Compliance

Compliance. Health care facilities involved in the PHIE are required to:
a.) Register their data processing systems involved in the PHIE process to the health privacy board, including the data processing systems of contractors, employees and third parties entering into contracts with them that involves accessing or requiring sensitive personal health information from one thousand (1,000) or more individuals;
b.) Notify the health privacy board of automatic processing operations being carried out by the health facility, its contractors and third parties;
c.) Submit a copy of their privacy policy as well as a list of personnel having direct access to health information to the health privacy board;
d.) Submit an annual report on documented security incidents to the health privacy board;
e.) Comply with other requirements that may be provided in other issuance issued by the National Privacy Commission or the Health Privacy Board.


Incidents

  • Processes and procedures established by DOST-ICTO for detecting and reporting the occurrence of information security events (by human or automatic means) shall be implemented and observed accordingly.
  • All reported incidents must be identified to initiate immediate response actions to deal with the information security incident.
  • All information security incident report must be updated and collected into the information security event/incident database by information security incident response team member and must notify the team leader/manager and others as necessary.
  • All information security incidents that have been resolved or closed must be reviewed to:

(a) conduct further analysis, as required;
(b) Identify the lessons learned from information security incidents;
© Identify improvements to information security and safeguard the implementation;
(d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.

References:

  • C.Evans., D. Laggui., A. Salvador., (2013). Information Security Incident Response Manual DOST-ICTO.

Draft Rules of Procedure in the Investigation of Complaints filed before the Health Privacy Board

A. General Principles

The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board.

The Health Privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. The investigations conducted by the Board shall be fact-finding and summary in nature, without prejudice, however, to the due process of law, and recourse to the National Privacy Commission or proper courts, when necessary.

The Health Privacy Board may be able to assist the parties in clarifying privacy related complaints in health facilities due to the fact that they have a deeper understanding and better perspective of privacy issues concerning personal and sensitive health information. The Resolution of the Health Privacy Board may also serve as support document of cases filed before the National Privacy Commission, or regular courts.

B. Procedure for Complaint and Investigation

Sec. 1. Complaint. - A complaint shall be in writing and under oath or embodied in an affidavit.

Sec. 2. Who May File. - The complaint may be filed by any person, firm, partnership, association or corporation, through its duly authorized representative.

Sec. 3. Contents. - The complaint must be written in a clear, simple and concise language and shall contain the following:

  1. Full names and complete addresses of the complainant and the respondent;
  2. A brief narration of the material facts which show a violation of the privacy guidelines or related issuance, or the acts or omissions allegedly committed by the respondent amounting to a privacy concern.
  3. If the complaint contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the complainant shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies.
  4. If the complainant is an institution, the complaint shall be accompanied by the incident report or relevant document showing the results of the investigation conducted within the institution.
  5. Certified true copies of documentary evidence, and the affidavit/s of 
witness/es if any.
  6. A undertaking of the complainant, or in case of juridical person by a duly authorized representative, under oath or embodied in an affidavit, to the effect that the complainant agrees to abide by the final resolution of the Health Privacy Board, without prejudice to other legal remedies.

Sec. 4. Number of Copies. - The complaint, together with the documentary evidence and affidavit/s of witness/es, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file. The affidavit/s required to be submitted shall state facts only of direct personal knowledge to the affiant and shall show the competence of the affiant to testify to the matters stated therein. A violation of the foregoing requirement shall be a ground for expunging the affidavit or portion thereof from the record.

Sec. 5. Where to File a Complaint. - A complaint may be filed at the office of the Health Privacy Board.

Sec. 6. Evaluation of Complaint. The Board shall evaluate the allegations of the complaint (1) to determine whether it involves a violation of the Privacy Guidelines or issues involving privacy of health information and (2) if based on its allegations, there is reason to believe that there is a violation of the Privacy Guidelines or related issuance. If both conditions are not satisfied, the complaint shall be dismissed.

Sec. 7. Issuance of Requests to Appear. 1. On the basis of the complaint, if there is reason to believe that there is a violation of the Privacy Guidelines, the Board shall request, in writing, the respondent to appear before it, furnishing the said respondent a copy of the complaint, and requiring the submission of a counter-affidavit within ten days from receiving the said request. 2. If the counter-affidavit contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the respondent shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the Health Privacy Board, without prejudice to other legal remedies.
Sec. 8. Procedure if the Respondent appears.

  1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the Health Privacy Board, with their witnesses, if any.
  2. The Board shall ensure that before it convenes the parties:
  3. Both complainant and respondent have signed an undertaking that they agree to be bound by the Resolution of the Board.
  4. Proof that consent have been obtained from third parties when the affidavits or submitted evidence includes their personal and sensitive information, for purposes of resolving or adjudicating the complaint, before appropriate bodies.
  5. The Board may ask clarificatory questions when necessary.
  6. The Board shall identify the issues for resolution and mediate in order for the parties to reach an amicable settlement. In case the parties reach an amicable settlement, the Board shall issue a resolution on the agreement between parties, which shall be binding in view of their undertaking. Even if the parties have reached an amicable settlement, but the Board finds that the complaint constitutes a violation of law, it shall prepare a report and recommendation, and submit the same to the proper licensing regulatory or accrediting body, or to the National Privacy Commission.
  7. In case the parties are unable to reach an amicable settlement, the complaint shall be submitted for resolution. The Board may request the parties to submit a memorandum containing their arguments on the facts and issues for resolution.
  8. The Board shall adjudicate on the issues and issue a resolution containing its recommendation. The resolution shall be binding on the parties in view of their undertaking. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary.
  9. The minutes of the proceeding shall be filed and maintained.

Sec. 9. Procedure if the Respondent does not Appear. – If the Respondent does not appear before the Board, the Board shall resolve the complaint on the basis of the affidavits and documents submitted by the complainant. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary.

Sec. 10. Resolution. – The Board shall furnish the parties with copies of its resolution.

Reference: The rules of procedure in the PRC were used as guide.


In case of Breach

Notification in the Case of Breach
1. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.
2. Health care providers shall have the burden of proof demonstrating that all notifications were made.
3. Notice shall be provided by the Health Care Provider to the Health Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.

Forms of Notification
Notification of privacy breach may be in the form of:

  • Individual notice
  • Media notice. Media notice shall only be applicable if the unsecured protected health information of more than 500 individuals is reasonably believed to have been accessed, acquired, or disclosed during the breach.

Content of Notification
1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known.
2. A description of the types of unsecured health information that were compromised in the breach (such as full name, , date of birth, home address, account number).
3. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.
4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
5. Contact procedures for individuals to ask questions or learn additional information, which shall include a telephone number, an e-mail address, website, or postal address.
6. Contact information of the National Privacy Commission. Email: privacycommissioner@privacy.gov.ph
7. Contact information of the National Bureau of Investigation (NBI) Office of Cybercrime, the Philippine National Police Anti-Cybercrime Group (ACG).

Delay of Notification

  • If the board/NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.

Reference: Health Information Technology for Economic and Clinical Health Act. (2009). Retrieved from https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf




See Also