In our previous article, we discussed some of the products that have been innovated, developed, manufactured, assembled and brought to market as a result of new technology, and some of the opportunities and legal implications for their use and regulation.
Often these products enable and facilitate the collection, analysis, use and retention of a wide range of medical data. In this article we will briefly discuss the importance and protection of personal health information and legal implications of sensitive data management.
The expressions "personal health information", "patient data" or "medical records" refer to a wide spectrum of different types of information, everything from traditional medical records (kept by doctors in respect to their patients) through to human genome sequencing (providing a roadmap of the human body, analogous to understanding the computer code that controls our body, and promising the dawn of "personalised" or "precision" medicine).
This technology-driven enhancement of patient data has been marked in some parts of Thailand's private healthcare sector. One leading private hospital has been designated as among the "smartest" electronically in the world. It claims to have digitally integrated almost all of the services and activities conducted at its innovative facilities using secure wireless technology, including the replacement of all paper records with a digital system.
The amount of patient information collected and collated has increased substantially, allowing clinicians improved patient access. It is said that clinicians have more time with their patients, decision-making is more informed, medical outcomes are improved and errors reduced.
One of the key problems facing health delivery systems in Thailand is the lack of integrated health data that allow patients to access their health information easily, wherever they are. Having infrastructure that facilitates the exchange of electronic health records (EHR) will have the obvious benefits of improved healthcare quality and better patient care, reduced expenditure and increased access to high standards of healthcare, among other things.
On the other hand, key considerations will be how to ensure data integrity and patient privacy. There is a need for relevant laws to be harmonised and guidelines to be established to ensure appropriate patient data usage and identify which information is sensitive.
A committee on public health was appointed by the National Legislative Assembly (NLA) a few years ago to review and assess the current status of medical and information in Thailand and suggest actions to be taken so that data can be collected and utilised effectively for public health purposes.
The committee's report recognised the need to protect sensitive data of patients and the possibility of amending certain provisions of the National Public Health Act so that they are consistent with the restrictions/protection of sensitive information under the Data Privacy Bill, the new law which is now being drafted. Given this development, it seems that having a good platform and system to collect, store and utilise health data in a more effective manner should be possible.
Some critical considerations and concerns when we talk about patient data usage include:
- data protection and data protection laws,
- patient privacy,
- human errors,
- system errors,
- unauthorised access,
- information overload.
The need for confidentiality and the protection of patient data and privacy is self-evident. Many jurisdictions have enacted laws that regulate the use and movement of personal data and information, both in healthcare and elsewhere. Often these laws are complex and extensive. For example, in the European Union, one set of applicable laws includes 88 pages of regulations. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) protects certain types of health information. It contains a "privacy rule" that seeks to strike a balance between the individual's concern to keep health information confidential and other social considerations, including medical research. The privacy rule applies not only to healthcare providers but also researchers seeking access to or use of identifiable individual health information.
Parties that might be obliged to comply with data protection laws need to ask themselves a series of questions including:
- To what extent is personal data being collected?
- Is any of this data "sensitive"?
- For what purpose is the data collected?
- Are any consents required?
- Are there secure means to store and maintain both the confidentiality and permitted use of data?
- Will or might any of this data find its way offshore (in which case there might be a need to ensure multi-jurisdictional compliance)?
Patient consent can raise complicated considerations. Is the consent full, free, fully informed, and comprehensive? For example, at the time of data collection it might not be possible to identify fully the subsequent research purposes to which personal data might be put. Might there be a need to obtain a further consent? Is implied consent acceptable and to what extent?
Although the benefits of the availability of enhanced patient information are undoubted, there might be accompanying complications, extending beyond the need to comply with patient privacy and data protection laws. For example, on occasions there might simply be too much information available, rather than too little.
There might be instances where this information overload results in clinicians having to read and assimilate too much background information, wasting valuable time and possibly missing the forest for the trees in the end. Is there a risk the right hand will not know what the left hand is doing and might there be a greater potential risk of miscommunication and/or misunderstanding?
If there is any validity in any of these queries, the situation might not improve. One estimate made around 2015 was that the rapid growth of data creation had resulted in some 90% of the data available at that time having been generated in the immediately preceding two years. If this trend continues, might there be a need for more effective supervision, discrimination and economy in the collection, dissemination and usage of patient information? Training will be of critical importance to ensure all parties involved avoid liability in data collection, storage and usage.
In the next article, we will discuss telemedicine and potential liabilities of parties involved in more detail.
Peerapan Tungsuwan is a partner and head of the Healthcare Industry Group at Baker McKenzie in Bangkok.