General Guidelines and Penalty Clause

General Guidelines

  • Since there are different classifications of health facilities, an algorithm should be made to standardize the process.
  • The HIE policy should be consistent and transparent during deployment.
  • DOH shall develop a monitoring and evaluation mechanism and perform random visits and monitoring on the implementation of the PHIE program for check and balance purposes.
  • Each health facility shall have its respective policy on role-based access control.
  • Provision of data such as patient records shall be consistent with the guidelines of the hospital health information management manual issued by the DOH.
  • The health facility shall implement capacity building activities in the security aspect of PHIE.
  • Appointment of a Chief Privacy Officer shall be a requirement in the licensing of hospitals.
  • Compliance with required PHIE security measures shall be included as an item in the checklist for PhilHealth Accreditation or renewal of license to operate.
  • Information, education and communication materials on data privacy and security shall be provided to the patient.
  • A reporting policy on violations shall be made.


  • Revised disposal schedule of disposing records DOH no. 70 series 1986.
  • Private hospitals: interim guidelines on disposal of health/medical records affected by Typhoon Ondoy, issued on Nov. 19, 2009.


  • Involve the National Archives of the Philippines in the drafting of policy guidelines on filing, storage, and disposal of electronic medical records.
  • Management of patients' complaints and the corresponding sanctions, as prescribed by the civil service code, shall be implemented.
  • A protocol for disaster response shall be developed.
  • Diagnoses that need to be reported and the exclusions shall be identified.


  • An information breach is the unauthorized disclosure of information and can be in the context of the patient and/or the institutions. An escalation process on incidents of breach of information shall be developed.
  • There shall be real-time reporting of the name of the authorized user/s who violated the privacy law.
  • The health facility shall create internal policies on disciplinary action, escalation of issues and concerns, among others.
  • Violations shall include unauthorized processing, improper disposal, unauthorized access, and negligence.


  • Define the term incident for incident reporting.
