General Guidelines and Penalty Clause

• Since there are different classifications of health facilities, an algorithm should be made to standardize the process.
  
• The HIE policy should be consistent and transparent during deployment.
  
• DOH shall develop a monitoring and evaluation mechanism and perform random visits and monitoring on the implementation of the PHIE program for check and balance purposes.
  
• Each health facility shall have its respective policy on role-based access control.
  
• Provisions of data like patient records shall be consistent with the guidelines of the hospital health information management manual issued by the DOH.
  
• The health facility shall implement capacity building activities in the security aspect of PHIE.
  
• Appointment of a Chief Privacy Officer shall be a requirement in the licensing of hospitals.
  
• Compliance to required PHIE security measures shall be included as an item in the checklist for PhilHealth Accreditation or renewal of license to operate.
  
• Information, education and communication materials on data privacy and security shall be provided to the patient.
  
• A reporting policy on violations shall be made.
  

OTHER REFERENCES

• Revised disposal schedule of disposing records DOH no. 70 series 1986.
  
• Private hospitals-interim guidelines on disposal on Health/Medical records affected by Typhoon Ondoy issued on Nov. 19, 2009.
  

OTHERS

• Involve the National Archives of the Philippines in the drafting of policy guidelines on filing, storage, and disposal of electronic medical records.
  
• Management of patient's complaints and its corresponding sanctions as prescribed by the civil service code shall be implemented.
  
• A protocol for disaster response shall be developed.
  
• Diagnoses that need to be reported and the exclusions shall be identified.
  

• Information breach is the unauthorized disclosure of information and can be in the context of the patient and/or the institutions. An escalation process on incidents of breach of information shall be developed.
  
• There shall be real-time reporting of the name of the authorized user/s who violated the privacy law.
  
• The health facility shall create internal policies on disciplinary action, escalation of issues and concerns, among others.
  
• Violations shall include unauthorized processing, improper disposal, unauthorized access, negligence.
  

OTHERS

• Define the term incident for incident reporting.
  

• Consolidated Workshop Outputs