
ACCESS OF HEALTH INFORMATION

Access of PHCP, Secondary Health Care Provider, Health Facilities

  • Health facilities shall clearly define access rights and user roles of staff to ensure that only appropriate people have access to the minimum necessary protected health information. The Health Facility shall create policies and procedures to specify the groups and positions that need to access health information to perform their job responsibilities, as well as the types of health information to which they need access. The Chief of Health Facility shall issue a memorandum containing the list of names and information stated in the preceding statement and a copy shall be furnished to the DOH Central Office.
  • Upon patient consent, only the attending physician shall have access to the patient's information.
  • Read-only access shall be given to secondary healthcare providers and the following information may be accessible:

a. History of past illness
b. Family history of illness
c. History of present illness
d. Allergies
e. Adverse effect of medications given
f. Treatment outcome. Final diagnoses shall be included whether clinical or confirmed.
g. Laboratory and diagnostic procedures
h. Any information approved by the patient for viewing

  • The head of the section or unit (e.g., medical director, chief nurse) shall approve the creation of user credentials for personnel that shall access the hospital information system. The head of the facility shall approve the system access request.

Access of User/Patient

  • Consenting patients shall have rights to access, view, request amendments to, and request restriction over how their health information is used. The health facility shall ensure that disclosures and any subsequent changes are documented.
  • Patients who gave consent for their information to be processed in PHIE shall have the preference to choose which portal provider to use and shall have access to their own record even if their doctors are not yet enrolled in PHIE.
  • For a child under joint parental authority, either parent, or the legal guardian if one has been appointed, can have access to the child's health information. If the parents are separated, the one granted legal custody, or the legal guardian if one has been appointed by the court, will have the right to access.

Access of Third Party
*A "third party" is a person or organization, other than a member of a Health Care Provider's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a Health Care Provider that involve the use of protected health information.

  • Patient's medical record shall not be accessible for case study purposes.
  • Provisions regarding access of third party providers which use applications that are hosted in their cloud service shall be provided. Accountability of third party providers shall be made explicit.

Authorization to Access Information

  • Authorization must be written in plain language, and must contain specific information such as:

(a) A description of the health information to be used and disclosed.
(b) The name of the person to whom the health care provider may disclose the health information.
(c) An expiration date.
(d) The purpose for which the health information may be used or disclosed.

  • A protocol on how to identify authorized persons to access patient information shall be made.
  • In cases when the person requesting information is incapacitated, special power of attorney shall be allowed.

Others

  • In accessing PHIE, there should be a PIN + security questions.
  • Add more specific guidelines for Joint AO VII, item 1.C. Specify what data is to be shown.

(Can be discussed further. This section was a recent amendment from TWG.)

  • If an electronic information system will be used to access information of the patient, it must be done with the same language and portal to the user, user-friendly, real-time batch period with terminals and identified locations.
  • For each purpose of accessing data, there shall be an inclusion/exclusion criteria.
  • A 24/7 hotline shall be provided to help in cases when necessary information is required at any point in time.
  • There shall be no UID or PWD.
  • The secretaries of MDs shall not be allowed to access the data for them.
  • Best practices on health information exchange must be considered.
  • The patient chart should be double-checked before saving the information in the MIS.



