
General Guidelines and Penalty Clause

General Guidelines

  1. Revised disposal schedule for records, DOH no. 70 series 1986
  2. Backing up of electronic records, digital storage, archives
  3. Private hospitals - Interim guidelines on disposal of health/medical records affected by Typhoon Ondoy issued on Nov 14, 2009
  4. Retention of medical records for both government and private health care facilities
  5. Develop a monitoring and evaluation mechanism.
  6. Each facility should have its respective policy regarding role-based access control.
  7. Provision of data like patient records shall be consistent with the guidelines of the hospital health information management manual issued by the DOH.
  8. There should be an algorithm to standardize the process depending on the classification of health facilities.
  9. Involve the National Archives of the Philippines in the drafting of policy guidelines on the filing, storage and disposal of electronic medical records.
  10. Consistent and transparent deployment of HIE Policy, eliminating differing interpretations in the field.
  11. Management of patients' complaints and their corresponding sanctions as prescribed by the civil service code shall be implemented.
  12. Capacity building in the security aspect of PHIE shall be implemented among health facilities.
  13. Include chief privacy officer as a requirement in the licensing of hospitals.
  14. Ascertain the authority of persons entering or encoding the data, ensure that no unauthorized editing of data happens, and document the entire process of editing data (request for editing, reason for editing, who did the editing, the process followed in editing, closing the process of editing).
  15. Protocol for disaster response should be made.
  16. Government-related policies:
    * Include compliance with required PHIE security measures as an item in the checklist for PhilHealth Accreditation of the hospital or renewal of license to operate.
    * Perform random visits and monitoring of DOH on the implementation of the PHIE program for check and balance purposes.
    * Identify the diagnosis that needs to be reported and specify exclusions.
  17. Patient-related policies:
    * There should be a waiver of liability from the patient in the event of hacking.
    * There should be participation in reporting policy violations (e.g., a hotline).
    * Provide information, education and communication (IEC) materials on data privacy and security to the patient.

Penalty Clause

1. Contracts, consultants should be considered, performance matrix
2. Internal processes: incident reporting, investigation process
3. Unauthorized processing, authorized processing PhilHealth, improper disposal, unauthorized access Reportorial, data subject transparency, negligence
4. Freedom of information vs. data privacy and data protection.
5. There should be an escalation process regarding incidents of breach of information/data.
5a. Recommended definition: Information breach is the unauthorized disclosure of information.
5b. Information breach can be in the context of patient and institution.
5c. Sample breach can include:

  • Capturing and posting of an image of a person even if the person is not identified (e.g., a part of the body).
  • Capturing and posting of an image of equipment, specimen, etc.

6. Real-time reporting of the name of the authorized users who violated the privacy law.
7. Internal policies on disciplinary action, escalation of issues and concerns, among others shall be crafted by the health facility.
8. Define the term incident for the purpose of incident reporting.

