Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
compliance_incident_reporting_response [2016/05/02 17:38] jillian_nadette_de_leon |
compliance_incident_reporting_response [2016/07/19 16:26] (current) jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ##Compliance | ##Compliance | ||
| + | |||
| + | **Compliance.** Health care facilities involved in the PHIE are required to: \\ | ||
| + | a.) Register their data processing systems involved in the PHIE process to the health privacy board, including the data processing systems of contractors, employees and third parties entering into contracts with them that involves accessing or requiring sensitive personal health information from one thousand (1,000) or more individuals;\\ | ||
| + | b.) Notify the health privacy board of automatic processing operations being carried out by the health facility, its contractors and third parties;\\ | ||
| + | c.) Submit a copy of their privacy policy as well as a list of personnel having direct access to health information to the health privacy board;\\ | ||
| + | d.) Submit an annual report on documented security incidents to the health privacy board;\\ | ||
| + | e.) Comply with other requirements that may be provided in other issuance issued by the National Privacy Commission or the Health Privacy Board.\\ | ||
| Line 12: | Line 19: | ||
| (c) Identify improvements to information security and safeguard the implementation;\\ | (c) Identify improvements to information security and safeguard the implementation;\\ | ||
| (d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.\\ | (d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.\\ | ||
| + | |||
| + | ##References: | ||
| + | * C.Evans., D. Laggui., A. Salvador., (2013). //Information Security Incident Response Manual// DOST-ICTO. | ||
| -------------------- | -------------------- | ||
| Line 20: | Line 30: | ||
| The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. | The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. | ||
| - | The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. | + | The Health Privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. |
| The investigations conducted by the Board shall be fact-finding and summary in nature, without prejudice, however, to the due process of law, and recourse to the National Privacy Commission or proper courts, when necessary. | The investigations conducted by the Board shall be fact-finding and summary in nature, without prejudice, however, to the due process of law, and recourse to the National Privacy Commission or proper courts, when necessary. | ||
| - | The National Health Privacy Board may be able to assist the parties in clarifying privacy related complaints in health facilities due to the fact that they have a deeper understanding and better perspective of privacy issues concerning personal and sensitive health information. The Resolution of the National Health Privacy Board may also serve as support document of cases filed before the National Privacy Commission, or regular courts. | + | The Health Privacy Board may be able to assist the parties in clarifying privacy related complaints in health facilities due to the fact that they have a deeper understanding and better perspective of privacy issues concerning personal and sensitive health information. The Resolution of the Health Privacy Board may also serve as support document of cases filed before the National Privacy Commission, or regular courts. |
| B. Procedure for Complaint and Investigation | B. Procedure for Complaint and Investigation | ||
| Line 35: | Line 45: | ||
| 1. Full names and complete addresses of the complainant and the respondent; | 1. Full names and complete addresses of the complainant and the respondent; | ||
| - | 2. A brief narration of the material facts which show a violation of the privacy guidelines or related issuances, or the acts or omissions allegedly committed by the respondent amounting to a privacy concern. | + | 2. A brief narration of the material facts which show a violation of the privacy guidelines or related issuance, or the acts or omissions allegedly committed by the respondent amounting to a privacy concern. |
| 3. If the complaint contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the complainant shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. | 3. If the complaint contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the complainant shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. | ||
| Line 43: | Line 53: | ||
| 5. Certified true copies of documentary evidence, and the affidavit/s of witness/es if any. | 5. Certified true copies of documentary evidence, and the affidavit/s of witness/es if any. | ||
| - | 6. A undertaking of the complainant, or in case of juridical person by a duly authorized representative, under oath or embodied in an affidavit, to the effect that the complainant agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies. | + | 6. A undertaking of the complainant, or in case of juridical person by a duly authorized representative, under oath or embodied in an affidavit, to the effect that the complainant agrees to abide by the final resolution of the Health Privacy Board, without prejudice to other legal remedies. |
| Sec. 4. Number of Copies. - The complaint, together with the documentary evidence and affidavit/s of witness/es, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file. The affidavit/s required to be submitted shall state facts only of direct personal knowledge to the affiant and shall show the competence of the affiant to testify to the matters stated therein. A violation of the foregoing requirement shall be a ground for expunging the affidavit or portion thereof from the record. | Sec. 4. Number of Copies. - The complaint, together with the documentary evidence and affidavit/s of witness/es, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file. The affidavit/s required to be submitted shall state facts only of direct personal knowledge to the affiant and shall show the competence of the affiant to testify to the matters stated therein. A violation of the foregoing requirement shall be a ground for expunging the affidavit or portion thereof from the record. | ||
| Line 49: | Line 59: | ||
| Sec. 5. Where to File a Complaint. - A complaint may be filed at the office of the Health Privacy Board. | Sec. 5. Where to File a Complaint. - A complaint may be filed at the office of the Health Privacy Board. | ||
| - | Sec. 6. Evaluation of Complaint. The Board shall evaluate the allegations of the complaint (1) to determine whether it involves a violation of the Privacy Guidelines or issues involving privacy of health information and (2) if based on its allegations, there is reason to believe that there is a violation of the Privacy Guidelines or related issuances. If both conditions are not satisfied, the complaint shall be dismissed. | + | Sec. 6. Evaluation of Complaint. The Board shall evaluate the allegations of the complaint (1) to determine whether it involves a violation of the Privacy Guidelines or issues involving privacy of health information and (2) if based on its allegations, there is reason to believe that there is a violation of the Privacy Guidelines or related issuance. If both conditions are not satisfied, the complaint shall be dismissed. |
| Sec. 7. Issuance of Requests to Appear. | Sec. 7. Issuance of Requests to Appear. | ||
| 1. On the basis of the complaint, if there is reason to believe that there is a violation of the Privacy Guidelines, the Board shall request, in writing, the respondent to appear before it, furnishing the said respondent a copy of the complaint, and requiring the submission of a counter-affidavit within ten days from receiving the said request. | 1. On the basis of the complaint, if there is reason to believe that there is a violation of the Privacy Guidelines, the Board shall request, in writing, the respondent to appear before it, furnishing the said respondent a copy of the complaint, and requiring the submission of a counter-affidavit within ten days from receiving the said request. | ||
| 2. If the counter-affidavit contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the respondent shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. | 2. If the counter-affidavit contains personal and sensitive information involving third parties, which information will be disclosed to the Board, the respondent shall include proof that consent of said parties have been obtained with regard to the use, access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint, before appropriate bodies. | ||
| - | 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies. | + | 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the Health Privacy Board, without prejudice to other legal remedies. |
| Sec. 8. Procedure if the Respondent appears. | Sec. 8. Procedure if the Respondent appears. | ||
| - | 1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the National health Data Privacy Board, with their witnesses, if any. | + | 1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the Health Privacy Board, with their witnesses, if any. |
| 2. The Board shall ensure that before it convenes the parties: | 2. The Board shall ensure that before it convenes the parties: | ||
| Line 91: | Line 101: | ||
| 1. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\ | 1. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\ | ||
| 2. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\ | 2. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\ | ||
| - | 3. Notice shall be provided by the Health Care Provider to the National Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\ | + | 3. Notice shall be provided by the Health Care Provider to the Health Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\ |
| **Forms of Notification**\\ | **Forms of Notification**\\ | ||
| Line 100: | Line 110: | ||
| **Content of Notification**\\ | **Content of Notification**\\ | ||
| 1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\ | 1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\ | ||
| - | 2. A description of the types of unsecured health information that were compromised in the breach (such as full name, social security number, date of birth, home address, account number). \\ | + | 2. A description of the types of unsecured health information that were compromised in the breach (such as full name, , date of birth, home address, account number). \\ |
| 3. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.\\ | 3. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.\\ | ||
| 4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\ | 4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\ | ||
| Line 120: | Line 130: | ||
| ##See Also | ##See Also | ||
| * {{::complaint_process.docx|Notes on Complaint Process}} | * {{::complaint_process.docx|Notes on Complaint Process}} | ||
| - | * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]] | + | * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]] |
| + | |||
| + | |||