
ADMINISTRATIVE SECURITY

POLICIES AND PROCEDURES

  • Hospitals and health facilities shall formulate a written health information security policy that covers at least the following areas:

1. How data transfer will occur.
2. The process for releasing information.
3. Sanctions for information security violations.
4. Privacy and security provisions in all employment contracts.

  • Health facilities shall prepare information security manuals and training guidelines for capacity building. They shall also maintain a quality management system covering the processes, workflows and related controls for implementing the PHIE.
  • Contracts of third-party providers and job-order personnel shall include a privacy clause, an information security clause and an explicit statement of data ownership.
  • A character/background check shall be done before hiring or assigning any employee who will have direct access to health information. On assignment, the employee shall sign a non-disclosure agreement. Non-allied health staff shall also sign a non-disclosure agreement upon employment.
  • All employees of the health facility shall receive an orientation on privacy and security policies, with particular emphasis on information security personnel.
  • For identification and authorization purposes, the authorizing entity shall provide any of the following as proof of identity:

a. Biometrics
b. Specimen signature
c. E-signature

  • The document retention policy issued by the National Archives of the Philippines shall be followed. For archiving, the health facility may either operate an internal archiving system or outsource to an archiving specialist.
  • Regular privacy and security audits shall be conducted.
  • Government hospitals and LGUs shall include a budget allocation for data security.

ACCOUNTABILITY

  • A health information security committee shall be organized rather than relying on a single security officer. The committee shall include the medical records officer, medical director, nurse, division heads of front-line units, finance officer and legal officer. Its main role is to ensure that health information is kept secure. Membership and roles of the committee may vary for other types of health facility. Hospitals, LGUs and MHCOs/MCOs shall each create their own health information security committee.
  • Roles and responsibilities of the health information security committee shall include:

a. Policy making on health information security.
b. Procedures on disclosure of health information.
c. Management of incident reports including attempts on the disclosure of health information.
d. Validation of the security officer's rules.
e. Enforcement of sanctions on violations.
  • The health facility shall have its own security department, which shall also cover the management of security guards. The head of the security department shall be part of the quality committee and shall have access to records for tracing purposes.

  • Roles of the IT personnel:

a. IT personnel shall be the custodians of security videos and shall adhere to the policy on confidentiality of medical records.
b. They shall perform system-related functions (e.g. troubleshooting).

  • Roles of the Medical Records Officer:

a. The MRO shall have access to patient data and has the authority to audit patient records periodically to verify their integrity.

  • The Chief Privacy Officer shall be the head of the facility or a person designated by the head.
  • A Privacy Officer, a PHIE Compliance Officer and a Management Information Systems Officer shall be assigned. Their duties and responsibilities shall include the following:

a. Formulate a workflow for accessing health information, for standard implementation.
b. Monitor, account for and register devices used in the facility.
c. Perform system or data quality checks, ensure compliance with the reporting form, and safeguard back-up data.
d. Delegate data collection to staff while ensuring that the data collected are correct. Sole responsibility for encoding rests with the appointed individual or unit.
e. The Privacy Officer shall regularly audit the quality and integrity of patient records.

  • The following qualifications must be met to become a Privacy Officer, PHIE Compliance Officer or Management Information Systems Officer:

a. A graduate of a Master of Science in Health Informatics.
b. An IT, medical or clinical background.
c. Training certifications on the security aspects of the PHIE. The DOH and PhilHealth shall set the minimum standards, based on the body of knowledge for data security, which shall be the basis for hiring a Privacy Officer, PHIE Compliance Officer or Management Information Systems Officer.

See Also