2012-07-18 Privacy meeting
Participants: Surajit Nundy, Michael Tschantz, Nathan Leiby, John V Stoecker (Unlicensed), Prasanth, Sathyan Velumani, Daniel Pepper (Unlicensed), Jessica Tribbe
- Introductions
- Draft of Policy Paper:Â
- The purpose of the paper
- filling in the gaps (in need of volunteers to help with specific sections)
- Additional Resources in a new Dropbox folder (Documents for best practices, etc)
- Deciding on Privacy Policy/Terms of Service
- Technical Implementation:Â
- Can we look at Markle Foundation or OpenMRS (The report on the audit of their system can be found here) for resources on making a plan?
- Best methods for reviewing current screens/workflows
- Discussion
- Legal Aspects  (Prasanth)
- There are specific rules under the IT Act which will apply to us
- Need to consider the data at three stages: Registration, Storage, and Retrieval / Sharing (within and outside of hospital)
- There should also be provisions for Sharing(within and outside of the hospital), and withdrawal of consent
- In addition to the IT Act, we should look at other existing best practices?Â
Markle, HIPAA? - who do we want to base our policy on, esp given the unique concerns of JSS?- Michael warned that HIPAA may not be the best model, the word "may" is used throughout and it presents a series of choices, but we'll need to make a specific choice of our policy. Perhaps a better approach is to define what we want to do and then check if it complies with HIPAA, then decide where we stand
- What are our "minimum standards"?
- Can compare these against Indian law, ethicists
- Prasanth will put together a document that outlines what is required by Indian law, as well as according to some of the major policies internationally.Â
- How long to make a privacy implement policy and tech elements for "minimum standards"?Â
- Under a month? Can continue to refine. Iterative process needed to make sure we can implement what we promise inÂ
- Can follow a process, like OASIS Privacy process
- How to make existing code privacy compliant?
- What tweaks can we make to existing screens to make them more privacy-aware ... Michael will try to review screens and make comments
- Access Control
- Post-Access Logging
- Patient Autonomy - what kind of information does the patient get out of this system?
- Reasonable that patient might want to see what doctor is entering
- but also concerns about what sensitive data could be if a patient is watching the system in use
- See existing Patient-Facing module for conceptual ideas on how we'll interact with often illiterate patient population at JSS
- patient-facing.github.com (code:Â
- What tweaks can we make to existing screens to make them more privacy-aware ... Michael will try to review screens and make comments
- "Google Search" (searches across all fields)
- First name and last name often mixed up ... so if we search by fields then we would miss this record
- Do a multi-field search on demographics?
- Feature itself doesn't seem to violate privacy, but seems like there might be many more illegitimate rather than legitimate uses –> worth doing? what are valuable use cases and do they outweigh the problematic ones?
- Prasanth: these can be addressed in the consent forms, but we will have to ask consent for different features.
- How does ToS apply to
- Patients
- Possibly illiterate – must explain by reading/recording it to them?
- Doctors/Nurses/etc
- Software developers
- Patients
- Legal Aspects  (Prasanth)
- Next Steps/Timeline
- Consider Splitting into 2 working groups
- Privacy Policy , high level
- Developer level feedback (we may schedule a separate call for this)
- how to ensure our screens respect privacy better... user-workflow
- code-level security concerns
- Aim is ~Aug 31st for completing a ToS document, since we want to begin implementing soon after that date
- We will be breaking the law if we implement the software and don't have a ToS
- Recommended ToS
- Consider Splitting into 2 working groups
Â