BDSHR_Security

The eco-system should adopt and ensure privacy rules to assure that individuals’
health information is properly protected while allowing the flow of health
information needed to provide and promote high quality health care and to
protect the public's health and well being. A balance has to be maintained that
permits important uses of information, while protecting the privacy of people
who seek care and healing.
Security measures by type

Access By                | Data Storage            | Data Access/exchange                  | Data Sharing
System User              |                         | Role/Rule/Consent from Patient/Policy | NONE
Patient/Individuals      | Consent                 | Consent                               | Consent
Facility                 | Encrypted/secure/policy | Encrypted/secure/policy               | Policy
Other “Covered Entities” | Encrypted/secure/policy | Encrypted/secure/policy               | Policy

“Protected Health Information (PHI)” – information about health status, provision of
health care, or payment for health care that can be linked to a specific individual.
For more details: http://en.wikipedia.org/wiki/Protected_health_information
"Covered entity" refers to three specific groups: health plans, health
care clearinghouses, and health care providers that transmit health information
electronically. Covered entities have to comply with the Rule's requirements for
safeguarding the privacy of protected health information (PHI).
 Health care providers – Doctors, Clinics, Psychologists, Dentists,
Chiropractors, Nursing Homes, Diagnostic Labs, Pharmacies
 Health plans – e.g. Insurers, Medicare etc.
 Health care clearinghouses – who process nonstandard health
information they receive from another entity into a standard (i.e.,
standard electronic format or data content), e.g. Billing Services,
Community Health Management Systems, etc.
Definition of Data:
 “Aggregated Data” - demographics, interests and behavior based on
Personal Data and other information, which is compiled and analyzed on
an aggregate and anonymous basis.
 "Personal Data" includes all information that enables an individual to be
identified, including, by way of example, the individual’s name and e-mail
address. This may be synonymous with Protected Health Information
(PHI).
 "User Data" includes all information passively collected from users of the
system that does not identify a particular individual, including, by way of
example, statistical information on site usage.
 “Public Information” includes information posted to any public areas of
the Site, such as bulletin boards, chat rooms and comment areas.
 "Unsolicited Information" includes any ideas for new products or
modifications to existing products and other unsolicited communications.
Security Measures:
 Authentication/Authorization – authentication by certificate,
authorization by role/rule.
 System Password – strong encrypted password
 Other measures – see below.
Administrative Safeguards
 policies and procedures designed to clearly show how a “covered entity”
will comply with the act.
Physical Safeguards – controlling physical access
 Authorized access to physical equipment – hardware/software
 introduction/removal of hardware
 access controls - security plans, maintenance records, and visitor sign-in
and escorts
 access to subcontracted agents/employees etc
Technical Safeguards for information exchange.
 Protection from interception by anyone other than intended recipient.
 Protection from intrusion. SSL. Encryption of the content over the wire
over open networks?
 Checksum, digital signature for data integrity?
 “Covered entity” is accountable for data within its system against
tampering.
 Authentication of “covered entities” of “specific” information access?
 Audit trail of all information received and sent.
 Anonymity – while exchanging information, if patient’s consent is needed
for data sharing, then data must be masked of all identifiers.
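An added example (not part of the original document) of two of the safeguards listed above: masking identifiers when a record is shared without patient consent, and a tamper-evident audit trail of what was sent. The identifier field names, the AuditTrail class, share_record and the sample record are assumptions made for illustration.

```python
import hashlib, hmac, json

# Assumption: the page does not list identifier fields; this set is illustrative.
IDENTIFIERS = {"name", "national_id", "phone", "address", "email"}

def mask_identifiers(record):
    """Copy of the record with every identifier field dropped."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}

class AuditTrail:
    """Append-only log. Each MAC covers the previous MAC, so editing, reordering
    or removing an entry in the middle makes verify() fail."""
    def __init__(self, key):
        self._key = key          # assumption: kept outside the log store
        self.entries = []

    def _mac(self, prev, event):
        body = json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, prev.encode() + body, hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"event": event, "mac": self._mac(prev, event)})

    def verify(self):
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["event"])):
                return False
            prev = entry["mac"]
        return True

def share_record(record, recipient, consent_given, trail):
    """Release a record to another entity; masked unless the patient consented."""
    out = dict(record) if consent_given else mask_identifiers(record)
    trail.append({"action": "sent", "to": recipient, "record_id": record["record_id"],
                  "masked": not consent_given, "fields": sorted(out)})
    return out

# Constructed sample data, not from the page.
SAMPLE = {"record_id": "r-001", "name": "Test Patient", "national_id": "0000000000",
          "phone": "000-0000", "diagnosis": "hypertension", "visit_date": "2013-01-15"}

if __name__ == "__main__":
    trail = AuditTrail(b"demo-key-not-for-production")
    print(share_record(SAMPLE, "lab-facility", False, trail))
    print(share_record(SAMPLE, "referral-hospital", True, trail))
    print("audit trail intact:", trail.verify())
```

The chain detects changes inside the log but not removal of the most recent entries, so the latest MAC should also be recorded somewhere the log writer cannot modify.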
Secure deployment measures
 network security & topology – provisions and policies, prevent and
monitor unauthorized access, misuse etc, firewall, antivirus, perimeter
security etc
 data hosting
 disk encryption
 OS level security
 Data partitioning
Questions:
 Identify whether Bangladesh DGHS has established “privacy rule” as a
national standard for protection of health information.
o As far as we know, there is no specific law. See resources section
on mHealth survey on Bangladesh for health data.
 Inform/discuss/educate about the “Safeguards” above. Government
“Facilities” might be covered with a default administrative safeguard
measure of standard policies and procedures. However, for “private
covered entities”, policies pertaining to “privacy rules” ought to be
drafted.
 As per Bangladesh “Freedom of Information Ordinance 2008”, individuals
can demand records from government bodies. How can an individual
access his or her own health-related records? Can a relative access information?
 Special authentication for selected individuals?
 Who is authorized to access what data?
o e.g. should a lab facility/pharmacy/CHW be able to access all
patient data?
o Part of the problem can be solved by adopting IHE profiles, which
could be then used to check authorization for a particular
information exchange.
 Certificate based (provided by DGHS)
 OpenPGP?
Resources:
 HIPAA – USA, Privacy Rule standards address the use and disclosure of
individuals’ health information—called “protected health information” by
organizations subject to the Privacy Rule — called “covered entities,” as
well as standards for individuals' privacy rights to understand and control
how their health information is used. Within HHS, the Office for Civil
Rights (“OCR”) has responsibility for implementing and enforcing the
Privacy Rule with respect to voluntary compliance activities and civil
money penalties.
 ISACA – Information Security Management in HealthCare
 mHealth Alliance - Patient Privacy
o http://mhealthalliance.org/media-a-resources/pressreleases/118-first-of-its-kind-report-provides-global-outlook-onpatient-privacy-in-mobile-health
 Bangladesh right to privacy https://www.privacyinternational.org/reports/state-of-legalprotections-in-asia/bangladesh