Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
introduction [2016/05/24 18:36]
wikiadmin [Definitions]
introduction [2016/07/25 15:27] (current)
jillian_nadette_de_leon
Line 5: Line 5:
 Guided by the Philippine eHealth Strategic Framework and Plan, one of the identified eHealth Project is the implementation of the Philippine Health Information Exchange (PHIE). The PHIE is the first major collaborative and convergence endeavor of the Health Cluster, and the initial step towards the realization of the National eHealth vision.\\ Guided by the Philippine eHealth Strategic Framework and Plan, one of the identified eHealth Project is the implementation of the Philippine Health Information Exchange (PHIE). The PHIE is the first major collaborative and convergence endeavor of the Health Cluster, and the initial step towards the realization of the National eHealth vision.\\
  
-The PHIE will enable electronic transmission of healthcare-related data among facilities, health providers, health information organizations and government agencies, according to nation ​standards. It will allow different applications to exchange data with each other without loss of semantics and allowing ​health facilities ​in particular ​rural health unit, health centers, hospitals, DOH and PhilHealth to communicate with each other effectively and collaborate in the care of the patients ​and providers. The development and implementation of the PHIE will enable a patient'​s medical or health information to follow patient wherever health care services are provided ​within set of standards. Health care providers will be able to securely share or exchange patient'​s medical or health information to improve health care delivers ​and decision making.\\ +The PHIE will enable electronic transmission of healthcare-related data among facilities, health ​care providers, health information organizations and government agencies, according to national ​standards. It will allow different applications to exchange data with each other without loss of semantics and will enable ​health facilities ​particularly ​rural health unit, health centers, hospitals, DOH and PhilHealth to communicate with each other effectively and to collaborate ​with the health care providers ​in the care of the patients. The development and implementation of the PHIE will enable a patient'​s medical or health information to follow ​the patient wherever health care services are provided. Health care providers will be able to securely share or exchange patient'​s medical or health information to improve health care delivery ​and decision making.\\
- +
-To ensure that the privacy of the public is well protected during the implementation and operation of the PHIE, the DOH-DOST-PhilHealth Joint Administrative Order No. 2016-0002 was created. Consequently,​ this Implementing Rules and Regulation (IRR), herein after called "​IRR"​ is promulgated pursuant to the aforementioned issuance.\\+
  
 ##About this Document ##About this Document
- These Rules shall be known and cited as the Implementing Rules and Regulations ​of Joint Administrative Order No. 2016-0002otherwise known as "​Privacy Guidelines for the Implementation of the Philippine Health Information Exchange"​. ​These Rules are hereby promulgated to prescribe the procedures and guidelines ​for the implementation of the Privacy Guidelines for the Implementation of the Philippine Information Exchange in order to provide greater conceptual and operational clarity, establish standards in safeguarding ​the privacy of individually identifiable health information,​ and facilitate rigorous compliance with the requirements for the use and disclosure of protected ​health information.\\+ This shall be known and cited as the **Health Privacy Code** ​of the Joint Administrative Order No. 2016-0002 otherwise known as "​Privacy Guidelines for the Implementation of the Philippine Health Information Exchange"​. ​The **Health Privacy Code** is hereby promulgated to prescribe the procedures and guidelines to ensure that the privacy of the patient is well protected.\\
  
 ##​Definitions ##​Definitions
   * //Access//- Refers to the instruction,​ communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.\\   * //Access//- Refers to the instruction,​ communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.\\
 +  * //​Addressable//​- Flexible specifications allowing the health care facility or health care provider to do one of the following actions:\\
 +a.) Implement the addressable implementation specification;​\\
 +b.) Implement one or more alternative security measures to accomplish the same purpose;\\
 +c.) Not implement either an addressable implementation specification or an alternative.\\
   *// Alteration//​- Refers to the modification or change, in form or substance, of an existing computer data or program.\\   *// Alteration//​- Refers to the modification or change, in form or substance, of an existing computer data or program.\\
   * //​Authentication//​- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.\\   * //​Authentication//​- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.\\
   * //​Authorization//​- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.\\   * //​Authorization//​- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.\\
  *// Breach//- The unauthorized or impermissible acquisition,​ access, use, or disclosure of information and can be in the context of the patient and/or institutions.\\  *// Breach//- The unauthorized or impermissible acquisition,​ access, use, or disclosure of information and can be in the context of the patient and/or institutions.\\
 +  * //Cache//- a special high-speed storage mechanism which can either be a reserved section of main memory or an independent high-speed storage device.\\
 +  * //​Caching//​- the process of storing data in a cache.\\
   * //Computing and Related equipment//​- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.\\   * //Computing and Related equipment//​- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.\\
   * //​Confidentiality//​- A duty to maintain privacy of information and its protection against unauthorized disclosure.\\   * //​Confidentiality//​- A duty to maintain privacy of information and its protection against unauthorized disclosure.\\
-  * //​Consent//​- Any freelygiven, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.\\+  * //​Consent//​- Any freely-given, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.\\ 
 +  * //Data Processor//​- in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.\\ 
 +  * //​Decryption//​- the process of transforming data that has been rendered unreadable through encryption back to its unencrypted form.\\
   * //​De-identification//​- Removal of identifiers to protect against inappropriate disclosure of personal information.\\   * //​De-identification//​- Removal of identifiers to protect against inappropriate disclosure of personal information.\\
-  * //​Electronic Medical Record//- A medical or health record which is which received, recorded, transmitted,​ stored, processed, retrieved or produced electronically through computers or other electronic device.\\+  ​* //Digital Signature//​- a specific type of electronic signature based on public-key cryptography,​ used within a framework known as public-key infrastructure.\\ 
 +  * //​Discharge//​- The release of a patient from a provider'​s care, usually referring to the date at which a patient checks out of a health facility or hospital.\\ 
 +  ​* //​Electronic Medical Record//- A medical or health record which is received, recorded, transmitted,​ stored, processed, retrieved or produced electronically through computers or other electronic device.\\ 
 +  * //​Electronic Signature//​- refers to any representation in electronic form that can be used to express intent, including a printed name at the bottom of an e-mail, a digitized copy of a handwritten signature, a biometric mark, a sound, or digital structure.\\
   * //​Emergency//​- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).\\ ​   * //​Emergency//​- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).\\ ​
 +  * //​Encryption//​- The use of an algorithmic process to transform data into a form which there is low probability of assigning meaning without use of a confidential process or key.\\
 +  * //Health Care Clearinghouse//​- a public or private entity, including a billing service, repricing company, community heath management information system or community health information system, and "​value-added"​ networks and switches that does either of the following functions:​\\
 +(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data into standard data elements or a standard transaction.\\
 +(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.\\
   * //Health Care Provider//- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional,​ who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.\\   * //Health Care Provider//- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional,​ who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.\\
   * //Health Data Warehouse//​- A repository of the country'​s de-identified health information within the framework of the Philippine Health Information Exchange.\\   * //Health Data Warehouse//​- A repository of the country'​s de-identified health information within the framework of the Philippine Health Information Exchange.\\
-  * //Health Information//​- Refers to personal and sensitive information that relates to an individual'​s past , present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual'​s total well-being. For purpose of A.O. 2016-0002, health information ​refer to personal health information which is individually identifiable health information or de-identified health information.\\ +  * //Health Information//​- Refers to personal and sensitive information that relates to an individual'​s past , present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual'​s total well-being. For purpose of A.O. 2016-0002, health information ​refers ​to personal health information which is individually identifiable health information or de-identified health information.\\ 
-  * //ICT systems//- hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment \\+  * //Information and Communication Technology (ICTsystems//- hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment\\
   * //​Individually Identifiable//​- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.\\   * //​Individually Identifiable//​- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.\\
   * //​Infrastructure//​- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.\\   * //​Infrastructure//​- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.\\
Line 34: Line 47:
   * //​Issuances//​- Refer to official write-up or documentation of statements, notices, announcements,​ and communications.\\   * //​Issuances//​- Refer to official write-up or documentation of statements, notices, announcements,​ and communications.\\
   * //​Interception//​- Refers to listening to, recording, monitoring or surveillance of the content of communications,​ including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.\\   * //​Interception//​- Refers to listening to, recording, monitoring or surveillance of the content of communications,​ including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.\\
-  * //Medical Privacy or Health Privacy//- Right to the protection of the confidential nature of personal health information,​ which includes communications between health care provider and patient, and personal data and information about a patient'​s ​conditional ​as contained in medical records.\\+  ​* //​Interpersonal Violence//- Violence that occurs between family members, intimate partners, friends, acquaintances and strangers, and includes child maltreatment,​ youth violence, sexual violence and elder abuse.\\ 
 +  ​* //Medical Privacy or Health Privacy//- Right to the protection of the confidential nature of personal health information,​ which includes communications between health care provider and patient, and personal data and information about a patient'​s ​condition ​as contained in medical records.\\
   * //Medical Record or Health Record//- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient'​s life history including past and present illnesses and treatments entered by health professional contributing to the patient'​s care.\\   * //Medical Record or Health Record//- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient'​s life history including past and present illnesses and treatments entered by health professional contributing to the patient'​s care.\\
-  * //​Outpatient//​- A patient who receives ​healthcare ​services without being admitted for inpatient medical care or healthcare ​services and does not occupy a bed for any length of time; or a patient who consults and receives ​healthcare ​services in the healthcare ​facility without being admitted. ​+  * //​Outpatient//​- A patient who receives ​health care services without being admitted for inpatient medical care or health care services and does not occupy a bed for any length of time; or a patient who consults and receives ​health care services in the health care facility without being admitted. ​
   *// Participating Health Care Provider (PHCP)//- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001(Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.\\   *// Participating Health Care Provider (PHCP)//- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001(Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.\\
   *//​Patient//​- A person availing of medical consultation,​ diagnostic examinations,​ treatment or health care services from a health care provider.\\   *//​Patient//​- A person availing of medical consultation,​ diagnostic examinations,​ treatment or health care services from a health care provider.\\
-  * //Patient Registry// - refers to the organisation and process that supports ​a //patient register//a set of patient records ​systematically collected and organized ​around a particular disease, condition or exposure, and serving "one or more predetermined scientific, clinical or policy purposes"​ (AHRQ, 2007) +  * //Patient Registry// - refers to the organisation and processes supporting ​a //patient register//--a set of patient records ​systematized ​around a particular disease, condition or exposure, and serving "one or more predetermined scientific, clinical or policy purposes"​ (AHRQ, 2007) 
-  *//Personal Information//​- ​Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information,​ or when put together with other information would directly and certainly identify an individual.\\ +  *//Personal Information//​- ​Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information,​ or when put together with other information would directly and certainly identify an individual.\\ 
-  *//Personal Information Controller//​- ​Refers to a person or organization that controls the collection, holding, processing or use of personal information,​ including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.\\ ​+  *//Personal Information Controller//​- ​person or organization that controls the collection, holding, processing or use of personal information,​ including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.\\ ​
 This term excludes:\\ This term excludes:\\
 (a) A person or organization who performs such functions as instructed by another person or organization;​ and (a) A person or organization who performs such functions as instructed by another person or organization;​ and
 (b) An individual who collects, holds, processes or uses personal information in connection with the individual'​s personal, family or household affairs.\\ (b) An individual who collects, holds, processes or uses personal information in connection with the individual'​s personal, family or household affairs.\\
-  * //Principle of Legitimate Purpose//- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.\\ 
-  * //Principle of Proportionality//​- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.\\ 
-  * //Principle of Transparency//​- Principle that refers to processing of information conducted in a manner where an individual is given adequate and relevant knowledge about the nature, purpose, extent and intended use of processing of information,​ and provided with the right to consent, limit or object to the processing.\\ 
   * //​Privacy//​- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.\\   * //​Privacy//​- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.\\
-  * //​Processing//​- ​Refers to any operation performed upon personal information including, but not limited to, the collection, recording, organization,​ storage, updating or modification,​ retrieval, consultation,​ use, consolidation,​ blocking, erasure or destruction of data.\\ +  ​* //Privilege Communication//​- Conversation or working relationship which takes place between two parties within the context of a protective relationship such as between healthcare provider and a patient.  
-  * //Public Health//​- ​Refers to all organized measures to prevent disease, promote health, and prolong life among the population as a wholeIts activities aim to provide conditions in which people can be healthy and focus on entire populations,​ not on individual patients or diseases.\\ +  ​* //​Processing//​- ​Any operation performed upon personal information including, but not limited to, the collection, recording, organization,​ storage, updating or modification,​ retrieval, consultation,​ use, consolidation,​ blocking, erasure or destruction of data.\\ 
-  * //​Security//​- ​Refers to the organizational,​ technical and physical measures to ensure the safety and protection of the health information.\\ +  * //​Publication//​- The act or process of producing a book, magazine, etc., and making it available to the public. (Merriam-Webster,​ 2016).\\ 
-  * //Sensitive Personal Information//​- ​Refers to personal ​information:​ \\+  * //Public Health//​- ​All organized measures to prevent disease, promote health, and prolong life among the population as a wholeIts activities aim to provide conditions in which people can be healthy and focus on entire populations,​ not on individual patients or diseases.\\ 
 +  * //Public Health Emergency//​- an occurrence or imminent threat of an illness or health condition, caused by bio terrorism, epidemic or pandemic disease, or a novel and highly fatal infectious agent or biological toxin, that poses a substantial risk of a significant number of human facilities or incidents or permanent or long-term disability.\\ 
 +  * //​Security//​- ​The organizational,​ technical and physical measures to ensure the safety and protection of the health information.\\ 
 +  * //Sensitive Personal Information//​- ​Personal ​information:​ \\
 (a) About an individual'​s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;​ (a) About an individual'​s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;​
 (b) About an individual'​s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings,​ or the sentence of any court in such proceedings; ​ (b) About an individual'​s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings,​ or the sentence of any court in such proceedings; ​
Line 58: Line 72:
 (d) Specifically established by an executive order or an act of Congress to be kept classified.\\ (d) Specifically established by an executive order or an act of Congress to be kept classified.\\
   * //​Sharing//​- The process that allows the PHCP to access the patient'​s health information from the system.\\   * //​Sharing//​- The process that allows the PHCP to access the patient'​s health information from the system.\\
-  * //Social Media//- Electronic communication,​ websites or applications through which users connect, interact, or share information or other content with other individuals,​ collectively part of an online community. ​this includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.\\ +  ​* //Shared Health Record//- An operational,​ real-time transactional data source that serves as a means of allowing different services to share health data stored in a centralized data repository. It contains a subset of normalized data for a patient from various systems such as Electronic Medical Record (EMR).\\ 
-  * //​Third-party ​data processor//. Third-party data processors refer to any person or entity ​other than  +  ​* //Social Media//- Electronic communication,​ websites or applications through which users connect, interact, or share information or other content with other individuals,​ collectively part of an online community. ​This includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.\\ 
-  - the data subject, +  * //​Third-party//​ - Any person, entity ​or institution ​other than the patient (data subject)health care provider or health facility (data controller/processor), or any other duly authorized data processor ​or person desiring to have access to patient'​s health information. (i.e. HMOs, Researchers,​ among others).
-  - the data controller, or +
-  - any data processor or other person ​duly authorized ​to process ​data for the data controller or processor.+
 \\ \\
 \\ \\
Line 68: Line 80:
 ##​References: ​ ##​References: ​
   * AO 2016-002- Privacy Guidelines for the Implementation of the Philippine Health Information Exchange   * AO 2016-002- Privacy Guidelines for the Implementation of the Philippine Health Information Exchange
 +  * Gliklich, RE. Dreyer, NA. eds. (2007) Registries for Evaluating Patient Outcomes: A User’s Guide. ​ AHRQ Publication No. 07- EHC001-1. Rockville, MD: Agency for Healthcare Research and Quality.
 +  * Data Protection Act of 1998
   * {{:​philippine_ehealth_strategic_framework_and_plan.pdf|}}   * {{:​philippine_ehealth_strategic_framework_and_plan.pdf|}}
   * {{:​phie_architecture.png?​linkonly|}}   * {{:​phie_architecture.png?​linkonly|}}
 +
 ---- ----
 +
  
 ##See Also ##See Also
   * [[consolidated_workshop_outputs|Privacy Set of Rules]]\\   * [[consolidated_workshop_outputs|Privacy Set of Rules]]\\