4.3 Summary of the Demarcation Point of Responsibility by Exemplification

See Chapters 6, 7, and 8 for the security management of a health information system, the idea of networking for external connection, and the standards for selecting an organization to which the external storage of documents legally subject to storage can be entrusted.

(1) “Exchanging patient information” through local health care linkage

(a) Idea for Medical Institutions

① Demarcation point of responsibility for exchanging patient information between a Medical Institution sending health information and another Medical Institution receiving it through a “network provided by an information processing business operator”.

"Network provided by an information processing business operator" refers to a case in which the network channel security is ensured under the responsibility of the information processing business operator.

The sender Medical Institution and the receiver Medical Institution shall determine the demarcation point of responsibility within the network channel and agree to it in a contract, including action in case of a communication failure or incident.

Where responsibility for management is shared with an information processing business operator, the demarcation point of responsibility shall be determined within the scope of each party's own responsibility. In addition, the scope of responsibility for entrusted management, and which business operator takes primary action in case of a service problem, shall be clarified.

Even in the case of entrustment, however, the sending Medical Institution, in principle, retains operational responsibility and post-event responsibility. Where information is provided appropriately to a third party, the receiving Medical Institution, in principle, bears responsibility. Where no fault is attributable to the information processing business operator, that operator bears only partial responsibility for management.

② Demarcation point of responsibility in case of unique connection between sending and receiving Medical Institutions

"Unique connection" here refers to a case in which Medical Institutions connect 1:1 or 1:N through the network of an information processing business operator by setting up their own routers or other connection equipment, or by connecting through the telephone network or another public network.

If the receiver Medical Institution or possible receiver Medical Institution can be identified in advance, both institutions must fulfill their duty in accordance with the requirements of entrustment or third-party provision.

No responsibility for management is assigned to the information processing business operator. Apart from the responsibility for ensuring communication quality, the information processing business operator has only the general responsibility stated in the agreement between the parties.

Health information, in principle, cannot be provided by 1:N communication between sender and receiver institutions if any one of the receiver Medical Institutions cannot be identified, excluding exceptional, legally prescribed cases.

(b) Idea for information processing business operators

① Demarcation point of responsibility when health information is appropriately encrypted by the sender and decrypted by the receiver

A Medical Institution sending patient information (sender) encrypts the information with its own information system before transmission, and a Medical Institution receiving patient information (receiver) decrypts the received information with its own information system. In this case, the information processing business operator has no duty to protect personal information from tapping (eavesdropping) threats, and its responsibility is limited.

The information processing business operator is responsible for management only. Therefore, the scope of its responsibility for management against the threats of tampering, intrusion, and interference to information in the network, and for network quality such as availability, should be clarified in the contract.

For the idea of encryption and other network-related points, and for the minimum guidelines, see 6.11, "Security Management at External Exchange of Health information Including Personal Information."

② Demarcation point of responsibility when health information is encrypted appropriately at the beginning of the management range of an information processing business operator

Some information processing business operators provide an encrypted, secure network line as their main service.

If this kind of network line is used, the business operator is responsible for management against external tapping, tampering, and intrusion affecting information on its network line, and for the quality of the line, such as service availability. This responsibility should therefore be clarified in the contract.

However, the Medical Institution remains responsible for management until the information reaches the network line provided by the business operator, and for the information flowing through that network line. The idea should therefore be reviewed in accordance with (a) "Idea for Medical Institutions", ① "Demarcation point of responsibility between Medical Institutions sending and receiving health information."

For the idea of the network line and the information flowing through it, and for the minimum guidelines, see 6.11, "Security Management at External Exchange of Health information Including Personal Information."

(c) Proposal when an external storage organization is used

Since information storage is entrusted to an external storage organization, the Medical Institution has operational responsibility and post-event responsibility.

When sharing information with another Medical Institution, it is necessary to clarify the shared-responsibility for management between the institutions and obtain patients' approval for information-sharing.

With an external storage organization, action against a service problem shall be clarified in the contract.

For details about the proposals for Medical Institutions and external storage organization when Medical Institutions exchange patient information through an external storage organization, see "2. Handling of information" and "3. Provision of information" in 8.1.2, "Standards for Selecting External Information Storage Organization and Handling Information."

(2) When “accessing an information system at a medical institution from outside” as required for work

For a general overview concerning access to an information system externally through a network, see 6.11, "Security Management at External Exchange of Health information Including Personal Information," particularly B-2, "Proposal of Network Security for selection III, Connection from outside medical institution using mobile terminal." Here, the idea about the demarcation point of responsibility is explained.

(a) Teleworking - Work by accessing an information system at own institution

Recently, so-called “teleworking” is also becoming popular at Medical Institutions.

Personnel at Medical Institutions work externally by accessing information systems at their own institutions.

From the viewpoint of the demarcation of responsibility, teleworking is treated as enclosed within the institution’s own domain, because personnel of the Medical Institution are at both ends of the communication line. Note, however, that an information processing business operator lies between them.

In this case, various methods to protect personal information are necessary, because not only the Internet but also mobile phone networks and other public networks are used as communication lines.

Note in particular that even personnel who are not responsible for management at the Medical Institution may be required to take on responsibility for management.

Since teleworking is enclosed within an institution’s own facilities, the demarcation point of responsibility shall, in principle, comply with 4.1, "Manager's Responsibility of Information Protection at Medical Institutions."

(b) Remote maintenance - Access by third party for maintenance

For remote maintenance, a maintenance agent accesses the system by remote login.

Without appropriate information management or access control, health information temporarily stored on disk, including personal information, may be tampered with or read illegally. If remote login is prohibited entirely, however, remote maintenance becomes impossible and maintenance time and costs increase.

Therefore, the convenience of maintenance and the protection of information should be balanced.

However, the medical institution still has “operational responsibility” and “post-event responsibility.” Therefore, the medical institution should satisfy the responsibility for management through supervision by receiving a management report periodically and clarifying where the final responsibility lies.

For the idea of maintenance, including remote login, see 6.8, "Alteration and Maintenance of Information System."

(3) When information is “temporarily stored externally” because part of the work of a Medical Institution is entrusted

"Entrustment" here means entrusting remote image diagnosis and clinical examination to a third party for clinical purposes. Accordingly, the third party stores information, even if only temporarily.

The manager of the Medical Institution, as the entrusting party, is responsible for selecting the entrusted business operator and should manage and supervise regulations relating to the information storage period and other matters, with responsibility for management including the issuing of improvement instructions (on security, etc.).

Naturally, the entrusted business operator takes measures to prevent the leakage and tampering of stored information. However, it is also necessary to determine, and state clearly upon mutual consultation, the handling method and storage period of sensitive information such as infection information and genetic information.

When health information is provided externally for research rather than for the entrusted work described above, it is necessary to agree in advance with the requester on mutual responsibility and on the handling of the information.

(4) When legally stipulated

When non-encrypted health information is transmitted to an information processing business operator under special legally stipulated circumstances, the information processing business operator or network should take measures against tapping threats.

Therefore, a Medical Institution that bears responsibility for managing the said health information on the communication channel must clarify the responsibility for managing that health information with the information processing business operator.

To entrust part or all of the responsibility for management to an information processing business operator, a contract of entrustment concerning personal information must be concluded and managed appropriately with each business operator.

4.4 Demarcation Point of Responsibility in Technical and Operational Remedies