BS NURSING II-D
JANUARY 30, 2020
5. JCAHO
The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) is a private
organization that has been used since 1965 to accredit hospitals and facilities, which allowed
for their participation in Medicare. In 2010, the process changed to provide for review by
Centers for Medicare and Medicaid Services (CMS) prior to facility participation. JCAHO has
had varying ability to control and determine rules related to patient care, several of which
pertain to PHI confidentiality. These rules are constantly under review and have included a
large number of recent revisions coinciding with the increasing prevalence of EHRs.
6. HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act of
2009 empowers the Federal Department of Health and Human Services (HHS) to oversee the
promotion of Health IT – including quality, safety and security as well as the secure
information exchange.
7. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to
allow for continuance of health insurance coverage in situations involving job changes or
loss. Major provisions of this law were enacted to formulate and regulate federal guidelines
and standards pertaining to electronic healthcare. Standards were developed to allow for
identifications of providers, health insurance plans and employers, including the National
Provider Identifier Standard (NPIS), which provides every physician with a unique number
used in all aspects of healthcare.
9. FDASIA
The Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012 resulted
in the collaboration of the HHS and FDA to recommend a regulatory framework for Health IT
to improve mobile applications and other means to promote patient safety and innovation in
healthcare delivery. Many federal and state regulations affect the health informatics
field. Because the measures were developed in isolation at different times, there is some
conflicting legislation with regard to patient care and the collection and maintenance of
patient records. Familiarity with these laws and their implications is paramount for improved
functioning in the promotion and development of computer-based patient-care systems.
10. MACRA
The Medicare Access & CHIP (Children’s Health Insurance Program) Reauthorization Act
of 2015 is intended to ensure that physicians are paid fairly, that Medicare Part B costs are
controlled and that healthcare is improved. The passage of MACRA in August 2015 signaled a
move away from the Sustainable Growth Rate (SGR) Formula once used to determine
physician reimbursement and toward a model based on the quality, efficiency, value and
effectiveness of the medical care provided. In addition, MACRA also will combine existing
quality reporting programs into one new system.
Imagine the consequences if the opposite view was true. First, data users may get around the law by
deliberately publicising the data in the public domain. Further, improper use of personal data which had
been accidentally leaked to the public domain would be legitimised.
Privacy risks
At the very least, personal data in the public domain, if used and re-used indiscriminately and
without appropriate safeguards, would result in loss of control over the accuracy, retention and security of
the data, thus jeopardizing the interests of the data subjects.
The situation is aggravated by technological advances which support aggregation, matching and
further processing of data in the public domain. Data of an individual collected from one public source could
be combined with data of the same individual obtained from other public sources at phenomenal ease and
efficiency to profile the individual and generate new uses of the data beyond the purposes for which they
were initially collected. Admittedly, profiling and re-use of the personal data in the public domain could
generate immense economic efficiency and societal benefits. At the same time, such activities also pose
grave privacy risks.
These questions are particularly relevant today, with the implementation of the Data Privacy Act
(“DPA”) in the past few years. On its surface, the DPA is fairly easy to grasp and apply. The DPA is
teeming with rules, requirements and restrictions on the use and processing of Personal Information.
Significantly, the DPA declares that the consent of the individual, or data subject, is paramount and
indispensable, before any processing or handling of his or her personal information may be performed. This
places a considerable constraint and control on all types of human relations since the processing of personal
information is a necessary activity in all aspects of such relations — be they private or public. Ultimately,
the DPA aims to empower data subjects to control when, how, and for what purpose their personal
information may be processed.
However, the lines of when and how the DPA may be applied appear to be blurred when applied to
“publicly-accessible” personal information. For when information has been disseminated to the public, how
can it be considered private? How can public information be private? Verily, the definition of Personal
Information under the DPA provides little (if any) aid in determining such boundaries. The DPA defines
Personal Information as “any information whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual” (Section 3 g). Neither the law nor its rules and regulations mention the source of the
information that constitutes Personal Information.
In addressing this seemingly grey area of the DPA’s applicability, the National Privacy Commission
(“NPC”) has declared in several Advisory Opinions that the DPA has specified the information which is
outside of its scope but only to the minimum extent necessary to achieve the specific purpose, function, or
activity in Section 4 thereof and there is no express mention that personal data which is available publicly is
outside of its scope. Thus, the provisions of the DPA are still applicable even for those personal data which
are available in the public domain. The NPC echoes the sentiment of the Office of the Privacy
Commissioner for Personal Data of Hong Kong in saying that even if the data subject has provided his or
her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent
for the use of his/her personal data for whatever purposes (Guidance Note — Guidance on Use of Personal
Data Obtained from the Public Domain, August 2013).
Another implication of the NPC’s declaration is that personal information obtained from public
documents may not be processed by third parties for purposes other than which such personal information
was provided. Thus, third parties may no longer process or use personal information obtained from
documents submitted to government regulatory agencies unless with the consent of the data subject/s.
This nuance is also especially crucial in contracts with business partners and third party service providers
involving the processing of personal information, including the outsourcing of the processing of personal
information. In addition to the mandatory stipulations required to be incorporated in such outsourcing
contracts under the Implementing Rules and Regulations of the DPA, personal information controllers must
also be careful in indicating in such contracts how personal information obtained from other sources other
than the data subject is to be treated. While it has become increasingly common in such contracts to
provide for separate provisions specifically dealing with personal information, in most instances, personal
information is lumped together in the greater group of information under “Confidential Information.” In
such instances, information that is in, or subsequently enters, the public domain is often considered
excluded from the definition of Confidential Information. Applying the NPC’s position on personal
information found in and made available via publicly-accessible platforms, in cases where personal
information is included in what is considered Confidential Information, there arises a need to carve out
personal information from the exclusion.
The NPC’s position also cautions individuals and legal entities against using and relying on
information obtained from social media platforms, such as Facebook. While this information was shared
on the platform with the intention of making it public, this fact alone does not automatically constitute
consent for other uses of the information. Consequently, social media policies have become increasingly
important in companies and organizations.
Thus, while personal information from publicly-accessible platforms is not specifically provided for
in the DPA, the NPC’s opinion has shed light on the issue and confirms that the protection attaches to the
underlying right to privacy and not actually to the pieces of personal information. Certainly, this means that
some things that have been made public are still private.
References:
https://www.usfhealthonline.com/resources/healthcare/important-laws-and-regulations-in-health-informatics/
https://publicdomainreview.org/privacy-policy/
https://cdn.ymaws.com/www.hinz.org.nz/resource/resmgr/resources/Guidelines_Informatics_for_n.pdf
http://www.hk-lawyer.org/content/drawing-line-differentiating-between-access-public-domain-information-and-protection
https://www.bworldonline.com/the-privacy-of-public-information/