2012-08-20 Privacy Meeting

Module Review:
1. Are there any outstanding questions?
  1. Family History: linking records is very complicated and dangerous from a privacy perspective. At this point we only use patient provided family history information which is fine legally.
  2. In case the patient wants to look over the shoulder of the Lab tech, info on other patients in the queue should not be visible to them, the queue is integral to the design of the module, but the information that appears could be altered. Need to maintain anonymity of certain tests.
2. Next steps: making the changes in designs
  1. Nathan will make tickets for 1) limiting info in Billing, 2) Ensuring Family History is only "patient provided" info in OPD, 3) Changing the queue information that appears in Lab.
Privacy Policy: Review of Prasanth's draft
1. Apache 2.0 will cover Raxa, this is mostly for JSS.
2. Michael suggests adding something more explicit about billing to the "purpose" section.
3. Sharing info with third parties or other family members: this will require additional consent
4. Grievance officer and withdrawal of consent? Withdrawal is in the document, Grievance officer could be a burden for JSS
5. Data for statistical use will be anonymized and not linked to individuals, for research purposes only
6. Logging access: we need to be able to provide the logs to patients if they request them, we also need to state how we will log access
7. ISO Standards https://www.dropbox.com/home/JSS%20EMR/Publicity%20and%20Communications/Patient%20Privacy (we should all review these, Prasanth will double check relevant ISO standards and make sure it is included in the policy)
Review of John's wiki pages: Role-based permissions and login and authentications
1. Front end vs backend security/privacy: Michael, Phoram, John, Nathan and Shuro will set up a time to discuss this
2. In role based permissions, we need to articulate the tasks of the "Admin role" (deleting a patients data, etc)