Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
compliance_incident_reporting_response [2016/03/13 01:35] idp [Incidents] |
compliance_incident_reporting_response [2016/05/18 18:55] wikiadmin [See Also] |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| ---- | ---- | ||
| ## Incidents | ## Incidents | ||
| + | * Processes and procedures established by DOST-ICTO for detecting and reporting the occurrence of information security events (by human or automatic means) shall be implemented and observed accordingly.\\ | ||
| + | * All reported incidents must be identified to initiate immediate response actions to deal with the information security incident.\\ | ||
| + | * All information security incident report must be updated and collected into the information security event/incident database by information security incident response team member and must notify the team leader/manager and others as necessary.\\ | ||
| + | * All information security incidents that have been resolved or closed must be reviewed to: \\ | ||
| + | (a) conduct further analysis, as required; \\ | ||
| + | (b) Identify the lessons learned from information security incidents;\\ | ||
| + | (c) Identify improvements to information security and safeguard the implementation;\\ | ||
| + | (d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.\\ | ||
| + | ##References: | ||
| + | * C.Evans., D. Laggui., A. Salvador., (2013). //Information Security Incident Response Manual// DOST-ICTO. | ||
| -------------------- | -------------------- | ||
| - | Draft Rules of Procedure in the Investigation of Complaints filed before the National Health Privacy Board | + | Draft Rules of Procedure in the Investigation of Complaints filed before the Health Privacy Board |
| A. General Principles | A. General Principles | ||
| - | The National Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. | + | The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. |
| The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. | The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. | ||
| Line 49: | Line 59: | ||
| 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies. | 3. If the respondent appears before the Board, the respondent, or in case of juridical person by a duly authorized representative, shall be asked to sign an undertaking, under oath or embodied in an affidavit, to the effect that the respondent agrees to abide by the final resolution of the National Health Privacy Board, without prejudice to other legal remedies. | ||
| - | Sec. 9. Procedure if the Respondent appears. | + | Sec. 8. Procedure if the Respondent appears. |
| 1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the National health Data Privacy Board, with their witnesses, if any. | 1. The Board shall set a date to convene the parties involved in the complaint, sending notices to the parties, and requesting for them to appear before the National health Data Privacy Board, with their witnesses, if any. | ||
| Line 69: | Line 79: | ||
| 9. The minutes of the proceeding shall be filed and maintained. | 9. The minutes of the proceeding shall be filed and maintained. | ||
| - | Sec. 10. Procedure if the Respondent does not Appear. – If the Respondent does not appear before the Board, the Board shall resolve the complaint on the basis of the affidavits and documents submitted by the complainant. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary. | + | Sec. 9. Procedure if the Respondent does not Appear. – If the Respondent does not appear before the Board, the Board shall resolve the complaint on the basis of the affidavits and documents submitted by the complainant. Its resolution, with supporting documents shall be submitted to the proper licensing regulatory or accrediting body, or to the National Privacy Commission, for appropriate action, if necessary. |
| - | Sec. 11. Resolution. – The Board shall furnish the parties with copies of its resolution. | + | Sec. 10. Resolution. – The Board shall furnish the parties with copies of its resolution. |
| Reference: The rules of procedure in the PRC were used as guide. | Reference: The rules of procedure in the PRC were used as guide. | ||
| Line 79: | Line 89: | ||
| ------------------- | ------------------- | ||
| - | * procedure for complaints | + | ##In case of Breach |
| - | * procedure for addressing complaints | + | |
| - | * privacy breach mitigation | + | |
| - | * A description on how the event was handled and managed shall be included in an incident report. \\ | + | |
| - | Complaint Process:\\ | + | **Notification in the Case of Breach**\\ |
| - | 1. Filing of complaint to the Privacy Officer/Privacy Board.\\ | + | 1. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\ |
| - | 2. Notification of the complaint is sent to the complainant and the affected party/parties involved.\\ | + | 2. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\ |
| - | 3. Presentation of information about the incident from both parties.\\ | + | 3. Notice shall be provided by the Health Care Provider to the Health Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\ |
| - | 4. Validation of information.\\ | + | |
| - | 5. Decision making. If a violation is proven, the board will elevate the case to the NPC for investigation/decision/sanction. If no violation is proven, the case will be resolved. \\ | + | **Forms of Notification**\\ |
| - | 6. Written decision of the case shall be sent to the parties involved.\\ | + | Notification of privacy breach may be in the form of: \\ |
| + | * Individual notice\\ | ||
| + | * Media notice. Media notice shall only be applicable if the unsecured protected health information of more than 500 individuals is reasonably believed to have been accessed, acquired, or disclosed during the breach.\\ | ||
| + | |||
| + | **Content of Notification**\\ | ||
| + | 1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\ | ||
| + | 2. A description of the types of unsecured health information that were compromised in the breach (such as full name, social security number, date of birth, home address, account number). \\ | ||
| + | 3. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.\\ | ||
| + | 4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\ | ||
| + | 5. Contact procedures for individuals to ask questions or learn additional information, which shall include a telephone number, an e-mail address, website, or postal address.\\ | ||
| + | 6. Contact information of the National Privacy Commission. Email: [email protected] \\ | ||
| + | 7. Contact information of the National Bureau of Investigation (NBI) Office of Cybercrime, the Philippine National Police Anti-Cybercrime Group (ACG).\\ | ||
| + | |||
| + | **Delay of Notification**\\ | ||
| + | * If the board/NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.\\ | ||
| + | |||
| + | Reference: Health Information Technology for Economic and Clinical Health Act. (2009). Retrieved from https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf | ||
| - | References:\\ | ||
| - | * How OCR Enforces the HIPAA Privacy and Security Rules. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-OCR-enforces-the-HIPAA-privacy-and-security-rules/index.html \\ | ||
| - | * Professional Regulation Commission. Legal and Other Regulatory Services. Retrieved from http://prc.gov.ph/services/default.aspx?id=17 | ||
| \\ | \\ | ||
| Line 103: | Line 123: | ||
| ##See Also | ##See Also | ||
| * {{::complaint_process.docx|Notes on Complaint Process}} | * {{::complaint_process.docx|Notes on Complaint Process}} | ||
| - | * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]] | + | * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]] |
| + | |||
| + | |||