以HFMEA檢視我國醫療資訊保護法制

醫療行為之目的係為解決患者病痛及維護健康，而醫療資訊之取得與分析，則為進行醫療行為時不可或缺過程，於該資訊蒐集過程中，均無可避免涉及諸多患者部分隱私，依醫療法相關規定，醫療機構有管理保存該資訊責任，然因其內容之特殊性，病患對己身之醫療資訊應如何主張其管理權？醫療機構是否有權於未經該資料當事人同意即擅自使用該資訊？現行個人資料保護主要法規—個人資料保護法，因僅要求持有者對資料當事人採被動式告知同意，該規定對患者醫療隱私之保障是否充足妥適？且如欲主張其資訊自主權之範圍究係為何？此皆值得吾人深思探討。依傳統法律之立法，多採社會發生案例分析歸納方式，進而將此分析結果反應於立法草案擬定中，惟此方式難免忽略潛在問題，而無法全面透視真正問題所在以防範未來；倘能建立一套推演模式，於草案擬定或修法前即加以科學分析，尋找出真正問題焦點進而完整性立法或修法，將可降低日後頻頻修法以因應實際狀況之窘境。基此，本文爰舉題例，自醫療資訊之特性，加以分析該醫療資訊內容之權利歸屬，探討現行法規對醫療資訊保護之密度，並參酌外國法例，以檢視本國對於醫療資訊權之保障是否完備，並嘗試創新運用健康照護失效模式與效應分析（Healthcare Failure Mode and Effect Analysis，HFMEA）以檢視現行法規或管理上之問題，且由HFMEA 結果得知，安全管理措施、授權同意及健保資料庫使用，乃隱私權侵害可能性最高之三大主因。針對此三大問題進行強化保護之對策，本文建議採資訊安全標準化管理措施，並參酌美國健康保險可攜性及責任法（Health Insurance Portability and Accountability Act，HIPAA）規定授權同意模式，且將健保資料蒐集目的與使用範圍具體化、明確化，並嚴守研究資料將個人資料去辨識規定，此除可減少民眾疑慮，更兼及隱私保護與資料利用之最大化目的。

關鍵字

健康照護失效模式與效應分析（HFMEA）；標準化；資訊自主權；醫療資訊隱私；個人資料保護法

並列摘要

Medical behaviors focus on reliving pains and maintaining health. The acquisition and analysis of medical information is one indispensable process when conducting medical behaviors. In the process of obtaining such information, patient`s privacy may be unavoidably violated. According to Medical Law, the medical agencies have the responsibilities for managing and preserving the medical information held. Due to the nature of special information, how the patients should advocate the management rights? Whether the medical agencies are entitled to use the information without consents of patients? The adequacy of passive notification to the patients for disclosing their medical records remains questionable under Personal Information Protection Act. What the scope the parties to the information advocate their rights? As such requires in-depth discussion. This paper has analyzed the ownership of medical information contents, discussed over the protection intensity of the current laws and regulations posing on medical information from the perspective of medical information characteristics, and inspected whether the domestic protective mechanisms for medical information rights are well-established by referring to foreign legislation; as well as probed into the problems of current laws and regulations or management by creatively applying with Healthcare Failure Mode and Effect Analysis (HFMEA). According to the result of HFMEA, safety management measures, granted permits as well as the use of National Health Insurance Database proved to be the potential reasons for privacy violation. The reinforced and protective measures for these three problems are proposed. Firstly, the legalization of standard provisions is worthy of being adopted for information security requirements. Secondly, domestic regulations may refer to the mode of granted permits of the American HIPAA rules. Finally, public concerns can be reduced, privacy protection and maximum information utility be reached as long as the purposes and scopes for healthcare information collection and use can be specific and explicit, and comply with the rule of personal information identified.