinions that the DPA has specified the information which is
outside of its scope but only to the minimum extent necessary to achieve the specific purpose, function, or
activity in Section 4 thereof and there is no express mention that personal data which is available publicly is
outside of its scope. Thus, the provisions of the DPA are still applicable even for those personal data which
are available in the public domain. The NPC echoes the sentiment of the Office of the Privacy
Commissioner for Personal Data of Hong Kong in saying that even if the data subject has provided his or
her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent
for the use of his/her personal data for whatever purposes (Guidance Note — Guidance on Use of Personal
Data Obtained from the Public Domain, August 2013).

Another implication of the NPC’s declaration is that personal information obtained from public
documents may not be processed by third parties for purposes other than those for which such personal
information was provided. Thus, third parties may no longer process or use personal information obtained from
documents submitted to government regulatory agencies except with the consent of the data subject/s.
This nuance is also especially crucial in contracts with business partners and third-party service providers
involving the processing of personal information, including the outsourcing of the processing of personal
information. In addition to the mandatory stipulations required to be incorporated in such outsourcing
contracts under the Implementing Rules and Regulations of the DPA, personal information controllers must
also be careful to indicate in such contracts how personal information obtained from sources other
than the data subject is to be treated. While it has become increasingly common in such contracts to
provide for separate provisions specifically dealing with personal information, in most instances, personal
information is lumped together in the greater group of information under “Confidential Information.” In
such instances, information that is in, or subsequently enters, the public domain is often considered
excluded from the definition of Confidential Information. Applying the NPC’s position on personal
information found in and made available via publicly-accessible platforms, in cases where personal
information is included in what is considered Confidential Information, there arises a need to carve out
personal information from the exclusion.

The NPC’s position also cautions individuals and legal entities against using and relying on
information obtained from social media platforms, such as Facebook. While this information was shared
on the platform with the intention of making them public, this fact alone does not automatically constitute
consent for other uses of the information. Consequently, social media policies have become increasingly
important in companies and organizations.

Thus, while personal information from publicly-accessible platforms is not particularly provided for
in the DPA, the NPC’s opinion has shed light on the issue and confirms that the protection attaches to the
underlying right to privacy and not actually to the pieces of personal information. Certainly, this means that
some things that have been made public are still private.
