
Introduction

WHO defines eHealth as the use of information and communication technologies for health. It supports the delivery of health care services and management of health systems to become more efficient and effective. eHealth is described also as a means to ensure that the right health information is provided to the right person at the right place and time in a secure, electronic form to optimize the quality and efficiency of health care delivery, research, education and knowledge.

To implement national eHealth in the country for greater efficiency in health care, workforce productivity and optimization of resources, the DOH and DOST signed a joint governance on eHealth. The Medium-Term Information and Communication Technology Initiative (MITHI) was established through DBM-NEDA-DOST Joint Memorandum Circular 2012-01. It is an e-Government and ICT support initiative that aims to harmonize and ensure interoperability among ICT-related resources, programs, and projects across the government. It contains three priority clusters: the MITHI Higher Education Cluster; the MITHI Justice, Peace and Order Cluster; and the MITHI Health Cluster, which is also known as eHealth.

The MITHI Health Cluster established the National eHealth Governance through the Joint DOH-DOST Department Memorandum 2013-0200. The National eHealth Governance Steering Committee spearheads and provides direction and guidance in the establishment of a harmonized National eHealth Program, while the National eHealth Governance Technical Working Group provides technical and administrative support to the Steering Committee. Various eHealth expert groups with different roles and responsibilities were created based on the seven (7) eHealth components to provide support and expertise to the eHealth Steering Committee and Technical Working Group; the eHealth Project Management Office serves as the technical and administrative secretariat of the National eHealth Program.

The eHealth TWG convenes twice a month, and any agendum or issue that needs to be resolved is discussed accordingly. If the eHealth TWG reaches consensus, the decision is implemented and the eHealth Steering Committee is informed of it. However, if the eHealth TWG does not reach consensus, the issue shall be elevated to the eHealth Steering Committee for resolution.

The Philippine eHealth Strategic Framework and Plan is the result of comprehending what the Philippines needs to achieve in order to address its health goals and challenges. The National eHealth Program envisions that “By 2020 eHealth will enable widespread access to health care services, health information, and securely share and exchange patients' information in support to a safer, quality health care, more equitable and responsive health system for all the Filipino people by transforming the way information is used to plan, manage, deliver and monitor health services”.

As a stepping stone in achieving the National eHealth Vision, the program implementers started the Philippine Health Information Exchange (PHIE). PHIE is the major project of the National eHealth Program and aims to harmonize data sharing and avoid repetitive or double processes in data collection. This will serve as an infrastructure for data sharing and exchange between health care providers and facilities, and support access to the patient's record across providers in many geographic areas of the country. With this, there will be a single unified view of the patient's data/record across and between various health facilities.

The PHIE Architecture allows different systems in different health facilities to gain access to different registries through the health interoperability layer. However, PHIE remains bound by various data guidelines that protect the privacy and confidentiality rights of the patient. With the use of PHIE, health facilities will find it easier and less time-consuming to submit statistics/reports for the National Health Data Reporting. Furthermore, through PHIE there will be a health data standards terminology registry that serves as a common language for all systems.

About this Document

These Rules shall be known and cited as the Implementing Rules and Regulations of Joint Administrative Order No. 2016-0002, otherwise known as “Privacy Guidelines for the Implementation of the Philippine Health Information Exchange”. These Rules are hereby promulgated to prescribe the procedures and guidelines for the implementation of the Privacy Guidelines for the Implementation of the Philippine Health Information Exchange in order to provide greater conceptual and operational clarity, establish standards in safeguarding the privacy of individually identifiable health information, and facilitate rigorous compliance with the requirements for the use and disclosure of protected health information.

Definitions

  • Access- Refers to the instruction, communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.
  • Alteration- Refers to the modification or change, in form or substance, of an existing computer data or program.
  • Authentication- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.
  • Authorization- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.

  • Breach- The unauthorized or impermissible acquisition, access, use, or disclosure of information and can be in the context of the patient and/or institutions.

  • Computing and Related equipment- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.
  • Confidentiality- A duty to maintain privacy of information and its protection against unauthorized disclosure.
  • Consent- Any freely given, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.
  • De-identification- Removal of identifiers to protect against inappropriate disclosure of personal information.
  • Electronic Medical Record- A medical or health record which is received, recorded, transmitted, stored, processed, retrieved or produced electronically through computers or other electronic devices.
  • Emergency- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).
  • Health Care Provider- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional, who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.
  • Health Data Warehouse- A repository of the country's de-identified health information within the framework of the Philippine Health Information Exchange.
  • Health Information- Refers to personal and sensitive information that relates to an individual's past, present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual's total well-being. For purposes of A.O. 2016-0002, health information refers to personal health information which is individually identifiable health information or de-identified health information.
  • ICT systems- Hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment.
  • Individually Identifiable- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.
  • Infrastructure- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.
  • Information System- Application, service, information technology asset, or any other information handling component.
  • Inpatient- A patient admitted in the hospital receiving healthcare services and who is provided room, board and continuous nursing services in a unit area of the healthcare facility.
  • Issuances- Refer to official write-up or documentation of statements, notices, announcements, and communications.
  • Interception- Refers to listening to, recording, monitoring or surveillance of the content of communications, including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.
  • Medical Privacy or Health Privacy- Right to the protection of the confidential nature of personal health information, which includes communications between health care provider and patient, and personal data and information about a patient's condition as contained in medical records.
  • Medical Record or Health Record- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient's life history including past and present illnesses and treatments entered by health professionals contributing to the patient's care.
  • Outpatient- A patient who receives healthcare services without being admitted for inpatient medical care or healthcare services and does not occupy a bed for any length of time; or a patient who consults and receives healthcare services in the healthcare facility without being admitted.
  • Participating Health Care Provider (PHCP)- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001 (Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.
  • Patient- A person availing of medical consultation, diagnostic examinations, treatment or health care services from a health care provider.
  • Personal Information- Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Personal Information Controller- Refers to a person or organization that controls the collection, holding, processing or use of personal information, including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

This term excludes:
    (a) A person or organization who performs such functions as instructed by another person or organization; and
    (b) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

  • Principle of Legitimate Purpose- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.
  • Principle of Proportionality- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.
  • Principle of Transparency- Principle that refers to processing of information conducted in a manner where an individual is given adequate and relevant knowledge about the nature, purpose, extent and intended use of processing of information, and provided with the right to consent, limit or object to the processing.
  • Privacy- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.
  • Processing- Refers to any operation performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
  • Public Health- Refers to all organized measures to prevent disease, promote health, and prolong life among the population as a whole. Its activities aim to provide conditions in which people can be healthy and focus on entire populations, not on individual patients or diseases.
  • Security- Refers to the organizational, technical and physical measures to ensure the safety and protection of the health information.
  • Sensitive Personal Information- Refers to personal information:
    (a) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    (b) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
    (c) Issued by government agencies peculiar to an individual which includes but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
    (d) Specifically established by an executive order or an act of Congress to be kept classified.

  • Sharing- The process that allows the PHCP to access the patient's health information from the system.
  • Social Media- Electronic communication, websites or applications through which users connect, interact, or share information or other content with other individuals, collectively part of an online community. This includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.
  • Third-party data processor- Third-party data processors refer to any person or entity other than:
  1. the data subject,
  2. the data controller, or
  3. any data processor or other person duly authorized to process data for the data controller or processor.


