Differences

This shows you the differences between two versions of the page.

--- compliance_incident_reporting_response [2016/03/13 01:36]
idp [Incidents]
+++ compliance_incident_reporting_response [2016/07/06 15:05]
jillian_nadette_de_leon
@@ Line 1: / Line 1: @@
 ##Compliance
+**Enforcement of the Privacy Code.** Health care facilities involved in the PHIE shall: \\
+a.) Register their data processing systems involved in the PHIE process to the health privacy board, including the data processing systems of contractors, employees and third parties entering into contracts with them that involve accessing or requiring sensitive personal health information from one thousand (1,000) or more individuals;\\
+b.) Notify the board of automatic processing operations being carried out by the health facility, its contractors and third parties;\\
+c.) Submit a copy of their privacy policy as well as a list of personnel having direct access to health information to the health privacy board;\\
+d.) Submit an annual report on documented security incidents to the health privacy board;\\
+e.) Comply with other requirements that may be provided in other issuance issued by the National Privacy Commission or the Health Privacy Board.\\
 ----
 ## Incidents
+  * Processes and procedures established by DOST-ICTO for detecting and reporting the occurrence of information security events (by human or automatic means) shall be implemented and observed accordingly.\\
+  * All reported incidents must be identified to initiate immediate response actions to deal with the information security incident.\\
+  * All information security incident report must be updated and collected into the information security event/incident database by information security incident response team member and must notify the team leader/manager and others as necessary.\\
+  * All information security incidents that have been resolved or closed must be reviewed to: \\
+(a) conduct further analysis, as required; \\
+(b) Identify the lessons learned from information security incidents;\\
+(c) Identify improvements to information security and safeguard the implementation;\\
+(d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.\\
+##References:
+  * C.Evans., D. Laggui., A. Salvador., (2013). //Information Security Incident Response Manual// DOST-ICTO.
 --------------------
-Draft Rules of Procedure in the Investigation of Complaints filed before the National Health Privacy Board
+Draft Rules of Procedure in the Investigation of Complaints filed before the Health Privacy Board
 A. General Principles
-The National Health Privacy Board does not have quasi-judicial powers or the power to impose penalties.  Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement.  To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board.
+The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties.  Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement.  To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board.
 The National Health privacy Board does not have subpoena powers or powers of contempt.   It relies on the documents and evidence voluntarily submitted by the parties.
@@ Line 79: / Line 96: @@
 -------------------
-  * procedure for complaints
+##In case of Breach
-  * procedure for addressing complaints
-  * privacy breach mitigation
-  * A description on how the event was handled and managed shall be included in an incident report. \\
-Complaint Process:\\
+**Notification in the Case of Breach**\\
-. Filing of complaint to the Privacy Officer/Privacy Board.\\
+. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\
-. Notification of the complaint is sent to the complainant and the affected party/parties involved.\\
+. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\
-. Presentation of information about the incident from both parties.\\
+. Notice shall be provided by the Health Care Provider to the Health Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\
-. Validation of information.\\
-. Decision making. If a violation is proven, the board will elevate the case to the NPC for investigation/decision/sanction. If no violation is proven, the case will be resolved. \\
+**Forms of Notification**\\
-. Written decision of the case shall be sent to the parties involved.\\
+Notification of privacy breach may be in the form of: \\
+  * Individual notice\\
+  * Media notice. Media notice shall only be applicable if the unsecured protected health information of more than 500 individuals is reasonably believed to have been accessed, acquired, or disclosed during the breach.\\
+**Content of Notification**\\
+. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\
+. A description of the types of unsecured health information that were compromised in the breach (such as full name, social security number, date of birth, home address, account number). \\
+. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.\\
+. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\
+. Contact procedures for individuals to ask questions or learn additional information, which shall include a telephone number, an e-mail address, website, or postal address.\\
+. Contact information of the National Privacy Commission. Email: [email protected] \\
+. Contact information of the National Bureau of Investigation (NBI) Office of Cybercrime, the Philippine National Police Anti-Cybercrime Group (ACG).\\
+**Delay of Notification**\\
+  * If the board/NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.\\
+Reference: Health Information Technology for Economic and Clinical Health Act. (2009). Retrieved from https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf
-References:\\
-* How OCR Enforces the HIPAA Privacy and Security Rules. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-OCR-enforces-the-HIPAA-privacy-and-security-rules/index.html \\
-* Professional Regulation Commission. Legal and Other Regulatory Services. Retrieved from http://prc.gov.ph/services/default.aspx?id=17
 \\
@@ Line 103: / Line 130: @@
 ##See Also
   * {{::complaint_process.docx|Notes on Complaint Process}}
-  * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]]
+  * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]]

compliance_incident_reporting_response.txt · Last modified: 2016/07/19 16:26 by jillian_nadette_de_leon

Privacy Wiki

Site Tools

User Tools

Differences

Site Tools

Page Tools

User Tools

Differences