Privacy Impact Assessment
Section 56 of PHIPAA provides for Privacy Impact Assessment and there are certain situations in which a custodian or any other custodian who is a public body has to conduct a privacy impact assessment and those situations are-
- New collection, use or disclosure of personal health information or any material change to the collection, use or disclosure of personal health. However, this does not apply to the collection, use, disclosure is mandatory for the purposes of the delivery of an existing common or integrated service, program or activity.
- Creation of a personal health information system, communication technology or a modification to a personal health information system or personal health information communication technology
- Creation of a common or integrated service, program or activity or a modification to a common or integrated service, program or activity
Data matching
Under this head (section 57) it is mandated on custodian that the custodian shall not collect, use or disclose personal health information to be used in data matching or created through data matching. If custodian has an authority for collection, use or disclosure of the personal information then custodian may perform data matching using personal health information under its custody or control.
It is to be noted that a custodian is not required to conduct a privacy impact assessment if data matching has already been done for an authorized purpose.
General Provisions
There are certain clarifications provided under PHIPAA under section 76. It talks of following miscellaneous and general situation which shall amount as an offence under PHIPAA and they are –
- Collecting, using or disclosing personal health information in contravention to PHIPAA
- Attempt to gain or gain access to personal health information if contravention to PHIPAA
- Knowingly making a false or misleading statement to or obstructing the ombud or another person performing his/her duties or exercising the power of ombud
- Destroying or erasing the information in record either himself/herself or directing the other personĀ to do so (with intention to evade a request to examine or copy the record
- Alter, falsify, conceal or destroy any record or part of it or giving direction to other person to do so (with intention to evade a request to examine or copy of record) or willful failure to comply with an investigation of the ombud.
Disclosure of personal health information without the authorization of the custodian or information manager, is said to commit an offence.
It is pertinent to note that prosecution for an offence under PHIPAA shall not be commenced after 2 years from the date of discovery of the alleged offence.
Picture Credit – https://eccinternational.com/