ADEQUACY OF DATA PROTECTION IN TOTAL HOSPITAL INFORMATION SYSTEM (THIS); THE MALAYSIAN STORY

By Noriswadi Ismail, Doctoral Researcher in RFID, Data Protection & Privacy

MARA Scholar & HeLEX Academic Visitor (1st August 2011 – 19th August 2011)


Description

Noriswadi Ismail shares his recent presentation at the University of Oxford Centre for Health, Law and Emerging Technologies (HeLEX) on 10th August 2011. He was an academic visitor during the summer of 2011 (1st August 2011 - 19th August 2011). The work and research are in progress.

TRANSCRIPT


Page 2: Data Protection & Privacy in Malaysian Total Hospital Information System

Executive Summary

::: Introduction

::: THIS Brief Background

::: Research Methodology

::: PDPA 2010

::: 7 Data Protection Principles

::: Observations

::: Interim recommendation

::: Conclusion

::: References

Page 3

Introduction

Page 4

Introduction

10th Malaysian Plan (2010-2014)

::: Transforming delivery of the healthcare system (Streamlining regulatory and service provision rules, reviewing legislation and regulations & review financing options);

::: Increasing quality, capacity and coverage of the healthcare infrastructure (Expanding primary care services, strengthening secondary and tertiary care services and improving provision of healthcare services);

::: Shifting towards wellness and disease prevention, rather than treatment (Expanding the healthy lifestyle campaign and encouraging healthy and active lifestyle); and

::: Increasing the quality of human resources for health

Page 5

THIS Brief Background

::: Integrated and comprehensive information system that manages, processes and retains all data relating to administrative, financial and clinical

::: Dr. Rasiah S., “…Electronic Information System that supports the core business of patient care which enables and facilitates the functions in fulfilling its services…”

Source: New Generation Hospitals – IT hospitals, Malaysia’s Health 2005, Ministry of Health, pp 177-186.

Page 6

THIS Brief Background

Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, pages 3-5 of 37

Page 7

THIS Brief Background

Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, page 25 of 37

Page 8

THIS Brief Background (Application Architecture)

Source: Dr Saadon Ibrahim, Privilege Management and Access Controls in HIS Hospitals, Clinical Information Technology Coordinator, Hospital Sultan Ismail, Malaysia, MSC Malaysia IHE Education Session 3/09, Electronic Health Record Privacy, Slide 10 of 47.

Page 9

Research Methodology

::: Literature Review: Journals and policy papers (1st August – 19th August 2011)

::: Observations: Malaysian Personal Data Protection Act 2010 (25th July 2011 – 19th August 2011)

::: Qualitative: Semi-structured interview with focused groups – IT Service Providers, Doctors, IT Team, Patients and Users (January 2012-February 2012)

Page 10

Research Methodology

::: Limitation: Most of the literature is in medical informatics and information systems. There is a lack of legal and multidisciplinary material on the subject (especially local content on Malaysia’s regime/contour).

Page 11

PDPA 2010

Data User Forum

Transborder data flow?

Full / partial independence?

Page 12

*Exemptions

• Processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes;

• * Processed for prevention or detection of crime or for the purpose of investigations;

• * The apprehension or prosecution of offenders;

• The assessment or collection of any tax or any other imposition of a similar nature;

• * Processed in relation to information of the physical or mental health of a data subject;

• * Processed for preparing statistics or carrying out research;

• * Processed for the purpose of or in connection with any order or judgment of a court;

• Processed for the purpose of discharging regulatory functions; and

• * Processed only for journalistic, literary or artistic purposes

Page 13

7 Data Protection Principles

PRINCIPLES | APPLICABLE SECTIONS

Principle 1: General – Consent, Lawful Purpose, Necessary, Adequate and Not Excessive | Sections 6(1) – (3)

Principle 2: Notice and Choice | Section 7(1)

Principle 3: Disclosure | Section 8

Principle 4: Security | Section 9(1) & (2)

Principle 5: Retention | Section 10

Principle 6: Data Integrity | Section 11

Principle 7: Access | Section 12

Page 14

Observations

::: Actors in action: Ministry of Health officials, doctors, consultants (local or foreign), patients (local or foreign), third parties (vendors, contractors, service providers and sub-contractors)

::: Many actors, different liabilities

::: Exemption: Ministry of Health officials, Federal and State Government doctors – leads to uncertainty in comprehensively applying the PDPA 2010, although these actors deal directly with patients (as data subjects) and consultants

Page 15

Observations

::: Consultants: How is their relationship defined in THIS?

::: Patients: How securely is patients’ sensitive personal data processed, managed and retained throughout THIS? What happens to the data of deceased patients? Who owns it? And does the PDPA 2010 address the retention period for such data?

::: Third parties: Do contractual obligations suffice?

Page 16

Observations

::: Transfer of doctors/patients: Whether such transfers meet the adequacy level within the PDPA 2010 is yet to be tested.

::: Secondary Opinion: Whether seeking such a secondary opinion outside Malaysia is deemed adequate under the PDPA 2010 is yet to be tested.

::: Transborder data flow: Whether such transborder data flow from a Malaysian hospital to another hospital is deemed a commercial transaction is yet to be tested.

Page 17

Observations

::: THIS dilemma 1: Different hospitals, different service providers (system integrators) – Standardisation challenge

::: THIS dilemma 2: Different policies on the integrated systems, and different levels of information security & privilege access – privilege management

::: THIS dilemma 3: At least 3-4 parties are involved in a specific application architecture. A back-to-back arrangement on data protection & privacy compliance across them is technically sophisticated.

Page 18

Interim recommendation

‘360 degree data health check’

Page 19

Interim recommendation

::: Rationale 1: To be able to understand the inter-relationship

::: Rationale 2: To be able to assess the limitations

::: Rationale 3: To be able to recommend a workable information governance model for THIS

Page 20

Interim recommendation

::: How to achieve this?: Pilot interview and semi-structured interview (qualitative)

::: Expected period of outcome: By the fourth quarter of 2011 or the latest, first quarter of 2012.

::: Dissemination strategy: Publication in the Malaysian Journal of Public Health and a series of workshops & presentations before the Ministry of Health: Expected by first quarter of 2012.

Page 21

References

Articles & Policy Papers

Dr. Nor Bizura Abdul Hamid of Planning and Development Division, Ministry of Health Malaysia’s presentation on Hospital Information System – Malaysian Experience

Dr. Saadon Ibrahim of Clinical Information Technology Coordinator, Hospital Sultan Ismail Malaysia’s presentation on Privilege Management and Access Control in HIS hospitals

Economic Transformation Programme – A Roadmap for Malaysia, Chapter 16, healthcare (p1-36)

Ganthan Narayana Samy, Rabiah Ahmad and Zuraini Ismail, Threats to Health Information Security, Journal of Information Assurance and Security 5 (2010) 146-153

Health Facts 2009, Health Informatics Centre, Planning and Development Division Ministry of Health Malaysia (July 2010)

Sapiah Sulaiman and Rose Alinda Alias, Information Ethics in Malaysia paperless Hospital, Proceedings of the Postgraduate Annual Research Seminar 2006

Suhaila Samsuri, Rabiah Ahmad and Zuraini Ismail, Towards Implementing a Privacy Policy: An Observation on Existing Practices in Hospital Information System, Journal of e-Health Management, Vol. 2011 (2011), Article ID 345834.

The 10th Malaysian Plan (2010-2014)

Page 22

References

Book

Abu Bakar Munir & Siti Hajar Yasin, Personal Data Protection in Malaysia, Law and Practice, Sweet & Maxwell Asia (2010)

Websites

MSC Malaysia <www.mscmalaysia.my>

PEMANDU, Economic Transformation Programme <http://etp.pemandu.gov.my/>

Ministry of Health Malaysia <http://www.moh.gov.my/>

Malaysia Health Fact 2009 <http://www.moh.gov.my/images/gallery/stats/heal_fact/healthfact-P_2009.pdf>

Page 23

Conclusion

It is hoped that the impact of this research will be able to address the application of PDPA 2010 within the Total Hospital Information System (THIS).

It is also hoped that the disseminated outcome will become a blueprint for responding to any potential issues relating to data protection and privacy compliance in Malaysia’s healthcare.

Page 25

Thank You
