Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
introduction [2016/05/10 13:29]
jillian_nadette_de_leon
introduction [2016/07/25 15:27] (current)
jillian_nadette_de_leon
Line 1: Line 1:
 #​Introduction #​Introduction
  
-WHO defines eHealth as the use of information and communication technologies for health. It supports ​the delivery of health care services and management of health systems ​to become more efficient ​and effective. eHealth is described also as a means to ensure that the right health information is provided ​to the right person at the right place and time in a secureelectronic form to optimize ​the quality ​and efficiency of health care delivery, research, education and knowledge. \\+As a mandate ​of the Constitution to provide quality ​health care to the Filipino people while protecting ​and promoting ​the right to privacy, ​the Department of Health (DOH), in cooperation with the Department of Science ​and Technology (DOST)Philippine Health Insurance Corporation (PhilHealth),​ University of the Philippines-Manila (UPM), ​and Commission on Higher Education (CHED), established the National eHealth Program (NeHP) that envisions widespread information-technology (IT)-enabled ​health care services by 2020.\\
  
-To implement a National eHealth in the country for greater efficiency in health careworkforce productivity and optimized ​of resources, ​the DOH and DOST signed a joint governance on eHealth. The Medium-Term ​Information ​and Communication Technology Initiative ​(MITHIwas established through DBM-NEDA-DOST Joint Memorandum Circular 2012-01It is an e-Government ​and ICT support initiative that aims to harmonize and ensure interoperability among ICT-related resources, programs, ​ and projects across ​the government containing three priority clusters: MITHI Higher Education ​Cluster, ​MITHI Justice, Peace and Order Cluster, and MITHI Health Cluster which is also known as eHealth.\\+Guided by the Philippine eHealth Strategic Framework and Planone of the identified ​eHealth ​Project is the implementation of the Philippine Health ​Information ​Exchange ​(PHIE). The PHIE is the first major collaborative ​and convergence endeavor of the Health ​Cluster, and the initial step towards the realization of the National ​eHealth ​vision.\\
  
-The MITHI Health Cluster established the National eHealth Governance through the Joint DOH-DOST Department Memorandum 2013-0200. The National eHealth Governance Steering Committee spearheads ​and provides direction and guidance in the establishment of a harmonized National eHealth Programwhile the National eHealth Governance Technical Working Group provides technical and administrative support ​to the Steering CommitteeVarious eHealth expert groups with different ​roles and responsibilities were created based on the seven (7) eHealth components ​to provide support and expertise to the eHealth Steering Committee and Technical Working Group; the eHealth Project Management Office serves as the technical and administrative secretariat ​of the National eHealth Program.\\ +The PHIE will enable electronic transmission of healthcare-related data among facilities, health care providers, health information organizations ​and government agenciesaccording ​to national standardsIt will allow different ​applications ​to exchange data with each other without loss of semantics ​and will enable health ​facilities particularly rural health unit, health ​centers, hospitalsDOH and PhilHealth to communicate with each other effectively ​and to collaborate with the health care providers ​in the care of the patientsThe development ​and implementation ​of the PHIE will enable ​a patient'​s ​medical or health ​information ​to follow ​the patient wherever ​health ​care services are providedHealth care providers will be able to securely share or exchange ​patient's medical or health ​information to improve health care delivery ​and decision making.\\
- +
-The eHealth TWG convenes twice a month and if there is an agendum/​issue that needs to be resolved it will be discussed accordingly. If the eHealth TWG will have consensus, it will then be implemented consequently the eHealth Steering Committee will be informed of the said decision. However, if the eHealth TWF does not gain consensus, the issue shall be elevated to the eHealth Steering Committee for resolution.\\ +
- +
-The Philippine eHealth Strategic Framework and Plan is the result of comprehending what the Philippines needs to achieve in order to address its heath goals and challenges. The National eHealth Program envisions that "By 2020 eHealth ​will enable ​widespread access to health ​care services, health ​informaiton, and securely share and exchange patients'​ information in support ​to a safer, quality ​health care, more equitable and responsive health system for all the Filipino people by transforming the way information is used to plan, manage, deliver and monitor health services"​. \\ +
- +
-As a stepping stone in achieving ​the National eHealth Vision, the program implementers started the Philippine Health Information Exchange (PHIE). PHIE is the major project ​of the National eHealth Program and aims to harmonize data sharing and avoid repetitive or double processes in data collectionThis will serve as an infrastructure for data sharing ​and exchange between health care providers and facilities, and support access to the patient'​s record across providers in many geographic areas of the country. With this, there will be single unified view of the patient'​s ​data/record across and between various ​health ​facilities. \\ +
- +
-The PHIE Architecture allows different systems in different health facilities ​to gain access from different registries through ​the health ​interoperability layerHowever, PHIE is still compelled ​to different data guidelines to protect the privacy and confidentiality rights of the patient. With the use of PHIE, health ​facilities will now have easier ​and require less time in giving statistics/​reports for the National Health Data Reporting. Furthermore,​ through PHIE there will be a health data standards terminology registry that serves as a common language for all systems.\\+
  
 ##About this Document ##About this Document
- These Rules shall be known and cited as the Implementing Rules and Regulations ​of Joint Administrative Order No. 2016-0002otherwise known as "​Privacy Guidelines for the Implementation of the Philippine Health Information Exchange"​. ​These Rules are hereby promulgated to prescribe the procedures and guidelines ​for the implementation of the Privacy Guidelines for the Implementation of the Philippine Information Exchange in order to provide greater conceptual and operational clarity, establish standards in safeguarding ​the privacy of individually identifiable health information,​ and facilitate rigorous compliance with the requirements for the use and disclosure of protected ​health information.\\+ This shall be known and cited as the **Health Privacy Code** ​of the Joint Administrative Order No. 2016-0002 otherwise known as "​Privacy Guidelines for the Implementation of the Philippine Health Information Exchange"​. ​The **Health Privacy Code** is hereby promulgated to prescribe the procedures and guidelines to ensure that the privacy of the patient is well protected.\\
  
 ##​Definitions ##​Definitions
   * //Access//- Refers to the instruction,​ communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.\\   * //Access//- Refers to the instruction,​ communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.\\
 +  * //​Addressable//​- Flexible specifications allowing the health care facility or health care provider to do one of the following actions:\\
 +a.) Implement the addressable implementation specification;​\\
 +b.) Implement one or more alternative security measures to accomplish the same purpose;\\
 +c.) Not implement either an addressable implementation specification or an alternative.\\
   *// Alteration//​- Refers to the modification or change, in form or substance, of an existing computer data or program.\\   *// Alteration//​- Refers to the modification or change, in form or substance, of an existing computer data or program.\\
   * //​Authentication//​- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.\\   * //​Authentication//​- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.\\
   * //​Authorization//​- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.\\   * //​Authorization//​- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.\\
  *// Breach//- The unauthorized or impermissible acquisition,​ access, use, or disclosure of information and can be in the context of the patient and/or institutions.\\  *// Breach//- The unauthorized or impermissible acquisition,​ access, use, or disclosure of information and can be in the context of the patient and/or institutions.\\
 +  * //Cache//- a special high-speed storage mechanism which can either be a reserved section of main memory or an independent high-speed storage device.\\
 +  * //​Caching//​- the process of storing data in a cache.\\
   * //Computing and Related equipment//​- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.\\   * //Computing and Related equipment//​- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.\\
   * //​Confidentiality//​- A duty to maintain privacy of information and its protection against unauthorized disclosure.\\   * //​Confidentiality//​- A duty to maintain privacy of information and its protection against unauthorized disclosure.\\
-  * //​Consent//​- Any freelygiven, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.\\+  * //​Consent//​- Any freely-given, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.\\ 
 +  * //Data Processor//​- in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.\\ 
 +  * //​Decryption//​- the process of transforming data that has been rendered unreadable through encryption back to its unencrypted form.\\
   * //​De-identification//​- Removal of identifiers to protect against inappropriate disclosure of personal information.\\   * //​De-identification//​- Removal of identifiers to protect against inappropriate disclosure of personal information.\\
-  * //​Electronic Medical Record//- A medical or health record which is which received, recorded, transmitted,​ stored, processed, retrieved or produced electronically through computers or other electronic device.\\+  ​* //Digital Signature//​- a specific type of electronic signature based on public-key cryptography,​ used within a framework known as public-key infrastructure.\\ 
 +  * //​Discharge//​- The release of a patient from a provider'​s care, usually referring to the date at which a patient checks out of a health facility or hospital.\\ 
 +  ​* //​Electronic Medical Record//- A medical or health record which is received, recorded, transmitted,​ stored, processed, retrieved or produced electronically through computers or other electronic device.\\ 
 +  * //​Electronic Signature//​- refers to any representation in electronic form that can be used to express intent, including a printed name at the bottom of an e-mail, a digitized copy of a handwritten signature, a biometric mark, a sound, or digital structure.\\
   * //​Emergency//​- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).\\ ​   * //​Emergency//​- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).\\ ​
 +  * //​Encryption//​- The use of an algorithmic process to transform data into a form which there is low probability of assigning meaning without use of a confidential process or key.\\
 +  * //Health Care Clearinghouse//​- a public or private entity, including a billing service, repricing company, community heath management information system or community health information system, and "​value-added"​ networks and switches that does either of the following functions:​\\
 +(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction.\\
 +(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.\\
   * //Health Care Provider//- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional,​ who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.\\   * //Health Care Provider//- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional,​ who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.\\
   * //Health Data Warehouse//​- A repository of the country'​s de-identified health information within the framework of the Philippine Health Information Exchange.\\   * //Health Data Warehouse//​- A repository of the country'​s de-identified health information within the framework of the Philippine Health Information Exchange.\\
-  * //Health Information//​- Refers to personal and sensitive information that relates to an individual'​s past , present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual'​s total well-being. For purpose of A.O. 2016-0002, health information ​refer to personal health information which is individually identifiable health information or de-identified health information.\\ +  * //Health Information//​- Refers to personal and sensitive information that relates to an individual'​s past , present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual'​s total well-being. For purpose of A.O. 2016-0002, health information ​refers ​to personal health information which is individually identifiable health information or de-identified health information.\\ 
-  * //ICT systems//- hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment \\+  * //Information and Communication Technology (ICTsystems//- hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment\\
   * //​Individually Identifiable//​- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.\\   * //​Individually Identifiable//​- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.\\
   * //​Infrastructure//​- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.\\   * //​Infrastructure//​- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.\\
Line 40: Line 47:
   * //​Issuances//​- Refer to official write-up or documentation of statements, notices, announcements,​ and communications.\\   * //​Issuances//​- Refer to official write-up or documentation of statements, notices, announcements,​ and communications.\\
   * //​Interception//​- Refers to listening to, recording, monitoring or surveillance of the content of communications,​ including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.\\   * //​Interception//​- Refers to listening to, recording, monitoring or surveillance of the content of communications,​ including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.\\
-  * //Medical Privacy or Health Privacy//- Right to the protection of the confidential nature of personal health information,​ which includes communications between health care provider and patient, and personal data and information about a patient'​s ​conditional ​as contained in medical records.\\+  ​* //​Interpersonal Violence//- Violence that occurs between family members, intimate partners, friends, acquaintances and strangers, and includes child maltreatment,​ youth violence, sexual violence and elder abuse.\\ 
 +  ​* //Medical Privacy or Health Privacy//- Right to the protection of the confidential nature of personal health information,​ which includes communications between health care provider and patient, and personal data and information about a patient'​s ​condition ​as contained in medical records.\\
   * //Medical Record or Health Record//- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient'​s life history including past and present illnesses and treatments entered by health professional contributing to the patient'​s care.\\   * //Medical Record or Health Record//- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient'​s life history including past and present illnesses and treatments entered by health professional contributing to the patient'​s care.\\
-  * //​Outpatient//​- A patient who receives ​healthcare ​services without being admitted for inpatient medical care or healthcare ​services and does not occupy a bed for any length of time; or a patient who consults and receives ​healthcare ​services in the healthcare ​facility without being admitted. ​+  * //​Outpatient//​- A patient who receives ​health care services without being admitted for inpatient medical care or health care services and does not occupy a bed for any length of time; or a patient who consults and receives ​health care services in the health care facility without being admitted. ​
   *// Participating Health Care Provider (PHCP)//- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001(Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.\\   *// Participating Health Care Provider (PHCP)//- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001(Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.\\
   *//​Patient//​- A person availing of medical consultation,​ diagnostic examinations,​ treatment or health care services from a health care provider.\\   *//​Patient//​- A person availing of medical consultation,​ diagnostic examinations,​ treatment or health care services from a health care provider.\\
-  *//Personal Information//​- ​Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information,​ or when put together with other information would directly and certainly identify an individual.\\ +  ​* //Patient Registry// - refers to the organisation and processes supporting a //patient register//​--a set of patient records systematized around a particular disease, condition or exposure, and serving "one or more predetermined scientific, clinical or policy purposes"​ (AHRQ, 2007) 
-  *//Personal Information Controller//​- ​Refers to a person or organization that controls the collection, holding, processing or use of personal information,​ including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.\\ ​+  ​*//Personal Information//​- ​Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information,​ or when put together with other information would directly and certainly identify an individual.\\ 
 +  *//Personal Information Controller//​- ​person or organization that controls the collection, holding, processing or use of personal information,​ including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.\\ ​
 This term excludes:\\ This term excludes:\\
 (a) A person or organization who performs such functions as instructed by another person or organization;​ and (a) A person or organization who performs such functions as instructed by another person or organization;​ and
 (b) An individual who collects, holds, processes or uses personal information in connection with the individual'​s personal, family or household affairs.\\ (b) An individual who collects, holds, processes or uses personal information in connection with the individual'​s personal, family or household affairs.\\
-  * //Principle of Legitimate Purpose//- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.\\ 
-  * //Principle of Proportionality//​- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.\\ 
-  * //Principle of Transparency//​- Principle that refers to processing of information conducted in a manner where an individual is given adequate and relevant knowledge about the nature, purpose, extent and intended use of processing of information,​ and provided with the right to consent, limit or object to the processing.\\ 
   * //​Privacy//​- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.\\   * //​Privacy//​- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.\\
-  * //​Processing//​- ​Refers to any operation performed upon personal information including, but not limited to, the collection, recording, organization,​ storage, updating or modification,​ retrieval, consultation,​ use, consolidation,​ blocking, erasure or destruction of data.\\ +  ​* //Privilege Communication//​- Conversation or working relationship which takes place between two parties within the context of a protective relationship such as between healthcare provider and a patient.  
-  * //Public Health//​- ​Refers to all organized measures to prevent disease, promote health, and prolong life among the population as a wholeIts activities aim to provide conditions in which people can be healthy and focus on entire populations,​ not on individual patients or diseases.\\ +  ​* //​Processing//​- ​Any operation performed upon personal information including, but not limited to, the collection, recording, organization,​ storage, updating or modification,​ retrieval, consultation,​ use, consolidation,​ blocking, erasure or destruction of data.\\ 
-  * //​Security//​- ​Refers to the organizational,​ technical and physical measures to ensure the safety and protection of the health information.\\ +  * //​Publication//​- The act or process of producing a book, magazine, etc., and making it available to the public. (Merriam-Webster,​ 2016).\\ 
-  * //Sensitive Personal Information//​- ​Refers to personal ​information:​ \\+  * //Public Health//​- ​All organized measures to prevent disease, promote health, and prolong life among the population as a wholeIts activities aim to provide conditions in which people can be healthy and focus on entire populations,​ not on individual patients or diseases.\\ 
 +  * //Public Health Emergency//​- an occurrence or imminent threat of an illness or health condition, caused by bio terrorism, epidemic or pandemic disease, or a novel and highly fatal infectious agent or biological toxin, that poses a substantial risk of a significant number of human facilities or incidents or permanent or long-term disability.\\ 
 +  * //​Security//​- ​The organizational,​ technical and physical measures to ensure the safety and protection of the health information.\\ 
 +  * //Sensitive Personal Information//​- ​Personal ​information:​ \\
 (a) About an individual'​s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;​ (a) About an individual'​s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;​
 (b) About an individual'​s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings,​ or the sentence of any court in such proceedings; ​ (b) About an individual'​s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings,​ or the sentence of any court in such proceedings; ​
Line 63: Line 72:
 (d) Specifically established by an executive order or an act of Congress to be kept classified.\\ (d) Specifically established by an executive order or an act of Congress to be kept classified.\\
   * //​Sharing//​- The process that allows the PHCP to access the patient'​s health information from the system.\\   * //​Sharing//​- The process that allows the PHCP to access the patient'​s health information from the system.\\
-  * //Social Media//- Electronic communication,​ websites or applications through which users connect, interact, or share information or other content with other individuals,​ collectively part of an online community. ​this includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.\\ +  ​* //Shared Health Record//- An operational,​ real-time transactional data source that serves as a means of allowing different services to share health data stored in a centralized data repository. It contains a subset of normalized data for a patient from various systems such as Electronic Medical Record (EMR).\\ 
-  * //​Third-party ​data processor//. Third-party data processors refer to any person or entity ​other than  +  ​* //Social Media//- Electronic communication,​ websites or applications through which users connect, interact, or share information or other content with other individuals,​ collectively part of an online community. ​This includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.\\ 
-  - the data subject, +  * //​Third-party//​ - Any person, entity ​or institution ​other than the patient (data subject)health care provider or health facility (data controller/processor), or any other duly authorized data processor ​or person desiring to have access to patient'​s health information. (i.e. HMOs, Researchers,​ among others).
-  - the data controller, or +
-  - any data processor or other person ​duly authorized ​to process ​data for the data controller or processor.+
 \\ \\
 \\ \\
Line 73: Line 80:
 ##​References: ​ ##​References: ​
   * AO 2016-002- Privacy Guidelines for the Implementation of the Philippine Health Information Exchange   * AO 2016-002- Privacy Guidelines for the Implementation of the Philippine Health Information Exchange
 +  * Gliklich, RE. Dreyer, NA. eds. (2007) Registries for Evaluating Patient Outcomes: A User’s Guide. ​ AHRQ Publication No. 07- EHC001-1. Rockville, MD: Agency for Healthcare Research and Quality.
 +  * Data Protection Act of 1998
   * {{:​philippine_ehealth_strategic_framework_and_plan.pdf|}}   * {{:​philippine_ehealth_strategic_framework_and_plan.pdf|}}
   * {{:​phie_architecture.png?​linkonly|}}   * {{:​phie_architecture.png?​linkonly|}}
 +
 ---- ----
 +
  
 ##See Also ##See Also
   * [[consolidated_workshop_outputs|Privacy Set of Rules]]\\   * [[consolidated_workshop_outputs|Privacy Set of Rules]]\\