Review of literature for health information security on Sri Lankan health

Abstract

Introduction: A large number of government health institutions in Sri Lanka are using Health Information Systems at present. However, there is no national-level health information security policy or privacy protection legislation in the country to regulate health information security and privacy. The objective of this study was to identify the current policies and acts related to health information security and privacy in Sri Lanka. Methods: A literature search was carried out in PubMed and google scholar databases. Grey literature is also included in the search, such as Health Ministry publications. Following keywords/ search terms were used: Information Security Policy in Sri Lanka, Information Security Act in Sri Lanka, Health Information Security, Health Data privacy. Results: There were no specific documents on health information security and privacy in Sri Lankan context. However, nine documents published by the ministry of health were related to health information. Except for the National Policy on health information, other documents have limited description on security-related areas such as data storage, information disclosure, patient privacy and patient consent. Data/Information Security, Client Privacy, Confidentiality and ethics were addressed with few strategies including fair information practices, Anonymity and Pseudo anonymity and empowering health care recipients in The National Policy on Health information. In addition, there are some general e-laws and policies related to electronic data which can be partially linked to information management in the health sector. Conclusions: Most of the available documents only briefly address security and privacy issues. However, when a legal value has been given to electronic information systems, it helps to restrict information misuse and promotes authorized use of personal health data. As there is no specific policy or acts to safeguard health information security and privacy there is an urgent requirement to develop policy documents and guidelines addressing issues like data ownership, data localization and data sharing.