Privacy Wiki

Draft Rules of Procedure in the Investigation of Complaints filed before the National Health Privacy Board

A. General Principles

The National Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board.

The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. The investigations conducted by the Board shall be fact-finding and summary in nature, without prejudice, however, to the due process of law, and recourse to the National Privacy Commission or proper courts, when necessary.

The National Health Privacy Board may be able to assist the parties in clarifying privacy related complaints in health facilities due to the fact that they have a deeper understanding and better perspective of privacy issues concerning personal and sensitive health information. The Resolution of the National Health Privacy Board may also serve as support document of cases filed before the National Privacy Commission, or regular courts.

B. Procedure for Complaint and Investigation

Sec. 1. Complaint. - A complaint shall be in writing and under oath or embodied in an affidavit.

Sec. 2. Who May File. - The complaint may be filed by any person, firm, partnership, association or corporation, through its duly authorized representative.

Sec. 3. Contents. - The complaint must be written in a clear, simple and concise language and shall contain the following:

1. Full names and complete addresses of the complainant and the respondent;
2. A brief narration of the material facts which show a violation of the privacy guidelines or related issuances, or the acts or omissions allegedly committed by the respondent amounting to a privacy concern.
3. If the complaint contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the complainant shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies.
4. If the complainant is an institution, the complaint shall be accompanied by the incident report or relevant document showing the results of the investigation conducted within the institution.
5. Certified true copies of documentary evidence, and the affidavit/s of 
witness/es if any.
6. A undertaking of the complainant, or in case of juridical person by a duly authorized representative, under oath or embodied in an affidavit, to the effect that the complainant agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies.

Sec. 4. Number of Copies. - The complaint, together with the documentary evidence and affidavit/s of witness/es, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file. The affidavit/s required to be submitted shall state facts only of direct personal knowledge to the affiant and shall show the competence of the affiant to testify to the matters stated therein. A violation of the foregoing requirement shall be a ground for expunging the affidavit or portion thereof from the record.

Sec. 5. Where to File a Complaint. - A complaint may be filed at the office of the Health Privacy Board.

Sec. 6. Evaluation of Complaint. The Board shall evaluate the allegations of the complaint (1) to determine whether it involves a violation of the Privacy Guidelines or issues involving privacy of health information and (2) if based on its allegations, there is reason to believe that there is a violation of the Privacy Guidelines or related issuances. If both conditions are not satisfied, the complaint shall be dismissed.

Sec. 7. Issuance of Requests to Appear. 1. On the basis of the complaint, if there is reason to believe that there is a violation of the Privacy Guidelines, the Board shall request, in writing, the respondent to appear before it, furnishing the said respondent a copy of the complaint, and requiring the submission of a counter-affidavit within ten days from receiving the said request. 2. If the counter-affidavit contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the respondent shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies.
Sec. 9. Procedure if the Respondent appears. 1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the National health Data Privacy Board, with their witnesses, if any. 2. The Board shall ensure that before it convenes the parties: 3. Both complainant and respondent have signed an undertaking that they agree to be bound by the Resolution of the Board.
4. Proof that consent have been obtained from third parties when the affidavits or submitted evidence includes their personal and sensitive information, for purposes of resolving or adjudicating the complaint, before appropriate bodies. 5. The Board shall ask clarificatory questions when necessary. 6. The Board shall identify the issues for resolution and mediate in order for the parties to reach an amicable settlement. In case the parties reach an amicable settlement, the Board shall issue a resolution on the agreement between parties, which shall be binding in view of their undertaking. Even if the parties have reached an amicable settlement, but the Board finds that the complaint constitutes a violation of law, it shall prepare a report and recommendation, and submit the same to the proper licensing regulatory or accrediting body, or to the National Privacy Commission.
7. In case the parties are unable to reach an amicable settlement, the complaint shall be submitted for resolution. The Board may request the parties to submit a memorandum containing their arguments on the facts and issues for resolution. 8. The Board shall adjudicate on the issues and issue a resolution containing its recommendation. The resolution shall be binding on the parties in view of their undertaking. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary. 9. The minutes of the proceeding shall be filed and maintained.

Sec. 10. Procedure if the Respondent does not Appear. – If the Respondent does not appear before the Board, the Board shall resolve the complaint on the basis of the affidavits and documents submitted by the complainant. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary.

Sec. 11. Resolution. – The Board shall furnish the parties with copies of its resolution.

• procedure for complaints
• procedure for addressing complaints
• privacy breach mitigation
• A description on how the event was handled and managed shall be included in an incident report.
  

Complaint Process:
1. Filing of complaint to the Privacy Officer/Privacy Board.
2. Notification of the complaint is sent to the complainant and the affected party/parties involved.
3. Presentation of information about the incident from both parties.
4. Validation of information.
5. Decision making. If a violation is proven, the board will elevate the case to the NPC for investigation/decision/sanction. If no violation is proven, the case will be resolved.
6. Written decision of the case shall be sent to the parties involved.

References:
* How OCR Enforces the HIPAA Privacy and Security Rules. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-OCR-enforces-the-HIPAA-privacy-and-security-rules/index.html
* Professional Regulation Commission. Legal and Other Regulatory Services. Retrieved from http://prc.gov.ph/services/default.aspx?id=17

• Notes on Complaint Process
• Consolidated Workshop Outputs