**This is an old revision of the document!**
Table of Contents
privacyPH.org/rules
Privacy Set of Rules (SOR)
This is the wiki for the development of the Privacy Set of Rules (SOR) that will be the basis for the Implementing Rules and Regulations (IRR) of the Privacy Guidelines AO. Healthcare facilities will also evolve their own Privacy Protocols (PP) based on this SOR.
The initial rules were consolidated outputs from privacy workshops in Bacolod, Davao, Palawan, Metro Manila (including subsequent discussions via the PEG Mailing List).
Stakeholders may help revise this document.
For questions and concerns that cut across sections, please use the Discussion area below to raise them.
Introduction
Definitions
See Introduction
Collection and Processing of Health Information
Consent
See Consent Rules
Point of Collection
Identification of Patient
Data to be Collected
Information to be Shared
Filing / Storage
See Filing / Storage
Access of Health Information
Use and Disclosure of Health Information
Data Security
Administrative Security
Physical Security
Technical Safeguards
Use of Social Media
This subsection is deemed necessary for purposes of emphasis. See Use of Social Media
Cloud Computing
Compliance, Incident Reporting and Response
This section has been identified as one of the gaps left unaddressed in one place in any of the workshops.
See Compliance, Incident Reporting and Response
Special Areas
Human Resources
Prior to Employment
- All candidates for employment, contractors and third party users shall be adequately screened,especially for sensitive jobs.
- Employees, contractors and third party users of information processing facilities shall sign an agreement on security roles and responsibilities.
- Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy.
- Security roles and responsibilities should include the requirement to:
(a) implement and act in accordance with the organization's information security policies;
(b) protect assets from unauthorized access, disclosure, modification, destruction or interference;
© execute particular security processes of activities;
(d) ensure responsibility is assigned to the individual for actions taken;
(e) report security events or potential events or other security risks to the organization;
- Security roles and responsibilities shall be defined and clearly communicated to job candidates during the pre-employment process.
- Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization's employment process, e.g. engaged via a third party organization, should also be clearly defined and communicated.
- Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
- Procedures should define criteria and limitations for verification checks (who is eligible to screen people, and how, when and why verification checks are carried out).
- A screening process should also be carried out for contractors, and third party users. Where contractors are provided through an agency, the contract with the agency should clearly specify the agency's responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party should clearly specify all responsibilities and notification procedures for screening.
Health Research
- See this discussion
—-
Privacy Bodies
The Privacy Team of the Health Facility
This section has been identified in the discussions as a gap that deserves separate treatment.
See Privacy Team
Health Data Privacy Board (?)
Privacy Advisory Group (?)
General Guidelines and Penalty Clause
See General Guidelines and Penalty Clause
This subsection will be archived soon. The provisions here will the incorporated into other “live” subsections.
References
Discussion
The proposal for a MOA between PHIE and participating health care institution can be an option to support the IRR of Privacy Act. But what is the legal personality behind PHIE? Will the NPC and/or DOH and/or DOST be part of this MOA? Another option is through the LGU. eHATID LGU partners have started issuing local resolutions on ehealth operational issues, copies of which are being sent to DOH KMITS and DOST PCHRD.
Please see how you can “distribute” the concerns under “General Guidelines and Penalty Clause” section. The section looks weak.
May I know if there is a consolidated output from the Palawan workshop? Thank you
there was a question from the Davao workshop whether there should be a MOA between PHIE and a participating health care institution.