Guidelines for the Security Management of Health Information Systems, Edition 4


Guidelines for the Security Management of Health Information Systems
Edition 4 (Draft version in English)
March 2009
Ministry of Health, Labour and Welfare

Revision History

Edition 1, March 2005
These guidelines were created by integrating the guidelines based on "Notice Concerning the Electronic Storage of Clinical and Other Records Legally Subject to Storage" (April 1999) and "Place for Storing Clinical and Other Records" (March 2002). These guidelines include those for the electronic storage of clinical and other records legally subject to storage (including the external storage of hard copies) and those for information system operation management relating to the protection of personal information at medical and nursing care institutions.

Edition 2, March 2007
The Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) stated the "Establishment of a safe network infrastructure" in the New IT Reform Strategy (January 2006). In "Basic Proposal Concerning Information Security Measures for Critical Infrastructures" determined by the Information Security Conference (September 2005), health care was positioned as a "critical infrastructure that seriously affects the lives of citizens if its service deteriorates or is stopped by a serious fault in the IT infrastructure," and a request was made to systemize and clarify measures of protecting health care from IT infrastructure disasters and cyber attacks. In these circumstances:
(1) For the security of a network suitable for use at medical institutions, the requirements for a network linking medical institutions were defined from various viewpoints, such as: assumed uses, threats to a network, measures against the threats, and measures of diffusion and their subjects. These requirements were compiled into 6.10, "Security Management at External Exchange of Health Information Including Personal Information."
(2) For measures against IT faults due to natural disasters and cyber attacks, 6.9, "Emergency Response to Disasters and Other Incidents" was created to give guidelines to protect health care from disasters and cyber attacks while appropriately evaluating the dependence of health care on IT.

Edition 3, March 2008
After the second revision, various measures were further discussed concerning the handling of personal information related to health care. In these circumstances:
(1) For "Handling of health information," the responsibility and rules of handling health care and health information were worked out and compiled into Chapter 4, "Responsibility for Handling Electronic Health Information." Based on these proposals, 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information" was revised.
(2) For "Technical requirements using wireless and mobile services," guidelines were added to related positions in Chapters 6 and 10 based on wireless LAN handling notes and the threat analysis of each type of network connection for mobile access. Requirements were added to 6.11, "Security Management at External Exchange of Health Information Including Personal Information" regarding networks especially for mobile use, and 6.9, "Taking out Information and Information Equipment" was added regarding new risks related to storing and taking information externally.

Edition 4, 2009
After the third revision, the following issues were pointed out:
"For the security management of health information, medical institutions and medical professions require expertise on information technologies and also great financial expenses such as facility investments."
"Considering the recent severe health care provision system, the limited human and financial health care resources should be spent for providing high-quality health care that is the substantial work of medical institutions and medical professions, and excess labor and resources should not be spent for computerization."
"On the other hand, with the recent progress of medical computerization, people are expected to browse, collect, and present their own health information for health enhancement."
Consequently, to construct a more appropriate information infrastructure for the health care field:
(0) For the "Ideal management of electronic information in the health care field," these guidelines were revised for easy reading and to meet the request from various parties for consistent guidelines on health information by systematically studying security management and operation policies based on not only physical location but also health information to handle such information according to the technological progress.
To clarify notes, 3.3, "Documents Requiring Careful Handling" was newly added.
Chapter 5 was totally reviewed and revised as Chapter 5, "Interoperability and Standardization of Information."
Items C and D were added to 6.1, "Establishment and Announcement of Policies" and 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution."
The matter concerning access from outside was added to 6.11, "Security Management at External Exchange of Health Information Including Personal Information."
Items B, C, and D were greatly reviewed throughout Chapter 7, "Requirements relating to Electronic Storage."
To 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information," a provision was added concerning the compliance with guidelines from the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications when the information recipient is a private business operator.
These guidelines were totally revised by reviewing the technical requirements and also relations between various ordinances and notices and Item A.

[Contents]

Introduction
How to Interpret the Guidelines
Applicable System and Information Regarding the Guidelines
Applicable Documents of Chapters 7 and 9
Applicable Documents of Chapter 8
Documents Requiring Careful Handling
Responsibility for Handling Electronic Health Information
Manager's Responsibility for Information Protection at Medical Institutions
Demarcation of Responsibility in Entrustment and Provision to Third Party
Demarcation of Responsibility in Entrustment
Demarcation of Responsibility in Provision to a Third Party
Summary of the Demarcation Point of Responsibility by Exemplification
Demarcation Point of Responsibility in Technical and Operational Remedies
Interoperability and Standardization of Information
Basic Datasets, Standard Glossaries, and Code Sets
Basic Datasets
Glossaries and Code Sets
Compliance with International Standards for Data Exchange
Other Matter Related to the Application of Standards
Basic Security Management of an Information System
Establishment and Announcement of Policies
Implementation of Information Security Management System (ISMS) at a Medical Institution
ISMS Construction Procedure
Grasp of Handled Information
Risk Analysis
Systematic Security Management Measures (System and Operation Management Regulations)
Physical Security Measures
Technical Security Measures
Human Security Measures
Discard of Information
Alteration and Maintenance of Information System
6.9 Taking out Information and Information Equipment
Emergency Action in Disasters or Other Incidents
Security Management at External Exchange of Health Information Including Personal Information
Electronic Signature for Compulsory Signing and Sealing
Requirements for Electronic Storage
Securing Authenticity
Securing Human Readability
Securing Storability
Standards for the External Storage of Clinical and Other Records
External Storage Using Electronic Media through a Network
Observance of the 3 Standards for Electronic Storage
Standards for Selecting External Information Storage Organization and Handling Information
Protection of Personal Information
Clarification of Responsibility
Notes
External Storage of Electronic Media Using Portable Media
External Storage of Hard Copies
General Notes on External Storage
Operation Management Regulations
At the End of External Storage Contract
External Storage of Clinical Records Not Legally Subject to Storage
Electronic Storage of Clinical Records Using Scanner or Other
Common Requirements
Electronic Storage after Every Clinical Consultation Using Scanner or Other Equipment
Electronic Storage of Past Hard Copies Using Scanner or Other
(Supplement) Electronic Storage Using Scanner and Hard-copy Storage for Convenience
Operation Management
Additional Clause 1 External Storage of Electronic Media Using Portable Media
Additional Clause 2 External Storage of Hard Copies
Attached Table 1 Operation Management Items for General Management
Attached Table 2 Operation Management Items for Electronic Storage
Attached Table 3 Example of Operation Management for External Storage
Appendix (Reference) Contents of Agreement on Interlinking Clinical Information with External Institution

1 Introduction

Requirements related to the electronic storage of clinical and other records and the storage location were clarified by the notice in April 1999, "Electronic Storage of Clinical and Other Records" (Health Service Publication No.517, Pharmaceutical and Food Safety Publication No.587, and Health Insurance Publication No.82 dated April 22, 1999 under the joint signatures of the Ministry of Welfare's directors general for the Health Service Bureau, Pharmaceutical and Food Safety Bureau and Health Insurance Bureau), and the notice in March 2002, "Location for Storing Clinical and Other Records" (Health Policy Publication No and Health Insurance Publication No dated March 29, 2002 under the joint signatures of the Ministry of Health, Labour and Welfare's directors general for the Health Policy Bureau and the Health Insurance Bureau, revised by Health Policy Publication No and Health Insurance Publication No dated March 31, 2005).

The progress of information technology since then has been remarkable, and the demands for integrated computerization, beginning with the e-Japan Strategy and other projects, are gradually increasing even on a social level. In November 2004, the Utilization of Information and Communications Technology for Document Storage by Private Business Entities Act (2004 Law No.149, hereinafter "e-document Law") was established to allow the electronic handling of documents which are legally obligated to be created or stored. For health information, the "Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" (MHLW Ordinance No.44 dated March 25, 2005) was issued.

The Committee on Health Information Network Infrastructure, established within the Ministry of Health, Labour and Welfare Health Policy Bureau, had been studying an institutional infrastructure to solve technical and operational management problems and promote the computerization of health information since June 2003, compiling the final report in September. In response to the above situation, the "Guidelines for the Electronic Storage of Clinical and Other Records Legally Subject to Storage" (Health Service Publication No.517, Pharmaceutical and Food Safety Publication No.587, and Health Insurance Publication No.82 dated April 22, 1999 under the joint signatures of the directors general of Health Service Bureau, Pharmaceutical and Food Safety Bureau, and Health Insurance Bureau, Ministry of Welfare) and the "Guidelines for the External Storage of Clinical Records" (Health Policy Publication No dated May 31, 2002 under the signature of the director general of the Health Policy Bureau, Ministry of Health, Labour and Welfare) were reviewed, and it was decided to create integrated guidelines for the operation management of information systems contributing to the protection of personal information and compliance with the e-document Law.

In December 2004, the "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers" were announced for the total enforcement of the Act Concerning Protection of Personal Information (2003 Law No.57, hereinafter, the "Personal Information Protection Act") in April. The guidelines assigned the implementation of an information system and the handling of external storage accompanying the system implementation.

These guidelines are intended for those responsible for the electronic storage of clinical and other records at hospitals, clinics, pharmacies, and midwifery centers (hereinafter, "Medical Institutions"). They refer specifically to technologies now available and consider the ease of understanding such technologies. To prevent technical descriptions from becoming obsolete, these guidelines will be reviewed periodically. Be sure to use the latest edition of these guidelines.

These guidelines are paired with the "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers." The protection of personal information cannot be achieved simply by measures related to information systems. When using these guidelines, therefore, even those in charge of information systems only should clearly understand the "Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers" and confirm the achievement of measures relating to the protection of personal information even where no information systems are concerned.

Outline of Revision

[Edition 2]

In January 2006, after the first edition of these guidelines (March 2005) was published, the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) announced the New IT Reform Strategy. Compared with the e-Japan Strategy, the New IT Reform Strategy gives priority to the utilization of health information. By stating that various interlinking health information will prove advantageous, the New IT Reform Strategy devised a range of proposals relating to interlinking methods and their elemental technologies, one of which is the "Establishment of Safe Network Infrastructure."

In "Basic Proposal Concerning Information Security Measures for Critical Infrastructures" determined by the Information Security Conference (September 2005), health care was positioned as a "critical infrastructure that seriously affects the lives of citizens if its service is deteriorated or stopped by a serious fault in the IT infrastructure," and a request was made to systemize and clarify measures of protecting health care from IT infrastructure disasters and cyber attacks.

In these circumstances, the Committee on Health Information Network Infrastructure discussed (1) "Definition of security requirements concerning network suitable for use at Medical Institutions" and (2) "Measures against IT faults by natural disasters and cyber attacks" and revised these guidelines.

With respect to (1), "Definition of security requirements concerning network suitable for use at Medical Institutions," the requirements of a network linking Medical Institutions were defined from various viewpoints, such as assumed uses, threats to a network, measures against the threats, and measures of diffusion and their subjects. These requirements were compiled into 6.10, "Security Management at External Exchange of Health Information Including Personal Information." For the network-related requirements in Chapter 8, "Standards for the External Storage of Clinical and Other Records," Section 6.10 was referred to. Chapter 10, "Operation and Management," was partially revised as operational guidelines for the said network at Medical Institutions.

For (2), "Measures against IT faults by natural disasters and cyber attacks," 6.9, "Emergency Response to Disasters and Other Incidents" was created to provide guidelines to protect health care from disasters and cyber attacks while appropriately evaluating the dependence of health care on IT. As an idea for the practical operation of information security, the concept of 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution," was incorporated and some additions were made to the related section in Chapter 10, "Operation and Management."

The renewal of ordinances and notices amended after the publication of these guidelines was also executed as an institutional requirement. The basic requirements have not changed; however, modifications to requested laws etc. based on institutional requirements, etc. should be noted.

[Edition 3]

Edition 2 of these guidelines was published to ensure security regarding a network infrastructure. Since then, discussions on various measures have been in progress regarding personal information related to health care. In these circumstances, it is envisioned that access to information will not be limited to only medical and healthcare professionals as it had been in the past. In the exchange of health information through a network, for example, an information-processing service provider which accumulates the information temporarily is envisioned. If such a provider is to be used, clear rules for the handling of information are necessary. Now that work systems are diversifying, medical and health information may be processed not only within Medical Institutions, but also externally through a network.

In these circumstances, the Committee on Health Information Network Infrastructure discussed (1) "Handling of health information," (2) "Computerization of prescriptions," and (3) "Technical requirements for using wireless and mobile services" and reflected the results of discussing (1) and (3) in Edition 3 of these guidelines.

Medical and health information used to be handled by medical and healthcare professionals obligated to maintain confidentiality by their professional licenses. However, the progress of information technology is now producing circumstances where the information may be handled by those who do not have such licenses. Therefore, the Committee discussed (1) "Handling of health information" to establish rules for information handling. Only patients are permitted to handle their medical and health information, with the exception of authorized physicians and other medical professions who analyze it. However, due to the computerization of information, numerous people can obtain access to such information, and it is necessary to clarify the responsibility of those concerned and also the demarcation points of responsibility. Through discussion, the idea of responsibility was summarized in Chapter 4, "Responsibility for Handling Electronic Health Information," and, based on this idea, 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information" was also revised.

To meet the recent diversification of work systems, (3) "Technical requirements for using wireless and mobile services" was also discussed. Using radio wireless LAN allows network connection in restricted areas. Depending on its use, however, wireless LAN also threatens communications by tapping, illegal access, and interference. Mobile networks allow connection to the information system from within the facilities and outside the facilities, which improves convenience; however, since there are various networks permitting mobile access, threats were analyzed by each form of connection. Necessary guidelines based on these discussions were added to the related sections in Chapter 6. In particular, the idea of a network was summarized in 6.11, "Security Management at External Exchange of Health Information Including Personal Information." If information is removed by mobile terminals or portable media, new risks such as theft and loss can also be anticipated; therefore 6.9, "Taking out Information and Information Equipment" was created.

[Edition 4]

Edition 3 of these guidelines prescribed clear rules of information handling for professionals of various occupations dealing with medical information and, in particular, clarified the demarcation points of responsibility. This was expected to further promote computerization; however, the following issues were pointed out:
"For the security management of health information, Medical Institutions and medical professions require expertise on information technologies, as well as further financial expenses for facility investments etc."
"Considering the recent severe health care provision system, the limited human and financial health care resources should be spent for providing high-quality health care that is the substantial work of Medical Institutions and medical professions, and excess labor and resources should not be spent for computerization. On the other hand, with the recent progress of medical computerization, people are expected to browse, collect, and present their own health information for health enhancement."

To construct a more appropriate information infrastructure for the health care field, the Committee on Health Information Network Infrastructure discussed (1) "Ideal management of electronic information in the health care field" and (2) "Measures for personal management and use of own health information." For (1), "Medical treatment information guidelines should be revised for easy reading and to meet the request from various parties for consistent guidelines on health information by systematically studying security management and operation policies based on not only physical location but also health information to handle such information according to the technological progress," the results of discussion are reflected in the guidelines of Edition 4. The outline is as follows:

As part of the systematic review, 3.3, "Documents Requiring Careful Handling," was added to Chapter 3 to clarify the handling of the following documents in accordance with these guidelines:
1 Documents not mentioned in enforcement notices but covered by the e-document Law and containing personal information of patients (narcotics account book, etc.),
2 Documents after the legal storage period,
3 Physiological examination records and images, such as ultrasonic images, referred to at every clinical examination for description in clinical records, and
4 Various documents necessary for calculating health care fees (medication records at pharmacies, etc.).

By considering the importance of interoperability and standardization of health information, Chapter 5 was totally reviewed to review the system and support the latest technologies and revised as Chapter 5, "Interoperability and Standardization of Information."

Chapter 6 clarified the basic policy items of announcement in 6.1, "Establishment and Announcement of Policies," by quoting JIS Q 15001:2006 and explained the security management policies specifically by quoting JIS Q 27001:2006. Then "C Minimum guidelines" was added. Similarly, "C Minimum guidelines" and "D Recommended guidelines" were added to 6.2, "Implementation of Information Security Management System (ISMS) at Medical Institution." To 6.11, "Security Management at External Exchange of Health Information Including Personal Information," Items B and D were added in relation to access from outside parties concerned.

To Chapter 7, a preamble about electronic storage was added and the principles of requirements and measures were stated. Throughout Chapter 7, Item A clarified the relationship between ordinances and notices of the Ministry of Health, Labour and Welfare. In 7.1, "Securing Genuineness," Item B was greatly simplified, Item C was reviewed, and Item D was totally deleted. In 7.2, "Securing Human Readability," Item B was simplified, Item C was reviewed after statement by the type of storage place was cancelled, and predicted emergency cases were added to Item D. Similarly in 7.3, "Securing Storability," Items C and D were greatly reviewed. Note that Items C and D in Chapter 7 were reviewed and many corrections were made.

Regarding the request from various parties for consistent guidelines on health information, no changes were made about the requirements for risk management when private business entities store health information externally. Chapter 8, "Standards for the External Storage of Clinical and Other Records," however, clarifies the idea of operation and information management to information-receiving business entities on the condition of complying with guidelines issued from the Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications.

Edition 4 was created by general revision in accordance with the technological progress, such as changing the scanner requirements in Chapter 9, and making the descriptions easy to understand.

2 How to Interpret the Guidelines

These guidelines are organized as explained below. Persons responsible at Medical Institutions, information system administrators and implementers are expected to take individual measures after understanding their related sections. In these guidelines, the terms "health information" and "health information system" refer to health information including patient information (personal ID information) and a system to deal with the information.

[Chapters 1 to 6] The contents of these chapters are to be referred to at all Medical Institutions where data including personal information is dealt with.
[Chapter 7] This chapter describes guidelines for the electronic storage of clinical records legally subject to storage.
[Chapter 8] This chapter describes guidelines for the storage of clinical and other records outside Medical Institutions that are legally subject to storage.
[Chapter 9] This chapter describes guidelines for electronic storage based on the e-document Law using a scanner.
[Chapter 10] This chapter describes matters concerning operation and management regulations.

Most of these guidelines aim to present measures about requirements, such as laws, MHLW ordinances, and other guidelines. They are roughly divided into the following items and explained individually.

A Institutional requirements
This item describes requirements based on laws, notices, and other guidelines.

B Concept
This item explains the requirements and gives basic measures.

C Minimum guidelines
This item describes what must be done to satisfy the requirements of A. Actual measures may differ depending on the scale of the Medical Institution, or one of several measures may be selected. However, appropriate measures must be selected by using the attached operation management table and actually executed.

D Recommended guidelines
This item describes measures not essential for satisfying requirements but recommended for easy understanding from the viewpoint of accountability. It also describes some notes that should be taken when using technology not adopted in the minimum system.

The three attached tables at the end of these guidelines summarize technical and operational measures to satisfy security management requirements. They were created for use in creating operation and management regulations. The security management measures become effective only when both technical and operational measures are taken. Technical measures often have multiple choices, and corresponding operational measures are necessary for adopted technical measures. The attached tables are organized from the following items:
1 Operation and management item: Security management requirements needing some operational measures
2 Implementation item: Classified further from the above management item into the implementation level
3 Object: Standard scale of Medical Institutions
4 Technical measures: Technically possible measures enumerated for selection about one implementation item
5 Operational measures: Summary of operational measures necessary for technical measures in 4
6 Model sentence for operation and management regulation: Sample when stating operational measures in regulations

Each institution prescribes operational measures corresponding to technical measures adopted for an implementation item in operation and management regulations and confirms the actual observance of the regulation to achieve the implementation item. Before selecting technical measures, each institution discusses corresponding operational measures to allow the selection of technical measures in the possible range of their own institutional operation. In general, if priority is given to operational measures, information system introduction costs decrease. If priority is given to technical measures, the user's operational burden decreases. Since their appropriate balancing is very important, these attached tables will be very helpful.

20 3 Applicable System and Information Regarding the Guidelines These guidelines are aimed at both storage systems and all information systems which deal with medical information, as well as all people and organizations involved in the implementation, operation, use, maintenance, and discard of the systems. The applicable documents, however, are partially limited in Chapter 7, "Requirements for Electronic Storage," Chapter 8, "Standards for the External Storage of Clinical and Other Records," and Chapter 9, "Electronic Storage of Clinical Records Using Scanners or Other equipment." 3.1 Applicable Documents of Chapters 7 and 9 Documents concerning health care can roughly be divided into those which are legally subject to creation or storage and those which are not. The applicable documents of Chapters 7 and 9 are documents which are legally subject to creation or storage. More specifically, these chapters deal with the following documents prescribed in "Ordinance for Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities Pertaining to Laws and Regulations Under the Jurisdiction of the Ministry of Health, Labour and Welfare" (2005 MHLW Ordinance No.44) and "Notice Concerning the Enforcement of Act on Utilization of Information and Communications Technology for Document Storage by Private Business Entities (Health Policy Publication No , Pharmaceutical and Food Security Publication No , and Health Insurance Publication No dated March 31, 2005 under the joint signatures of the directors general of Health Policy Bureau, Pharmaceutical and Food Safety Bureau, and Health Insurance Bureau, Ministry of Health, Labour and Welfare: hereinafter, Enforcement Notice ) as health care documents for which the e-document Act applies. Applicable documents of Chapters 7 and 9 (*For prescriptions, the requirements of (4) in Enforcement Notice No.2-2 shall be satisfied.) 1. 
Clinical records in Article 24 of the Medical Practitioners Law (1948 Law No.201)
2. Clinical records in Article 23 of the Dental Practitioners Law (1948 Law No.202)
3. Midwifery records in Article 42 of the Law of Public Health Nurses, Midwives and Nurses (1948 Law No.203)
4. Business reports and other reports reserved for audit based on the provisions of Clauses 1 and 2 in Article 51-2 of the Medical Care Law (1948 Law No.205)
5. Instructions in Article 19 of the Dental Technicians Law (1955 Law No.168)
6. Prescription records in Article 28 of the Pharmacists Law (1960 Law No.146)
7. Clinical records in Article 11 of the Law Concerning the Exceptional Cases of the Medical Practitioners Law and Dental Practitioners Law, Article 17, on the Advanced Clinical Training of Foreign Medical or Dental Practitioners (1987 Law No.29)
8. Emergency life saving records in Article 46 of the Emergency Life Guards Law (1991 Law No.36)
9. Documents of Clauses 1 and 2 in Article of the Enforcement Regulations for the Medical Care Law (1948 Ministry of Welfare Ordinance No.50)
10. Clinical records in Article 9 of the Insurance Medical Institution and Physician Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.15) (Article 22 for creation)
11. Prescription records in Article 6 of the Insurance Pharmacy and Pharmacist Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.16) (Article 5 for creation)
12. Documents in Article 12-3 of the Enforcement Regulations for the Clinical Laboratory Technicians Law (1958 Ministry of Welfare Ordinance No.24) (Paragraphs 14 and 15 of Article 12 for creation)
13. Records of Clause 1 in Article 21 of the Medical Care Law (1948 Law No.205) (of various clinical records prescribed in Paragraph 9 of the said clause, only prescriptions of Paragraph 10 of Article 20 of the Enforcement Regulations for the Medical Care Law), records in Article 22 (of various clinical records prescribed in Paragraph 2 of the said article, only prescriptions of Paragraph 2 in Article 21-5 of the Enforcement Regulations for the Medical Care Law), and records in Article 22-2 (of various clinical records prescribed in Paragraph 3 of the said article, only prescriptions of Paragraph 2 in Article 22-3 of the Enforcement Regulations for the Medical Care Law)*
14. Prescriptions in Article 27 of the Pharmacists Law (1960 Law No.146)*
15. Prescriptions in Article 6 of the Insurance Pharmacy and Pharmacist Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.16)*
16. Records of Clause 1 in Article 21 of the Medical Care Law (1948 Law No.205) (excluding the prescriptions of Paragraph 10 in Article 20 of the Enforcement Regulations for the Medical Care Law), records in Article 22 (excluding the prescriptions of Paragraph 2 in Article 21-5 of the Enforcement Regulations for the Medical Care Law), and records in Article 22-2 (excluding the prescriptions of Paragraph 2 in Article 22-3 of the Enforcement Regulations for the Medical Care Law)

17. Work records of dental hygienists in Article 18 of the Enforcement Regulations for the Dental Hygienists Law (1989 Ministry of Welfare Ordinance No.46)
18. Irradiation records of Clause 1 in Article 28 of the Radiology Technicians Law (1951 Law No.226)

Within the documents legally subject to creation or storage, health care documents not prescribed in the e-document Act shall be excluded even when converted into electronic information.

3.2 Applicable Documents of Chapter 8

Chapter 8 covers the following documents prescribed in "Notice Concerning Partial Amendment of 'Place for Storing Clinical and Other Records'" (Health Policy Publication No , Health Insurance Publication No dated March 31, 2005 under the joint signatures of the directors general of Health Policy Bureau and Health Insurance Bureau, Ministry of Health, Labour and Welfare: hereinafter, External Storage Amendment Notice).

1 Clinical records in Article 24 of the Medical Practitioners Law (1948 Law No.201)
2 Clinical records in Article 23 of the Dental Practitioners Law (1948 Law No.202)
3 Midwifery records in Article 42 of the Law of Public Health Nurses, Midwives and Nurses (1948 Law No.203)
4 Business reports and other reports reserved for audit based on the provisions of Clauses 1 and 2 in Article 51-2 of the Medical Care Law (1948 Law No.205)
5 Various clinical records in Articles 21, 22, and 22-2 of the Medical Care Law (1948 Law No.205) and various hospital management and operation records in Articles 22 and
6 Instructions in Article 19 of the Dental Technicians Law (1955 Law No.168)
7 Clinical records in Article 11 of the Law Concerning the Exceptional Cases of the Medical Practitioners Law and Dental Practitioners Law, Article 17, on the Advanced Clinical Training of Foreign Medical or Dental Practitioners (1987 Law No.29)
8 Emergency life saving records in Article 46 of the Emergency Life Guards Law (1991 Law No.36)
9 Documents of Clauses 1 and 2 in Article of the Enforcement Regulations of the Medical Care Law (1948 Ministry of Welfare Ordinance No.50)
10 Clinical records in Article 9 of the Insurance Medical Institution and Physician Healthcare Management Regulations (1957 Ministry of Welfare Ordinance No.15) (Article 22 for creation)
11 Documents in Article 12-3 of the Enforcement Regulations for the Clinical Laboratory Technicians Law (1958 Ministry of Welfare Ordinance No.24) (Paragraphs 14 and 15 of Article 12 for creation)
12 Work records of dental hygienists in Article 18 of the Enforcement Regulations of the Dental Hygienists Law (1989 Ministry of Welfare Ordinance No.46)
13 Irradiation records in Article 28 of the Radiology Technicians Law (1951 Law No.226)

3.3 Documents Requiring Careful Handling

In addition to the documents listed in 3.1, the following documents require careful handling to protect personal information:
- Documents not mentioned in enforcement notices but covered by the e-document Act and containing personal information of patients (narcotics, account book, etc.),
- Documents after the legal storage period,
- Physiological examination records and images, such as ultrasonic images, referred to at every clinical examination for description in clinical records, and
- Various documents necessary for calculating health care fees (medication records at pharmacies, etc.)

With a full understanding of laws related to the protection of personal information, the documents from to shall be handled in compliance with Articles 7 and 9 by referring to various guidelines and Chapter 6, "Security Management" of these guidelines which are also used for securing an information management system, as long as personal information, including backup information, is stored and not discarded. Also refer to Chapter 9.4, "Electronic Storage Scanner for Convenience and Hard-copy Storage" as required. For the external (continuous) storage of a document prescribed in 3.2, Chapter 8 shall be adhered to even when the Enforcement Notice or External Storage Amendment Notice no longer applies due to the expiration of the legal storage period.

4 Responsibility for Handling Electronic Health information

The Medical Care Law and other laws prescribe that any medical practice shall be conducted under the responsibility of a manager at the medical institution concerned. This also applies to the handling of health information. Health information should be collected, stored, and discarded appropriately to maintain the duty of confidentiality prescribed in the Penal Code and to comply with various laws and guidelines related to the protection of personal information, and should meet requirements prescribed in laws, notices, and guidelines pertaining to clinical information. Intentional conduct which contravenes these requirements may be punishable as the disclosure of confidential information in accordance with the Penal Code. Unintentional leakage or unintended use of clinical information may also pose a critical problem. To avoid such circumstances, appropriate management is necessary.

A manager should take due care as a good manager (duty of care). This management differs depending on the information and circumstances. The value and criticality of health information does not vary significantly with media. The manager at a medical institution should take at least equal care for hard-copy storage (paper or film) and electronic storage within the institution. However, electronic information also has the following peculiarities:
- Compared with hard-copy information, such as paper or film, the movement of electronic information is difficult to perceive for ordinary people.
- It is very possible that a great amount of information could leak instantaneously.
- Medical professionals are often unfamiliar with the safe protection of information because they are not necessarily specialists in information-handling.
Consequently, each medical institution should: discuss the scope of computerization and its methods by considering advantages and disadvantages based on the circumstances, select system functions to implement and an operation plan, and determine actions to comply with the expected security standards.

For circumstances in which computerized health information does not remain within the medical institution but is exchanged or shared through a network, both the medical institution and the network space provider and network communication carrier shall also be responsible for management. With respect to the handling of electronic health information between the parties concerned, this chapter summarizes "contents and scope of the manager's responsibility for information protection at a medical institution" and "responsibility when information processing is entrusted to another medical institution or business operator or when health information is entrusted with other work or provided to a third party" by using the concept of Demarcation of Responsibility.

4.1 Manager's Responsibility for Information Protection at Medical Institutions

For the appropriate management of health information at a medical institution, the manager has normal responsibility for constructing and managing a system for the protection of health information in operation, as well as the responsibility for coping with any inconveniences (typically, information leakages). These guidelines refer to the former as "operational responsibility" and the latter as "post-event responsibility."

1 About operational responsibility

Operational responsibility means pertinent information management to protect health information appropriately. However, this responsibility is not limited to appropriate information management but includes the following 3 kinds of responsibility:

Accountability
This is to clarify to a patient that the functions and operation plan of a system electronically handling health information satisfy handling standards. To satisfy this responsibility, a medical institution should do the following:
- Clearly document system specifications and an operation plan
- Conduct periodic audits to confirm that the specifications and plan are proceeding in accordance with the initial policy
- Document audit results with no ambiguities
- Cope sincerely with problems found by the audit
- Document action records for verification by a third party

Responsibility for management
This responsibility is for operating and managing a system that deals with health information. Entrusting the management of the said system to a subcontractor is not sufficient.
To satisfy the responsibility, a medical institution should do the following:
- Produce a management status report at least periodically
- Conduct supervision by clarifying where the final responsibility for management lies

The Personal Information Protection Act prescribes the selection of the following persons to deal with a subcontractor:
- Persons responsible for protecting personal information
- Persons with certain knowledge relating to the protection of electronic personal information

Responsibility for periodic review and necessary improvement
Since information protection technology is advancing rapidly, the current information protection system may become outdated. To review and improve the system as required, a medical institution should do the following:
- Audit the operation management status of the said information system periodically
- Extract problems and make necessary improvements

The manager of a medical institution should always consider improvements of the protection mechanism for health information and periodically evaluate and thoroughly study the current operation management.

2 Post-event responsibility

For any inconveniences (typically, leakages) relating to health information, the responsibilities are as follows:

Accountability
In particular, Medical Institutions have a certain public feature and naturally have a responsibility to account to individual patients. In addition, Medical Institutions are expected to offer explanations and notifications to the supervising governmental agency and society. To satisfy this responsibility, a medical institution should do the following:
- Announce incidents through the manager of the medical institution
- Explain the cause and action

Responsibility for devising remedial measures
The manager of a medical institution is also responsible for devising remedial measures. The responsibility can be classified as follows:
1) Responsibility for pursuing and clarifying a cause
2) Responsibility for compensating for damage when caused by the institution
3) Responsibility for preventing recurrence

4.2 Demarcation of Responsibility in Entrustment and Provision to Third Party

For the transmission of health information to an outside medical institution or business operator, the Personal Information Protection Act prescribes entrustment (entrustment to a third party) and provision to a third party. In accordance with the previous section, this section summarizes the responsibility of the manager of a medical institution for information protection.

Demarcation of Responsibility in Entrustment

Upon entrustment, the manager of a medical institution is responsible for management. With assistance from an entrusted business operator, the manager of a medical institution is obligated to satisfy "Accountability," "Responsibility for management," and "Responsibility for periodic review and necessary improvement" referred to in the previous section. If any inconvenience should occur, the said manager should also satisfy "Accountability" and "Responsibility for devising remedial measures" with an entrusted business operator and therefore should state the duty of the entrusted party in a contract of entrusted management. In addition, a contract of entrustment should state how the responsibility for devising remedial measures against inconveniences should be shared between the medical institution and the operator. Here are the basic rules of entrustment for a medical institution to satisfy the responsibility for management:

(1) Operational responsibility

Accountability
The manager of a medical institution is responsible for explaining the mechanism of health information protection and its functions. For the manager of a medical institution to satisfy accountability, information from the entrusted business operator may be essential in some cases. The entrusted business operator is accountable to the manager of the medical institution.
Therefore, the contract of entrustment should state the responsibilities of the entrusted business operator for providing information and making appropriate explanations.

Responsibility for management

The main entity responsible for management is the manager of a medical institution. In actual information processing, however, an entrusted business operator may often do safe maintenance work. The manager of a medical institution should understand management by the entrusted business operator and state the establishment of appropriate supervision in the contract of entrustment.

Responsibility for periodic review and necessary improvement
The contract of entrustment with an entrusted business operator should: state the shared-responsibility for periodically auditing the operation management status of the said system, eliminate problems, make necessary improvements and also perform periodic evaluations and examinations which consider technological advances related to protection.

(2) Post-event responsibility

Accountability
As stated in the previous section, the manager of a medical institution is responsible for announcing the occurrence of any incident related to health information and explaining its cause and the action to be taken. In many cases of information incidents, information provision and analysis by an entrusted business operator are indispensable for providing explanations. Therefore, as far as possible, events should be predicted and the sharing of accountability with the entrusted business operator should be included in the contract.

Responsibility for devising remedial measures
If any incident occurs relating to health information, the manager of a Medical Institution becomes responsible for devising remedial measures as stated in the previous section. If the problem is attributable to the business operator entrusted with the processing of health information, however, the manager of the medical institution may be legally understood as fulfilling the duty of care only if due care was taken in selecting and supervising an entrusted business operator.

As stated at the beginning of this chapter, medical information at a medical institution should be managed under the responsibility of the manager of the institution. Therefore, the manager must take part of the responsibility for determining the cause of an incident related to health information, compensating for damage and preventing recurrence. Since an entrusted business operator does not always manage everything relating to health information, the manager of the medical institution is unavoidably responsible for devising remedial measures in an incident which is related to the entire mechanism of health information protection. The manager of a Medical Institution cannot evade the responsibility for devising the following remedial measures for patients:
1) Pursuing and clarifying a cause,
2) Compensating for damage when caused, and
3) Preventing recurrence.

The manager of a Medical Institution shall never be totally exempt from his/her responsibility to patients. However, shared-responsibility with an entrusted business operator is a different matter. In particular, if an incident occurs due to a fault of the entrusted business operator, the manager of the Medical Institution, in principle, shall not take full responsibility. If any incident occurs relating to health information, however, it is important to pursue and clarify its cause and take preventive measures before discussing shared responsibility between the Medical Institution and the entrusted business operator. Therefore, the contract of entrustment should clearly stipulate that the Medical Institution and the entrusted business operator give priority to these measures by mutual cooperation. Depending on the contents of entrustment, the contract of entrustment should stipulate more clearly the duty of pursuing the cause and propose the responsibility of the business operator regarding preventive measures.

With respect to shared-responsibility for compensation, if an incident is attributable to a fault of the entrusted business operator, the operator should, in principle, take ultimate responsibility. There are many factors to consider in regard to this matter, such as the type and complexity of a cause that may make it difficult to determine the cause, the shared-responsibility for compensation that may hinder determination of the cause, and the possibility of dispersing damage by insurance.
It is necessary to clearly stipulate shared-responsibility for compensation in the contract of entrustment upon consideration of these factors.

Demarcation of Responsibility in Provision to a Third Party

When providing health information to a third party, a Medical Institution should observe Article 23 of the Protection of Personal Information Act (Law No.57 on May 30, 2003) and the Guidelines for the Appropriate Handling of Personal Information by Medical and Nursing Care Providers. Health information is provided to a third party for particular purposes. As a rule, the appropriateness of this provision concerns only the manager of the Medical Institution. As


More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Issues Paper INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS RISKS TO INSURERS POSED BY ELECTRONIC COMMERCE OCTOBER 2002 Risks to Insurers posed by Electronic Commerce The expansion of electronic commerce,

More information

Information Disclosure Reference Guide for Cloud Service Providers

Information Disclosure Reference Guide for Cloud Service Providers Information Disclosure Reference Guide for Cloud Service Providers In Conjunction with "Guide to Safe Use of Cloud Services for Small-to-Mid-Sized Enterprises" April 2011 Information-technology Promotion

More information

WASHINGTON LAWS, 1987

WASHINGTON LAWS, 1987 ensure compliance with this chapter and the treatment standard authorized by this chapter. A methadone treatment center shall not have a caseload in excess of three hundred fifty persons. The caseload

More information

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution

More information

ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC. CHAPTER I GENERAL PROVISIONS

ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC. CHAPTER I GENERAL PROVISIONS ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC. Wholly Amended by Act No. 6360, Jan. 16, 2001 Amended by Act No. 6585, Dec. 31, 2001 Act No. 6797,

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Health and Medical Field (Objectives and perspectives for regulatory reform) Achieving a healthy society of longevity

Health and Medical Field (Objectives and perspectives for regulatory reform) Achieving a healthy society of longevity Health and Medical Field (Objectives and perspectives for regulatory reform) Achieving a healthy society of longevity Improving public convenience Industrial development and economic revitalization Fiscal

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

FOLLOW-UP AUDIT OF THE FEDERAL BUREAU OF PRISONS EFFORTS TO MANAGE INMATE HEALTH CARE

FOLLOW-UP AUDIT OF THE FEDERAL BUREAU OF PRISONS EFFORTS TO MANAGE INMATE HEALTH CARE FOLLOW-UP AUDIT OF THE FEDERAL BUREAU OF PRISONS EFFORTS TO MANAGE INMATE HEALTH CARE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 10-30 July 2010 FOLLOW-UP AUDIT

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

MEDICAL RESOURCE CENTER FOR RANDOLPH COUNTY, INC. POLICY & PROCEDURES

MEDICAL RESOURCE CENTER FOR RANDOLPH COUNTY, INC. POLICY & PROCEDURES NUMBER: PAGE: 1 OF: 12 ADOPTED FROM: NACHC REVIEWED BY: Executive Team, Board of Directors DATES OF REVISION: APPROVED: July 21, 2011 DATES OF REVIEW: July 21, 2011 1. POLICY: This policy applies to all

More information

Management Standards for Information Security Measures for the Central Government Computer Systems

Management Standards for Information Security Measures for the Central Government Computer Systems Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

ACT. Of.2014. On Cyber Security and Change of Related Acts (Act on Cyber Security)

ACT. Of.2014. On Cyber Security and Change of Related Acts (Act on Cyber Security) ACT Of.2014 On Cyber Security and Change of Related Acts (Act on Cyber Security) The Parliament has resolved on the following Act of the Czech Republic: PART ONE Cyber Security Chapter I General provisions

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA. (as amended by Federal Law of 25.11.2009 No.266-FZ) Chapter 1.

27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA. (as amended by Federal Law of 25.11.2009 No.266-FZ) Chapter 1. 27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA (as amended by Federal Law of 25.11.2009 No.266-FZ) Article 1. Scope of This Federal Law Chapter 1. GENERAL Adopted by The State Duma

More information

This English translation of the Act on Regulation of the Transmission of Specified

This English translation of the Act on Regulation of the Transmission of Specified This English translation of the Act on Regulation of the Transmission of Specified Electronic Mail ( Act No. 26 of April 17, 2002) has been prepared in compliance with the Standard Bilingual Dictionary

More information

Offenders Rehabilitation Services Act

Offenders Rehabilitation Services Act Offenders Rehabilitation Services Act (Act No. 86 of May 8, 1995) Table of Contents Chapter I General Provisions (Articles 1 to 3) Chapter II Juridical Person for Offenders Rehabilitation Section 1 General

More information

Information Governance and Management Standards for the Health Identifiers Operator in Ireland

Information Governance and Management Standards for the Health Identifiers Operator in Ireland Information Governance and Management Standards for the Health Identifiers Operator in Ireland 30 July 2015 About the The (the Authority or HIQA) is the independent Authority established to drive high

More information

Implementation Rules of the China Internet Network Information Center for Domain Name Registration (2012)

Implementation Rules of the China Internet Network Information Center for Domain Name Registration (2012) Article 3 The domain name systems involved in the rules shall meet the requirements of the announcement by Ministry of Industry and Information Technology on China s Internet domain name systems. Chapter

More information

HIPAA Privacy Policy & Notice of Privacy Practices

HIPAA Privacy Policy & Notice of Privacy Practices HIPAA Privacy Policy & Notice of Privacy Practices 1. PURPOSE 1 The purpose of this policy is to comply with patient personal health information security rights and privacy regulations as outlined in the

More information

engagement will not only ensure the best possible law, but will also promote the law s successful implementation.

engagement will not only ensure the best possible law, but will also promote the law s successful implementation. US-China Business Council Comments on The Draft Cybersecurity Law On behalf of the approximately 210 members of the US-China Business Council (USCBC), we appreciate the opportunity to provide comments

More information

Estate Planning and the Provision of Electronic Certification Services

Estate Planning and the Provision of Electronic Certification Services No. 248/71 (4) Regulation for the Provision of Electronic Signature Certification Services THE HELLENIC TELECOMMUNICATIONS & POST COMMISSION (EETT) Taking into account: a. Law No. 2867/2000 "Organization

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES EPCS Revised: October 2014 NEW YORK STATE DEPARTMENT OF HEALTH Bureau of Narcotic Enforcement 1-866-811-7957 www.health.ny.gov/professionals/narcotic

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

REQUEST FOR PROPOSALS Occupational Therapy Services 2014-2015 July 29, 2014

REQUEST FOR PROPOSALS Occupational Therapy Services 2014-2015 July 29, 2014 REQUEST FOR PROPOSALS Occupational Therapy Services 2014-2015 July 29, 2014 RFP 140702 The Delaware City School District is seeking a vendor to provide occupational therapy to students with IEP s for the

More information

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES EPCS Revised: April 2015 NEW YORK STATE DEPARTMENT OF HEALTH Bureau of Narcotic Enforcement 1-866-811-7957 www.health.ny.gov/professionals/narcotic

More information

ELECTRICITY SUPPLY/ TRADE LICENSE KORLEA INVEST A.S

ELECTRICITY SUPPLY/ TRADE LICENSE KORLEA INVEST A.S Hamdi Mramori Street, No 1 Prishtina 10000 Kosovo Tel: +381 (0) 38 247 615 ext. 103 Fax: +381 (0) 38 247 620 e-mail: info@ero-ks.org www.ero-ks.org ELECTRICITY SUPPLY/ TRADE LICENSE GRANTED TO: KORLEA

More information

THE CERTIFIED PUBLIC ACCOUNTANTS LAW (As amended, last amendment being on July 26, 2005)

THE CERTIFIED PUBLIC ACCOUNTANTS LAW (As amended, last amendment being on July 26, 2005) THE CERTIFIED PUBLIC ACCOUNTANTS LAW (As amended, last amendment being on July 26, 2005) CHAPTER I CHAPTER II CHAPTER III CHAPTER IV CHAPTER V CHAPTER V-II CHAPTER VI GENERAL PROVISIONS CPA EXAMINATION

More information

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution

More information

Abnormal Operating Conditions Emergency Plans and Public Awareness Plans for Natural Gas Systems

Abnormal Operating Conditions Emergency Plans and Public Awareness Plans for Natural Gas Systems Abnormal Operating Conditions Emergency Plans and Public Awareness Plans for Natural Gas Systems Contact Information John West Transportation Specialist U.S. Department of Transportation PHMSA Office of

More information

Business Plan in 2015 of Organization for Cross-regional Coordination of Transmission Operators, Japan

Business Plan in 2015 of Organization for Cross-regional Coordination of Transmission Operators, Japan Business Plan in 2015 of Organization for Cross-regional Coordination of Transmission Operators, Japan Version 1.0: 2016/1/21 This Organization has received an approval of establishment on August 22, 2014,

More information

Measures Taken from the Aspect of Nursing Jobs to Prevent Medical Accidents

Measures Taken from the Aspect of Nursing Jobs to Prevent Medical Accidents Patient Safety Measures Taken from the Aspect of Nursing Jobs to Prevent Medical Accidents JMAJ 45(3): 91 96, 2002 Yoshiko SHIMAMORI Executive Officer, Japanese Nursing Association Abstract: Those engaged

More information

Guidelines on Accreditation of Designated Certification Business based on the Act on Electronic Signatures and Certification Business

Guidelines on Accreditation of Designated Certification Business based on the Act on Electronic Signatures and Certification Business [Interim Translation (official: Japanese)] Public Notice No. 2 Ministry of Internal Affairs and Communications Ministry of Justice Ministry of Economy, Trade, and Industry In order to implement the Act

More information

Terms and Conditions of Application for the Nikkei Online Edition

Terms and Conditions of Application for the Nikkei Online Edition Terms and Conditions of Application for the Nikkei Online Edition 1. Contract for subscription to the Nikkei Online Edition (hereinafter referred to as the service ) (hereinafter referred to as the contract

More information

Current Situations and Issues of Occupational Classification Commonly. Used by Private and Public Sectors. Summary

Current Situations and Issues of Occupational Classification Commonly. Used by Private and Public Sectors. Summary Current Situations and Issues of Occupational Classification Commonly Used by Private and Public Sectors Summary Author Hiroshi Nishizawa Senior researcher, The Japan Institute for Labour Policy and Training

More information

How To Manage Records And Information Management In Alberta

How To Manage Records And Information Management In Alberta 8. RECORDS AND INFORMATION MANAGEMENT Overview This chapter is intended to help public bodies understand how good records and information management practices assist in the effective administration of

More information

SASKATCHEWAN COLLEGE OF PHARMACISTS Electronic Transmission of Prescriptions. Policy Statement and Guidelines for Pharmacists

SASKATCHEWAN COLLEGE OF PHARMACISTS Electronic Transmission of Prescriptions. Policy Statement and Guidelines for Pharmacists SASKATCHEWAN COLLEGE OF PHARMACISTS Electronic Transmission of Prescriptions PREAMBLE This document replaces the Operational Guidelines - Facsimile Transmission of Prescriptions Current legislation allows

More information

Act on Regulation of Transmission of Specified Electronic Mail ( Act No. 26 of April 17, 2002)

Act on Regulation of Transmission of Specified Electronic Mail ( Act No. 26 of April 17, 2002) この 特 定 電 子 メールの 送 信 の 適 正 化 等 に 関 する 法 律 の 翻 訳 は 平 成 十 七 年 法 律 第 八 十 七 号 まで の 改 正 ( 平 成 18 年 5 月 1 日 施 行 )について 法 令 用 語 日 英 標 準 対 訳 辞 書 ( 平 成 18 年 3 月 版 )に 準 拠 して 作 成 したものです なお この 法 令 の 翻 訳 は 公 定 訳 ではありません

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

Regulatory Impact Statement: Overview of required information

Regulatory Impact Statement: Overview of required information Regulatory Impact Statement: Overview of required information Regulatory Impact Statement Amending references to health practitioners in five pieces of legislation Agency Disclosure Statement This Regulatory

More information

Gas Business Act Act No. 51 of March 31, 1954

Gas Business Act Act No. 51 of March 31, 1954 This English translation of the Gas Business Act has been prepared up to the revisions of Act No. 87 of 2005 Effective May 1, 2006 in compliance with the Standard Bilingual Dictionary March 2006 edition.

More information

Measures on Administration of Health Insurance

Measures on Administration of Health Insurance Measures on Administration of Health Insurance 健 康 保 险 管 理 办 法 No.8 [2006] Reviewed and adopted at the Chairmen Meeting of the China Insurance Regulatory Commission on June 12, 2006, Measures on Administration

More information

State of Utah Department of Commerce Division of Occupational and Professional Licensing

State of Utah Department of Commerce Division of Occupational and Professional Licensing State of Utah Department of Commerce Official Use Only Number: Date Approved/Denied: Approved/Denied By: Certified Nurse Midwife APPLICANT INFORMATION Full Legal Name: First Middle Last All Previous Legal

More information

Use of Electronic Health Record Data in Clinical Investigations

Use of Electronic Health Record Data in Clinical Investigations Use of Electronic Health Record Data in Clinical Investigations Guidance for Industry DRAFT GUIDANCE This guidance document is being distributed for comment purposes only. Comments and suggestions regarding

More information

General terms of insurance. January 2010 edition. Insurance carrier: Compact Grundversicherungen AG

General terms of insurance. January 2010 edition. Insurance carrier: Compact Grundversicherungen AG Compact One Mandatory basic health insurance (with compulsory initial consultation by phone) pursuant to the Swiss Federal Health Insurance Act (KVG/LAMal) General terms of insurance January 2010 edition

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

RADIOLOGIC TECHNOLOGIST, RADIOLOGIST ASSISTANT, AND RADIOLOGY PRACTICAL TECHNICIAN LICENSING ACT

RADIOLOGIC TECHNOLOGIST, RADIOLOGIST ASSISTANT, AND RADIOLOGY PRACTICAL TECHNICIAN LICENSING ACT RADIOLOGIC TECHNOLOGIST, RADIOLOGIST ASSISTANT, AND RADIOLOGY PRACTICAL TECHNICIAN LICENSING ACT 58-54-101. Short title. This chapter is known as the "Radiologic Technologist, Radiologist Assistant, and

More information

ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information

ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information International Auditing and Assurance Standards Board Exposure Draft April 2011 Comments requested by September 1, 2011 Proposed International Standard on Assurance Engagements (ISAE) ISAE 3000 (Revised),

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information

Memorandum of Principle and Rationale of [Draft] National Cybersecurity Act B.E. Principle To legislate on the maintenance of national Cybersecurity.

Memorandum of Principle and Rationale of [Draft] National Cybersecurity Act B.E. Principle To legislate on the maintenance of national Cybersecurity. Memorandum of Principle and Rationale of [Draft] National Cybersecurity Act B.E. Principle To legislate on the maintenance of national Cybersecurity. Rationale The use of Information Technology (IT) in

More information

On-Site Examination Policy for Fiscal 2016. Examination Policy for Fiscal 2016" briefly reviews on-site examinations carried out in

On-Site Examination Policy for Fiscal 2016. Examination Policy for Fiscal 2016 briefly reviews on-site examinations carried out in March 29, 2016 Bank of Japan On-Site Examination Policy for Fiscal 2016 1. On-Site Examination by the Bank of Japan The Bank of Japan (hereinafter, the Bank) formulates the on-site examination policy every

More information

12 LC 33 4683S. The House Committee on Health and Human Services offers the following substitute to HB 972: A BILL TO BE ENTITLED AN ACT

12 LC 33 4683S. The House Committee on Health and Human Services offers the following substitute to HB 972: A BILL TO BE ENTITLED AN ACT The House Committee on Health and Human Services offers the following substitute to HB 972: A BILL TO BE ENTITLED AN ACT 1 2 3 4 5 6 7 8 9 10 11 12 13 To amend Chapter 34 of Title 43 of the Official Code

More information