Jeongeun Kim*, College of Nursing, Seoul National University, Seoul, Korea, Republic Of James G. Boram Kim, Biomedical Knowledge Engineering Laboratory, Seoul National University, Seoul, Korea, Republic Of Yongyeob Jeong, KyungHee University Medical Center, Seoul, Korea, Republic Of Sukwha Kim, Seoul National University Hospital, Seoul, Korea, Republic Of Track: Research Presentation Topic: Ethical & legal issues, confidentiality and privacy Presentation Type: Poster presentation Submission Type: Single Presentation Last modified: 2013-09-25

If you are the presenter of this abstract (or if you cite this abstract in a talk or on a poster), please show the QR code in your slide or poster (QR code contains this URL).

Background: A Personal Health Record (PHR) consists of health information about an individual from diverse sources, including information entered by the patient or consumer. Majority of the information, however, especially objective data such as laboratory test results, come mainly from Electronic Health Record (EHR) systems. Due to this reason, it is absolutely vital for PHR systems to import data from EHR systems in a secure and private way. In South Korea, 82.3 percent of people are concerned about the privacy and security of their health information, and all the data residing in EHR systems are strictly protected by law, raising barriers for patients to download their health records from EHR systems, and to transfer it to PHR systems. Objective: The aim of this study is to find out which parts of the laws in South Korea hinder data liquidity between EHR and PHR systems. Methods: In this study, we closely investigated various acts in South Korea, including not only acts related to health and information technology but also the constitution and the criminal and civil acts. Privacy infringements can occur in one of the four stages of the health information life cycle: (1) Acquisition, (2) Preservation, (3) Use, and (4) Disposal. Hence, we asked a panel of experts to allocate each related article from the aforementioned laws and acts to one of the four stages, and then to evaluate how the articles can affect deployment of PHR systems in South Korea. Results: Since health information is a kind of personal information, people have the right to informational self-determination, according to the constitution of South Korea. The legal basis for imposing liability for a breach of confidentiality about personal information can be found in the criminal and civil acts, and the recently implemented privacy act heavily influences the way that hospitals and clinics should deal with patient data over the whole health information life cycle. The framework act on health and medical services underpins every law about protection of health information, and paper-based and electronic medical records are basically governed by the medical service act. There are also other laws and acts related to privacy of health information, such as the national health insurance act. Conclusions: Health information residing in EHR systems can be governed by either the privacy act or the medical service act, but due to the fact that health information in PHR systems is not medical records by law, it does not need to abide by the medical service act. Therefore, in South Korea, if appropriate security barriers and entry controls are in place, it is possible without any legal issues to enable patients to download medical records from EHR systems. And when it comes to transferring, if the patient initiates a transaction, the EHR system can transfer health information to a PHR system on behalf of the patient. However, in the USA, HIPAA (Health Insurance Portability and Accountability Act) rules have recently expanded the definition of a business associate to include a PHR vendor so that health information in PHR systems should be safeguarded by HIPAA. With these facts, we could reach to a conclusion that in South Korea, the real barrier to enabling data liquidity between EHR and PHR systems can be of policies hospitals and clinics have internally.