Biomedical Engineering Reference
In-Depth Information
• Access requires that consumers have reasonable access to the informa-
tion collected, including the opportunity to review, correct, or delete that
information.
• Security requires performing reasonable steps to protect the security of
information they collect.
The privacy laws require a data collection audit. Data collection, such as
the names and addresses, is simply a part of doing business. Other information,
such as demographic or personal fi nancial data, is frequently collected to fi nd
out as much as possible about consumers and retailers. The law will force that
consent be obtained before collecting, using, and/or disclosing such personal
data.
The central obligation under the legislation is the need for data collectors
to provide transparent privacy policies so the individuals are accurately
informed about who is collecting their data, why it is being collected, and how
it will be used. As such, organizations need to defi ne a security policy and
procedure to accurately inform individuals as to what data are being collected
and how they will be used by providing mechanisms for:
• Obtaining an individual ' s informed consent before collecting or disclos-
ing personal information
• Allowing individuals to access to information collected about them
In addition, the policies and procedures should be in place to prohibit the
employees from using personal information for any purposes other than for
which it was originally collected.
Notice that the consent is to be “specifi c and informed.” If applied literally,
for some secondary research this would require solicitation of more- focused
consent than is now sought.
18.7.1
HIPAA Compliance
Compliance to the U.S. federal privacy law (HIPAA) means a legal assurance
for protection of personal privacy in addition to traditional security require-
ments such as authentication, authorization, confi dentiality, data privacy, non-
repudiation, and auditability. The HIPAA prohibits anyone from collecting or
disclosing an individual's personal information without explicitly stating the
purpose(s) of collecting or disclosing the individual's personal information and
acquiring an explicit informed consent from the individual.
Therefore, any documents containing protected personal information, spe-
cifi cally personal health information (PHI) in clinical trials, must be de-
identifi ed before they are shared with any unauthorized persons or when the
documents are used other than the original authorized purposes. The term
de - identifi cation
is a legal term for provision of an assurance of removal of any
personal information and also other information unique to an individual that
can be used to identify a particular person. As such, the medical information
Search WWH ::
Custom Search