CHAPTER I
GENERAL PROVISIONS
RULE I
PRELIMINARY PROVISIONS
To ensure that the privacy of the public is well protected during the
implementation and operation of the PHIE, the DOH-DOST-PhilHealth Joint
Administrative Order No. 2016-0002 was created. Consequently, these
Implementing Rules and Regulations (IRR), hereinafter called the IRR, are
promulgated pursuant to the aforementioned issuance.
Section 2. Title. These Rules shall be known and cited as the Implementing Rules
and Regulations of Joint Administrative Order No. 2016-0002, otherwise known
as Privacy Guidelines for the Implementation of the Philippine Health
Information Exchange.
Section 2. Purpose. These Rules are hereby promulgated to prescribe the
procedures and guidelines for the implementation of the Privacy Guidelines for the
Implementation of the Philippine Health Information Exchange in order to provide
greater conceptual and operational clarity, establish standards in safeguarding the
privacy of individually identifiable health information, and facilitate rigorous
compliance with the requirements for the use and disclosure of protected health
information.
Primacy of human rights. The Constitution declares that the State values the
dignity of every person and guarantees full respect for human rights. Health has
long been affirmed as a fundamental human right recognized universally. The right
to privacy is also an important human right guaranteed by the Constitution, and
further expounded in the Data Privacy Act of 2012.
Section 4. Scope of Application. These rules shall apply to the Philippine Health
Information Exchange system, Health Care Providers, and any natural or juridical
person involved in the processing of health information within the PHIE
framework.
These rules shall also apply to patients who have given consent to participate in the
PHIE and who have allowed sharing of personal health information among
participating health care providers for purposes of treatment and care coordination.
CHAPTER II
SPECIFIC GUIDELINES
RULE II
COLLECTION AND PROCESSING OF HEALTH INFORMATION
Section 1. The consent form. A separate, standard consent form for PHIE entitled
Consent for Participation to PHIE shall be developed by health facilities. The
consent form must be clear, simple, and have a local translation which the patient
can understand. Within its contents there shall be an opt-out clause, a list of
information to be gathered for the shared purpose, the date and time the consent was given,
the contact number of the patient or legal representative, and a provision stating that
the patient's identity will be protected. Upon obtaining consent, the patient shall
affix his/her printed name below the Patient Admission Form. If consent is
denied, a refusal form shall be provided.
The consent form shall take into account the decision of the deceased patient's
family members regarding organ donation.
For patients who are physically or mentally incapable of giving consent. Persons
authorized to sign the consent on their behalf are:
For unconscious and minor patients. Consent shall be given either by the parents,
spouse (if married), descendant, ascendant, and/or guardian. The family's decision
may also be obtained by the physician.
For unconscious patients with no relative upon admission. The attending physician
may decide on behalf of the patient.
In emergency situations. The patient's significant others can sign the consent; however,
the consent for sharing information in the PHIE shall not be applicable in the signed
consent.
Section 3. Point of Consent Collection. Consent for the PHIE shall be obtained
upon admission but if the patient does not give consent upon admission or is in an
emergency case, efforts should be made to obtain consent upon discharge. To
avoid missing consent, a system shall be developed to indicate completion of
consent taking.
Viable occasions to obtain consent:
a. Admission,
b. Admitting Order,
c. Discharge.
Section 4. Exemptions for Consent. For national security purposes, the following
situations do not require consent for information to be processed in the PHIE:
a. Emerging diseases identified in R.A. 3573;
Duration of Validity. Health care providers shall comply with the medical records
retention requirements electronically: for OPD, 5 years; for in-patient, 10 to 15 years;
for medico-legal cases, lifetime.
Section 7. Provisions on revoking or reinstating consent. A valid court order shall
prevail over written consent.
Unconscious and minor patients. When the patient becomes able (becomes conscious
and is of legal age), he or she may revoke the consent previously given by his or her
authorized representative.
The Privacy Officer (or a duly authorized representative) shall be responsible for
the orientation of the patients regarding PHIE implementation and validation of
patient information.
If the hospital does not have an Electronic Medical Record in place, encoding and
processing of patient information will be through the medical records section or
hospital information management section. If they have an electronic medical
record or a Hospital Information System, encoding and processing shall begin at
the service transactions covered by the Hospital Information System.
Section 11. Filing and Storage. All information collected at different levels of
care shall be integrated into a common file. An electronic archiving system shall be
developed for the storage of electronic data.
RULE III
ACCESS OF HEALTH INFORMATION
Section 1. Access of Primary and Secondary Health Care Providers and Health
Facilities. Health facilities shall clearly define access rights and user roles of staff
to ensure that only appropriate people have access to the minimum necessary
protected health information. The Health Facility shall create policies and
procedures to specify the groups and positions that need to access health
information to perform their job responsibilities, as well as the type of health
information to which they need access. The Chief of Health Facility shall issue a
memorandum containing the list of names and information stated in the preceding
statement and a copy shall be furnished to the DOH central office.
Upon patient consent, only the attending physician shall have access to the
patient's information, and read-only access shall be given to secondary health care
providers.
Approval of Access. The head of the section or unit (medical director, chief nurse)
shall approve the creation of user credentials for personnel that shall have access to
the hospital information system. The head of the facility shall approve the system
access request.
Patients who gave consent for their information to be processed in PHIE shall have
the preference to choose which portal provider to use and shall have access to their
own record even if their doctors are not yet enrolled in PHIE.
For a child. Under joint parental authority, either parent, or the legal guardian if one has been
appointed, shall have access to the child's health information. If the parents are separated, the one
granted legal custody, or the legal guardian if one has been appointed by the court, will
have the right to access.
In cases when the person requesting information is incapacitated, a special power
of attorney shall be allowed.
RULE IV
USE AND DISCLOSURE OF HEALTH INFORMATION
The Primary Health Care Provider has the authority to disclose information upon
patient request for his legitimate personal use such as release of insurance or HMO
required medical record provided that there is a clear agreement/contract made
between the HMO and the patient.
For U.S. war veteran patients. They should come with a signed consent in order to
release their medical records.
Section 3. Information disclosed after discharge. The following information may
be disclosed after patient discharge from the health facility:
a) Clinical abstract;
b) Laboratory result;
c) Doctor's order;
d) Discharge summary.
When personal health information is released to legal authority, a cover letter shall
be sent containing information reminding the recipient that the information
contained is personal health information and must be handled in a confidential
manner. A receiving copy shall be maintained by the health facility for record
purposes.
Section 4. Third Party Use and Disclosure. Third party providers shall not
disclose health information other than as provided by contract with the PHCP or as
required by law. They shall also agree to use appropriate safeguards to prevent use
and disclosure of the health information other than as provided by contract with the
primary health care provider or as required by law.
Third party providers shall report to the primary health care provider any use or
disclosure of health information not provided for by the agreement of which they
become aware, including breaches of unsecured health information, and any
security incident of which they become aware.
Research. All research protocols pertaining to patient condition shall pass through
strict review by the Institutional Review Board to safeguard patient information.
Protocols for requesting and accessing aggregate and de-identified information for
research, both public and private, shall be clearly defined.
CHAPTER III
DATA SECURITY
RULE V
ADMINISTRATIVE SECURITY
Other than personality assessment, other possible conditions for hiring employees
may include background information, past criminal record, if any, past
administrative record, if any, background checks on prior employers, review of
prior incidents, especially those which may involve issues on honesty and moral
turpitude. This is also in line with ISO 27002 (17799), Sec. 8.1.2.
An orientation regarding privacy and security policies shall be done for all
employees in the health facility with great emphasis to the information security
personnel.
The document retention policy issued by the National Archives of the Philippines
shall be followed. For archiving purposes, the health facility can either have an
internal archiving system or outsource an archiving specialist.
Security Department. The health facility shall have its own security department
which would cover the management of security guards. The head of the security
department shall be part of the quality committee and will have access to records
for tracing purposes.
Section 3. The Information Technology Personnel. The IT personnel shall be the custodians
of security videos and must adhere to the policy on confidentiality of medical
records. They shall perform system-related functions such as, but not
limited to, troubleshooting.
Section 4. The Medical Records Officer. The Medical Records Officer shall be the
one to have access to patients' data. He/she has the authority to audit the patient
record from time to time in order to determine the integrity of the patient record.
Qualifications:
a) A graduate of Master of Science in Health Informatics.
b) With IT, medical or clinical background.
c) With training certifications on the security aspect of the PHIE.
RULE VI
PHYSICAL SECURITY
Section 1. Computer Access. Pre-deployment site assessment shall be conducted
and computers to be installed shall be non-portable and fixed in one place.
Computers shall be accessible to authorized personnel only and role-based system
access shall be implemented. Each user shall have one account only. Multiple
accounts per user are not allowed. A person requesting access to a computer
shall fill out a request form.
Anti-glare filters on computer monitors shall be installed. This will not only help
reduce glare, but also prevent anyone from seeing what is on the screen unless
directly in front of the computer.
Computer loss. In case of computer loss, the accounts in the computer system shall
be reset and deactivated until it is retrieved or reported.
Section 2. Servers. The health facility shall provide a designated area for the
housing of servers/data centers. It shall be a separate area from the data collection
and processing area as well as from the IT office. The server room shall be marked as
Restricted and shall only be accessible to authorized personnel. If the health
facility cannot allot a space for the server room, at the minimum, a data cabinet
shall be installed.
Smaller health facilities or clinics may use cloud computing, while bigger
facilities use servers.
Mobile devices used for job responsibilities are subject to audits even if the
employee owns them.
Capturing of patient data using camera phones and bringing of electronic devices
such as cellular phones, laptops, tablets, and cameras inside the medical records
area is strictly not allowed.
RULE VII
TECHNICAL SAFEGUARDS
Section 1. Access Controls. Standard user IDs shall be given to each staff member whose
work entails the need to access or process health information. There shall be a
three-way process for authentication of users:
Something they know (password);
Something they have (secure token);
Something they are (biometrics).
The last user ID that logged in must not be displayed on the log-in screen. There
shall be an automatic screen or keyboard locking after 5 minutes of inactivity.
Leave of Absence. User IDs of employees or staff who are on extended leave of
absence shall be disabled until they return for work.
Data back-up. Complete back-ups of the system shall be done periodically, once a
month or every few months. Back-up data tapes shall not be stored near a computer
monitor or uninterruptible power supply: the electromagnetic interference coming
from these devices can corrupt the data on the tapes or completely delete it.
The cloud provider's electronic discovery capabilities and processes must not
compromise the privacy or security of the data and applications of the health
facility.
Health facilities shall ensure that they have knowledge of a cloud provider's
security measures in order to conduct risk management.
Health facilities should understand the privacy and security controls of the cloud
service, establish adequate arrangements in the service agreement, make any
needed adjustments, and monitor compliance of the service controls with the terms
of the agreement.
Contract between health facility and cloud provider. The health care facility's
ownership rights over the data must be firmly established in the service contract to
provide the basis of trust and privacy of data. In so far as practicable, the contract
between the health care facility and cloud service provider should state clearly that:
Service agreements should include some means for the health facility to gain
visibility into the security controls and processes employed by the cloud provider
and their performance over time. Ideally, the health facility will have control over
aspects of the means of visibility to accommodate its needs, such as the threshold
for alerts and notifications, and the level of detail and schedule of reports.
Health care providers must understand the technologies the cloud provider uses to
provision services and the implications the technical controls involved have on
security and privacy of the system throughout its lifecycle. The underlying system
architecture of a cloud can be decomposed and mapped to a framework of security
and privacy controls that can be used to assess and manage risk.
RULE VIII
USE OF SOCIAL MEDIA
Section 2. Responsible Social Media Use. Health care professionals shall always
be mindful of their duties to the patient and community, their profession and their
colleagues, and thus take into account that content once posted can be disseminated to
others.
Health care professionals shall always be conscious of his or her online image and
how it impacts his or her profession, or the institution where he or she is
professionally employed, affiliated or otherwise connected.
Health care professionals must ensure that in his or her social media activity, there
is no law violated, including copyright, libel and cybercrime laws. At all times, the
individual shall respect the privacy of others.
The health care professional shall practice due diligence in keeping their social
media accounts safe such as through regular password change and logging out after
social media use.
Information posted online shall be beneficial to the Filipino people. Heath care
professionals shall refrain from any activity which spreads or tends to spread
misinformation.
Information that will compromise patient confidentiality and privacy shall not be
posted online. This may include comments in which patients are described with
sufficient detail to be identified, or which refer to patients in a degrading or
demeaning manner.
The individual shall be careful in posting or publishing his or her opinion and shall
ensure that such opinion will not propagate misinformation or constitute a
misrepresentation. The individual shall not make any misrepresentations in his or
her social media activity relating to content, his or her employment or credentials,
and any other information that may be misconstrued or taken out of context.
Section 3. Health Education and Promotion. The individual using social media
for health information and/or promotion must be well-informed of the matter
subject of the social media post, comment or other activity. The individual shall
refrain from any activity which spreads or tends to spread misinformation.
Social media shall not be used to dispense specific medical diagnosis, advice,
treatment or projection but shall consist of general opinions only. Use of social
media should include statements that a person should not rely on the advice given
online, and that medical concerns are best addressed in the appropriate setting.
Health care professionals are discouraged from using a single account for both
professional and private use.
Health care professionals shall conduct himself or herself in social media or online
the same way that he/she would in public, mindful of acting in a manner befitting
his profession, or that would inspire trust in the service he or she provides,
especially if the individual has not separated his or her professional and personal
accounts in social media.
Health care professionals shall refrain from using the name, logo, or other symbol
of an institution without proper authority in his or her social media activity. An
individual shall not identify himself or herself as a representative of an institution
in social media without being authorized to do so.
A health care professional shall not use copyrighted materials other than for fair
use where there is proper citation of source and author.
Health care professionals shall refrain from posting, sharing, or using photos or
videos taken within the facility which would give the impression of
unprofessionalism, show parts of the health facility where there is an expectation
of privacy, or which include colleagues, employees, other health facility
staff, or patients without their consent.
1.) Social media activities that defame, harass, stalk or bully another
person or institution.
2.) The use or access of personal social media accounts of others without
authority.
3.) Posting, sharing or otherwise using any information intended to be
private or obtained through access to electronic data messages or
documents.
4.) Posting, sharing or otherwise using recorded conversations between
doctor, individuals or patients, when such recording, whether audio
or video was obtained without consent of all parties to the
conversation.
A health care professional may like a defamatory post but he or she must use
caution when sharing, retweeting, or contributing anything that might be construed
as a new defamatory statement.
CHAPTER IV
SPECIAL AREAS
RULE IX
HUMAN RESOURCES
Security roles and responsibilities of employees, contractors and third party users
shall be defined and documented in accordance with the facility's information
security policy. This document shall be signed as an agreement by employees,
contractors, and third party users of information processing facilities.
a) Implement and act in accordance with the health care facility's information
security policies;
b) Protect assets from unauthorized access, disclosure, modification,
destruction or interference;
c) Execute particular security processes or activities;
d) Ensure responsibility is assigned to the individual for actions taken;
e) Report security events or potential events or other security risks to the
organization.
Security roles and responsibilities shall be clearly defined and communicated.
A screening process shall be carried out for contractors and third party users.
Where contractors are provided through an agency, the contract with the agency
should clearly specify the agency's responsibilities for the screening and the
notification procedures they need to follow if screening has not been completed or
if the results give cause for doubt or concern. In the same way, the agreement with
the third party should clearly specify all responsibilities and notification
procedures for screening.
Employees, contractors and third party users shall agree to and sign the terms and
conditions of their employment contract, which shall state their and the health
facility's responsibilities for information security. Terms and conditions of
employment shall reflect the health care facility's security policy in addition to
clarifying:
a) That all employees, contractors and third party users who are given access to
sensitive information shall sign a confidentiality or non-disclosure
agreement prior to being given access to information processing facilities;
b) The employees', contractors' and any other users' legal responsibilities and
rights (e.g. copyright laws or data protection legislation);
c) Responsibilities for the classification of information and management of
organizational assets associated with information systems and services
handled by the employee, contractor or third party user;
d) Responsibilities of the employee, contractor or third party user for the
handling of information received from other companies or external parties;
e) Responsibilities of the organization for the handling of personal information,
including personal information created as a result of, or in the course of,
employment with the organization;
f) Responsibilities that are extended outside the organization's premises and
outside normal working hours;
g) Actions to be taken if the employee, contractor or third-party user disregards
the organization's security requirements.
The security awareness, education, and training activities should be suitable and
relevant to the person's role, responsibilities and skills, and should include
information on known threats, who to contact for further security advice and the
proper channels for reporting information security incidents.
Section 2.3. Disciplinary Process. There shall be a formal disciplinary process for
employees who have committed a security breach.
The formal disciplinary process shall ensure correct and fair treatment for
employees who are suspected of committing breaches of privacy and security, and
shall not be commenced without prior verification that a privacy breach has
occurred.
A graduated response that takes into consideration factors such as the nature and
gravity of breach and its impact on business, whether or not it is a first or repeat
offence, whether or not the violator was properly trained, relevant legislation,
business contracts and other factors as required shall be provided.
In serious cases of misconduct, the process shall allow for instant removal of duties,
access rights and privileges, and for immediate escorting out of the site, if
necessary.
The disciplinary process shall be used as a deterrent to prevent employees, contractors and
third party users from violating organization security policies and procedures, and from
committing any other security breaches.
The Human Resources function is generally responsible for the overall termination
process and works together with the supervising manager of the person leaving to
manage the security aspects of the relevant procedures. In the case of a contractor,
this termination responsibility process may be undertaken by an agency
responsible for the contractor, and in case of another user this might be handled by
their organization.
Return of Assets. All employees, contractors and third party users shall return all of
the health care facility's assets in their possession upon termination of their
employment, contract, or agreement.
The termination process shall be formalized to include the return of all previously
issued software, corporate documents, and equipment. Other organizational assets
such as mobile computing devices, credit cards, access cards, software, manuals,
and information stored on electronic media also need to be returned.
In cases where an employee, contractor or third party user has knowledge that is
important to ongoing operation, the information shall be documented and
transferred to the organization.
Access Rights. The access rights of all employees, contractors and third party users
to information and information processing facilities shall be removed upon
termination of their employment, contract or agreement, or adjusted upon change.
If a departing employee, contractor or third party user knows the passwords of
accounts that remain active, these shall be changed upon termination or change of
employment, contract or agreement.
Access rights for information assets and information processing facilities shall be
reduced or removed before the employment terminates or changes, depending on
the evaluation of risk factors such as:
RULE X
HEALTH RESEARCH
Section 1. Rationale.
Data breach reporting protocol shall be followed and researchers must ensure that
there is privacy protection of data during the entire research process: recruitment,
study proper, close-out, and even after study conduct.
All personnel involved in the study will be required to sign statements agreeing to
protect the privacy, security and confidentiality of identifiable information prior to
accessing any personal information or data of a research subject.
Section 5. Research Data. Data or specimens collected from research shall be
de-identified or destroyed as deemed appropriate. Identifiers will be removed from
study-related information whenever feasible.
Data Sharing. Aside from the ones indicated in the study protocol and the original
consent document, the research subject shall give his or her permission prior to
data sharing arrangements.
RULE XI
PATIENT REGISTRIES
Where an authorization for the use and disclosure of registry data for future
research does not exist, the health care provider or health insurance plan maintaining
the registry shall need to obtain an additional authorization for the research from
the individuals or seek a waiver of authorization from an Institutional Research Board
or Privacy Board.
Registries compiling health information from vulnerable populations such as, but not
limited to, pregnant women, human fetuses, neonates, prisoners, children and
patients having rare diseases shall employ special efforts to protect the identities of
these subjects.
CHAPTER IV
NATIONAL HEALTH PRIVACY BOARD
1. The Board shall assist in the implementation of the Privacy Guidelines and
related issuances through Training and Capacity Building, and through
Compliance Monitoring and Planning. It shall coordinate with the licensing
authority of the health institution or other accreditation bodies, when
necessary, in order to perform its function.
2. The Board shall accept complaints, inquiries and requests for assistance
from the health sector on matters related to the Privacy Guidelines and
related issuances.
a. Complaints. It shall promulgate rules and procedures for receiving and
processing complaints. It shall mediate between parties to reach a
compromise settlement, without prejudice to reporting before the NPC
or licensing and regulatory authorities matters contrary to law, in
which case it shall make its recommendation after proper evaluation.
b. Inquiries and Requests for Assistance. It shall assist persons or
institutions on the interpretation of privacy regulations. It shall elevate
to the Privacy Experts Group issues which in its discretion require
advisory assistance.
3. It shall provide the PEG a report of its activities, including case reports of
issues brought before it that are of importance or significant impact.
4. It shall make recommendations on change in policy or further policy
development. It shall coordinate with appropriate agencies to incorporate
emerging technologies and new regulations in existing policies.
Section 4. Training and Capacity Building. The Training and Capacity Building
functions of the Board shall be spearheaded by the Board Member for Training and
Capacity Building. He or she shall:
1. Coordinate with other government agencies and the private sector on efforts
to formulate and implement plans and policies to strengthen the protection of
personal information in the health sector.
2. Develop and implement training modules for capacity building.
3. Develop and implement programs to inform and educate the public of health
information privacy and to promote a privacy culture in the health sector,
including powerpoint presentations and articles that may be used by health
information privacy advocates.
4. Conduct training workshops and accommodate requests for public
information on the implementation of the privacy guidelines.
Section 6. Competencies and Qualifications. Members of the Board shall have the
following competencies and qualifications:
CHAPTER V
THE PRIVACY TEAM OF A HEALTH FACILITY
Section 2. Roles and Functions. Ultimately, the Privacy Officer is the person
responsible for the privacy policy compliance at the health facility. The privacy
officer is not automatically the personal information controller who controls the
collection, holding, processing or use of personal information. While the latter is
directly accountable for the protection of privacy, the PO sees to it that overall
compliance is observed at the institution. Other roles of the PO shall include:
Section 3. Appointment. Health facilities with at least 300 beds are required to
employ a Privacy Officer. Those with less than 300 beds may affiliate with other
health facilities to employ a shared Privacy Officer. A government health facility
shall appoint Privacy Officer Designate while waiting for the official plantilla
assignment.
Rural Health Units may share a Privacy Officer in the provincial level, preferably
working with the Provincial Health Unit.
CHAPTER VII
COMPLIANCE, INCIDENT REPORTING, RESPONSE
RULE I
COMPLIANCE
RULE II
INCIDENT REPORTING
Section 1. General Principles. The National Health Privacy Board does not have
quasi-judicial powers or the power to impose penalties. Parties who voluntarily
submit their complaints or issues for resolution may be assisted in clarifying the
issues subject of the complaint, and in reaching an amicable settlement. To ensure
compliance with the Resolution of the Board, both parties must submit an
undertaking under oath or embodied in an affidavit that the parties agree to be
bound by the Resolution of the Board.
The National Health Privacy Board does not have subpoena powers or powers of
contempt. It relies on the documents and evidence voluntarily submitted by the
parties. The investigations conducted by the Board shall be fact-finding and
summary in nature, without prejudice, however, to the due process of law, and
recourse to the National Privacy Commission or proper courts, when necessary.
The National Health Privacy Board may assist the parties in clarifying
privacy-related complaints in health facilities, since it has a deeper
understanding and better perspective of privacy issues concerning personal
and sensitive health information. The Resolution of the National Health Privacy
Board may also serve as a supporting document in cases filed before the National
Privacy Commission or the regular courts.
Section 2.2. Who May File. The complaint may be filed by any person, firm,
partnership, association or corporation, through its duly authorized representative.
Section 2.3. Contents. The complaint must be written in a clear, simple and
concise language and shall contain the following:
1. Full names and complete addresses of the complainant and the respondent;
2. A brief narration of the material facts which show a violation of the privacy
guidelines or related issuance, or the acts or omissions allegedly committed
by the respondent amounting to a privacy concern.
3. If the complaint contains personal and sensitive information involving
third parties, which information will be disclosed to the Board, the
complainant shall include proof that the consent of said parties has been
obtained with regard to the use, access and disclosure of said personal or
sensitive information for purposes of resolving or adjudicating the complaint
before appropriate bodies.
4. If the Complainant is an institution, the complaint shall be accompanied by
the incident report or relevant document showing the results of the
investigation conducted within the institution.
5. Certified true copies of documentary evidence, and the affidavit/s of
witness/es if any.
6. An undertaking of the complainant, or in the case of a juridical person of its
duly authorized representative, under oath or embodied in an affidavit, to the
effect that the complainant agrees to abide by the final resolution of the
National Health Privacy Board, without prejudice to other legal remedies.
Section 2.4. Number of Copies. The complaint, together with the documentary
evidence and affidavit/s of witness/es, if any, shall be filed in such number as there
are respondents, plus two (2) copies for the file. The affidavit/s required to be
submitted shall state only facts within the direct personal knowledge of the affiant
and shall show the competence of the affiant to testify to the matters stated
therein. A violation of the foregoing requirement shall be a ground for expunging
the affidavit, or the portion thereof concerned, from the record.
Section 2.5. Where to File a Complaint. A complaint may be filed at the office of
the Health Privacy Board.
Section 2.6. Evaluation of Complaint. The Board shall evaluate the allegations of
the complaint (1) to determine whether it involves a violation of the Privacy
Guidelines or issues involving the privacy of health information, and (2) to
determine whether, based on its allegations, there is reason to believe that a
violation of the Privacy Guidelines or related issuances has occurred. If the two
conditions are not both satisfied, the complaint shall be dismissed.
1. The Board shall set a date to convene the parties involved in the complaint,
sending notices to the parties and requesting them to appear before the
National Health Data Privacy Board, with their witnesses, if any.
2. The Board shall ensure that, before it convenes the parties, the following
are on record:
3. Both complainant and respondent have signed an undertaking that they
agree to be bound by the Resolution of the Board.
4. Proof that consent has been obtained from third parties when the affidavits
or submitted evidence include their personal and sensitive information, for
purposes of resolving or adjudicating the complaint before appropriate
bodies.
5. The Board may ask clarificatory questions when necessary.
6. The Board shall identify the issues for resolution and mediate in order for
the parties to reach an amicable settlement. In case the parties reach an
amicable settlement, the Board shall issue a resolution on the agreement
between the parties, which shall be binding in view of their undertaking. Where
the parties have reached an amicable settlement but the Board finds that the
complaint constitutes a violation of law, it shall prepare a report and
recommendation and submit the same to the proper licensing, regulatory or
accrediting body, or to the National Privacy Commission.
7. In case the parties are unable to reach an amicable settlement, the complaint
shall be submitted for resolution. The Board may request the parties to
submit a memorandum containing their arguments on the facts and issues for
resolution.
8. The Board shall adjudicate on the issues and issue a resolution containing its
recommendation. The resolution shall be binding on the parties in view of
their undertaking. Its resolution, with supporting documents, shall be
submitted to the proper licensing, regulatory or accrediting body, or to the
National Privacy Commission, for appropriate action, if necessary.
9. The minutes of the proceedings shall be filed and maintained.
Section 2.9. Procedure if the Respondent Does Not Appear. If the Respondent
does not appear before the Board, the Board shall resolve the complaint on the
basis of the affidavits and documents submitted by the complainant. Its resolution,
with supporting documents, shall be submitted to the proper licensing, regulatory
or accrediting body, or to the National Privacy Commission, for appropriate action,
if necessary.
Section 3. Resolution. The Board shall furnish the parties with copies of its
resolution.