Your eDoctor is INternet

W12: Telehealth/eHealth and Data Privacy

LiSa T
rheumwithaview


One of the interesting photos I have seen in #MedTwitter is Nathan Gray’s take on Sir Luke Fildes’ famous 1891 painting, “The Doctor”:

Sir Luke Fildes’ “The Doctor”
Nathan Gray, “The Doctor”

I keep both photos in my phone. Sometimes it’s a negative haunting reminder of what medicine is becoming in this digital era, but sometimes it’s also something positive, a hopeful inspiration of what medicine could become, yes, in this digital era.

Imagine if the doctor in question on the laptop is a GIDA doctor, and he is actually corresponding with another doctor. Perhaps he needed a consult from a colleague with a higher subspecialty, who is in another city or the mainland. Then the cartoon doesn’t seem so sad.

For our penultimate HI201 readings, we have two working questions: one on eHealth and another on Data Privacy.

  1. Identify three provisions in the eHealth bill that you think need to be revised.

The first provision I chose is about the people chosen to lead or be part of the committee. There are already 17 people listed in the bill, but I think there should be more. I propose that we should also include the private HMOs, or their lead organization, and not just PhilHealth. Since we are including the Philippine Hospital Association, there must be a move to make sure the private sector is involved. In this same thread of thought, I wonder if we could also include those private tech companies who are already using telehealth. Of course, this is where Section 15’s interoperability will come under discussion.

I also feel that two (2) patient representatives is too few. I think there should be patient representatives from chronic conditions, parents or elderly, rare diseases and one from normal patients (for preventive medicine). But these are just off the top of my head. Since there are 2-3 years of service within the committee, different patient groups can be considered.

The next provision I would like to revise is from Section 10, subsection i: Social Media. I think this deserves a long, extensive section all on its own. Just the phrase “online communication channels” needs to be further defined. Which one? Facebook? Instagram? And what of them? Are they limited to Doctor-Patient interaction? What about patient support groups? What does it mean to have “opportunities for the healthcare industry to engage with patients and healthcare professionals”? Will there be regulation? What kind of content-sharing? What kind of collaborations? What is the role of DOH here?

There are just so many questions over two words: Social Media.

The last provision I would like to revise is Section 14, on Standards. As with the last few assignment posts, there are so many Standards. Which one of them are we going to “introduce and impose”? Who gets to decide? How will they “introduce and impose” these standards? Can we change the standards? Who decides on the update? The DOH? Per institution?

After reading the bill, I felt it was quite short. Even shorter than the UHC. So there are just too many questions for me and not just three provisions. But at the moment, I think that the most important one is the first: getting the important stakeholders together to dialogue in the committee. Only then can we probably start filling up the rest of the missing pieces.

Going back to our second question:

2. How can telehealth support healthcare delivery in the Philippines without violating data privacy and confidentiality?

All stakeholders involved must first adhere to the basic principles of ethics. As in all medical procedures and interventions, we need to have the consent of the patient. Since Telehealth would involve the use of technology in collecting or processing sensitive information, stakeholders must be aware of possible security risks, including planning for data breach scenarios. There must also be constant dialogue or transparency between patient and healthcare professionals. Patients must be aware or educated that this is how their data is processed and of their rights to their information.

The above diagram takes inspiration from the last slide from a Data Privacy Workshop I attended a few months ago. I modified some elements into possible roles in Telehealth/eHealth.

The left (blue) side represents information going in, while the right (red) side represents information going out. In the original diagram, the PIC is the Personal Information Controller; I revised this to represent the Healthcare Team or perhaps, more specifically, the leading doctor. The PIP or the Personal Information Processor is not the same as the PIC. The PIC is often a third party, usually outsourced, which I think would fit the IT section role very well. Obviously the Data Subject is the Patient (or their relative).

At the core of this diagram is the glue that holds a Telehealth’s Data Privacy Compliance together. An eHealth or Telehealth system must have 1) Registration: to identify all involved individuals (who does what, to whom), 2) Privacy Manual: implementing rules and regulations on processing sensitive personal information, and 3) Security Risk Management: it is part of the Telehealth system to have security measures (and counter-measures) in place in the event of a security breach or privacy violations.

The next layer is a non-disclosure agreement for all involved individuals. This is a legal contract that restricts access to other third/fourth parties. In parallel to this is the out-sourcing agreement: this is to ensure that the Information Processor must deliver specific services. For example: the IT staff involved are to have certain equipment that produces a certain result. It could also indicate the staff involved in the service and the location of the service.

I particularly put the Data Sharing Agreement between Healthcare Teams because it is they who input most of the patient’s data and they control which data to share depending on the case, the patient’s decision or the leading doctor’s discretion.

For the Patient (Data Subject), in the influx of information, they can be presented with two things: 1) a Privacy Notice, a description of what the Telehealth will do with their data. Will they be recording (or not) the consult? Will they be storing it? How long will they store it? Among other details. 2) Consent: according to the workshop, there is no provision that it has to be written. In this (hypothetical) Telehealth system, it can be video recorded.

A patient also reserves the right to be forgotten, to have copies of their own medical record. So when the Telehealth system does provide data, the patient (recipient) has to sign a release letter. This will also protect the Telehealth that they have not been negligent in ensuring the security of their patient’s records.

Although there are still locations without internet or electricity, the rapid rise of the internet has given us opportunities to connect great distances. The Filipino is connected to the World. We connect with our OFW relatives or keep in touch with those in the provinces. Telehealth or eHealth has great potential since we are dispersed in multiple islands with difficult transportation systems. Physicians with specialities can help doctors and patients in faraway places, making diagnosis and treatment earlier. Medicine is expanding exponentially. Sometimes Sir Luke Fildes’ Doctor needs to call a friend for help. And that’s totally OK.

As long as he complies with Data Privacy, right? ;)


Rheum. Grad Student. These entries are personal and do not reflect my former nor currently affiliated institutions' opinion.