Privacy Wiki

Access of PHCP, Secondary Health Care Provider, Health Facilities

• Health facilities shall clearly define access rights and user roles of staff to ensure that only appropriate people have access to the minimum necessary protected health information. The Health Facility shall create policies and procedures to specify the groups and positions that need to access health information to perform their job responsibilities, as well as the types of health information to which they need access. The Chief of Health Facility shall issue a memorandum containing the list of names and information stated in the preceding statement and a copy shall be furnished to the DOH Central Office.
  
• Upon patient consent, only the attending physician shall have access to the patient's information and read-only access shall be given to secondary health care providers.
  
• Accessible information for secondary healthcare providers shall be the following:
  

a. History of past illness
b. Family history of illness
c. History of present illness
d. Allergies
e. Adverse effect of medications given
f. Treatment outcome. Final diagnoses shall be included whether clinical or confirmed.
g. Laboratory and diagnostic procedures
h. Any information approved by the patient for viewing

Approval of Access
* The head of the section or unit (ex. medical director, chief nurse) shall approve the creation of user credentials for personnel that will have access to the hospital information system. The head of the facility shall approve the system access request.

Access of User/Patient

• Consenting patients shall have rights to access, view, request amendments to, and request restriction over how their health information is used. The health facility shall ensure that disclosures and any subsequent changes are documented. Health care providers shall be notified once update has been done.
  
• Patients who gave consent for their information to be processed in PHIE shall have the preference to choose which portal provider to use and shall have access to their own record even if their doctors are not yet enrolled in PHIE.
  
• For child- joint parental authority, either parent or legal guardian if one has been appointed can have access to the child's health information. If separated, the one granted legal custody, or legal guardian if one has been appointed by court will have the right to access.
  

Access of Third Party

• A third party is allowed access to health information that is provided in the contract with the health care provider or as required by law.

Notes re: Third Party Relationships

• Types of 3rd party relationships:
  

(1) Infrastructure only- provides key infrastructure, such as network and servers, and their administration but doesn't provide any applications or application support.
(2) Managed Applications- exerts some control over installation, maintenance and support of the infrastructure and applications. Includes cloud computing, infrastructure and software as a service.
(3) All Data- includes infrastructure and managed applications, as well as support, maintenance and disaster recovery of the infrastructure and applications (e.g., backup and recovery site.

Authorization to Access Information

• Authorization must be written in plain language, and must contain specific information such as:
  

(a) A description of the health information to be used and disclosed.
(b) The name of the person to whom the health care provider may disclose the health information.
© An expiration date.
(d) The purpose which the health information may be used or disclosed.

• A protocol on how to identify authorized persons to access patient information shall be made. The authorized person approving the request to access health information shall ensure that proper authorization from proper authorities is obtained by the requesting party.
  
• In cases when the person requesting for information is incapacitated, special power of attorney shall be allowed.
  

Others

• Add more specific guidelines for Joint AO VII, item 1.C. Specify what data is to be shown.
  

(Can be discussed further. This section was a recent amendment from TWG.)

• A 24/7 hotline shall be provided to help in cases when necessary information is required at any point in time.
  
• There shall be no UID or PWD.

* Herold R., Beaver K. (2015). The Practical Guide to HIPAA Privacy and Security Compliance. 2nd edition. Boca Raton, FL: CRC Press.

• Grant Thornton (2013). Third-Party Relationships and Your Confidential Data. Assessing Risk and Management Oversight Processes. Retrieved from https://www.grantthornton.com/~/media/content-page-files/health-care/pdfs/2013/HC-2013-AIHA-wp-HIPAA-rule-data-control-concerns.ashx

• Consolidated Workshop Outputs