Privacy Wiki

• A formal procedure to authorize disclosure of personal health information shall be developed by health facilities.
  
• Use and disclosure of health information shall only be to the extent of consent given by the patient and for the following purposes:
  a. For planning of quality services.
  b. DOH reporting intervention and disease prevention.
  c. Continuing care to patients.
  d. Requirements and reporting for communicable and notifiable diseases as well as those with serious health and safety threat to the public such as, but not limited to:
  Meningitis
  Food poisoning (mass)
  Breakthrough epidemic of contagious disease
  Biological or chemical warfare
  Anthrax
  Emerging and re-emerging diseases
  Ebola
  e. Reporting of serious and less serious physical injury.
  f. Reporting of maltreated or abused child to proper authorities.
  g. Mandatory reporting required by licensing and accreditation bodies (DOH, PhilHealth, etc). A list of mandatory requirements shall be stipulated.
  Privilege Communication
  
• Both patient and physician must provide consent for its use and disclosure otherwise, information shall not be released.
  
• The PHCP has the authority to disclose information upon patient request for his legitimate personal use such as release of insurance/HMO required medical record provided that there is a clear agreement/contract made between the HMO and the patient.
  
• For patients who are U.S. war veterans, they should come with a signed consent in order to release their medical records.
  

Information disclosed after discharge

• The following information may be disclosed after patient discharge from the health facility:
  

a. Clinical abstract
b. Laboratory result
c. Doctor's order
d. Discharge summary

• * Disclosure of health information of a deceased individual shall be to the authorized legal representative.
  

Use and disclosure of health information to legal authorities/government agencies:
* Before a disclosure is made to any other government agency, there must be a court order. It is only in cases of emergency such as that provided in Sec. 15, where disclosure can be done without court order. This would be situations where time is of the essence such as:
a. For PNP subpoena, obtain consent of patient before death otherwise, consent should be obtained from next of kin.
b. For medical/financial assistance requesting abstracts or similar documents, authorization of patient is required.

• When personal health information is released to legal authority, a cover letter shall be sent containing information reminding the recipient that the information contained is personal health information and must be handled in a confidential manner. A receiving copy shall be maintained by the health facility for record purposes.
  
• Without a court order, release of information shall be pursuant to hospital policy otherwise, patient records shall be released or disclosed.
  
• A process on how to disclose medico-legal cases should be defined. PNP Duces Tecum shall be honored and complied with if signed by the head of the agency.
• Guidelines for retrieval of information for purposes of PRC requirements shall be made.
  

Use and Disclosure of Health Information by a third party:

• Third party providers shall not disclose health information other than as provided by contract with the PHCP or as required by law. They shall also agree to use appropriate safeguards to prevent use and disclosure of the health information other than as provided by contract with the primary health care provider or as required by law.
• Third party providers shall report to the primary health care provider any use or disclosure of health information not provided for by the agreement of which it becomes aware, including breaches of unsecured health information, and any security incident of which it becomes aware.
  
• A non-disclosure clause shall be included in the contract of the schools with affiliations to a health facility.
  

* All research protocols pertaining to patient condition shall pass thru strict review by the Institutional Review Board to safeguard patient information. Protocols for requesting and accessing aggregate and de-identified information for research, both public and private, should be clearly defined.

• For facilities not participating in PHIE, they shall:
  

a Make a workflow and a notification protocol for reporting requirements (Suggestion: to use the present epidemiologic surveillance framework).
b. Immediately notify the RESU (using the present framework) then the DOH will notify the EMR, the EMR to the facility. The EMR must have codes which gives them the signal to release the information.

• Patient orientation regarding data privacy disclosure shall be done.

References:

• Herold R., Beaver K. (2015). The Practical Guide to HIPAA Privacy and Security Compliance. 2nd edition. Boca Raton, FL: CRC Press.

• Consolidated Workshop Outputs