Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
compliance_incident_reporting_response [2016/03/14 18:17] jillian_nadette_de_leon |
compliance_incident_reporting_response [2016/07/06 15:05] jillian_nadette_de_leon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ##Compliance | ##Compliance | ||
| + | |||
| + | **Enforcement of the Privacy Code.** Health care facilities involved in the PHIE shall: \\ | ||
| + | a.) Register their data processing systems involved in the PHIE process to the health privacy board, including the data processing systems of contractors, employees and third parties entering into contracts with them that involve accessing or requiring sensitive personal health information from one thousand (1,000) or more individuals;\\ | ||
| + | b.) Notify the board of automatic processing operations being carried out by the health facility, its contractors and third parties;\\ | ||
| + | c.) Submit a copy of their privacy policy as well as a list of personnel having direct access to health information to the health privacy board;\\ | ||
| + | d.) Submit an annual report on documented security incidents to the health privacy board;\\ | ||
| + | e.) Comply with other requirements that may be provided in other issuance issued by the National Privacy Commission or the Health Privacy Board.\\ | ||
| ---- | ---- | ||
| ## Incidents | ## Incidents | ||
| + | * Processes and procedures established by DOST-ICTO for detecting and reporting the occurrence of information security events (by human or automatic means) shall be implemented and observed accordingly.\\ | ||
| + | * All reported incidents must be identified to initiate immediate response actions to deal with the information security incident.\\ | ||
| + | * All information security incident report must be updated and collected into the information security event/incident database by information security incident response team member and must notify the team leader/manager and others as necessary.\\ | ||
| + | * All information security incidents that have been resolved or closed must be reviewed to: \\ | ||
| + | (a) conduct further analysis, as required; \\ | ||
| + | (b) Identify the lessons learned from information security incidents;\\ | ||
| + | (c) Identify improvements to information security and safeguard the implementation;\\ | ||
| + | (d) Identify the improvements to the information security response management plan as a whole to determine the effectiveness of the processes, procedures, reporting forms and/or the organizational structure.\\ | ||
| + | ##References: | ||
| + | * C.Evans., D. Laggui., A. Salvador., (2013). //Information Security Incident Response Manual// DOST-ICTO. | ||
| -------------------- | -------------------- | ||
| - | Draft Rules of Procedure in the Investigation of Complaints filed before the National Health Privacy Board | + | Draft Rules of Procedure in the Investigation of Complaints filed before the Health Privacy Board |
| A. General Principles | A. General Principles | ||
| - | The National Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. | + | The Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. Parties who voluntarily submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint, and in reaching an amicable settlement. To ensure compliance with the Resolution of the Board, both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. |
| The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. | The National Health privacy Board does not have subpoena powers or powers of contempt. It relies on the documents and evidence voluntarily submitted by the parties. | ||
| Line 82: | Line 99: | ||
| **Notification in the Case of Breach**\\ | **Notification in the Case of Breach**\\ | ||
| - | 1. Each individual whose protected health information has been, or is reasonably believed by the health care provider to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\ | + | 1. Each individual whose protected health information has been, or is reasonably believed by the health care provider or health facility to have been accessed, acquired or disclosed as a result of breach shall be notified within 60 calendar days upon discovery.\\ |
| 2. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\ | 2. Health care providers shall have the burden of proof demonstrating that all notifications were made. \\ | ||
| - | 3. Notice shall be provided by the Health Care Provider to the National Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\ | + | 3. Notice shall be provided by the Health Care Provider to the Health Privacy Board and elevated to the National Privacy Commission when necessary. If the breach affects 500 or more individuals, notification must be provided immediately.\\ |
| **Forms of Notification**\\ | **Forms of Notification**\\ | ||
| Line 93: | Line 110: | ||
| **Content of Notification**\\ | **Content of Notification**\\ | ||
| 1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\ | 1. A brief description of what happened, including the date of breach and the date of discovery of the breach, if known. \\ | ||
| - | 2. A description of the types of unsecured health information that were involved in the breach (such as full name, social security number, date of birth, home address, account number). \\ | + | 2. A description of the types of unsecured health information that were compromised in the breach (such as full name, social security number, date of birth, home address, account number). \\ |
| - | 3. The steps individuals should take to protect themselves from potential harm resulting from the breach.\\ | + | 3. Situations where individuals are at risk due to the breach and the steps that they should take to protect themselves from potential harm resulting from the breach.\\ |
| 4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\ | 4. A brief description of what the Health Care Provider involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.\\ | ||
| 5. Contact procedures for individuals to ask questions or learn additional information, which shall include a telephone number, an e-mail address, website, or postal address.\\ | 5. Contact procedures for individuals to ask questions or learn additional information, which shall include a telephone number, an e-mail address, website, or postal address.\\ | ||
| + | 6. Contact information of the National Privacy Commission. Email: [email protected] \\ | ||
| + | 7. Contact information of the National Bureau of Investigation (NBI) Office of Cybercrime, the Philippine National Police Anti-Cybercrime Group (ACG).\\ | ||
| + | |||
| + | **Delay of Notification**\\ | ||
| + | * If the board/NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed.\\ | ||
| Reference: Health Information Technology for Economic and Clinical Health Act. (2009). Retrieved from https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf | Reference: Health Information Technology for Economic and Clinical Health Act. (2009). Retrieved from https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf | ||
| Line 108: | Line 130: | ||
| ##See Also | ##See Also | ||
| * {{::complaint_process.docx|Notes on Complaint Process}} | * {{::complaint_process.docx|Notes on Complaint Process}} | ||
| - | * [[consolidated_workshop_outputs|Consolidated Workshop Outputs]] | + | * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]] |
| + | |||
| + | |||