**This is an old revision of the document!**

Introduction

As a mandate of the Constitution to provide quality health care to the Filipino people while protecting and promoting the right to privacy, the Department of Health (DOH), in cooperation with the Department of Science and Technology (DOST), Philippine Health Insurance Corporation (PhilHealth), University of the Philippines-Manila (UPM), and Commission on Higher Education (CHED), established the National eHealth Program (NeHP) that envisions widespread information-technology (IT)-enabled health care services by 2020.

Guided by the Philippine eHealth Strategic Framework and Plan, one of the identified eHealth Project is the implementation of the Philippine Health Information Exchange (PHIE). The PHIE is the first major collaborative and convergence endeavor of the Health Cluster, and the initial step towards the realization of the National eHealth vision.

The PHIE will enable electronic transmission of healthcare-related data among facilities, health providers, health information organizations and government agencies, according to nation standards. It will allow different applications to exchange data with each other without loss of semantics and allowing health facilities in particular rural health unit, health centers, hospitals, DOH and PhilHealth to communicate with each other effectively and collaborate in the care of the patients and providers. The development and implementation of the PHIE will enable a patient's medical or health information to follow patient wherever health care services are provided within set of standards. Health care providers will be able to securely share or exchange patient's medical or health information to improve health care delivers and decision making.

To ensure that the privacy of the public is well protected during the implementation and operation of the PHIE, the DOH-DOST-PhilHealth Joint Administrative Order No. 2016-0002 was created. Consequently, this Implementing Rules and Regulation (IRR), herein after called “IRR” is promulgated pursuant to the aforementioned issuance.

About this Document

These Rules shall be known and cited as the Implementing Rules and Regulations of Joint Administrative Order No. 2016-0002, otherwise known as “Privacy Guidelines for the Implementation of the Philippine Health Information Exchange”. These Rules are hereby promulgated to prescribe the procedures and guidelines for the implementation of the Privacy Guidelines for the Implementation of the Philippine Information Exchange in order to provide greater conceptual and operational clarity, establish standards in safeguarding the privacy of individually identifiable health information, and facilitate rigorous compliance with the requirements for the use and disclosure of protected health information.

Definitions

  • Access- Refers to the instruction, communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.
  • Alteration- Refers to the modification or change, in form or substance, of an existing computer data or program.
  • Authentication- The process of verifying that an individual, entity or software program accessing the PHIE is the authorized user the person, entity or program claims to be.
  • Authorization- The process of determining whether a user has the right to access the PHIE and establishing the privileges associated with such access.

* Breach- The unauthorized or impermissible acquisition, access, use, or disclosure of information and can be in the context of the patient and/or institutions.

  • Computing and Related equipment- computer network, telecommunications and peripheral equipment that support the information processing activities of organizations.
  • Confidentiality- A duty to maintain privacy of information and its protection against unauthorized disclosure.
  • Consent- Any freely, given, specific, informed indication of will, whereby an individual agrees to the collection and processing of personal information relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the individual by a lawful guardian or an agent specifically authorized by the individual to do so.
  • De-identification- Removal of identifiers to protect against inappropriate disclosure of personal information.
  • Electronic Medical Record- A medical or health record which is which received, recorded, transmitted, stored, processed, retrieved or produced electronically through computers or other electronic device.
  • Emergency- Unforeseen combination of circumstances which calls for immediate life-preserving or quality-of-life preserving actions (To preserve sight in one or both eyes, hearing in one or both ears, extremities at or above the ankle or wrist).
  • Health Care Provider- A health care institution devoted primarily to management, treatment and care of patients, or a health care professional, who is any doctor of medicine, nurse, midwife, dentist, or other health care practitioner.
  • Health Data Warehouse- A repository of the country's de-identified health information within the framework of the Philippine Health Information Exchange.
  • Health Information- Refers to personal and sensitive information that relates to an individual's past , present or future physical or mental health or condition, including demographic data, diagnosis and management, medication history, health financing record, cost of services and any other information related to the individual's total well-being. For purpose of A.O. 2016-0002, health information refer to personal health information which is individually identifiable health information or de-identified health information.
  • ICT systems- hardware, software, firmware of computers, telecommunications and network equipment or other electronic information handling systems and associated equipment
  • Individually Identifiable- Refers to information that contains data that can directly identify the individual or could reasonably be used to identify an individual.
  • Infrastructure- facilities and equipment to enable the ICT service, including but not limited to power supply, telecommunications connections and environmental controls.
  • Information System- application, service, information technology asset, or any other information handling component
  • Inpatient- A patient admitted in the hospital receiving healthcare services and who is provided room, board and continuous nursing services in a unit area of the healthcare facility.
  • Issuances- Refer to official write-up or documentation of statements, notices, announcements, and communications.
  • Interception- Refers to listening to, recording, monitoring or surveillance of the content of communications, including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.
  • Medical Privacy or Health Privacy- Right to the protection of the confidential nature of personal health information, which includes communications between health care provider and patient, and personal data and information about a patient's conditional as contained in medical records.
  • Medical Record or Health Record- Primary repository of information concerning patient health care; a compilation of pertinent facts of a patient's life history including past and present illnesses and treatments entered by health professional contributing to the patient's care.
  • Outpatient- A patient who receives healthcare services without being admitted for inpatient medical care or healthcare services and does not occupy a bed for any length of time; or a patient who consults and receives healthcare services in the healthcare facility without being admitted.
  • Participating Health Care Provider (PHCP)- Health Care Providers whose application to participate in the PHIE is approved in accordance with Joint DOH-DOST-PhilHealth AO 2016-0001(Implementation of the PHIE), and through any other procedure promulgated by the DOH for participation.
  • Patient- A person availing of medical consultation, diagnostic examinations, treatment or health care services from a health care provider.
  • Patient Registry - refers to the organisation and process that supports a patient register, a set of patient records systematically collected and organized around a particular disease, condition or exposure, and serving “one or more predetermined scientific, clinical or policy purposes” (AHRQ, 2007)
  • Personal Information- Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Personal Information Controller- Refers to a person or organization that controls the collection, holding, processing or use of personal information, including a person or organization that instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

This term excludes:
(a) A person or organization who performs such functions as instructed by another person or organization; and (b) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

  • Principle of Legitimate Purpose- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.
  • Principle of Proportionality- Principle that refers to processing of information that is adequate, relevant and not excessive in relation to a declared and specified purpose.
  • Principle of Transparency- Principle that refers to processing of information conducted in a manner where an individual is given adequate and relevant knowledge about the nature, purpose, extent and intended use of processing of information, and provided with the right to consent, limit or object to the processing.
  • Privacy- The right of a person to be free from intrusion or disturbance in one's personal and intimate life or affairs. It includes informational privacy, which refers to the right of an individual not to have his or her private information disclosed including the ability to control what information is disclosed, with whom, and for what purpose.
  • Processing- Refers to any operation performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
  • Public Health- Refers to all organized measures to prevent disease, promote health, and prolong life among the population as a whole, Its activities aim to provide conditions in which people can be healthy and focus on entire populations, not on individual patients or diseases.
  • Security- Refers to the organizational, technical and physical measures to ensure the safety and protection of the health information.
  • Sensitive Personal Information- Refers to personal information:

(a) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; © Issued by government agencies peculiar to an individual which includes but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; (d) Specifically established by an executive order or an act of Congress to be kept classified.

  • Sharing- The process that allows the PHCP to access the patient's health information from the system.
  • Social Media- Electronic communication, websites or applications through which users connect, interact, or share information or other content with other individuals, collectively part of an online community. this includes Facebook, Twitter, Google+, Instagram, LinkedIn, Pinterest, Blogs, Social Networking Sites.
  • Third-party data processor. Third-party data processors refer to any person or entity other than
  1. the data subject,
  2. the data controller, or
  3. any data processor or other person duly authorized to process data for the data controller or processor.



References:

  • AO 2016-002- Privacy Guidelines for the Implementation of the Philippine Health Information Exchange
  • Gliklich, RE. Dreyer, NA. eds. (2007) Registries for Evaluating Patient Outcomes: A User’s Guide. AHRQ Publication No. 07- EHC001-1. Rockville, MD: Agency for Healthcare Research and Quality.

See Also