
DEPARTMENT OF HEALTH

DEPARTMENT OF SCIENCE AND TECHNOLOGY


PHILIPPINE HEALTH INSURANCE CORPORATION

IMPLEMENTING RULES AND REGULATIONS OF JOINT
ADMINISTRATIVE ORDER NO. 2016-0002 PRIVACY GUIDELINES
FOR THE IMPLEMENTATION OF THE PHILIPPINE HEALTH
INFORMATION EXCHANGE

WHEREAS, Joint Administrative Order No. 2016-0002 entitled PRIVACY
GUIDELINES FOR THE IMPLEMENTATION OF THE PHILIPPINE HEALTH
INFORMATION EXCHANGE was approved on January 20, 2016 and took
effect on _____, _____ days after its complete publication in a major newspaper of
national circulation in the Philippines.

NOW THEREFORE, the following rules and regulations are hereby promulgated:

CHAPTER I
GENERAL PROVISIONS

RULE I
PRELIMINARY PROVISIONS

Section 1. Introduction. As a mandate of the Constitution to provide quality health
care to the Filipino people while protecting and promoting the right to privacy, the
Department of Health (DOH), in cooperation with the Department of Science and
Technology (DOST), the Philippine Health Insurance Corporation (PhilHealth), the
University of the Philippines-Manila (UPM), and the Commission on Higher
Education (CHED), established the National eHealth Program (NeHP), which
envisions widespread information technology (IT)-enabled health care services by
2020.

Guided by the Philippine eHealth Strategic Framework and Plan, one of the
identified eHealth projects is the implementation of the Philippine Health
Information Exchange (PHIE). The PHIE is the first major collaborative and
convergence endeavor of the Health Cluster, and the initial step towards the
realization of the National eHealth vision.

The PHIE will enable electronic transmission of healthcare-related data among
facilities, health providers, health information organizations and government
agencies, according to national standards. It will allow different applications to
exchange data with each other without loss of semantics, allowing health
facilities, in particular rural health units, health centers, hospitals, the DOH and
PhilHealth, to communicate with each other effectively and collaborate in the care
of patients. The development and implementation of the PHIE will enable a
patient's medical or health information to follow the patient wherever health care
services are provided within a set of standards. Health care providers will be able
to securely share or exchange patients' medical or health information to improve
health care delivery and decision making.

To ensure that the privacy of the public is well protected during the
implementation and operation of the PHIE, DOH-DOST-PhilHealth Joint
Administrative Order No. 2016-0002 was issued. Consequently, these
Implementing Rules and Regulations (IRR), hereinafter called the IRR, are
promulgated pursuant to the aforementioned issuance.

Section 2. Title. These Rules shall be known and cited as the Implementing Rules
and Regulations of Joint Administrative Order No. 2016-0002, otherwise known
as the Privacy Guidelines for the Implementation of the Philippine Health
Information Exchange.

Section 2. Purpose. These Rules are hereby promulgated to prescribe the
procedures and guidelines for the implementation of the Privacy Guidelines for the
Implementation of the Philippine Health Information Exchange in order to provide
greater conceptual and operational clarity, establish standards in safeguarding the
privacy of individually identifiable health information, and facilitate rigorous
compliance with the requirements for the use and disclosure of protected health
information.

Section 3. Declaration of Principles. These rules complement the following
issuances, resolutions or provisions:

Primacy of human rights. The Constitution declares that the State values the
dignity of every person and guarantees full respect for human rights. Health has
long been affirmed as a fundamental human right recognized universally. The right
to privacy is also an important human right guaranteed by the Constitution, and
further expounded in the Data Privacy Act of 2012.

Vital role of communication and information technology in nation-building. The
rules complement the Philippine Digital Strategy 2011-2016, which provides for
the national strategy to harness the potential and power of information and
communications technology to support the attainment of the government's
obligations to the Filipino people, and the Philippine Development Plan 2011-2016,
which intends to prepare the country to take advantage of opportunities in a
digital economy and knowledge societies.

Improvement of health information systems for public health. The Philippines
adopts the generally accepted principles of international law as part of the law of
the land. The country is a signatory to a number of global agreements such as the
Millennium Development Goals, the Geneva Declaration on the World Summit on the
Information Society, and the 58th World Health Assembly, wherein the Philippines
has pledged to meet specific commitments. These include the adoption of
information and communication technology to improve and extend health care and
health information systems for public health purposes, and the mobilization of
multi-sectoral collaboration to develop an overall national eHealth strategy for the
implementation of eHealth and health data standards.

Achievement of better health outcomes. These rules support the 2011-2016
National Objective for Health and related regulations to utilize ICTs to provide
better health services to Geographically Isolated and Disadvantaged Areas, support
attainment of the Millennium Development Goals, and contribute to the goal of
universal healthcare.

Protection of Health Information Privacy. These rules adopt the principles of
transparency, legitimate purpose and proportionality contained in the Data Privacy
Act of 2012 for the processing of health information and acknowledge the need to
implement security measures for data protection. They adhere to the duty of
maintaining confidentiality of patients' medical records and health information as
provided by the law, the Rules of Court, and the Codes of Ethics adopted by the
different healthcare providers.

Section 4. Scope of Application. These rules shall apply to the Philippine Health
Information Exchange system, Health Care Providers, and any natural or juridical
person involved in the processing of health information within the PHIE
framework.

These rules shall also apply to patients who have given consent to participate in the
PHIE and who have allowed sharing of personal health information among
participating health care providers for purposes of treatment and care coordination.

Section 5. Definition of Terms. (See Annex 2.0)

CHAPTER II
SPECIFIC GUIDELINES

RULE II
COLLECTION AND PROCESSING OF HEALTH INFORMATION

Section 1. The consent form. A separate, standard consent form for the PHIE entitled
Consent for Participation to PHIE shall be developed by health facilities. The
consent form must be clear, simple, and have a local translation which the patient
can understand. Its contents shall include an opt-out clause, a list of the
information to be gathered for the shared purpose, the date and time the consent was
given, the contact number of the patient or legal representative, and a provision
stating that the patient's identity will be protected. Upon obtaining consent, the
patient shall affix his/her printed name below the Patient Admission Form. If
consent is denied, a refusal form shall be provided.

The consent form shall take into account the decision of the deceased patient's
family members regarding organ donation.

Section 2. Manner of Obtaining Consent. The consent procedure must adequately
inform patients about the choices they have and the consequences of their choices.
The procedure must be conducted in a manner that ensures that consent is entirely
voluntary.

For patients who are physically or mentally incapable of giving consent. Persons
authorized to sign the consent on their behalf are:

a.) Immediate relatives within the 3rd degree of consanguinity;
b.) Cohabitant partner for a minimum of 1 year;
c.) Persons with special power of attorney.

For unconscious and minor patients. Consent shall be given either by the parents,
spouse (if married), descendant, ascendant, and/or guardian. The family's decision
may also be obtained by the physician.

For unconscious patients with no relative upon admission. The attending physician
may decide on behalf of the patient.

In emergency situations. The patient's significant others can sign the consent;
however, the consent for sharing information in the PHIE shall not be covered by
the signed consent.

Section 3. Point of Consent Collection. Consent for the PHIE shall be obtained
upon admission but if the patient does not give consent upon admission or is in an
emergency case, efforts should be made to obtain consent upon discharge. To
avoid missing consent, a system shall be developed to indicate completion of
consent taking.
Viable occasions to obtain consent:
a. Admission,
b. Admitting Order,
c. Discharge.

Section 4. Exemptions for Consent. For national security purposes, the following
situations do not need consent for information to be processed in the PHIE:
a. Emerging diseases identified in R.A. 3573;

Section 5. Persons to Obtain Consent. A designated staff member, not necessarily a
doctor, shall obtain the consent for the PHIE.

Section 6. Validity of Consent. For consent to be considered valid, it must contain
all of these 5 elements:

a) Disclosure - the consenter has the information needed to make an
autonomous decision;
b) Capacity or Competence - the consenter's ability to understand the
information and to make judgments about the potential consequences of
his or her decision;
c) Understanding or Comprehension - the consenter's comprehension of
the information provided;
d) Voluntariness - the consenter's right to make a decision freely without
external pressure or coercion;
e) Consent or Decision - the consenter's authorization for the PHIE.

A thumb mark may be accepted when the consenting patient is incapable of
imprinting his or her signature, but it must be witnessed by a person of legal age.

Duration of Validity. Health care providers shall comply with the medical records
requirements electronically: for OPD, 5 years; for in-patient, 10 to 15 years; for
medico-legal cases, lifetime.

Section 7. Provisions on revoking or reinstating consent. A valid court order shall
prevail over written consent.

Unconscious and minor patients. When the patient becomes able (becomes conscious
and is of legal age), he or she may revoke the consent previously given by his or her
authorized representative.

Section 8. Point of Collection of Information. Collection of information shall start
at the time of registration in the health facility. This shall be done in the
Admitting/Registration section, and subsequent information shall be provided at the
different points of care undergone by the patient.

The Privacy Officer (or a duly authorized representative) shall be responsible for
the orientation of the patients regarding PHIE implementation and validation of
patient information.

If the hospital does not have an Electronic Medical Record in place, encoding and
processing of patient information will be through the medical records section or
hospital information management section. If they have an electronic medical
record or a Hospital Information System, encoding and processing shall begin at
the service transactions covered by the Hospital Information System.

Section 9. Identification of Patient. A national system of unique patient identifiers
shall be identified. The lack of one poses difficult challenges for the PHIE. A
non-unique, out-of-date, or incorrect identifier can cause 2 types of errors:
1. False Negative - failure to find a patient's information when it in fact exists.
2. False Positive - finding information that is not, in fact, for the patient.

Point of de-identification. De-identification shall be done at the level of the
Primary Health Care Provider. The Primary Health Care Provider shall transmit
information from patients' records to the PHIE as a shared health record or as part
of the PHIE's data warehouse. If the patient consents, the patient's health record
may be processed in the PHIE without the need for de-identification. If the patient
does not consent, the patient's health information shall be de-identified, containing
only the information necessary for immediate statistical reference.

Only de-identified health information shall be stored in the PHIE Data Warehouse.
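The routing rule above, as an added example that is not part of the IRR or of any PHIE software: every data-warehouse payload goes through de-identification, and an identified record reaches the shared health record only when consent is on file. The field names, the set of fields kept for statistical reference, and the sample patient are constructed assumptions.

```python
# Added example (not from the IRR or any PHIE software): routing a patient
# record per Rule II, Section 9. Field names, the statistical field set and
# the sample patient are assumptions.
from datetime import date

# Direct identifiers that must never reach the PHIE Data Warehouse.
DIRECT_IDENTIFIERS = frozenset(
    {"patient_id", "name", "address", "contact_number", "birth_date"})
AS_OF = date(2016, 3, 14)   # reference date for the constructed sample


def age_band(birth_date: date, as_of: date) -> str:
    """Report a 10-year age band instead of an exact birth date."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def de_identify(record: dict, as_of: date = AS_OF) -> dict:
    """Keep only what immediate statistical reference needs; generalise the rest."""
    return {
        "age_band": age_band(record["birth_date"], as_of),
        "sex": record["sex"],
        "municipality": record["municipality"],      # coarse location, no street address
        "diagnosis_code": record["diagnosis_code"],
        "encounter_month": record["encounter_date"].strftime("%Y-%m"),
    }


def prepare_for_phie(record: dict, consent: bool, destination: str,
                     as_of: date = AS_OF) -> dict:
    """Section 9: the data warehouse only ever receives de-identified data;
    the shared health record may carry the identified record with consent."""
    if destination == "data_warehouse":
        return de_identify(record, as_of)
    if destination == "shared_health_record":
        return dict(record) if consent else de_identify(record, as_of)
    raise ValueError(f"unknown PHIE destination: {destination!r}")


def has_direct_identifier(payload: dict) -> bool:
    """Final check before a payload is transmitted to the warehouse."""
    return bool(DIRECT_IDENTIFIERS.intersection(payload))


# Constructed sample record (fictitious patient).
SAMPLE = {
    "patient_id": "PHIE-TEST-0001",
    "name": "Juan dela Cruz",
    "address": "12 Sample St., Barangay Uno",
    "contact_number": "0900-000-0000",
    "birth_date": date(1978, 7, 2),
    "sex": "M",
    "municipality": "Sample City",
    "diagnosis_code": "A01.0",
    "encounter_date": date(2016, 3, 10),
}
```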

Section 10. Authorized personnel to collect data. Data collection and processing
shall be done by a permanent employee of the health facility, who shall ensure that
good clinical practice guidelines are observed when changing data:
Original entry must be visible.
Change must be dated and countersigned.
Reason for the change/s must be entered or specified.
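An added example (not from the IRR) of a record store that enforces the three change rules: the original entry is never overwritten, each change carries a date and a countersignature, and a change without a reason or without a second signatory is rejected. Field and staff names are assumed.

```python
# Added example (not from the IRR): an append-only patient record that enforces
# the three change rules in Rule II, Section 10. Field and staff names are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Amendment:
    field: str
    old_value: object
    new_value: object
    reason: str              # reason for the change must be specified
    changed_by: str
    countersigned_by: str    # change must be countersigned
    changed_at: datetime     # change must be dated


class AuditedRecord:
    """Entries are never overwritten: every change is appended as an Amendment,
    so the original entry stays visible alongside the current value."""

    def __init__(self, original: dict):
        self._original = dict(original)
        self._amendments = []

    def amend(self, field, new_value, *, reason, changed_by, countersigned_by,
              changed_at=None) -> Amendment:
        if not reason or not reason.strip():
            raise ValueError("reason for the change must be entered")
        if not countersigned_by or countersigned_by == changed_by:
            raise ValueError("change must be countersigned by a second person")
        amendment = Amendment(field, self.current().get(field), new_value,
                              reason.strip(), changed_by, countersigned_by,
                              changed_at or datetime.now(timezone.utc))
        self._amendments.append(amendment)
        return amendment

    def original(self) -> dict:
        return dict(self._original)

    def current(self) -> dict:
        state = dict(self._original)
        for a in self._amendments:
            state[a.field] = a.new_value
        return state

    def history(self, field) -> list:
        return [a for a in self._amendments if a.field == field]

    def audit_trail(self) -> list:
        """One line per change, in the form an auditor would review."""
        return [f"{a.changed_at.isoformat()} {a.field}: {a.old_value!r} -> "
                f"{a.new_value!r} by {a.changed_by}, countersigned "
                f"{a.countersigned_by}; reason: {a.reason}"
                for a in self._amendments]


def change_accepted(record: AuditedRecord, field, new_value, **kwargs) -> bool:
    """True if the record accepts the change, False if it is rejected."""
    try:
        record.amend(field, new_value, **kwargs)
        return True
    except ValueError:
        return False
```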

Insofar as practicable, the medical social worker or some equivalent personnel
shall collect information, especially on salient points such as family information,
socio-economic profile, and other vital data.

Section 11. Reportorial Requirements. In compliance with Act No. 3573,
otherwise known as the Law on Reporting of Communicable Diseases, all notifiable
diseases/syndromes/events and conditions shall be immediately collected and
reported to the local and national health authorities.

Section 10. Information to be Shared. Health facilities shall share health
information exclusively for continuity of medical services.

Section 11. Filing and Storage. All information collected at different levels of
care shall be integrated into a common file. An electronic archiving system shall be
developed for the storage of electronic data.

RULE III
ACCESS OF HEALTH INFORMATION

Section 1. Access of Primary and Secondary Health Care Providers and Health
Facilities. Health facilities shall clearly define access rights and user roles of staff
to ensure that only appropriate people have access to the minimum necessary
protected health information. The Health Facility shall create policies and
procedures to specify the groups and positions that need to access health
information to perform their job responsibilities, as well as the type of health
information to which they need access. The Chief of the Health Facility shall issue a
memorandum containing the list of names and information stated in the preceding
statement, and a copy shall be furnished to the DOH central office.

Upon patient consent, only the attending physician shall have access to the
patient's information, and read-only access shall be given to secondary healthcare
providers.

Accessible information for secondary healthcare providers shall be the following:

a. History of past illness;
b. Family history of illness;
c. History of present illness;
d. Allergies;
e. Adverse effects of medications given;
f. Treatment outcome (final diagnoses shall be included, whether clinical or
confirmed);
g. Laboratory and diagnostic procedures;
h. Any information approved by the patient for viewing.

Approval of Access. The head of the section or unit (medical director, chief nurse)
shall approve the creation of user credentials for personnel that shall have access to
the hospital information system. The head of the facility shall approve the system
access request.
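An added example, not part of the IRR or of any PHIE implementation, of the access rule in this Section: the attending physician gets the full record, a secondary healthcare provider gets a read-only view limited to items a. to h., nothing is disclosed without consent, and each disclosure is logged. Field names and role names are assumptions.

```python
# Added example (not from the IRR or any PHIE software): role-based views of a
# patient record per Rule III, Section 1. Field and role names are assumptions.
from types import MappingProxyType

# Items a. to g. of Section 1; item h. (patient-approved fields) is passed per call.
SECONDARY_PROVIDER_FIELDS = frozenset({
    "history_of_past_illness", "family_history_of_illness",
    "history_of_present_illness", "allergies",
    "adverse_effects_of_medications", "treatment_outcome",
    "laboratory_and_diagnostic_procedures",
})

ACCESS_LOG = []  # every disclosure is documented (Rule III, Section 2)


def record_view(record: dict, requester: str, role: str, *, consent: bool,
                approved_fields=frozenset()):
    """Return the part of `record` that `requester` may see.

    - no consent on file: nothing is disclosed;
    - attending physician: the full, writable record;
    - secondary provider: a read-only view of the listed fields plus any
      the patient approved for viewing.
    """
    if not consent:
        raise PermissionError("patient has not consented to PHIE sharing")
    if role == "attending_physician":
        view = record
    elif role == "secondary_provider":
        allowed = SECONDARY_PROVIDER_FIELDS | frozenset(approved_fields)
        view = MappingProxyType({k: v for k, v in record.items() if k in allowed})
    else:
        raise PermissionError(f"role {role!r} has no access to patient records")
    ACCESS_LOG.append({"requester": requester, "role": role,
                       "fields_disclosed": sorted(view)})
    return view


def is_read_only(view) -> bool:
    """True if the view rejects writes (the secondary-provider path)."""
    try:
        view["__probe__"] = None
    except TypeError:
        return True
    del view["__probe__"]
    return False


def disclosure_allowed(record, requester, role, *, consent) -> bool:
    """True if record_view would disclose anything for this request."""
    try:
        record_view(record, requester, role, consent=consent)
        return True
    except PermissionError:
        return False


# Constructed sample record (fictitious patient).
SAMPLE = {
    "name": "Juan dela Cruz",
    "contact_number": "0900-000-0000",
    "history_of_past_illness": "asthma",
    "allergies": "penicillin",
    "treatment_outcome": "recovered; final diagnosis: community-acquired pneumonia",
    "psychiatric_notes": "confidential",
}
```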

Section 2. Access of User/Patient. Consenting patients shall have rights to access,
view, request amendments to, and request restrictions over how their health
information is used. The health facility shall ensure that disclosures and any
subsequent changes are documented.

Patients who gave consent for their information to be processed in the PHIE shall have
the preference to choose which portal provider to use and shall have access to their
own record even if their doctors are not yet enrolled in the PHIE.

For a child. Under joint parental authority, either parent, or the legal guardian if one has
been appointed, shall have access to the child's health information. If the parents are
separated, the one granted legal custody, or the legal guardian if one has been appointed
by the court, will have the right to access.

Section 3. Access of Third Party. A third party, in relation to personal data,
means any person other than:

a) the data subject,
b) the data controller, or
c) any data processor or other person authorized to process data for the data
controller or processor.

Patients' medical records shall not be accessible for case study purposes.

Section 4. Authorization to Access Information. Authorization must be written in
plain language, and must contain specific information such as:
a) A description of the health information to be used and disclosed;
b) The name of the person to whom the health care provider may disclose the
health information;
c) An expiration date;
d) The purpose for which the health information may be used or disclosed.

A protocol on how to identify persons authorized to access patient information
shall be made.

In cases when the person requesting for information is incapacitated, special power
of attorney shall be allowed.

RULE IV
USE AND DISCLOSURE OF HEALTH INFORMATION

Section 1. A formal procedure to authorize disclosure of personal health
information shall be developed by health facilities.

Use and disclosure of health information shall only be to the extent of the consent
given by the patient and for the following purposes:

a) For planning of quality services;
b) Department of Health reporting, intervention and disease prevention;
c) Continuing care to patients;
d) Requirements and reporting for communicable and notifiable diseases as
well as those with serious health and safety threat to the public such as, but
not limited to:
a. Meningitis
b. Food Poisoning (mass)
c. Breakthrough epidemic of contagious disease
d. Biological or chemical warfare
e. Anthrax
f. Emerging and re-emerging diseases
g. Ebola
e) Reporting of serious and less serious physical injury;
f) Reporting of maltreated or abused child to proper authorities;
g) Mandatory reporting required by licensing and accreditation bodies (DOH,
PhilHealth, etc.)

Deceased Individuals. Disclosure of health information of a deceased individual
shall be to the authorized legal representative.

Section 2. Privileged Communication. Both patient and physician must provide
consent for the use and disclosure of patient information; otherwise, the information
shall not be released.

The Primary Health Care Provider has the authority to disclose information upon
patient request for his legitimate personal use such as release of insurance or HMO
required medical record provided that there is a clear agreement/contract made
between the HMO and the patient.

For U.S. war veteran patients. They should come with a signed consent in order to
release their medical records.

Section 3. Information disclosed after discharge. The following information may
be disclosed after the patient's discharge from the health facility:
a) Clinical abstract;
b) Laboratory results;
c) Doctor's orders;
d) Discharge summary.

Section 4. Legal Authorities and/or Government Agencies. Before a disclosure is
made to any other government agency, there must be a court order. It is only in
cases of emergency, such as that provided in Sec. 15 of the privacy guidelines,
where disclosure can be done without a court order. These would be situations where
time is of the essence, such as:
1. For a PNP subpoena, obtain the consent of the patient before death; otherwise,
consent should be obtained from the next of kin.
2. For medical or financial assistance requesting abstracts or similar documents,
the authorization of the patient is required.

Without a court order, release of information shall be pursuant to hospital policy;
otherwise, patient records shall not be released or disclosed.

When personal health information is released to legal authority, a cover letter shall
be sent containing information reminding the recipient that the information
contained is personal health information and must be handled in a confidential
manner. A receiving copy shall be maintained by the health facility for record
purposes.

Section 4. Third Party Use and Disclosure. Third party providers shall not
disclose health information other than as provided by contract with the PHCP or as
required by law. They shall also agree to use appropriate safeguards to prevent use
and disclosure of the health information other than as provided by contract with the
primary health care provider or as required by law.

Third party providers shall report to the primary health care provider any use or
disclosure of health information not provided for by the agreement of which it
becomes aware, including breaches of unsecured health information, and any
security incident of which it becomes aware.

Research. All research protocols pertaining to patient condition shall pass through
strict review by the Institutional Review Board to safeguard patient information.
Protocols for requesting and accessing aggregate and de-identified information for
research, both public and private, shall be clearly defined.

Training Hospitals and Licensure Purposes. Guidelines for retrieval of information
for purposes of PRC requirements shall be made.

A non-disclosure clause shall be included in the contracts of schools with
affiliations to a health facility.

CHAPTER III
DATA SECURITY

RULE V
ADMINISTRATIVE SECURITY

Section 1. Policies and Procedures. Privacy and security policies must be
documented, maintained and updated as appropriate, and retained for at least 6
years.

A regular privacy and security audit shall be done by health facilities.

Manuals and guidelines. Information security manuals and training-related
guidelines for capacity building shall be made by health facilities. They shall also
provide a quality management system to put in place all processes, workflows and
the like in relation to the implementation of the PHIE.

Employment and Contracts. A privacy-related clause, an information security clause and
emphasis on the ownership of data shall be embedded in the contracts of third party
providers and job order personnel.

A formal process for ending a person's employment or a user's access shall be
formulated so that inappropriate access to health information does not occur.

An assessment of the applicant's personal information shall be done to determine if
the person has the capacity to perform the functions being applied for. Once it is
determined that the applicant is highly emotionally unstable, he/she shall not be put
in a position requiring a great deal of reliability and consistency.

Upon assignment, the said employee shall sign a non-disclosure agreement. Non-allied
health staff shall also sign a non-disclosure agreement upon employment.

Other than personality assessment, other possible conditions for hiring employees
may include background information, past criminal record, if any, past
administrative record, if any, background checks on prior employers, review of
prior incidents, especially those which may involve issues on honesty and moral
turpitude. This is also in line with ISO 27002 (17799), Sec. 8.1.2.

An orientation regarding privacy and security policies shall be done for all
employees in the health facility with great emphasis to the information security
personnel.

Contract with third-party providers. Contracts/agreements between the health care
provider and the third party shall include:

a) Policies for document storage and disposal;
b) Data management processes, including methods for tracking and controlling
records, such as dates and time stamps, as well as the type of data sent and
received, and the individuals who have access to records;
c) Description of the vendor's privacy and security programs;
d) Description of output reporting, either electronically or in hard copy, so that data
can be reviewed, monitored and reconciled;
e) Periodic staff training in secure records handling, and provision of
appropriate document management tools;
f) Staff responsibilities for ensuring compliance and allocation of sufficient job
time to the task;
g) Right-to-audit clauses; and
h) Communication requirements regarding control deficiencies identified
through internal or external sources.

Authorization and Document Retention. For identification and authorization
purposes, the authorizing entity shall provide any of the following for
identification:
a) Biometrics
b) Specimen signature
c) E-signature

The document retention policy issued by the National Archives of the Philippines
shall be followed. For archiving purposes, the health facility can either have an
internal archiving system or outsource an archiving specialist.

Section 2. Health Information Security Committee. A Health Information
Security Committee shall be organized rather than a single security officer. The
team shall include the Medical Records Officer, Medical Director, Nurse, Division
heads of front liners, Finance Officer and Legal Officer. Their main role is to
ensure that health information is made secure. Membership and roles of the
committee shall vary for other health facilities. Hospitals, Local Government Units and
Municipal Health Centers shall create their own health information security committee.

Roles and responsibilities of the Health Information Security Committee:

a) Policy making on health information security;
b) Procedures on disclosure of health information;
c) Management of incident reports, including attempts on the disclosure of
health information;
d) Validation of security officer rules;
e) Enforcement of sanctions on violations.

Security Department. The health facility shall have its own security department,
which would cover the management of security guards. The head of the security
department shall be part of the quality committee and will have access to records
for tracing purposes.

Section 3. The Information Technology Personnel. The IT personnel shall be the
custodians of security videos and must adhere to the policy on confidentiality of medical
records. They shall be the ones to perform system-related functions such as, but not
limited to, troubleshooting.

Section 4. The Medical Records Officer. The Medical Records Officer shall be the
one to have access to patients data. He/she has the authority to audit the patient
record from time to time in order to determine the integrity of the patient record.

Section 5. Chief Privacy Officer, PHIE Compliance Officer, Management
Information Systems Officer. A Privacy Officer, PHIE Compliance Officer and
Management Information Systems Officer shall be assigned per health facility. The
Chief Privacy Officer shall be the head of the facility or as may be assigned by the
head.

Duties and Responsibilities of the Privacy Officer, PHIE Compliance Officer,
Management Information Systems Officer:
a) Formulate a workflow on the process of accessing health information for
standard implementation.
b) Monitor, account for and register devices used in the health facility.
c) Perform system or quality data checks, compliance on the reporting form and
safekeeping of back-up data.
d) Delegate data collection to staff, but ensure that the data collected are
correct. The sole responsibility for encoding is on the appointed
individual/unit.
e) The privacy officer shall regularly audit the quality and integrity of patient
records.

Qualifications:
a) A graduate of Master of Science in Health Informatics.
b) With an IT, medical or clinical background.
c) With training certifications on the security aspect of the PHIE.

RULE VI
PHYSICAL SECURITY

Section 1. Computer Access. A pre-deployment site assessment shall be conducted,
and computers to be installed shall be non-portable and fixed in one place.
Computers shall be accessible to authorized personnel only, and role-based system
access shall be implemented. Each user shall have one account only. Multiple
accounts per user are not allowed. A person requesting access to a computer
shall fill out a request form.

Anti-glare filters on computer monitors shall be installed. This will not only help
reduce glare, but also prevent anyone from seeing what is on the screen unless
directly in front of the computer.

Applications. Only applications for the hospital information system shall be
installed in the computer system. Other applications, most especially social media
applications, are strictly not allowed.

Computer loss. In case of computer loss, the accounts in the computer system shall
be reset and deactivated until it is retrieved or reported.

Section 2. Servers. The health facility shall provide a designated area for the
housing of servers/data centers. It shall be a separate area from the data collection
and processing areas as well as from the IT office. The server room shall be marked as
Restricted and shall only be accessible to authorized personnel. If the health
facility cannot allot a space for the server room, at the minimum, a data cabinet
shall be installed.

Smaller health facilities or clinics may use cloud computing, while bigger
facilities use servers.

IT Room. The IT room shall only be accessible to authorized personnel and to
personnel involved during quality assurance monitoring. A designated IT
personnel shall be tasked to handle the servers.

Section 3. Other Devices. Facility-registered electronic devices shall not be brought
outside the hospital premises except under circumstances such as disasters and
vaccinations. USB devices shall be limited to office use and, as far as practicable,
shall not be used.

Mobile devices used for job responsibilities are subject to audits even if an
employee owns it.

Capturing of patient data using camera phones and bringing of electronic devices
such as cellular phones, laptops, tablets, and cameras inside the medical records
area is strictly not allowed.

RULE VII
TECHNICAL SAFEGUARDS

Section 1. Access Controls. Standard user IDs shall be given to each staff member whose
work entails the need to access or process health information. There shall be a
three-way process for authentication of users:
Something they know (password);
Something they have (secure token);
Something they are (biometrics).

Multi-factor authentication shall be implemented, especially for administrative and
supervisory accounts.

Passwords. Passwords shall have the following characteristics: a minimum of eight
(8) characters in length, and containing an upper case, a lower case and a special character.

The last user ID that logged in must not be displayed on the log-in screen. There
shall be an automatic screen or keyboard locking after 5 minutes of inactivity.

Leave of Absence. User IDs of employees or staff who are on extended leave of
absence shall be disabled until they return for work.

Section 2. Data Protection. Data on many computer devices can be damaged by
being moved, knocked or even when turned off. If there is a hard disk, the heads on
the drive should be parked before moving the system to avoid destroying stored
information.

Due to the different variations of computers and types of
connections, it is important to seize all the different cables and chargers for the
seized equipment.

Anti-virus. Anti-virus software must be loaded on every computer possible. The
software needs to be configured to regularly and automatically download updates for
the latest threats.

Data back-up. Complete back-ups of the system shall be done periodically, once a
month or every few months. Back-up data tapes shall not be stored near a computer
monitor or uninterruptible power supply; the electromagnetic interference coming
from these devices can corrupt the data on them or completely delete it.

Section 3. Configuration management. It is important to document how the
computer system is organized, to know when and how to disconnect additional
pieces of equipment such as telephone modems, auto-dialers, and printers from the
system. Otherwise, important information can be lost.

There shall be regular monitoring and maintenance of the databases and networks of
health facilities, to be conducted by the Database and Network administrator of the
PHIE group.

Section 4. Cloud Services. For cloud service providers, appropriate audit
mechanisms and tools should be in place to determine how data is stored, protected,
and used, to validate services and to verify policy enforcement. A risk management
program should also be in place that is flexible enough to deal with the
continuously evolving and shifting risk landscape.

The cloud provider's electronic discovery capabilities and processes must not
compromise the privacy or security of the data and applications of the health
facility.

Health facilities shall ensure that they have knowledge of a cloud provider's
security measures in order to conduct risk management.

Health facilities should understand the privacy and security controls of the cloud
service, establish adequate arrangements in the service agreement (making any
needed adjustments), and monitor the compliance of the service's controls with the
terms of the agreement.

Adequate and secure network communications infrastructure shall be in place.

Contract between health facility and cloud provider. The health care facility's
ownership rights over the data must be firmly established in the service contract to
provide the basis for trust and privacy of data. In so far as practicable, the contract
between the health care facility and the cloud service provider should state clearly
that:

a) the health facility retains ownership over all its data;
b) the cloud provider acquires no rights or licenses through the agreement,
including intellectual property rights or licenses, to use the health facility's
data for its own purposes;
c) the cloud provider does not acquire and may not claim any interest (including
a security interest) in the data.

Service agreements should include some means for the health facility to gain
visibility into the security controls and processes employed by the cloud provider
and their performance over time. Ideally, the health facility will have control over
aspects of the means of visibility to accommodate its needs, such as the threshold
for alerts and notifications, and the level of detail and schedule of reports.

Contracts/agreements shall clarify the types of metadata collected by the cloud
provider, the protection afforded the metadata, and the organization's rights over
metadata, including ownership, opting out of collection or distribution and fair use.

Health care providers must understand the technologies the cloud provider uses to
provision services and the implications the technical controls involved have on
security and privacy of the system throughout its lifecycle. The underlying system
architecture of a cloud can be decomposed and mapped to a framework of security
and privacy controls that can be used to assess and manage risk.

Composite Services. Cloud services that use third-party providers to outsource or
subcontract some of their services should specify the scope of control of the third
party, the responsibilities involved, and the remedies and recourse available should
problems occur.

RULE VIII
USE OF SOCIAL MEDIA

Section 1. Administrative Responsibilities. In so far as practicable, the social media
activity of all physicians, employees and other health facility staff, including
students or residents in training, who are practicing their profession, working or
fulfilling academic and clinical requirements within the health facility, whether
temporary or permanent, shall be monitored by health facilities to check for privacy
breaches.

An individual who witnesses unprofessional behavior or misinformation in social
media, or sees social media activity that violates patient privacy or the privacy of
other individuals, shall report the same to the supervisory or regulatory authorities
within the facility.

Section 2. Responsible Social Media Use. Health care professionals shall always
be mindful of their duties to the patient and community, their profession and their
colleagues, and shall take into account that content, once posted, can be
disseminated to others.

Health care professionals shall always be conscious of their online image and
how it affects their profession, or the institution where they are professionally
employed, affiliated or otherwise connected.

Health care professionals must ensure that their social media activity violates no
law, including copyright, libel and cybercrime laws. At all times, the individual
shall respect the privacy of others.

The health care professional shall practice due diligence in keeping his or her social
media accounts safe, such as through regular password changes and logging out
after social media use.

Information posted online shall be beneficial to the Filipino people. Health care
professionals shall refrain from any activity which spreads or tends to spread
misinformation.

Information that will compromise patient confidentiality and privacy shall not be
posted online. This includes comments in which patients are described in sufficient
detail to be identified, or in which patients are referred to in a degrading or
demeaning manner.

The individual shall be careful in posting or publishing his or her opinion and shall
ensure that such opinion will not propagate misinformation or constitute a
misrepresentation. The individual shall not make any misrepresentations in his or
her social media activity relating to content, his or her employment or credentials,
and any other information that may be misconstrued or taken out of context.

Section 3. Health Education and Promotion. The individual using social media
for health information and/or promotion must be well-informed of the matter
subject of the social media post, comment or other activity. The individual shall
refrain from any activity which spreads or tends to spread misinformation.

Social media shall not be used to dispense specific medical diagnosis, advice,
treatment or projection but shall consist of general opinions only. Use of social
media should include statements that a person should not rely on the advice given
online, and that medical concerns are best addressed in the appropriate setting.

An article written by an individual and posted in social media must be evidence-based
and must disclose connections with pharmaceutical or health product companies or
other sources of possible conflict of interest.
The health care professional shall be careful in posting or publishing his or her
opinion and shall ensure that such opinion will not propagate misinformation or
constitute misrepresentation.

Section 4. Professionalism. A health care professional shall strive to develop,
support and maintain a privacy culture in the health facility. He or she shall abide
by the social media use policy of the institution.

Health care professionals are discouraged from using a single account for both
professional and private use.

Health care professionals shall conduct themselves in social media or online
the same way that they would in public, mindful of acting in a manner befitting
their profession, or that would inspire trust in the service they provide,
especially if the individual has not separated his or her professional and personal
accounts in social media.

Health care professionals shall refrain from using the name, logo, or other symbol
of an institution without proper authority in their social media activity. An
individual shall not identify himself or herself as a representative of an institution
in social media without being authorized to do so.

A health care professional shall not use copyrighted materials other than for fair
use where there is proper citation of source and author.

Health care professionals shall refrain from posting, sharing, or using photos or
videos taken within the facility which would give the impression of
unprofessionalism, show parts of the health facility where there is an expectation
of privacy, or include colleagues, employees, other health facility staff, or patients
without their consent.

Health care professionals shall maintain a professional boundary with patients.
Online contact with patients or former patients blurs the distinction between a
professional and a personal relationship; health care professionals must therefore
refrain from adding patients to their personal social networking sites, unless there
is justification to do so.
A health care professional is prohibited from:

1.) Social media activities that defame, harass, stalk or bully another
person or institution.
2.) The use or access of personal social media accounts of others without
authority.
3.) Posting, sharing or otherwise using any information intended to be
private or obtained through access to electronic data messages or
documents.
4.) Posting, sharing or otherwise using recorded conversations between
doctor, individuals or patients, when such recording, whether audio
or video was obtained without consent of all parties to the
conversation.

A health care professional may like a defamatory post but he or she must use
caution when sharing, retweeting, or contributing anything that might be construed
as a new defamatory statement.

A post, comment, or other social media activity is considered defamatory if:

1.) The activity imputes a discreditable act or condition to another;
2.) The activity is viewed or seen by any other person;
3.) The person or institution defamed is identified or readily identifiable;
4.) There is malice or intent to damage the reputation of another.

Disclosing identifiable information or personal health information about a patient,
including taking selfies, groufies, or videos during encounters with patients that
include patients' body parts or surgical specimens, or that show patients in the
background without their consent, or any information that will compromise
patients' dignity and privacy, shall not be posted, shared or used in social media.
Consent shall be obtained after explaining to the patient the purpose of the
intended collection, use, access and disclosure. Consent for the use of personal
health information shall be written or evidenced by electronic means.

An individual shall not post, share or otherwise use any information relating to the
identity, status and personal details of persons with HIV, those who have
undergone drug rehabilitation, and victims of domestic violence, rape and child
abuse.

CHAPTER IV
SPECIAL AREAS

RULE IX
HUMAN RESOURCES

Section 1. On-boarding of employees. All candidates for employment, contractors
and third party users shall be adequately screened, especially for sensitive jobs.

Security roles and responsibilities of employees, contractors and third party users
shall be defined and documented in accordance with the facility's information
security policy. This document shall be signed as an agreement by employees,
contractors, and third party users of information processing facilities.

Security roles and responsibilities shall include the requirement to:

a) Implement and act in accordance with the health care facility's information
security policies;
b) Protect assets from unauthorized access, disclosure, modification,
destruction or interference;
c) Execute particular security processes or activities;
d) Ensure that responsibility is assigned to the individual for actions taken;
e) Report security events, potential events or other security risks to the
organization.
Security roles and responsibilities shall be clearly defined and communicated.

Job descriptions can be used to document security roles and responsibilities.

Security roles and responsibilities for individuals not engaged via the
organization's employment process (e.g. via a third party organization) shall be
clearly defined and communicated.

Background verification checks on all candidates for employment, contractors, and
third party users shall be carried out in accordance with relevant laws, regulations
and ethics, and proportional to the business requirements, the classification of the
information to be accessed, and the perceived risks. Procedures shall define criteria
and limitations for verification checks (who is eligible to screen people, and how,
when and why verification checks are carried out).

A screening process shall be carried out for contractors and third party users.
Where contractors are provided through an agency, the contract with the agency
should clearly specify the agency's responsibilities for the screening and the
notification procedures it needs to follow if screening has not been completed or
if the results give cause for doubt or concern. In the same way, the agreement with
the third party should clearly specify all responsibilities and notification
procedures for screening.

Employees, contractors and third party users shall agree to and sign the terms and
conditions of their employment contract, which shall state their and the health
facility's responsibilities for information security. Terms and conditions of
employment shall reflect the health care facility's security policy in addition to
clarifying:

a) That all employees, contractors and third party users who are given access to
sensitive information shall sign a confidentiality or non-disclosure
agreement prior to being given access to information processing facilities;
b) The employees', contractors' and any other users' legal responsibilities and
rights (e.g. copyright laws or data protection legislation);
c) Responsibilities for the classification of information and management of
organizational assets associated with information systems and services
handled by the employee, contractor or third party user;
d) Responsibilities of the employee, contractor or third party user for the
handling of information received from other companies or external parties;
e) Responsibilities of the organization for the handling of personal information,
including personal information created as a result of, or in the course of,
employment with the organization;
f) Responsibilities that extend outside the organization's premises and
outside normal working hours;
g) Actions to be taken if the employee, contractor or third-party user disregards
the organization's security requirements.

Section 2. During Employment.

Section 2.1. Management Responsibilities. Management responsibilities shall be
defined to ensure that security is applied throughout an individual's employment
within the organization.

Management responsibilities shall ensure that employees, contractors and third
party users:

a) Are properly briefed on their information security roles and responsibilities
prior to being granted access to sensitive information or information systems;
b) Are provided with guidelines stating the security expectations of their role
within the health care facility;
c) Are motivated to fulfill the security policies of the health care facility;
d) Achieve a level of awareness of security relevant to their roles and
responsibilities within the health care facility;
e) Conform to the terms and conditions of employment, which include the
health care facility's information security policy and appropriate methods of
working;
f) Continue to have the appropriate skills and qualifications.

Section 2.2. Awareness and Training. An adequate level of awareness, education,
and training in security procedures and the correct use of information processing
facilities should be provided to all employees, contractors and third party users. A
formal disciplinary process for handling security breaches shall be established.
All employees of the health care facility and, where relevant, contractors and third
party users should receive appropriate awareness training and regular updates in
organization policies and procedures, as relevant for their job function.

Awareness training shall commence with a formal induction process designed to
introduce the health care facility's security policies and expectations before access
to information or services is granted.

Ongoing training shall include security requirements, legal responsibilities and
business controls, as well as training in the correct use of information processing
facilities (e.g. log-on procedure, use of software packages and information on the
disciplinary process).

The security awareness, education, and training activities should be suitable and
relevant to the person's role, responsibilities and skills, and should include
information on known threats, who to contact for further security advice and the
proper channels for reporting information security incidents.

Section 2.3. Disciplinary Process. There shall be a formal disciplinary process for
employees who have committed a security breach.

The formal disciplinary process shall ensure correct and fair treatment for
employees who are suspected of committing breaches of privacy and security, and
shall not be commenced without prior verification that a privacy breach has
occurred.

A graduated response that takes into consideration factors such as the nature and
gravity of breach and its impact on business, whether or not it is a first or repeat
offence, whether or not the violator was properly trained, relevant legislation,
business contracts and other factors as required shall be provided.

In serious cases of misconduct, the process shall allow for instant removal of duties,
access rights and privileges, and for immediate escorting out of the site, if
necessary.
The disciplinary process shall be used as a deterrent to prevent employees,
contractors and third party users from violating organization security policies and
procedures, and from committing any other security breaches.

Section 2.4. Termination or Off-boarding of Employees. Responsibilities for
performing employment termination or change of employment shall be clearly
defined and assigned. Responsibilities and duties still valid after termination of
employment shall be contained in the employees', contractors' or third party users'
contracts.

The communication of termination responsibilities shall include ongoing security
requirements and legal responsibilities and, where appropriate, the responsibilities
contained within any confidentiality agreement, and the terms and conditions of
employment continuing for a defined period after the end of the employee's,
contractor's or third party user's employment.

The Human Resources function is generally responsible for the overall termination
process and works together with the supervising manager of the person leaving to
manage the security aspects of the relevant procedures. In the case of a contractor,
this termination responsibility process may be undertaken by an agency
responsible for the contractor, and in case of another user this might be handled by
their organization.

Return of Assets. All employees, contractors and third party users shall return all of
the health care facilitys assets in their possession upon termination of their
employment, contract, or agreement.

The termination process shall be formalized to include the return of all previously
issued software, corporate documents, and equipment. Other organizational assets
such as mobile computing devices, credit cards, access cards, software, manuals,
and information stored on electronic media also need to be returned.

In cases where an employee, contractor or third party user has knowledge that is
important to ongoing operation, the information shall be documented and
transferred to the organization.
Access Rights. The access rights of all employees, contractors and third party users
to information and information processing facilities shall be removed upon
termination of their employment, contract or agreement, or adjusted upon change.

If a departing employee, contractor or third party user knows the passwords of
accounts that remain active, these shall be changed upon termination or change of
employment, contract or agreement.

Access rights for information assets and information processing facilities shall be
reduced or removed before the employment terminates or changes, depending on
the evaluation of risk factors such as:

a) Whether the termination or change is initiated by the employee, contractor
or third party user, or by management, and the reason for the termination;
b) The current responsibilities of the employee, contractor or any other user;
c) The value of the assets currently accessible.

In certain circumstances access rights may be allocated on the basis of being
available to more people than the departing employee, contractor or third party
user (e.g. group IDs). In such circumstances, departing individuals shall be
removed from any group access lists and arrangements shall be made to advise
other employees, contractors and third party users involved to no longer share this
information with the person departing.
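The leave-of-absence rule in Rule VII Section 1 (user IDs of staff on extended leave are disabled until they return) and the access-rights rules of this Section (rights removed on termination, passwords of shared accounts changed, departing users removed from group access lists) are both reconciliation tasks between the HR roster and the directory. The following added example, which is not code from the IRR or from any PHIE component, produces the administrator's action list for both rules from constructed sample data. The record layouts, status values, group names and the shared-account table are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Added example, not part of the IRR: reconcile the HR roster with the
# directory to produce the actions required by Rule VII Section 1 (disable
# user IDs of staff on extended leave) and Rule IX Section 2.4 (remove access
# on termination, change shared-account passwords known to leavers, remove
# leavers from group access lists). All layouts and data are constructed.


@dataclass
class Person:
    user_id: str
    status: str                         # assumed values: active, on_leave, terminated
    leave_until: Optional[date] = None  # assumed HR field: expected return date


@dataclass
class Account:
    user_id: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)  # group access lists


Action = Tuple[str, str, str]  # (action, subject, reason)


def reconcile(roster: List[Person], accounts: List[Account],
              shared_holders: Dict[str, Set[str]], today: date) -> List[Action]:
    """Return the actions the administrator must carry out, in a stable order."""
    actions: List[Action] = []
    by_id = {p.user_id: p for p in roster}

    for acct in accounts:
        person = by_id.get(acct.user_id)
        if person is None:
            # An enabled account with no HR record is treated as a leaver.
            if acct.enabled:
                actions.append(("disable", acct.user_id, "no HR record"))
            continue
        if person.status == "terminated":
            if acct.enabled:
                actions.append(("disable", acct.user_id, "terminated"))
            # Departing users are removed from every group access list.
            for group in sorted(acct.groups):
                actions.append(("remove_from_group", acct.user_id, group))
        elif person.status == "on_leave":
            still_away = person.leave_until is None or person.leave_until > today
            if acct.enabled and still_away:
                actions.append(("disable", acct.user_id, "extended leave"))
        elif person.status == "active" and not acct.enabled:
            # Returned from leave: re-enable once the administrator confirms the
            # account was not disabled for some other reason.
            actions.append(("enable", acct.user_id, "active in HR roster"))

    # Shared accounts: a leaver who knows the password forces a password change.
    for shared, holders in sorted(shared_holders.items()):
        departed = sorted(h for h in holders
                          if h not in by_id or by_id[h].status == "terminated")
        if departed:
            actions.append(("change_password", shared,
                            "known by departed user(s): " + ", ".join(departed)))
    return actions


# Constructed sample data
SAMPLE_ROSTER = [
    Person("jcruz", "active"),
    Person("mreyes", "terminated"),
    Person("asantos", "on_leave", leave_until=date(2016, 9, 1)),
    Person("bdizon", "active"),                        # back from leave, account still off
]
SAMPLE_ACCOUNTS = [
    Account("jcruz", True, {"nurses", "ehr-readers"}),
    Account("mreyes", True, {"nurses", "ehr-writers"}),
    Account("asantos", True, {"pharmacy"}),
    Account("bdizon", False, {"records"}),
    Account("tmp-vendor", True, {"network-admins"}),  # no HR record at all
]
SAMPLE_SHARED = {"ward-b-printer": {"jcruz", "mreyes"}}  # shared account -> who knows it


def sample_actions() -> List[Action]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, SAMPLE_SHARED, date(2016, 6, 1))


if __name__ == "__main__":
    for action in sample_actions():
        print("%-18s %-16s %s" % action)
```

Run daily, the output is the list the administrator works through; the order is stable so two runs can be diffed. Accounts with no HR record are reported as leavers rather than ignored, since orphaned accounts are the usual way a departed user keeps access.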

RULE X
HEALTH RESEARCH

Section 1. Rationale.

Section 2. Research Subject. The research participant must understand that he or
she can opt out of the study or have his or her personal information deleted from the
project's database upon written request.
Acceptable recruitment methods. Acceptable recruitment methods may include:
advertisements, notices, media (social or tri-media), websites, letter or email to
colleagues or healthcare staff to distribute to potentially eligible individuals.

Unacceptable recruitment methods. Unacceptable recruitment methods include
(but are not limited to): searching through medical records or databases (e.g. a
patient registry) for qualified subjects and having a researcher with no prior contact
with the potential subject recruit them; recruiting subjects immediately prior to a
sensitive or invasive procedure (e.g. in the pre-op room); and retaining sensitive
information obtained at screening, without the consent of those who either failed to
qualify or refused to participate, for possible future study participation.

Section 3. Research Protocol. Study protocols shall incorporate data protection
measures. Protocols shall describe how the participants' privacy will be protected
throughout the research process and shall also include provisions on how to protect
data and samples during use and subsequent storage.

Individuals, organizations or third-party data processors who may access
identifiable information shall be identified in the research protocol and in the
registration with review bodies.

Section 4. Research Projects. A research project involving 1,000 or more data
subjects shall register with the National Privacy Commission or its duly deputized
body (for health research, possibly the National Health Privacy Board).

Data breach reporting protocol shall be followed and researchers must ensure that
there is privacy protection of data during the entire research process: recruitment,
study proper, close-out, and even after study conduct.

All personnel involved in the study shall be required to sign statements agreeing to
protect the privacy, security and confidentiality of identifiable information prior to
accessing any personal information of a data or research subject.
Section 5. Research Data. Data or specimens collected from research shall be de-
identified or destroyed, as deemed appropriate. Identifiers shall be removed from
study-related information whenever feasible.

Paper-based records. Paper-based records are to be kept in a secure location and
made accessible only to personnel involved in the study.

Electronic records. Computer-based files shall be encrypted and made available to
personnel involved in the study through the use of secure access privileges and
passwords.
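The de-identification required by this Section (identifiers removed from study-related information wherever feasible) is usually done in a way that keeps the study's own records linkable. The following added example, which is not code from the IRR, drops the direct identifiers of each record and replaces the patient identifier with a keyed pseudonym (HMAC-SHA256 under a key held by the study team, apart from the dataset). Records of the same participant keep the same pseudonym, so longitudinal analysis still works, while nobody without the key can map a pseudonym back to a patient; two datasets pseudonymized under different keys do not link, which is one reason Rule XI calls for an independent review before linking datasets. The field names, the reduction of the birth date to a year of birth, the placeholder key and the sample records are assumptions of this example, not rules of the IRR.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Added example, not part of the IRR: de-identify study records (Rule X
# Section 5). Direct identifiers are dropped and patient_id is replaced by a
# keyed pseudonym, so only the holder of STUDY_KEY can re-link a record.
# Field names, the birth-date generalisation and the sample data are assumed.

DIRECT_IDENTIFIERS = {"patient_id", "name", "address", "phone", "philhealth_no"}


def pseudonym(patient_id: str, study_key: bytes) -> str:
    """Deterministic keyed pseudonym; truncated for readability, not for security."""
    return hmac.new(study_key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record: Dict, study_key: bytes) -> Dict:
    """Return a copy of record with direct identifiers removed and a pseudo_id added."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudo_id"] = pseudonym(record["patient_id"], study_key)
    if "birth_date" in out:
        # Generalise the full birth date (ISO format assumed) to the year only.
        out["birth_year"] = int(out.pop("birth_date")[:4])
    return out


def deidentify_all(records: List[Dict], study_key: bytes) -> List[Dict]:
    return [deidentify(r, study_key) for r in records]


def relink(pseudo_id: str, candidate_ids: List[str], study_key: bytes) -> Optional[str]:
    """Only the key holder can do this: find which patient_id produced pseudo_id."""
    for pid in candidate_ids:
        if hmac.compare_digest(pseudonym(pid, study_key), pseudo_id):
            return pid
    return None


# Constructed sample records (two visits of one participant, one of another)
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Juan Dela Cruz", "address": "Brgy. 12, Manila",
     "phone": "0917-000-0001", "philhealth_no": "12-000000001-1",
     "birth_date": "1975-03-14", "diagnosis": "E11", "visit": "2016-02-01"},
    {"patient_id": "P-1001", "name": "Juan Dela Cruz", "address": "Brgy. 12, Manila",
     "phone": "0917-000-0001", "philhealth_no": "12-000000001-1",
     "birth_date": "1975-03-14", "diagnosis": "E11", "visit": "2016-05-09"},
    {"patient_id": "P-2002", "name": "Maria Santos", "address": "Cebu City",
     "phone": "0917-000-0002", "philhealth_no": "12-000000002-2",
     "birth_date": "1988-11-30", "diagnosis": "I10", "visit": "2016-03-21"},
]
STUDY_KEY = b"example-study-key-kept-off-the-dataset"  # placeholder; generate a real one at random


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS, STUDY_KEY):
        print(row)
```

Removing direct identifiers is the floor, not the ceiling: the remaining fields (year of birth, diagnosis, visit dates) can still single out a participant in a small population, which is the reidentification risk Rule XI asks to be reviewed before any linkage.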

Audio or video recordings of subjects shall be transcribed and then destroyed to
eliminate audible or visual identification of the data.

Data Sharing. Apart from the uses indicated in the study protocol and the original
consent document, the research subject shall give his or her permission prior to
any data sharing arrangement.

RULE XI
PATIENT REGISTRIES

Section 1. Registry developers shall prospectively apply careful scrutiny to the
proposed purposes for and activities of a registry to avoid both ethical and
compliance issues that may undermine achievement of the registry's objectives.

Health information registries for research shall incorporate an appropriate design
and data elements, written operating procedures, and documented methodologies,
as necessary, to ensure the fulfillment of a valid scientific purpose.

Where an authorization for the use and disclosure of registry data for future
research does not exist, the health care provider or health insurance plan
maintaining the registry shall obtain an additional authorization for the research
from the individuals, or seek a waiver of authorization from an Institutional Review
Board or Privacy Board.

Registries compiling health information from vulnerable populations, such as but
not limited to pregnant women, human fetuses, neonates, prisoners, children and
patients having rare diseases, shall employ special efforts to protect the identities
of these subjects.

An independent review of the privacy risks involved (e.g. reidentification, fraud)
must be conducted if a dataset is going to be linked to another.

CHAPTER IV
NATIONAL HEALTH PRIVACY BOARD

Section 1. Rationale. The National Health Privacy Board is a broad sectoral
response to health information privacy needs. It will support the health sector in
complying with issuances and administrative orders relating to health information
privacy, and further the development of policy and practice for health data
protection.

Section 2. Composition. The National Health Privacy Board shall be composed of
the Chairperson, who shall be assisted by two Board Members, one responsible for
Training and Capacity Building and one responsible for Compliance and Planning.

Section 3. General Roles and Functions.

1. The Board shall assist in the implementation of the Privacy Guidelines and
related issuances through Training and Capacity Building, and through
Compliance Monitoring and Planning. It shall coordinate with the licensing
authority of the health institution or other accreditation bodies, when
necessary, in order to perform its function.
2. The Board shall accept complaints, inquiries and requests for assistance
from the health sector on matters related to the Privacy Guidelines and
related issuances.
a. Complaints. It shall promulgate rules and procedures for receiving and
processing complaints. It shall mediate between parties to reach a
compromise settlement, without prejudice to reporting before the NPC
or licensing and regulatory authorities matters contrary to law, in
which case it shall make its recommendation after proper evaluation.
b. Inquiries and Requests for Assistance. It shall assist persons or
institutions on the interpretation of privacy regulations. It shall elevate
to the Privacy Experts Group (PEG) issues which in its discretion require
advisory assistance.
3. It shall provide the PEG with a report of its activities, including case reports
of issues brought before it that are of importance or significant impact.
4. It shall make recommendations on changes in policy or further policy
development. It shall coordinate with appropriate agencies to incorporate
emerging technologies and new regulations in existing policies.

Section 4. Training and Capacity Building. The Training and Capacity Building
functions of the Board shall be spearheaded by the Board Member for Training and
Capacity Building. He or she shall:

1. Coordinate with other government agencies and the private sector on efforts
to formulate and implement plans and policies to strengthen the protection of
personal information in the health sector.
2. Develop and implement training modules for capacity building.
3. Develop and implement programs to inform and educate the public of health
information privacy and to promote a privacy culture in the health sector,
including powerpoint presentations and articles that may be used by health
information privacy advocates.
4. Conduct training workshops and accommodate requests for public
information on the implementation of the privacy guidelines.

Section 5. Privacy Compliance and Planning. The Privacy Compliance and
Planning functions of the Board shall be spearheaded by the Board Member for
Privacy Compliance and Planning. He or she shall:

1. Oversee the monitoring of privacy compliance in health facilities. He or she
shall develop procedures for the assessment of privacy practices in health
facilities, in accordance with the standards for organizational, physical and
technical security measures in the Privacy Guidelines and related issuances.
He or she shall also coordinate with licensing and accreditation bodies to
advocate the inclusion of privacy standards in their evaluation of health
facilities, in view of the requirements of existing laws.
2. Review privacy codes voluntarily adhered to by personal information
controllers and processors in the health sector and make recommendations to
meet standards for the protection of personal health information.
3. Identify gaps in current standards for organizational, physical and technical
security measures for protection of personal health information and make
recommendation for its improvement.
4. Develop materials and documents such as templates for employment
contracts and non-disclosure agreements to serve as a guide for the health
facilities.
5. Undertake regular planning activities to develop and recommend programs
to support the implementation of the Privacy Guidelines.
6. Maintain a record of all compliance and monitoring reports.

Section 6. Competencies and Qualifications. Members of the Board shall have the
following competencies and qualifications:

a) Law, education, and clinical or public health background.
b) At least a bachelor's degree in management, information systems, human
resources, health administration, or other relevant fields.
c) Minimum of 5 years' experience in health care.
d) Demonstrate mastery of regulatory development and compliance, including
standards, laws and regulations concerning information security and privacy.
e) Familiar with business functions and operation of large institutions
(preferably health-related).
f) Strong organizational and problem-solving skills.
g) Work effectively with teams and stakeholders.
h) Have the ability to communicate with clarity both orally and in writing.

CHAPTER V
THE PRIVACY TEAM OF A HEALTH FACILITY

Section 1. Rationale. In so far as practicable, a Privacy Officer (PO) shall be
designated at each health facility. The PO's identity shall be made known to any
data subject upon request. It is recommended that the PO be at the Vice-President
level (or equivalent) so as to have sufficient authority to uphold privacy in the
institution. Rural health units (RHUs) and larger health facilities are expected to
have some personnel with specialized privacy roles. In a facility where a plantilla
position for a privacy officer cannot be immediately secured, a Privacy-Officer-
Designate shall be appointed.

Section 2. Roles and Functions. Ultimately, the Privacy Officer is the person
responsible for the privacy policy compliance at the health facility. The privacy
officer is not automatically the personal information controller who controls the
collection, holding, processing or use of personal information. While the latter is
directly accountable for the protection of privacy, the PO sees to it that overall
compliance is observed at the institution. Other roles of the PO shall include:

a) Develops and implements privacy policies and procedures.
b) Assumes advocacy, capacity-building, and stakeholder functions.
c) Manages the privacy aspect in the different areas of the operations.
d) Together with the privacy team, identifies the governance structure from the
national level down to the RHU and aligns the facility's privacy goals and
initiatives with it.
e) Ascertains the authority for, and delegates, data collection to staff. He or she
regularly audits the quality and integrity of patient records.
f) Ensures that the entire process of editing data is documented: the request for
editing, who did the editing, the process followed in editing, and the closing of
the editing.
g) Identifies how personal health information is created, stored or disclosed in
paper and electronic format and maintains an inventory of how the facility uses
or discloses all personal health information.
h) Is the contact person responsible for receiving complaints and providing
individuals with further information about matters contained in the health
facility's privacy protocols.
i) Maintains a record of complaints and a brief description of how they were
resolved.
j) Distributes the health facility's privacy protocols to all new patients and posts
the updated health facility's privacy protocols on the institution's website or
on its public bulletin boards.
k) Continually updates the staff's knowledge of privacy rule guidelines,
developments, and new regulations and trains the workforce on these
requirements. The PO shall update the health facility's privacy protocols,
acknowledgement forms, authorizations, consents, and other forms as
required and ensure that the workforce adheres to the policies and
procedures, including imposing sanctions on workforce members that breach
an individual's privacy.
l) Effectively communicates technical and legal information to non-technical
and non-legal staff for employee training.
m) Together with the privacy team, accounts for devices used in the facility and
ensures that devices containing electronic personal health information are
encrypted as required by the health facility's privacy protocols.
n) Reviews all business associate agreements or contracts for privacy
compliance.
o) Consistently applies sanctions, in accordance with the facility's policies and
procedures.
p) Regularly communicates the status of legal complaints, risks, and sanctions
imposed on workforce members.
q) Serves as the practice's resource for regulatory and accrediting bodies on
matters relating to privacy and security.
r) Performs system or quality data checks, compliance on the reporting form, and
safekeeping of backup data.
s) Coordinates privacy safeguards with the practice's security officer to ensure
consistency in development, documentation, and training for security and
privacy requirements.
t) Coordinates and communicates to practice leaders the audits of the National
Health Privacy Board or any other governmental or accrediting organization.
u) Coordinates with the institution's Risk Manager (if any) to address privacy
risks.
v) Reports directly to the hospital director, president, or board of directors.

Section 3. Appointment. Health facilities with at least 300 beds are required to
employ a Privacy Officer. Those with fewer than 300 beds may affiliate with other
health facilities to employ a shared Privacy Officer. A government health facility
shall appoint a Privacy Officer-Designate while waiting for the official plantilla
assignment.
Rural Health Units may share a Privacy Officer at the provincial level, preferably
working with the Provincial Health Unit.

Section 4. Qualifications. The Privacy Officer shall have the following
qualifications:

a) At least a bachelor's degree in management, information systems, human
resources, health administration, or other relevant field.
b) Minimum of 5 years' experience in health care.
c) Familiar with regulatory development and compliance, including standards,
laws and regulations concerning information security and privacy.
d) Familiar with business functions and operation of large institutions
(preferably health-related).
e) Strong organizational and problem-solving skills.
f) Works effectively with teams and stakeholders.
g) Has the ability to communicate with clarity both orally and in writing.
h) Must undergo data privacy and security training from reputable training
providers.

Section 5. Staff. While the PO is responsible for privacy management and
compliance, he or she may delegate responsibilities to others within the
organization if they are trained and would communicate promptly with the privacy
official on these matters.

CHAPTER VII
COMPLIANCE, INCIDENT REPORTING, RESPONSE

RULE I
COMPLIANCE

RULE II
INCIDENT REPORTING

Section 1. General Principles. The National Health Privacy Board does not have
quasi-judicial powers or the power to impose penalties. Parties who voluntarily
submit their complaints or issues for resolution may be assisted in clarifying the
issues subject of the complaint, and in reaching an amicable settlement. To ensure
compliance with the Resolution of the Board, both parties must submit an
undertaking, under oath or embodied in an affidavit, that they agree to be
bound by the Resolution of the Board.

The National Health Privacy Board does not have subpoena powers or powers of
contempt. It relies on the documents and evidence voluntarily submitted by the
parties. The investigations conducted by the Board shall be fact-finding and
summary in nature, without prejudice, however, to the due process of law, and
recourse to the National Privacy Commission or proper courts, when necessary.

The National Health Privacy Board may be able to assist the parties in clarifying
privacy-related complaints in health facilities because it has a deeper
understanding and better perspective of privacy issues concerning personal and
sensitive health information. The Resolution of the National Health Privacy Board
may also serve as a supporting document for cases filed before the National
Privacy Commission, or regular courts.

Section 2. Procedure for Complaint and Investigation.

Section 2.1. Complaint. A complaint shall be in writing and under oath or
embodied in an affidavit.

Section 2.2. Who May File. The complaint may be filed by any person, firm,
partnership, association or corporation, through its duly authorized representative.

Section 2.3. Contents. The complaint must be written in clear, simple and
concise language and shall contain the following:

1. Full names and complete addresses of the complainant and the respondent;
2. A brief narration of the material facts which show a violation of the privacy
guidelines or related issuance, or the acts or omissions allegedly committed
by the respondent amounting to a privacy concern;
3. If the complaint contains personal and sensitive information involving
third parties, which information will be disclosed to the Board, the
complainant shall include proof that the consent of said parties has been
obtained with regard to the use, access and disclosure of said personal or
sensitive information for purposes of resolving or adjudicating the complaint
before appropriate bodies;
4. If the complainant is an institution, the complaint shall be accompanied by
the incident report or relevant document showing the results of the
investigation conducted within the institution;
5. Certified true copies of documentary evidence, and the affidavit/s of
witness/es, if any;
6. An undertaking of the complainant, or in the case of a juridical person by a
duly authorized representative, under oath or embodied in an affidavit, to the
effect that the complainant agrees to abide by the final resolution of the
National Health Privacy Board, without prejudice to other legal remedies.

Section 2.4. Number of Copies. The complaint, together with the documentary
evidence and affidavit/s of witness/es, if any, shall be filed in such number as there
are respondents, plus two (2) copies for the file. The affidavit/s required to be
submitted shall state only facts of direct personal knowledge of the affiant and shall
show the competence of the affiant to testify to the matters stated therein. A
violation of the foregoing requirement shall be a ground for expunging the
affidavit or portion thereof from the record.

Section 2.5. Where to File a Complaint. A complaint may be filed at the office of
the Health Privacy Board.

Section 2.6. Evaluation of Complaint. The Board shall evaluate the allegations of
the complaint (1) to determine whether it involves a violation of the Privacy
Guidelines or issues involving privacy of health information and (2) whether, based
on its allegations, there is reason to believe that there is a violation of the Privacy
Guidelines or related issuances. If both conditions are not satisfied, the complaint
shall be dismissed.

Section 2.7. Issuance of Requests to Appear.

1. On the basis of the complaint, if there is reason to believe that there is a
violation of the Privacy Guidelines, the Board shall request, in writing, the
respondent to appear before it, furnishing the said respondent a copy of the
complaint, and requiring the submission of a counter-affidavit within ten
days from receipt of the said request.
2. If the counter-affidavit contains personal and sensitive information involving
third parties, which information will be disclosed to the Board, the
respondent shall include proof that the consent of said parties has been
obtained with regard to the use, access and disclosure of said personal or
sensitive information for purposes of resolving or adjudicating the complaint
before appropriate bodies.
3. If the respondent appears before the Board, the respondent, or in the case of a
juridical person a duly authorized representative, shall be asked to sign
an undertaking, under oath or embodied in an affidavit, to the effect that the
respondent agrees to abide by the final resolution of the National Health
Privacy Board, without prejudice to other legal remedies.

Section 2.8. Procedure if the Respondent Appears.

1. The Board shall set a date to convene the parties involved in the complaint,
sending notices to the parties and requesting them to appear before the
National Health Data Privacy Board, with their witnesses, if any.
2. The Board shall ensure that before it convenes the parties:
3. Both complainant and respondent have signed an undertaking that they
agree to be bound by the Resolution of the Board.
4. Proof has been given that consent has been obtained from third parties when
the affidavits or submitted evidence include their personal and sensitive
information, for purposes of resolving or adjudicating the complaint before
appropriate bodies.
5. The Board may ask clarificatory questions when necessary.
6. The Board shall identify the issues for resolution and mediate in order for
the parties to reach an amicable settlement. In case the parties reach an
amicable settlement, the Board shall issue a resolution on the agreement
between parties, which shall be binding in view of their undertaking. Even if
the parties have reached an amicable settlement, but the Board finds that the
complaint constitutes a violation of law, it shall prepare a report and
recommendation, and submit the same to the proper licensing regulatory or
accrediting body, or to the National Privacy Commission.
7. In case the parties are unable to reach an amicable settlement, the complaint
shall be submitted for resolution. The Board may request the parties to
submit a memorandum containing their arguments on the facts and issues for
resolution.
8. The Board shall adjudicate on the issues and issue a resolution containing its
recommendation. The resolution shall be binding on the parties in view of
their undertaking. Its resolution, with supporting documents, shall be
submitted to the proper licensing, regulatory or accrediting body, or to the
National Privacy Commission, for appropriate action, if necessary.
9. The minutes of the proceeding shall be filed and maintained.

Section 2.9. Procedure if the Respondent Does Not Appear. If the respondent
does not appear before the Board, the Board shall resolve the complaint on the
basis of the affidavits and documents submitted by the complainant. Its resolution,
with supporting documents, shall be submitted to the proper licensing, regulatory
or accrediting body, or to the National Privacy Commission, for appropriate action,
if necessary.

Section 3. Resolution. The Board shall furnish the parties with copies of its
resolution.
