
Security of user information in the medical environment

Like the education sector, the medical sector collects detailed information about its users. Patients are required to provide personal information to a medical institution in order to receive examinations or other services. Once provided, that information is stored as data on digital platforms and, in some specific cases, on paper. In the era of industry 4.0, medical services are increasingly digitized so that competent authorities can manage them and support people more easily when needed. However, this creates the risk that user information will be leaked, disclosed, or published in cyberspace, infringing on the privacy of individuals and organizations. This article analyzes the legal regulations on the privacy of user information, especially personal information, in the medical environment.

To protect user data in the medical field, the laws of some countries contain specific provisions, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

In Vietnam, under Clause 2, Article 3 and Article 8 of the 2009 Law on Medical Examination and Treatment, information about a patient's health status and private life recorded in the medical record must be respected and kept confidential. Accordingly, only the following persons may access this information [1]:

  • Interns, researchers, and practitioners in medical examination and treatment establishments may borrow medical records on the spot to read or copy them for research or professional and technical work;
  • Representatives of state health management agencies that directly manage medical examination and treatment establishments; investigation agencies, procuracies, courts, specialized health inspectors, insurance agencies, forensic medicine and forensic psychiatry assessment organizations; and lawyers may borrow medical records on the spot to read or copy them in order to perform their assigned tasks within their competence;
  • The patient or the patient's representative is entitled to receive a summary of the medical record on request, as required by law.

In addition to the above provisions, the 2018 Law on Cybersecurity is an important basis for protecting personal data in the medical environment. On this basis, the Guidelines on information security in remote medical examination and treatment consultation, issued by the Ministry of Health in Decision 4054/QD-BYT on September 22, 2020, set out the following measures to limit the sharing of patients' personal information:

  • Do not share the patient's personal information, such as full name, address, images of the patient's face or body, or any information that can identify the patient in any way (through pictures, text, audio recordings, etc.).
  • If the consultation session requires the presence of the patient, technical measures must be used to cover or blur the patient's face.
  • Do not broadcast ("live stream") consultations or remote medical examination and treatment sessions through social networks or any other form that may reveal personal information, images of patients' faces, or the health status of patients and participants in the remote consultation, examination, or treatment session.

The guidelines also state that medical staff taking part in remote consultation, examination, and treatment are responsible for keeping information about patients and participants confidential and not sharing it during remote diagnosis, consultation, examination, and treatment sessions, and must strictly comply with the contents of the Guide and the internal regulations of their workplace.

Under Decree 53/2022/ND-CP, which details a number of articles of the Law on Cybersecurity and took effect on October 1, 2022, data on personal information is data in the form of symbols, letters, numbers, images, sounds, or similar that identifies an individual. A user's health data therefore falls within the categories of information that must be kept secure in a medical environment.

In practice, users have no real choice about whether to provide some or all of their information when using a service at a medical facility. Providing the information is the first step in receiving medical treatment, so it is effectively mandatory, and once it has been provided users have no way to verify whether it is being kept secure. For this reason, specialized legislation is needed to regulate the collection, use, and security of user information in the medical field, together with sanctions for organizations that lose user information or use it without authorization. This is especially necessary in the medical field, where users have no tools to control how their information is used.

[1] Clause 4, Article 59 of the 2009 Law on Medical Examination and Treatment.

This article is based on the law in force at the time noted above. It may no longer be accurate when the reader encounters it, as the applicable law may have changed, and it may not fit the specific case the reader wishes to apply it to. The article is therefore for reference only.