Privacy Wiki

• Pre-deployment site assessment shall be conducted and the computers to be installed shall be fixed in one place and not portable.
  
• The area for data collection and processing shall be separate from the server room.
  
• The IT room shall only be accessible to authorized personnel and to personnel involved during quality assurance monitoring and HICC for monitoring.
  

COMPUTER ACCESS

• Computer access shall be limited to authorized personnel only. Role-based system access shall be implemented and there shall only be one account per user. Having multiple accounts are not allowed.
  
• A person requesting for access to a computer shall fill-out a request form.
  
• Only applications for the hospital information system shall be installed in the computer system. Other applications, most especially social media applications are strictly not allowed.
  
• In case of computer loss, the accounts in the computer system shall be reset and deactivated until it is retrieved or reported.
  

SERVERS

• The server room shall be a separate room from the IT office and a designated person shall be tasked to handle the servers.
  
• The health facility/hospital shall provide a designated area for the housing of servers or data centers. This area is to be marked as “Restricted” and shall only be accessible to authorized personnel. If the health facility/hospital cannot allot a space for the server room, at the minimum, a data cabinet shall be installed.
  
• For smaller health facilities/clinics, they may use cloud computing while hospitals use servers.
  

OTHER DEVICES

• Capturing of patient data using camera phones and bringing of electronic devices such as cellular/smart phones, laptops, tablets, cameras inside the medical records area is strictly not allowed.
  
• Facility-registered electronic devices shall not be brought outside the hospital premises except under circumstances such as disasters and vaccinations.
  
• USB devices shall be limited to office use but as may be practical, shall not be used.
  

POINTS TO CONSIDER

• State provisions regarding setting-up of infrastructure where physical servers or data center of hospital information system shall be located. Applicability of the existing administrative order containing provisions on IHOMP shall be considered. Implementation of an off-site back-up shall be done if the aforementioned AO shall be affected by this proposed set of rules.
  

(We have to discuss whether we really want to specify in the IRR that setting up of infrastructure is required. I think it is sufficient to just specify the conditions that must be complied with. Part of this has already been developed by Kit's group.-IP)

• Consolidated Workshop Outputs