Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
administrative_security [2016/06/21 00:44] jillian_nadette_de_leon |
administrative_security [2016/07/02 15:54] jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ##ADMINISTRATIVE SECURITY | + | ##ORGANIZATIONAL SECURITY MEASURES |
| - | a.k.a Organizational Security | + | |
| - | //Policies and Procedures//\\ | + | **1. Policies and Procedures.** Privacy and security policies must be documented, maintained and updated as appropriate.\\ |
| - | * Privacy and security policies must be documented, maintained and updated as appropriate, and retained for at least 6 years. \\ | + | |
| - | * Health care providers shall clearly define access rights and user roles of staff to ensure that only appropriate people have access to the minimum necessary protected health information. The health care provider shall create policies and procedures to specify the groups and positions that need to access health information to perform their job responsibilities, as well as the type of health information to which they need access. The Chief of Health Facility shall issue a memorandum containing the list of names and information stated in the preceding statement and a copy shall be furnished to the DOH central office.\\ | + | |
| - | * An orientation regarding privacy and security policies shall be done for all employees in the health facility with great emphasis to the information security personnel.\\ | + | 1.1. The PHCP shall create policies and procedures to specify the groups and positions that need to access health information to perform their job responsibilities, as well as the type of health information to which they need access.\\ |
| - | * * A regular privacy and security audit shall be done by health facilities.\\ | + | |
| - | + | ||
| - | //Manuals and guidelines//\\ | + | |
| - | * Information security manuals and training-related guidelines for capacity building shall be made by health facilities. They shall also provide a quality management system and Health Information Security Committee to put in place and check all processes, workflows among others in relation to the implementation of PHIE.\\ | + | |
| + | 1.2. Participating Health Care Providers shall provide an orientation regarding privacy and security policies for all employees in the health facility with great emphasis to the information security personnel.\\ | ||
| - | //Employment and Contracts//\\ | + | 1.3. Participating Health Care Providers shall clearly define access rights and user roles of staff to ensure that only appropriate people have access to the minimum necessary health information.\\ |
| - | * Privacy-related clause, information security clause and emphasis on the ownership of data shall be embedded in contracts of third party providers and job order personnel.\\ | + | |
| - | * A formal process for ending a person's employment or a user's access shall be formulated so that inappropriate access to health information does not occur.\\ | + | |
| - | * An assessment of the applicant's personal information shall be done to determine if the person has the capacity to perform the functions of the position being applied for. Once determined that the applicant is highly emotionally unstable, he/she shall not be put in a position requiring a great deal of reliability and consistency.\\ | + | |
| - | * Upon assignment, the said employee shall sign a non-disclosure agreement. Non-allied health staff shall also sign a non-disclosure agreement upon employment. \\ | + | |
| - | * Other than personality assessment, other possible conditions for hiring employees may include background information, past criminal record, if any, past administrative record, if any, background checks on prior employers, review of prior incidents, especially those which may involve issues on honesty and moral turpitude. This is also in line with ISO 27002 (17799), Sec. 8.1.2.\\ | + | |
| - | * Refer to Rule IX for Human Resources responsibilities. | + | |
| - | //Contract between third party relationships// | + | 1.4. The Chief of Health Facility shall issue a memorandum containing the list of names and information stated in the preceding statement and a copy shall be furnished to the DOH central office.\\ |
| - | * Contracts/agreements between the health care provider and the third party shall include:\\ | + | |
| - | (a) Policies for document storage and disposal; \\ | + | |
| - | (b) Data management processes, including methods for tracking and controlling records- such as dates and time stamps- as well as the type of data sent and received, and the individuals who have access to records; \\ | + | |
| - | (c) Description of the vendor's privacy and security programs; \\ | + | |
| - | (d) Description of output reporting- either electronically or in hard copy- so data can be reviewed, monitored and reconciled; \\ | + | |
| - | (e) Periodic staff training in secure records handling and providing, and appropriate document management tools; \\ | + | |
| - | (f) Staff responsibilities for ensuring compliance and allocation of sufficient job time to the task; \\ | + | |
| - | (g) Right to audit clauses; and \\ | + | |
| - | (h) Communication requirements regarding control deficiencies identified through internal or external sources.\\ | + | |
| - | //Authorization and Document Retention//\\ | + | 1.5. A regular privacy and security audit shall be done by participating health care providers.\\ |
| - | * For identification and authorization purposes, the authorizing entity shall provide any of the following for identification: \\ | + | |
| - | a. Biometrics\\ | + | |
| - | b. Specimen signature\\ | + | |
| - | c. E-signature\\ | + | |
| - | * The document retention policy issued by the National Archives of the Philippines shall be followed. For archiving purposes, the health facility can either have an internal archiving system or outsource an archiving specialist.\\ | + | |
| - | * Regular privacy and security audit shall be done.\\ | + | |
| - | * Allocation of budget for data security shall be included for government hospitals and LGUs.\\ | + | |
| - | **ACCOUNTABILITY/ Health Information Security Committee**\\ | + | **2. Contract with Third Party.**Contract or agreements between health care providers and a third party shall include:\\ |
| - | * A health information security committee shall be organized rather than a single security officer. In so far as practicable, the team shall include the medical records officer, medical director, nurse, division heads of front liners, finance officer and legal officer. Their main role is to ensure that health information are made secure. This shall be headed by the Medical Director or Chief of Health Facility. Membership and role of the committee shall vary for other health facilities. Hospitals, LGUs, MHCO/MCO shall create their health information security committee. \\ | + | a.) Policies for document storage and disposal;\\ |
| - | * Roles and responsibilities of health information security committee shall include:\\ | + | b.) Data management process including methods for tracking and controlling records- such as dates and time stamps- as well as the type of data sent and received, and the individuals who have access to records;\\ |
| - | a. Policy making on health information security.\\ | + | c.) Description of the privacy and security programs of the third party;\\ |
| - | b. Procedures on disclosure of health information.\\ | + | d.) Description of output reporting-either electronically or in hard copy- so data can be viewed, monitored and reconciled;\\ |
| - | c. Management of incident reports including attempts on the disclosure of health information.\\ | + | e.) Periodic staff training in secure records handling and providing, and appropriate document management tools;\\ |
| - | d. Validation of security officer rules.\\ | + | f.) Staff responsibilities for ensuring compliance and allocation of sufficient job time to the task; and\\ |
| - | e. Enforcement of sanctions on violations.\\ | + | g.) Communication requirements regarding control deficiencies identified through internal or external sources.\\ |
| - | //Security Department//\\ | + | **3. Authorization and Document Retention.** For identification and authorization purposes, the authorizing entity shall provide any of the following for identification:\\ |
| - | * In so far as practicable, the health facility shall have its own security department which would cover the management of security guards. The head of the security department shall be part of the quality committee and will have access to records for tracing purposes. \\ | + | a.) Biometrics\\ |
| + | b.) Specimen signature\\ | ||
| + | c.) E-signature\\ | ||
| - | //The IT personnel// \\ | + | The document retention policy issued by the National Archives of the Philippines shall be followed. For archiving purposes, the PHCP can either have an internal archiving system or outsource an archiving specialist.\\ |
| - | a. The IT shall be the custodian of security videos and they must adhere to the policy on confidentiality of medical records.\\ | + | |
| - | b. They shall be the one to perform system related functions such as but not limited to troubleshooting.\\ | + | |
| - | //The Medical Records Officer//\\ | + | **4. The Information Technology Personnel.** Authorized personnel responsible for supporting the implementation of security guidelines must adhere to the policy on confidentiality of medical records. They shall be the one to perform system related functions such as, but not limited to, troubleshooting.\\ |
| - | a. The MRO shall be the one to have access to patient's data. He/she alongside with the Privacy Officer has the authority to audit the patient record from time to time in order to determine the integrity of the patient record. \\ | + | |
| - | + | ||
| - | //Chief Privacy Officer, PHIE Compliance Officer, Management Information Systems Officer//\\ | + | |
| - | * The Chief Privacy Officer shall be the head of the facility or as may be assigned by the head.\\ | + | **5. The Medical Records Officer.** The Medical Records Officer with the Privacy Officer has the authority to audit the patient's shared health record.\\ |
| - | * A Privacy Officer, PHIE Compliance Officer and Management Information Systems Officer shall be assigned and work together with the health information security committee. The duties and responsibilities of the said officers shall include the following: \\ | ||
| - | a. Formulate a work flow on the process of accessing health information for standard implementation.\\ | ||
| - | b. Monitor, account and register devices used in the facility.\\ | ||
| - | c. Perform system or quality data check, compliance on the reporting form and safekeeping of back-up data.\\ | ||
| - | d. Delegate data collection to staff but should ensure that data collected are correct. The sole responsibility of encoding is on the appointed individual/unit.\\ | ||
| - | e. The privacy officer shall regularly audit the quality and integrity of patient records.\\ | ||
| - | * The following qualifications need to be met in order to become a Privacy Officer, PHIE Compliance Officer, and Management Information Systems Officer: \\ | ||
| - | a. A graduate of Master's of Science in Health Informatics or health-related course with IT background.\\ | ||
| - | b. With IT, medical or clinical background.\\ | ||
| - | c. With training certifications on the security aspect of PHIE (as applicable). Note however that DOH and PhilHealth shall set the minimum standards based on the body of knowledge for data security, which shall be the basis for hiring a Privacy Officer, PHIE Compliance Officer, and Management Information Systems Officer.\\ | ||
| - | --- | ||
| References: \\ | References: \\ | ||