1. Policies and Procedures. The Health Facility shall be required to create its own privacy protocol. Privacy and security policies must be documented, maintained and updated as appropriate.
1.1. The PHCP shall create policies and procedures to specify the groups and positions that need to access health information to perform their job responsibilities, as well as the type of health information to which they need access.
1.2. Participating Health Care Providers shall provide an orientation regarding privacy and security policies for all employees in the health facility with great emphasis to the information security personnel.
1.3. Participating Health Care Providers shall clearly define access rights and user roles of staff to ensure that only appropriate people have access to the minimum necessary health information.
1.4. The Chief of Health Facility shall issue a memorandum containing the list of names and information stated in the preceding statement and a copy shall be furnished to the DOH central office.
1.5. A regular privacy and security audit shall be done by participating health care providers.
2. Contract with Third Party.Contract or agreements between health care providers and a third party shall include:
a.) Policies for document storage and disposal;
b.) Data management process including methods for tracking and controlling records- such as dates and time stamps- as well as the type of data sent and received, and the individuals who have access to records;
c.) Description of the privacy and security programs of the third party;
d.) Description of output reporting-either electronically or in hard copy- so data can be viewed, monitored and reconciled;
e.) Periodic staff training in secure records handling and providing, and appropriate document management tools;
f.) Staff responsibilities for ensuring compliance and allocation of sufficient job time to the task; and
g.) Communication requirements regarding control deficiencies identified through internal or external sources.
3. Authorization and Document Retention. For identification and authorization purposes, the authorizing entity shall provide any of the following for identification:
a.) Biometrics
b.) Specimen signature
c.) E-signature
The document retention policy issued by the National Archives of the Philippines shall be followed. For archiving purposes, the PHCP can either have an internal archiving system or outsource an archiving specialist.
4. The Information Technology Personnel. Authorized personnel responsible for supporting the implementation of security guidelines must adhere to the policy on confidentiality of medical records. They shall be the one to perform system related functions such as, but not limited to, troubleshooting.
5. The Medical Records Officer. The Medical Records Officer with the Privacy Officer has the authority to audit the patient's shared health record.
References: