College of Medicine and Health Sciences
Department of Health Informatics
Health Informatics Professionals Ethics
Getahun Gebre, MPH-HI
Health Informatics Ethics & Standards
Unit I: Introduction to Health Informatics
Unit 2: Ethico-legal aspect of Health Informatics
Unit 3: Ethiopian Health Service Program and Regulations
Unit 4: Patient Privacy & Confidentiality of Health Information
Unit 5: Security & Access to Health Information
Unit 6: Cyberspace Ethics
Course Objectives
Define health informatics
Identify history of health informatics
Identify ethical principles of health informatics
Explain why knowledge of ethics & law is important to HI
Explain health information system policies and procedures
Explain how and when patients access their information
Understand ethical issues related to cyberspace
Unit I: Introduction to Health Informatics
Contents
Definition of health informatics
Historical development of health informatics
Associations of Health Informatics
Evolution of Health Care Standards
Profession and Occupation
Roles of health informatics professional
Introduction to health informatics
Definition:
It is a multidisciplinary field that uses health information technology (HIT) to
improve health care via any combination of
higher quality, higher efficiency and new
opportunities.
The interdisciplinary study of the design, development,
adoption & application of IT-based innovations
in healthcare services delivery, planning & management.
It deals with the resources, devices, and methods
required to optimize the acquisition, storage, retrieval,
and use of information in health & biomedicine.
Health informatics tools include, amongst others,
computers, clinical guidelines, formal medical
terminologies, & information & communication
systems.
It is applied to the areas of nursing, clinical care,
dentistry, pharmacy, public health, ….
All of these are designed to improve the overall
effectiveness of patient care delivery by
ensuring that the data generated is of a high
quality, e.g. an m-health based early warning
scorecard.
People who work in medical informatics are
highly educated in both information science &
health care.
• It is a growing field, but at present the primary
areas of specialization include: Dental informatics,
Nursing informatics…..
Historical development of health informatics
The field of HI emerged when computer technology
became sophisticated enough to manage large amounts
of data.
There were earlier experiments in the field of
dentistry, but it wasn't until the 1960s that health
informatics began to standardize as a field of study.
• Worldwide use of computer technology in medicine
began in the early 1950s with the rise of
computers.
• 1949: The German Gustav Wagner establishes the
German Society for Medical Documentation, Computer
Science, and Statistics, the world's first professional
organization for informatics.
Gustav Wagner's work paves the way for informatics to
become an integral part of the healthcare industry in
Europe and the rest of the world.
• 1952: Dr. Arthur E. Rappoport spoke about using the
McBee manual punch card, the 1st computer used in
clinical practice, at the American Society for Clinical
Pathology.
• 1959: Ledley and Lusted publish their influential paper
“Reasoning foundations of medical diagnosis”, which
suggests computers should be integrated into the health care
field to automate physicians' work and reduce error.
• Specialized university departments and informatics
training programs began during the 1960s in France,
Germany, Belgium & the Netherlands.
• 1967: Utah's Latter Day Saints Hospital is one of the 1st in
the United States to use an electronic medical record, the
Health Evaluation through Logical Programming (HELP)
software. There was great success with the software.
• 1970s Medical informatics research units began to
appear in Poland and U.S.
• Since then the development of high-quality health
informatics research, education and infrastructure has
been a goal of the U.S. and the European Union.
• 1988:
• The US government invests in a local and military health care
system. This system continues to be the
foundation of the Department of Defense's
electronic health record.
• Launch of the American Medical Informatics
Association (AMIA) to educate health care
professionals in informatics standards and systems.
• 2004:
“By computerizing health records we can avoid dangerous
medical mistakes, reduce costs, and improve care,” said
President Bush at his State of the Union address.
• He vowed to make electronic health records available to
Americans within the next decade.
• 2009: President Obama calls for a national electronic
health record system.
• 2012: Hospitals in America trial health monitoring
devices which record the movement, respiratory rate,
heart rhythm and other vital signs of expectant mothers during
childbirth.
• 2013: 72% of physicians use tablets to maintain
electronic health records.
International & National association of HI
IMIA (International Medical Informatics
Association)
• It is an independent organization established in
1989
• It was established in 1967 as Technical
Committee 4 of the International Federation for
Information Processing
• As an 'association of associations', IMIA acts as a
bridging organization, bringing together the
constituent organizations and their members.
IMIA provides leadership and expertise to
the multidisciplinary, health-focused community and
policy makers, to enable the transformation of
healthcare in accord with the world-wide vision of
improving the health of the world population.
• Purpose, Goals, Objectives of IMIA
IMIA plays a major global role in the application
of information science and IT in the fields of
healthcare and research in medical, health and
bio-informatics.
The basic goals and objectives:
• Promote informatics in health care and research
• Advance and nurture/raise international cooperation.
• Stimulate research, development and routine application.
• Move informatics from theory into practice
• Dissemination and exchange of knowledge, information
and technology
IMIA Membership
• As an 'association of associations' bridging the world of
health & biomedical informatics
• IMIA membership consists primarily of
1. Member Societies - In each country, one society/ a group of
societies
2. Institutional (Academic and Corporate)
Corporate:- include vendor, consulting, national professional
organizations
Academic: include universities, medical centers, research
centers & institutions.
3. Affiliate Members: International organizations that
share an interest in the broad field of health and
biomedical informatics.
4. Honorary Fellows: these are individuals who have
demonstrated exceptional merit in furthering the aims and
interests of IMIA
• IMIA's role is to bring together, from a global
perspective, scientists, researchers, users, vendors,
developers, consultants and suppliers in an environment
of cooperation and sharing
IMIA's vision is that
“There will be a world-wide systems approach for
healthcare. Clinicians, researchers, patients and people in
general will be supported by informatics tools, processes
and behaviors that make it easy to do the right thing, in
the right way, at the right time to improve health care for
all. This systems approach will incorporate and integrate
research, clinical care and public health. To achieve this
vision it will require everyone being supported by
informatics-based information and communication
systems and technologies”
Health informatics Association in Africa
HELINA stands for HI in Africa.
It is the pan African HI association and the Africa Region of
the International Medical Informatics Association (IMIA).
HELINA is a young region created in 1993 in Nigeria.
HELINA arose out of the First International Working
Conference on HI in Africa.
HELINA 96 was held in South Africa, HELINA 99 took place in
Zimbabwe, HELINA 2007 in Mali, and HELINA 2009 in Côte
d'Ivoire.
HELINA’S VISION
• IMIA vision
HELINA’S OBJECTIVES
• To get African countries to develop their National HI Societies so
that they can qualify to join the World of HI by becoming a
member of IMIA.
• To develop education & research programs adapted to the African
context, fostering alliances with government & the private sector, and
• To develop a strategic plan for the sustainable development of HI &
e-health in Africa.
• The African societies that thus far are full members of
IMIA are the health informatics associations of the following countries:
• Cameroon – CAHIS,
• Ethiopia – EHIA,
• Ivory Coast – ISBHI,
• Malawi – MIAM,
• Mali – SOMIBS,
• Nigeria – AHIN,
• South Africa – SAHIA,
• Togo – ATIM-TELEMED
Evolution of Healthcare Informatics Standards
The field of health informatics is a complex & still
developing discipline today.
Perhaps the great irony of the field is that there is
no standard when it comes to the technology
behind the data.
Hospital systems may have two or more different
software systems in place.
The field of healthcare informatics standards
started in the late 1960s.
Standards for laboratory message exchange, data
content, and health information system security
were among the first healthcare informatics
standards developed.
Standards in other industries often arise from a dominant
vendor (e.g., Microsoft Disk Operating System) in order
to enable widespread use of a technology (e.g., ATM
banking transactions).
In contrast, healthcare standards developed by specific
vendors often do not rise to dominance because there are
no truly dominant vendors in the industry, nor are there
industry action groups powerful enough to achieve
voluntary convergence.
The healthcare delivery system today employs many
different information systems from different vendors,
both within a single organization and across multiple
organizations.
For example, a hospital may have a laboratory system
from one vendor, a pharmacy system from another
vendor, and a patient care documentation system from a
third vendor.
Health informatics as a developing profession
Profession and professionalism
• Health informatics is a profession.
• A profession is a calling that requires special knowledge & skilled
preparation (training).
• A profession is generally distinguished from other kinds of occupation
by:
a) Its requirement of prolonged specialized training acquiring a body of
knowledge pertinent to the role to be performed and
b) An orientation of the individual toward service, either to community or
organization
Criteria of a profession
• Professional status is achieved when an occupation
involves practice and theoretical knowledge, and
carries great individual responsibility.
The privilege to practice is granted only after the individual
has completed a standardized program of highly specialized
education and
has demonstrated an ability to meet the standards for
practice.
• The body of specialized knowledge is continually
developed & evaluated through research.
• The members are self-organized and collectively assume
the responsibility of establishing standards for education
and practice.
Comparison b/n Profession & occupation
Occupation | Profession
Training may occur on job | Education takes place in college & university
Length of training varies | Education is definite and prolonged
Values, beliefs and ethics are not prominent features of preparation | Values, beliefs & ethics are an integral part of preparation
Commitment & personal identification vary | Commitment & personal identification are strong
Work is supervised | Work is autonomous
People often change jobs | People are unlikely to change jobs
Accountability rests with employees | Accountability rests with the individual
E.g. drivers, clerks & technicians | E.g. doctors, engineers, journalists
Professional profile of health informatics
Health informatics graduates have the following
professional profile names:
• Health information system manager
• Medical record officer and health information
technologist
• Health care network and systems administrator
• Health care computer programmer
• Health care database manager (administrator )
• Health care web developer
• Health care system analyst
• Health informatics instructors/Educator
• Telemedicine/mobile health administrator
• Health information technology Project manager
• Health planning officer
Roles of the health informatics professional
A. Medical record officer
• Creates new medical records & retrieves existing ones
• Assigns and records new record numbers;
• Delivers charts by following established procedures.
• Maintains quality results by following hospital standards.
• Serves & protects the hospital community by adhering to
professional standards, hospital policies and procedures
B. Health care computer programmer
• Not everyone can speak a computer's language,
but that's precisely what computer programmers
do for a living.
• They write the code which creates software programs,
turning the program designs into code computers
can understand and follow, in languages such as Java or C++.
C. Software developer
• They write the computer programs used for
everything from the systems that allow computers
to run properly
• Develop and maintain complex, mission-critical
applications as defined by requirements.
• Participate in requirements, design, and code peer
reviews.
Chapter two
Ethico - legal aspects of health informatics
Learning objectives
1. Define ethics
2. Describe Importance of ethics
3. Mention the divisions of ethics
4. Describe ethical issue of health informatics
5. Describe codes of ethics
6. Mention types of law
7. Identify importance of law
8. Identify the difference b/n Ethics and Law
Introduction about Ethics
• Ethics is derived from the Greek word “ethos”,
meaning “set of moral principles”, “a system of
moral principles”, “rules of behavior”, “custom” or
“character”.
• Ethics is a branch of philosophy dealing with moral
principles that may be connected to beliefs about
what may be considered wrong or right. It is the
science of moral value.
• Ethics is the branch of philosophy dealing with
standards of conduct and moral judgment.
• Ethics refers to the practices or beliefs of a certain
group (i.e. Health informatics ethics, Nursing
ethics, Physicians' ethics/Medical ethics).
• Ethics is concerned with what ought to be, what
is right, or wrong, good or bad.
Importance of Ethics
To help health professional identify moral and
ethical issues,
To know what is right and wrong about what
should and should not be done for and to client,
To know and respect the issues of human rights,
personal and civic.
Ethical Issues in Health Informatics
• Confidentiality of electronic patient information
• Proper selection/use of informatics tools in clinical settings
• Determination of who uses these tools
• System evaluation
• The obligations of system developers, maintainers, vendors
• The use of computers to track clinical outcomes to guide
future practice.
Divisions of ethics
It is divided into three primary areas.
A. Meta– ethics (the study of concept of ethics)
It is the branch of ethics that seeks to understand the nature
of ethical properties, statements, attitudes, and judgments
Asks questions such as: What do ethical statements mean?
How can we know what is ethical and what is not?
What do we mean when we talk about what is right and what is
wrong?
B. Normative ethics (the study of how to determine ethical
values)
It is the study of what you should or should not do
Asks what are the basic principles of right or wrong
Examine standards for the rightness and wrongness of action
C. Applied ethics (the study of use of ethical values).
Seeks to apply ethical principles to concrete social issues
Attempts to apply ethical theory to real-life situations
Codes of ethics
• Ethics deals with decisions about right versus wrong,
good versus bad. An ethical conflict is opposition b/n
moral ideas or interests.
• To resolve such conflict there are various ethical
resources available:
1. Case studies - Reference to similar ethical conflicts and
situations in the past that may have been resolved in a
certain manner.
2. Ethics committees and personnel - Discuss with them to
resolve ethics issues.
3. Informal discussions – resolve the issue by chats with
friends or colleagues
4. Codes of ethics - these are formal documents that list
ethical principles and duties.
• Members of the profession are required to adhere to the
principles of these codes to guide their ethical conduct.
Codes of professional ethics serve several purposes
such as:
• It provides ethical guidance for the professionals
themselves
• It furnishes a set of principles against which the
conduct of the professionals may be measured, and
• It provides the public with a clear statement of the
ethical considerations that should shape the behavior
of the professionals themselves.
Codes of Ethics in Health Informatics
Codes of ethics are organized by professional
associations and national and international bodies.
E.g. WHO, IMIA, American Medical
Informatics Association (AMIA)
These codes provide a simplified framework that
allows ethical conflicts in health informatics to be
resolved.
The IMIA Code of Ethics for Health Informatics
Professionals is very comprehensive and covers
the duties of health informatics professionals arising from:
Fundamental ethics principles,
Informatics ethics principles
HEALTH INFORMATICS ETHICS
• There are 3 aspects of health informatics that can be
identified:
Healthcare - Health informatics is in the context of
healthcare. Information systems are developed to
facilitate dispensation/privilege of health care
Information - Health informatics deals with
efficiently processing information.
Software- Information is processed, stored, and
retrieved effectively by using software.
• Given these components in health informatics, we
can define health informatics ethics in terms of
ethical dimension for each component
• Health informatics professionals need to adhere
to these 3 ethical dimensions of their profession
General Ethics
• The 1st dimension to health informatics ethics is
general ethics, in cognizance with healthcare.
• All our social interactions dealing with norms and
values are guided by ethics.
• The IMIA code defines general ethics using six
major principles
1. Non – Maleficence/ avoiding evil or harm
• We have a duty to prevent harm to others without
undue harm to ourselves.
• It is to avoid causing deliberate harm, risk of harm
and harm that occurs during the performance of
beneficial acts.
• E.g. experimental research that has negative
consequences on the client.
2. Integrity/honesty
• We have a duty to fulfill our obligations to the
best of our abilities.
• Every member of society is expected to be honest
and diligent/hard working
3. Equality and justice
• We have the right to be treated equally without
discrimination.
• All persons are equal as persons and have a right to be
treated accordingly
• Justice means “fairness” which implies giving each person/
client what he or she deserves.
• Justice requires that “equals be treated equally and
unequals unequally”.
4. Beneficence/ doing good
• We have a duty to advance the good of others.
• A member of society does not seek just his or her
own good, but the general good & advancement
of the society as a whole.
• Beneficence is doing or promoting good.
• This principle is the basis for all health care
providers
5. Autonomy
• We have the right to self-determination.
• Members of society ought to be given independence
in making decisions & judgments.
• Autonomy means independence and ability to be
self-directed in healthcare.
• Autonomy is the basis for the client's right to self-
determination.
Autonomy – Respect for person
• Autonomous comes from the Greek words “auto”, meaning
“self”, and “nomos”, meaning “government”.
Therefore, autonomous means “self-government”.
• Autonomy is the promotion of independent choice,
self-determination and freedom of action.
The term autonomy implies four basic elements
• The autonomous person is respected
Competent adult clients have the right to
consent or refuse treatment even if health care
providers do not agree with clients' decisions;
their wishes must be respected.
However, in most instances patients are expected
to be dependent upon the health care provider.
6. Impossibility
• All our duties are subject to our ability to do them.
• As an example, in line with the principle of
impossibility, a surgeon cannot be 100% sure about
the success of an operation. However, because of the
principle of integrity, the surgeon performs the
operation to the best of his or her ability.
B. Informatics Ethics
• It is the 2nd dimension to HI ethics.
• It deals with ethical behavior required of anyone
handling data and information
• In this information age, ethical conduct is required
in our handling of information as well.
The following seven principles are stated in the
informatics ethics.
1. Privacy
• Everyone has the right to privacy of their own
information.
• Every person has the right to decide how much
information they wish to disclose about themselves,
and what information they wish to withhold
• Individuals have the right to control what information
about themselves is collected, and how it is stored, used,
communicated and manipulated.
2. Principle of Openness
The collection, storage, access, use,
communication, manipulation and disposition of
personal data must be disclosed in an appropriate
and timely fashion to the subject of those data.
3. Principle of Security
• Data that have been legitimately collected about a
person should be protected by all reasonable and
appropriate measures against loss, degradation,
unauthorized destruction, access, use,
manipulation, modification or communication.
4. Principle of Access
• The subject of an electronic record has the right of
access to that record and the right to correct the
record with respect to its accurateness,
completeness and relevance.
5. Principle of Legitimate Infringement
• The fundamental right of control over the
collection, storage, access, use, manipulation,
communication and disposition of personal data is
conditioned only by the legitimate, appropriate
and relevant data-needs of a free, responsible and
democratic society, and by the equal and
competing rights of other persons.
6. Principle of the Least Intrusive/Interfering Alternative
• Any infringement/breach of the privacy rights of the
individual person, and of the individual's right to
control over person-relative data as mandated under
Principle 1, may only occur in the least intrusive
fashion and with a minimum of interference with the
rights of the affected person.
7. Principle of Accountability
• Any infringement of the privacy rights of the
individual person, and of the right to control over
person-relative data, must be justified to the
affected person in good time and in an appropriate
fashion.
C. Software Engineering Ethics
• Our 3rd dimension to health informatics ethics is
software engineering ethics, which can be defined
in terms of activities carried out by software
developers that have the potential of affecting
end-users
• A code of ethics for software engineers
contains the following 8 principles:
1. Public
• Activities are done with the best interest of the
society in mind.
• Developers should be aware of social impacts of
software systems; in the process of developing these
systems as well as eventual usage of such systems.
This includes disclosing any dangers or known
defects in software.
2. Client and employer
• Activities are done in the best interests of clients
and employers.
• Developers are obliged to have the interests of
their clients in mind, while balancing their duties
to the public.
3. Product
• Software products should meet expected professional
standards.
• Developers should strive to build products that are
not sub-standard.
• Developers should ensure that the product is
thoroughly tested and debugged/repaired, and
unsolved problems are documented.
4. Judgment
• Integrity/honesty and independence is kept in
making decisions about software development.
Developers should avoid situations in which they
or their clients have conflicts of interest, either
internally or with other parties.
5. Management
• Managers and leaders should subscribe/agree to
ethical approaches in software development.
• Realistic and effective costs, schedules, and
procedures should be promoted.
• In addition, developers should be aware of their
client or employer's policies.
6. Profession
• The reputation/status of the software engineering
profession should be advanced.
• Developers should promote and facilitate
education of software engineering and point out
anyone who violates the profession's standards
and codes.
7. Colleagues
• Colleagues are to be supported and treated fairly.
• This includes support in development, as well as
in understanding of the profession's codes.
• Developers are to fully credit their colleagues for
their work, including intellectual contributions
and code re-use.
8. Self
• Re-training and improvement are to be
pursued/followed by the software developer.
• Developers should not let prejudices
lead to unfair treatment of others.
• Developers should not encourage others, directly or
indirectly, to perform actions that violate the
profession's code.
Stakeholders in Health Informatics Ethics
• Ethical conflicts arise as a result of interactions
between stakeholders.
• Codes of conduct allow ethical conflicts in
health informatics to be resolved.
• The code of conduct lists six types of professional
relationships in which the health informatics
professional is involved
1. Patient
• This refers to anyone who makes use of
healthcare services, which generate electronic
records for that individual, i.e. EMRs, etc.
2. Self
• The health informatics professional has personal
ethical duties, to which they should adhere.
3. Healthcare professionals
• Doctors, nurses, & other medical staff that care
for patients.
4. Profession
• Health informatics professionals relate with
colleagues, and represent the health informatics
profession in general
5. Institutions and employers
Institutions/employers refers to who the health
informatics professional is working for.
6. Society
• This is a generalization of everyone else to whom
the HIP has duties, excluding patients, healthcare
professionals, and employers.
• Patient Bill of Rights
21-Nov-19 LEGAL ASPECTS & UNETHICAL BRs 86
The patient's rights are as follows:
They have the right to considerate &
respectful care
They have the right to get complete, current,
understandable information about their
diagnosis, treatment & prognosis.
They have the right to make decisions about the plan
of care
They have the right to get advice
They have the right to every consideration
of privacy
They have the right to expect that all communications and
records pertinent to them are treated as
confidential.
They have the right to expect that within its
capacity a hospital must make reasonable
response to the request of a patient for their
services.
The hospital must provide evaluation, service,
and/ or referral as indicated by the urgency of
the case.
The patient has a right to obtain information
as far as his care is concerned.
The patient has the right to obtain
information as to who is treating him.
They have the right to consent or decline to
participate in a proposed research study
They have the right to expect reasonable
continuity of care
They have the right to know what hospital
rules and regulations apply to their
conduct as a patient.
They have the right to review the records
pertaining to their medical care
Legal Concepts in health informatics
Definition of Law
Law can be defined as those rules/principles made by
humans that regulate social conduct in a formally
prescribed and legally binding manner.
• Laws are passed by government to keep society operating
smoothly and to control behaviors that could threaten the
public safety.
Laws are based upon concerns for fairness and justice.
• Enforcement of these laws is possible by penalties
for violation which are decided by courts of law.
• Those persons who violate the law may be fined,
imprisoned or both and
• Professionals who violate laws may also lose
their registration or license to practice their
profession.
Basis for a law
• The Constitution of the Federal Democratic Republic of
Ethiopia divides the power and responsibilities of the
Federal government among:
• The legislature - which is the law maker (The House of
Peoples Representatives)
• The executive - which is the law enforcer, (the Council of
Ministers) and
• The judiciary - which is the interpreter of the law.
Types of law
• The two types of law:
• Civil/private law: deals with relations between
individuals; involves interactions between private citizens
• Public law: governs relationships b/n individuals &
the government, and those relationships b/n individuals
which are of direct concern to the society
• Interrelations between the state and the general population
• Examples of public law: theft, homicide
Functions of Law in health Informatics
• It provides a framework for establishing which health
informatician actions in the care of client are legal.
• It differentiates the health informatician's
responsibilities from those of other health professional.
• It assists in maintaining a standard of health informatics
practice by making health informatics accountable under
the law
Health related laws
• Laws which set rules and principles relating to the
health sector operation
• Laws dealing with issues affecting the health and
welfare of the people.
Health related laws cover legislations related to:
• Disease control and medical care,
• Professional regulation
• Ethics and patients rights
• Health information and statistics
• Pharmaceuticals and medical devices
• Health institution and services
• occupational health and accident prevention
• nutrition and food safety
• mental health
• health insurance
• smoking, alcoholism and drug abuse
• environmental protection
• criminal sanctions and human rights.
Health related laws which have direct or indirect
application to the Health informatics
profession
Health information and statistics;
Ethics and patients rights;
Professional regulation and human rights
document
Health insurance
Difference between Ethics and Law
Both share two fundamental goals for creating and
maintaining societal good:
The regulation of behavior and
The protection of society at large.
In respect to the HI profession, the ethical and legal
requirements aim primarily at the protection of
privacy and confidentiality of the personal health
information of the client/patient.
• Ethics is a set of principles and requires professionals
to behave in a certain manner just because doing
something is right or wrong.
• An illegal act by a professional is always unethical,
but an unethical act is not necessarily illegal.
• Moral values are a beginning to the development of
legal rules; an ethics statement which is not adopted
into law is generally unenforceable.
• However, courts of law may look to the ethics
statements or principles of professional
associations or regulatory bodies when they
interpret laws affecting that profession. Therefore,
ethical standards influence legal standards by
creating professional ethics standards.
Difference between ……
• In contrast,
• Law sets a standard of conduct which must be
adhered to, and a breach of the standard may
be followed by civil or criminal consequences.
• Laws are written, approved and then enforced by
the government body which approved them.
Enforcement of these laws is through penalties
decided by courts of law.
The Application of Ethics and the Law in HIP
• The function of the ethics and legal requirements
which are applicable to the health informatics
profession is critical.
• The laws and ethics governing the provision and
maintenance of patients’ privacy protection and
confidentiality have a broad application in the
Health Informatics Profession.
Legal Framework and enforcement in Health
Information Management
An individual health record is an important legal
document. This record has to do with:
• The protection of clients' legal right of privacy
and confidentiality of the information
• Its possible use in medical malpractice cases
• Settlement of health insurance payment
HIPs need to meet, understand & be familiar with
various legislative requirements in respect to:
• Collection,
• Security,
• Right of access,
• Use
• Disclosure of the information
• Ownership and
• Control of the health record.
Medical Record as a Legal Document
Since medical records have become important
legal documents, they must be:
Complete,
Accurate, and
Available when needed
Used and stored according to all governing laws
and the policies of the health facility.
Medical record….
Legally, medical records are used to:
• Support the patient's claim in case of injury,
• Protect the attending doctor against claims
of malpractice,
• Protect the health institution against
criticism and claims for injuries and damages.
Medical record….
The MR is the property of the health institution & the
information in the MR is the property of the pt;
information can't be released without the consent of the
pt. Exceptions to this rule include the use of the information:
• By doctors & other health professionals for the continuing
care of the pt.
• For medical research where the pt is NOT identified,
• For the collection of health care statistics when the
individual pt is NOT identified.
Medical record….
• Medical records are generally used in court for the
following:
a. Worker's Compensation - To compensate for
bodily injury and disability. The MR is used as
evidence to show the date of injury, the type and
severity of injury, and the patient's expected
recovery.
Medical record….
Worker's Compensation:-
• Death- Minimum of Five years salary.
• Permanent Total Disablement- Percentage of Five years salary.
• Temporary Total Disablement- Monthly payment of salary up to
12 months.
• Permanent Partial Disablement- Percentage of Five years salary.
• Medical, Surgical and Hospital Expenses- Varies starting from
ETB 1,000.00 according to each undertaking procedure and special
agreement made with insurance companies.
Medical record….
b. Personal Injury Claims - a person injured through fault
or neglect. The MR would also be used to show
• The extent of the injuries,
• Treatment given,
• Duration of care
• Expected recovery or disability.
This is the most frequent situation in which MRs are
used as evidence.
Medical record….
c. Malpractice Claims
In this type of case the Plaintiff (person suing)
claims damages from
• A doctor,
• A hospital,
• A nurse or other health professional for negligence
in giving improper treatment.
Medical record….
d. Will Case
• A patient may have made a will during his or her health
institution stay. After the death of the pt, an attempt may
be made to set aside the will by seeking to prove that the
patient was not mentally competent.
• The medical record would be used to show the mental
state of the patient at the time of making the will.
Medical record….
e. Criminal Cases
MR have been used in many criminal cases like
• Assault cases: to prove the assault & extent of injuries.
• Violent or unexplained death: to prove death resulted from
natural causes, accident, murder.
• Sexual assault cases: to prove the condition of a pt on
admission and the history of the assault related by the pt.
• Mental competency: hospital MR may also be used as
evidence in proving the mental condition of a pt
Medical record….
f. Insurance Cases
• Used by the pt for proof of injury and/or disability
in personal accident cases or by the insurance
company to disclaim responsibility.
Medical record…
In order to treat medical records as legal documents, the
following points should be considered in your daily
practice of handling them:
• Use blue or black ink unless you are using a computer.
• Do not use pencil or ink that can be erased.
• Date all of your notes
• Write the time that you took your notes.
Medical record….
• Sign your full name and title.
• Do not use white-out or any other cover-up for
mistakes.
• Write only the facts. Never add personal
comments or feelings.
• Do not use abbreviations unless they are accepted
for use by your health institution.
Medical record….
• Do not allow anyone to touch or look at your medical
records unless they are a healthcare worker assigned
to take care of the patient.
• Keep all medical records in a safe and secure place.
• Medical records are confidential. Do not disclose or
discuss any facts of the patient or their care with
anyone other than the assigned healthcare staff or the
patient themselves.
Unit three:
Ethiopian Health Service Program and
Regulations
Learning objectives:-
• Understand the Ethiopian health policy
• Identify health care system regulations
• Explain health information system policies and
procedures
Ethiopian health policy
• Policy: The set of basic principles and associated
guidelines, formulated and enforced by the governing body
of an organization, to direct and limit its actions in pursuit
of long-term goals
• Strategies: A method or plan chosen to bring about a
desired future, such as achievement of a goal or solution to
a problem.
• Regulation: A legal provision that creates, limits, or
constrains a right; creates or limits a duty, or allocates a
responsibility.
• Procedure: A procedure is a document written to
support a policy.
• It is designed to describe Who, What, Where,
When, and Why by means of establishing
organization accountability in support of the
implementation of a policy.
Ethiopian Health Policy Development
• The national health policy focuses mainly on
addressing the following public health problems:
• Communicable diseases
• Malnutrition
• Improving maternal and child health
Ethiopian Health Policy
It incorporates the following basic components.
General policy – Approved in September 1993. The main focus
areas of the policy were:
Democratization and decentralization of the health service
system.
Development of the preventive & promotive components of health
care.
Promoting and strengthening of intersectoral activities.
Assurance of accessibility of health care for all segments of the
population.
Priorities of the policy
Some of the policy priorities:
• Information, Education and Communication (I.E.C)
of health shall be given appropriate
prominence/importance to enhance health awareness
• Emphasis shall be given to the control of
communicable diseases and diseases related to
minorities and poor living conditions
• Provision of essential medicines and medical supplies
• Applied health research
General strategies
• Health policy strategies are methods or approaches chosen to bring
about a desired future. The government has formulated a twenty-
year health sector development strategy.
• Democratization within the system
• Decentralization
• Inter-sectoral collaboration
• Health Education shall be strengthened
• Promotive and Preventive activities shall address;
• Human Resource Development
Major Health Related Legislations in Ethiopia
• The history of health and health related legislation in
Ethiopia dates back as far as the early 19th century.
• The first health decrees/announcements concerned
vaccination against smallpox, issued by Emperors Yohannes
and Menelik II during the smallpox epidemic in
1886.
• However, modern medical legislation could be traced
back to the coronation of Emperor Haileselassie I in
1930.
Major Health Related Legislations….
• On July 18, 1930 a law was passed to regulate the practice
of doctors, dentists, pharmacists, midwives and
veterinarians.
• The law specified that no one could practice these
professions without a relevant Diploma.
• In 1942 (proc. 27), traditional medicine was given a formal
recognition.
• Between 1941 and the present time, some 27 Public Health
enactments/performance were made available.
Healthcare Regulation System
• Regulation usually intends to ensure that
providers are able to deliver quality care by
ensuring the quality of the physical facility,
medical personnel, equipment, and supplies.
• It mainly answers the frequently asked
question: Do providers have the capability to
produce quality care?
Healthcare Regulation System…..
• Quality is ensured basically by regulating health
practitioners and health service providers
through the following three approaches:
1. Licensing
2. Certification
3. Accreditation
1. Licensing
• It is a mechanism by which an executive organ gives
permission to an individual practitioner to engage in an
occupation or to a healthcare institution to operate and
deliver health services.
A. Facility Licensing
• It is the process of judging a health care facility or practice
against a set of standards (the equipment, staff, and
physical facilities)
• If the facility meets these standards it is granted a license to
open and provide healthcare to clients
Licensing….
B. Health practitioners licensing
• It is the process by which a regulatory body based on
preset standard requirements issues permission to an
individual to practice his/ her respective profession.
• Licensing is mostly mandatory.
• A license is usually granted on the basis of examination or
proof of education, or both, rather than on
measurement of actual performance.
Licensing……
• The regulatory body by issuing a license certifies that
those licensed have attained the minimal degree of
competency necessary to ensure reasonable
protection of public health, safety, and welfare.
• Regulatory body can be a Government or
Professional Associations, independent Council or
Board.
2. Certification
• It is a process by which a recognized authority
recognizes an individual provider or an organization as
having met pre-determined requirements.
• Unlike licensing, certification programs are usually
voluntary, and give certified persons special recognition or
authorization to use a particular title or official designation.
• Certification also enables the public to identify
practitioners who have met a standard of training and
experience
3. Accreditation
• Accreditation is the formal process by which a
recognized accrediting body assesses and
recognizes that a healthcare organization meets
pre-established performance standards.
• Its standards are usually regarded as optimal yet
achievable and are designed to encourage
continuous improvement efforts within accredited
organizations.
Regulating Ethiopian Healthcare Facilities operational
procedures
Ethiopian healthcare facilities (hospitals) operational
regulations.
A. Operational Standards for Patient Flow
1. Procedures are established to ensure efficient patient flow
to emergency, outpatient, and inpatient settings and seek to
reduce patient crowding.
2. The health facility (hospital) has an Emergency Triage with
staff and material
Regulating Ethiopian Healthcare Facilities….
3. The health facility (hospital) has a Central Triage
4. All patients (except laboring mothers, pts with an appointment
for an outpatient clinic or admission and private wing
patients) undergo triage.
5. Outpatient appointment systems are in place for all
disciplines
6. Appointment systems are in place for elective
inpatient admissions in all disciplines
Regulating Ethiopian Healthcare Facilities…..
7. Hospital has a Liaison and Referral Service that:
a. Manages bed occupancy,
b. Facilitates emergency and non-emergency
(elective) admissions, and
c. Receives referrals from, and makes referrals to,
other facilities in the referral network
Regulating Ethiopian Healthcare Facilities….
8. Health facility has a written protocol for the
admission & discharge of pts that is known, and
adhered to, by all relevant staff.
9. Health facility has a Referrals Service Directory,
listing facilities which the hospital may refer pts
to or receive pts from
Regulating Ethiopian Healthcare Facilities….
10. Criteria for the referral of pts from the hospital
to other health facilities are established, including
standardized referral and feedback forms and
necessary clinical documents.
11. Health facility (hospital) has a standardized
method for managing referrals.
Regulating Ethiopian Healthcare Facilities ….
12. Health facility staff members are familiar with
the referral systems including relevant referral
protocols and forms.
13. Health facility (hospital) promotes and
publicizes the referral system throughout the
community in order to ensure that all constituents
are aware of the applicable service pathway.
B. Emergency Services
• The Emergency Services should be organized so
that the Emergency Service's entrance can be
easily accessed by ambulances and patients.
• The entrance to the Emergency services should be
clearly labeled in a way that is visible from the
street.
C. Emergency Triage
• Pts entering the hospital through the separate
Emergency Department entrance should undergo
Emergency Triage.
• If further investigations and/or treatments are
required following triage, these should be provided
by the Emergency Case Team.
• Pts that are not classified as emergency cases should
be referred to Central Triage.
D. Central Triage
• Pts will be directed to Central Triage from the
reception/Emergency service.
• Within Central Triage, the patient will undergo a triage
assessment, and registration, medical record retrieval,
payment, etc. will be conducted.
• The triage assessment will assign each patient to an
appropriate case team.
• The patient will then be directed to the relevant case team
with MR delivered by a Runner.
E. Outpatient Case Management
• There should be General Case Teams and
Specialist Case Teams for all specialist services
provided by a hospital.
• Patients enter the Outpatient case management
pathway from Central Triage or directly from the
reception service, if they have a pre-booked
appointment.
F. Inpatient Services
• Pt wards should be located in close proximity to the
emergency and outpatient departments and should be easily
accessible from elevators, ramps or stairways.
• Each ward should have a functioning set of toilets, sinks
and showers.
• There should be sufficient seating for caregivers and
visitors.
• If mixed-sex wards are used, there should be separate
areas/rooms for male and female patients.
G. Admission process
• The hospital should have a written protocol for the
admission of patients that includes all steps to be
taken in the admission process
• This should be known by, and adhered to by all
relevant staff.
• The patient should be assessed by a medical doctor
upon arrival on the ward. A Nursing Assessment
should be completed within 24 hours of admission
H. Discharge Process
• The hospital should establish a written protocol
for the discharge
• In particular, when a patient is ready for discharge
he/she should be counseled by a member of the
Case Team
I. Patient death
• If a patient dies in the hospital, the death should be
confirmed by a physician.
• A death summary should be completed and should be
documented in the patient's medical record.
• If it is necessary to confirm the cause of death, a post
mortem examination form should be completed and
the body should be transferred to the pathology case
team for post mortem examination.
J. Maternity/Delivery Services
• The Labor/Delivery Service is comprised of the
antenatal and postnatal ward(s), delivery suite (labor
and delivery rooms) and the neonatal unit.
• An operating room(s) should be readily accessible.
• Obstetric cases should be given priority over other
surgical cases to minimize delay and prevent
avoidable maternal and perinatal deaths.
K. Liaison and Referral Service
• Each hospital should establish a Liaison and Referral Service that is
responsible to:
1. Manage hospital bed occupancy
2. Facilitate emergency and non-emergency admissions
3. Provide social service support to the Emergency, Inpatient and Outpatient
Case Teams
4. Manage the referral service
• The Liaison and Referral Service is staffed by Liaison Officers.
• Each hospital should determine the number of Liaison Officers required
based on the work load.
Health Information System Policies and
Procedures
• The legal, regulatory and planning context of health
information is a key resource for an effective HIS.
• Legal and policy guidance is needed to elaborate
specifications for health information access and to
protect confidentiality, etc.
Con…
• Ethiopia has established a functional central HIS
unit under the FMOH which plays a significant role
in coordinating, strengthening and maintaining
the national HIS, including the implemented
(HMIS).
• However, it has yet to develop and implement clear
policies and procedures related to capturing, storing,
processing, transmitting & communicating
information in the country.
Unit 4: Patient Privacy and confidentiality
At the end of this section the learner should be able to:
• Explain concepts of patient confidentiality of information.
• Apply pt's privacy & confidentiality of pt information.
• Identify patient/client right to access of care.
• State ethical standards related to pt privacy & confidentiality.
• Describe general Medico-Legal principles in relation to patient
Medical records
Patient Privacy and confidentiality
The terms privacy, confidentiality and security are frequently
used when health information & MRs are discussed.
Privacy is both a legal and an ethical concept.
• It is the right and desire of a person to control the
disclosure of personal health information
• It is the right of every person to be left alone and no one
can interfere in the personal life of the individual
• Privacy protections vary from one jurisdiction to another
and are defined by law and regulations.
Privacy and confidentiality….
• Confidentiality - the responsibility of a HIP to
limit disclosure of individual health information
unless authorized by the client or specifically
under law
• It is the right of individuals to protection of their
data during storage, transfer, and use
Privacy and confidentiality….
• Confidentiality is the controlled release of
personal health information to a care provider or
information custodian under an agreement
• Privacy is generally applied to people while
confidentiality is best applied to information.
Con …
• Security: a collection of policies, procedures, measures, and
safeguards that help to maintain the integrity and availability
of information systems and control access to their contents.
• Security and privacy of information in health care is
becoming a people problem.
• This concept includes the responsibility of professionals to
use, disclose or release such information only with the
knowledge and consent of the client.
Why Does Privacy & Security Matter?
• Your patients trust you. Trust is clinically important and a
key business asset. How your practice handles pt
information is an important aspect of this trust.
To cultivate patients’ trust, you:
• Make sure pts can request access to their medical record;
• Carefully handle pts' health information to protect their
privacy; and
• Keep the information in pts' individual records as accurate
as possible.
Health Insurance Portability and Accountability Act
(HIPAA) of 1966
It is United States legislation that provides data privacy
and security provisions for safeguarding medical
information.
It is prepared by the Department of Health and Human
Services. It was endorsed in 1966 by the U.S. Congress.
It is a key federal initiative
It is composed of several sets of standards like
The main purposes of the standards are:
• To modify the administration of health insurance claims
and lower costs,
• To give pts easier access to their health care
information
HIPAA calls for:
• Standardization of electronic patient health,
administrative and financial data.
• Unique health identifiers for individuals,
employers, health plans and health care providers.
The HIPAA Privacy Rule/the Standards for
Privacy
• Gives pts control over the use of their health
information
• Defines boundaries for the use/disclosure of
health records by health care providers
• Establishes national-level standards that
healthcare providers must comply with/fulfill.
The HIPAA Privacy…..
• Strictly investigates compliance-related issues and
holds violators accountable with civil or criminal
penalties for violating the privacy of an individual's
PHI.
• Supports the cause of disclosing PHI without
individual consent for individual healthcare
needs, public benefit and national interests.
In HIPAA privacy rule
You have the right to:
• Ask to see and get a copy of your health records.
• Have corrections added to your health information.
• Receive a notice that tells you how your health
information may be used and shared.
• Decide if you want to give your permission before
your health information can be used or shared for
certain purposes, such as marketing.
HIPAA ---
• Get a report on when and why your health
information was shared for certain purposes.
• If you believe your rights are being denied or your
health information isn't being protected, you can:
File a complaint with your provider or health insurer,
or
File a complaint with the U.S. Government.
• The right to ask that your information NOT be
shared
Who Must Follow this Law?
• Doctors, nurses, pharmacies, hospitals, clinics,
nursing homes, and many other healthcare
providers.
• Health insurance companies, most employer group
health plans.
• Certain government programs that pay for
healthcare
What Information is Protected?
• Information your doctors, nurses, and other healthcare
providers put in your medical record.
• Conversations your doctor has had about your care or
treatment
• Information about you in your health insurer's
computer system.
• Billing information about you from your
clinic/healthcare provider.
Some of the Stakeholders who want to access Pt
information
• Insurance companies who want to determine the
extent of the damage
• Someone in a lawsuit who wants to challenge the
health status of his accuser.
The healthcare facility should develop a policy for
the release of patient information and all staff
should be aware of the policy.
Release of Individual Health Information
There are four methods of releasing information:
• Direct access to the medical record;
• Supply abstract
• Verbal release
• Photocopying
• Note: An unauthorized person cannot take all or
part of a medical record out of the file, or read, copy,
or otherwise tamper/interfere with it.
If a request is made, it should contain the following:
• Full name of patient, address and date of birth;
• Name of person/institution requesting information;
• Purpose and need of the information;
• Extent and nature of information
• A recently dated authorization, signed by the patient
or authorized representative
• E.g. parent or guardian of a child
Patient Consent for Release of Records
Release of information from a medical record is
possible with:
• Written consent of pt
• Written consent of legal guardian – Institution policy
• Subpoena or a court order
• Family/guardian consent if age of pt < 18
• Next of kin if the pt died
Ethical standards related to Patient Privacy Right in
Ethiopia
Health information privacy is vital for the following
major reasons:
• 1st Information privacy is a fundamental human
right
It is essential to the dignity and integrity of an
individual
The information is the patient's property;
Ethical standards…..
• 2nd, if appropriate health information privacy
is not guaranteed, the client - caregiver
relationship will suffer negative impacts.
• Clients will not tell the necessary information or
will avoid seeking care.
Ethical standards….
• This right to privacy is understood as an individual
right protected under the Constitution, international
human rights documents and other laws.
• The international human rights documents provide
that no one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or
correspondence, or to unlawful attack on his honor
and reputation.
Ethical standards…..
The right to privacy is found to be very important in
examining the protection of individual health information.
The right to be free from unlawful intervention of
• One's personality,
• The publicizing of one's private affair with which the
public has no legitimate concern;
• The wrongful intrusion/interruption into one's private
activities.
Ethical standards….
• Everyone has the right to the protection of the law
against such interferences. Therefore, HIP
personnel are duty bound to protect individual
health information from any kind of unlawful
interference.
General Medico legal principles
• The professional must be familiar with the legal
requirements regarding pt information as per the
national policy to be able to cope with medico-legal
problems.
• The professional must also be able to identify
legitimate and illegitimate requests for information.
Remember that, besides being used for patient care, a
medical record is also a legal document and
should be treated accordingly.
Major medico-legal ….
• No information concerning a patient should be
released to another person without the written
consent of the patient or the patient's legal guardian.
• If a patient is under the age of 18 years or otherwise
subject to a guardianship order, any consent for
access to information should be given in writing by
the patient's parents or legal guardian.
Major medico-legal ….
• In the case of a patient who has died, the written
consent to access information from the patient's
medical record should be provided by the next of kin
shown on the medical records or by the administrator
of the patient's estate.
• If the patient lacks the capacity to provide genuine
consent, then the written consent must be obtained
from the person's legal guardian.
Major medico-legal ….
• Medical records should be kept under adequate
security and only removed from the hospital or health
care center upon receipt of a subpoena, statutory
authority, or court order.
• When an original medical record leaves the hospital
for legal purposes, a photocopy of the medical record
is made beforehand and kept in the hospital until the
original is returned. The copy is subsequently
destroyed.
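The release rules in this unit (what a request must contain, who may give written consent, and the exceptions that need no consent) can be written as one check. This is an added example, not part of the original slides; the field names, role names and the 90-day limit for "recently dated" are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: the slides say only "recently dated"; 90 days is a placeholder limit.
MAX_AUTHORIZATION_AGE = timedelta(days=90)
REQUIRED_FIELDS = ("patient_name", "patient_address", "patient_dob",
                   "requester", "purpose", "extent")


@dataclass
class Patient:                      # what the facility already holds on file
    name: str
    dob: date
    deceased: bool = False
    has_guardian: bool = False      # guardianship order, or lacks capacity to consent


@dataclass
class Authorization:
    signer: str                     # "patient", "guardian", "next_of_kin", "estate_admin"
    signed_on: date
    written: bool = True


@dataclass
class ReleaseRequest:
    patient_name: str = ""
    patient_address: str = ""
    patient_dob: Optional[date] = None
    requester: str = ""
    purpose: str = ""               # "continuing_care", "research", "statistics", ...
    extent: str = ""
    requester_on_care_team: bool = False
    identifies_patient: bool = True
    legal_order: bool = False       # subpoena, statutory authority or court order
    authorization: Optional[Authorization] = None


def age_on(dob, today):
    """Completed years of age on `today`."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def acceptable_signers(patient, today):
    """Roles whose written consent is valid for this patient."""
    if patient.deceased:
        return {"next_of_kin", "estate_admin"}
    if age_on(patient.dob, today) < 18 or patient.has_guardian:
        return {"guardian"}         # parent or legal guardian
    return {"patient"}


def consent_exemption(req):
    """Return the reason no patient consent is needed, or None."""
    if req.legal_order:
        return "legal order"
    if req.purpose == "continuing_care" and req.requester_on_care_team:
        return "continuing care by treating professionals"
    if req.purpose in ("research", "statistics") and not req.identifies_patient:
        return "patient is not identified"
    return None


def evaluate(req, patient, today):
    """Return (allowed, reasons); reasons lists every failed check."""
    if consent_exemption(req):
        return True, []
    reasons = []
    missing = [f for f in REQUIRED_FIELDS if not getattr(req, f)]
    if missing:
        reasons.append("missing: " + ", ".join(missing))
    if req.patient_dob and (req.patient_name, req.patient_dob) != (patient.name, patient.dob):
        reasons.append("patient details do not match the record")
    auth = req.authorization
    if auth is None or not auth.written:
        reasons.append("no written authorization")
    else:
        signers = acceptable_signers(patient, today)
        if auth.signer not in signers:
            reasons.append("signer must be one of: " + ", ".join(sorted(signers)))
        if auth.signed_on > today or today - auth.signed_on > MAX_AUTHORIZATION_AGE:
            reasons.append("authorization is not recently dated")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample: a 13-year-old's record requested with the child's own signature.
    today = date(2024, 6, 1)
    child = Patient("M. Constructed", date(2010, 6, 2))
    req = ReleaseRequest("M. Constructed", "Constructed address", date(2010, 6, 2),
                         "Constructed Insurance Co.", "insurance", "admission summary",
                         authorization=Authorization("patient", date(2024, 5, 20)))
    print(evaluate(req, child, today))
```
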
Unit 5: Security and Access to Health Information
At the end of this topic, you should be able to:
• Identify issues related to the use and disclosure of
individual health information
• Identify common information security measures
• Identify the legislative requirements for the collection
and security of individual health information
• Define the right of access to individual health
information
Security & Access to Health Information
• Security: a collection of policies, procedures,
measures, and safeguards that help to maintain the
integrity and availability of information
systems and control access to their contents
• Physical or electronic protection of the integrity,
availability and confidentiality of personal health
information.
The HIPAA Security Rule
• HIPAA establishes a national set of minimum
security standards for protecting all created,
received, maintained, or transmitted PHI.
• The Security Rule contains the administrative,
physical, and technical safeguards that the user
must put in place to secure PHI.
The HIPAA Security Rule….
These Security Rule safeguards can help health care
providers to avoid some of the common security
gaps.
Safeguards can protect
The people,
The information,
The technology, and
Facilities
The HIPAA Security Rule….
The Security Rule has several types of safeguards
and requirements which you must apply:
1. Administrative safeguards are administrative
actions, policies, and procedures to
Prevent,
Detect,
Correct security violations
The HIPAA Security Rule…..
Administrative safeguards involve
The selection,
Development,
Implementation, and
Maintenance of security measures to protect PHI
The HIPAA Security Rule…..
2. Physical safeguards are
Physical measures,
Policies, and
procedures to protect information systems and
related buildings and equipment from natural and
environmental hazards and unauthorized
intrusion.
The HIPAA Security Rule…..
3. Policy and procedure: These standards require
a concerned body to adopt reasonable and
appropriate policies and procedures to comply
with the provisions of the Security Rule.
• A provider must periodically review and update
its documentation in response to environmental
or organizational changes that affect the security
of PHI
Security requirement
There are many common requirements to ensure
confidentiality & security at the various levels of healthcare
provision.
At each level, security discussions should include:
• Identification of potential threats to systems & data,
• The likelihood of harm from these threats,
• Development of strategies to manage each of the identified threats,
• A cost and risk analysis which attempts to balance the risks
to security and resulting harm
Con….
Security must address both
• Protection of data from
inadvertent/inappropriate disclosure, and
• Non-availability of data due to system failure
& user errors.
Security Measures to Pt/Client Medical
Record/information
• Medical records may be maintained as paper-based or
computer records.
• Staff need to protect medical records against
unauthorized access, whether stored or transmitted.
• A breach of the security measures in place should
result in disciplinary action with a range of penalties
including dismissals.
Handling Confidential Information
Confidential health information must be stored, transported,
transmitted, handled, used, and disposed of in ways that
protect the information from
Unauthorized access,
Alteration,
Destruction,
Disclosure,
Copying,
Theft, or
Physical damage
Handling …..
• Security measures for paper-based or electronic MRs are:
System access management
Password protection of computer applications
Secure disposal of confidential waste
Data backup and disaster recovery procedures
Assigned responsibility for confidentiality and security of
information
Confidentiality and security awareness training
Some good practices to meet security requirements
are:
1. Policies, Physical and Administrative safeguards:
The medical record unit, computers and portable
devices that contain patient health information should
be physically protected from unauthorized access by
means of a security measure such as having alarm
systems or locking with key.
Physical security
• Information in paper or electronic format needs to be
physically secured, such as by being stored in a locked
cabinet, within a locked room, and within a
secured building.
• Data transfer of paper-based information may
include transport in locked briefcases,
transmission by fax or using mail services
Physical security…..
• Electronic infrastructures which are too
geographically dispersed to be physically
protected, such as wide area networks (WANs),
need to be secured via commercially-available or
public domain encryption and password schemes.
Electronic security
Data at rest: Depending on where the data are
stored, the data may be in nominal or
de-identified format (totally anonymized).
• Access to personal computers, laptops, and
servers all need to be made secure through the use
of passwords, smartcards or other means of
securing access to the stored information.
Electronic security …..
• The data may be stored in an encrypted format and contain other
access controls such as passwords and user identifications.
• Data stored on local/wide area networks with large numbers of
computers or internet access will require the use of technologies
such as firewalls to limit access to those entitled to the data.
• Different levels of access may be created depending on
different purposes for the information, which is known as “role-
based” access.
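Role-based access and the nominal versus de-identified formats described above can be sketched as follows. This is an added example, not part of the original course material; the role names, field names and sample record are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Fields that directly identify the patient (the "nominal" part of a record).
IDENTIFIERS = {"name", "mrn", "phone"}

# Fields each role may read, by purpose of use (role names are assumptions).
ROLE_FIELDS = {
    "clinician": {"name", "mrn", "phone", "diagnosis", "medications"},
    "records_clerk": {"name", "mrn", "phone"},
    "researcher": {"diagnosis", "medications"},  # de-identified view only
}

@dataclass(frozen=True)
class User:
    username: str  # unique per person, never shared
    role: str

AUDIT_LOG = []  # one (username, role, outcome) entry per access attempt

def view_record(user, record):
    """Return only the fields the user's role permits; deny unknown roles."""
    allowed = ROLE_FIELDS.get(user.role)
    if allowed is None:
        AUDIT_LOG.append((user.username, user.role, "DENIED"))
        raise PermissionError(f"role {user.role!r} has no access to records")
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append((user.username, user.role, sorted(view)))
    return view

def is_deidentified(view):
    """True when the view carries none of the direct identifiers."""
    return IDENTIFIERS.isdisjoint(view)

# Constructed sample record, not real patient data.
RECORD = {
    "name": "Sample Patient", "mrn": "MRN-0001", "phone": "000-000-0000",
    "diagnosis": "type 2 diabetes", "medications": ["metformin"],
}

if __name__ == "__main__":
    for u in (User("dr.a", "clinician"), User("res.b", "researcher")):
        v = view_record(u, RECORD)
        print(u.username, sorted(v), "de-identified:", is_deidentified(v))
```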
Data transfer: Electronic data may be transferred using
diskettes, CD-ROMs, memory sticks, smart
cards, personal digital assistants (PDAs),
telephone conversation, encrypted email, secured
file transfer protocol (FTP), or secured web
services.
• Security measures required in these situations
include encryption and the use of public-private
key pairs and other relevant measures.
Procedural Security
• A written policy of security procedures needs to be
produced that covers the way the data are collected, stored,
transferred and released.
• Written policies and administrative measures like
Designating security officers,
Training the work force,
Controlling information access and
Periodic security reassessment - can minimize unauthorized
access to patient information in the health facility.
2. Prevent Unauthorized or Inappropriate Access:
Issue unique user names and passwords to everyone
who will use the EHR
3. Backup: To keep information available when and
where it is needed, plan for backing up your EHR
system.
4. Use Encryption Technology: Whether an EHR is
locally installed or accessed over the Internet,
encryption technology can protect patient health
information from being read by unauthorized parties.
Policies and Procedures to Health Information
Access and Disclosure
Medical record policy will endeavor to
protect the confidentiality and security of its patient
health information, through the use of reasonable
safeguards, against
Inappropriate access,
Inappropriate use,
Tampering/interference,
Loss/destruction, and
Inappropriate disclosure.
The organization policy should address the
following areas
The medical record unit shall have written policies
and procedures that are reviewed at least once
every three years, revised more frequently as
needed, and implemented.
con….
• They shall include at least:
1. Procedures for record completion, including chart
analysis.
2. Conditions, procedures, and fees for releasing
medical information.
3. Procedures for the protection of medical record
information against the loss, alteration, destruction,
or unauthorized use.
All entries in the patient's medical record shall be
Written legibly in ink,
Dated, and
Signed by the recording person.
If computer generated orders with a physician's
electronic signature are used (in case of EMR),
Access and disclosure of health information
Access to health information: the use of personal health
data internally within a health institution such as a hospital or
health center.
Disclosure, however, relates to the manner in which health
information should be disseminated externally.
Con….
• In principle, medical records, x-rays, laboratory
reports or other physical documents relating to the
delivery of health care service are owned by the
specific health institution. However, this doesn't
mean that the client has no right over the health
record.
con….
Rather, the information within the record is the
property of the client. It is out of this concept that the
client is granted the right to
• Take a copy or
• View or
• Otherwise access his/her health information or
• Amend the information when it's found to be proper.
con….
Use and disclosure of PHI other than for the primary
purposes is possible in two cases.
First, PHI can be disclosed or used when consent is
obtained from the client/patient.
Second, when the PHI is disclosed to his/her legal
representative. This should be supported by law.
Patient access to their health information
Clients have the right of access to their own health information for
different purposes. They may need to
• Inspect
• Copy or
• Amend the information on the medical record
Under the draft regulation of HMIS, clients have the right to
access their own health information. This right may be exercised
through
• A receipt of a copy or by viewing the health information in
the medical record.
Con…
• In this case, the client is required to submit their
requests in writing.
• It should be done very carefully.
• This can be ensured by requiring the client to
present an identification card and checking the
information that belongs to the client.
Con…
• On the other hand a client who believes there is an
error or omission in his individual health record
may in writing or orally request, depending on the
case, the health professional to correct or amend
the record.
Record Keeping during Refusal of treatment by
Patients
• Patients have the right to refuse treatment and
need to be made aware that they may refuse all or
part of any care and treatment proposed and may
withdraw previously given consent at any time.
con…
• Refusal may be written, verbal or by any form of
communication possible.
• It is also revocable at any time.
• If there is any concern about the capacity of the
patient to give valid consent, it should be
discussed preoperatively with senior staff.
con…
Before complying with a direction to refuse or withdraw
treatment, the health professional is required to take all steps to
ensure that:
The patient has been provided with all relevant information;
• The nature of the illness
• Any alternative forms of treatment
• The consequences of those forms of treatment
• The consequences of remaining untreated
The patient has understood the information; and
She/he has made an informed decision
Con…
• MRs that clearly reflect the decision-making process can be
pivotal in the success or failure of legal claims.
• In addition to the discussion with the patient, the medical
record should describe any involvement of family or other
third parties.
• If potentially serious consequences are likely to happen
because of patient refusal, health care providers should
have the refusal signed, witnessed and documented.