Draft notes only. Contribute; do not cite without permission.

Rationale

The Health Privacy Board is a broad sectoral response to health information privacy needs. It will support the health sector in complying with laws, issuance and administrative orders relating to health information privacy and further the development of policy and practice for health data protection.

Composition

The Health Privacy Board shall be composed of the Chairperson who shall be assisted by two Board Members, one to be responsible for Training and Capacity Building and one to be responsible for Compliance and Planning.

Appointment. Appointment of full-time Board Members with salary grade not lower than 26 shall be done by the Steering Committee of PHIE. They shall be provided with office and administrative staff.

Competencies and Qualifications

Members of the Board shall have the following competencies and qualifications:

  • Background in law, education, and clinical or public health; a bachelor's degree in management, information systems, human resources, health administration or other relevant fields.
  • Minimum 5 years' experience in health care.
  • Demonstrated mastery of regulatory development and compliance, including standards, laws and regulations concerning information security and privacy.
  • Familiarity with the business functions and operations of large institutions (preferably health-related).
  • Strong organizational and problem-solving skills.
  • Ability to work effectively with teams and stakeholders.
  • Ability to communicate with clarity both orally and in writing.

General Roles and Functions

  1. The Board shall assist in the implementation of the Privacy Guidelines and related issuance through Training and Capacity Building, and through Compliance Monitoring and Planning.
  2. It shall coordinate with the licensing authority of the health institution or other accreditation bodies, when necessary, in order to perform its function.
  3. The Board shall accept complaints, inquiries and requests for assistance from the health sector on matters related to the Privacy Guidelines and related issuance.
    a. Complaints. It shall promulgate rules and procedures for receiving and processing complaints. It shall mediate between parties to reach a compromise settlement, without prejudice to reporting before the NPC or licensing and regulatory authorities matters contrary to law, in which case it shall make its recommendation after proper evaluation.
    b. Inquiries and Requests for Assistance. It shall assist persons or institutions on the interpretation of privacy regulations. It shall elevate to the Privacy Experts Group issues which, in its discretion, require advisory assistance.
  4. It shall provide the PEG a report of its activities, including case reports of issues brought before it that are of importance or significant impact.
  5. It shall make recommendations on changes in policy or further policy development. It shall coordinate with appropriate agencies to incorporate emerging technologies and new regulations in existing policies.


Board Member for Training and Capacity Building

The Training and Capacity Building functions of the Board shall be spearheaded by the Board Member for Training and Capacity Building. He or she shall:

  1. Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the health sector.
  2. Develop and implement training modules for capacity building.
  3. Develop and implement programs to inform and educate the public of health information privacy and to promote a privacy culture in the health sector, including but not limited to IEC materials that may be used by health information privacy advocates.
  4. Conduct training workshops and accommodate requests for public information on the implementation of the privacy guidelines.

See also: Privacy Training Team of the Health Privacy Board

Board Member for Privacy Compliance and Planning

The Privacy Compliance and Planning functions of the Board shall be spearheaded by the Board Member for Privacy Compliance and Planning. He or she shall:

  1. Oversee the monitoring of privacy compliance in health facilities. It shall develop procedures for the assessment of privacy practices in health facilities, in accordance with the standards for organizational, physical and technical security measures in the Privacy Guidelines and related issuance. It shall also coordinate with licensing and accreditation bodies to advocate the inclusion of privacy standards in their evaluation of health facilities, in view of the requirements of existing laws.
  2. Review privacy codes voluntarily adhered to by personal information controllers and processors in the health sector and make recommendations to meet standards for the protection of personal health information.
  3. Identify gaps in current standards for organizational, physical and technical security measures for the protection of personal health information and make recommendations for their improvement.
  4. Develop materials and documents, such as templates for employment contracts and non-disclosure agreements, to serve as a guide for health facilities.
  5. Undertake regular planning activities to develop and recommend programs to support the implementation of the Privacy Guidelines.
  6. Maintain a record of all compliance and monitoring reports.

Job Order

In the process of forming the Board, a job order can be placed to ensure timely execution of duties.

  • Suggested salary: 60k x 1.2 x 6 months
  • Budget for the compensation of the Compliance and Planning officer will be from DOST (as suggested), provided that we add a research component to it. Funding for writeshops and protocol template development will likely come from DOH and partners.

Relationships

Between the Board and PEG

  1. PEG will serve as the advisory council once the Board is in place.

Between the Board and NPC

Monitoring
  1. NPC to monitor and ensure compliance of the country with international standards set for data protection.
  2. NPC function: monitor compliance of other government agencies and recommend action to meet minimum standards pursuant to RA 10173.

Setting of security standards
  1. Security of sensitive personal information maintained by government agencies: secure with the use of the most appropriate standard recognized by the ICT industry.
  2. Appropriate security standard recommended by NPC.

Alignment of health laws and regulations with the requirements of RA 10173
  1. Retention of records.

System registration
  1. Contractors to register with NPC any information processing system involving access to sensitive personal information from 1,000 or more individuals.

Education
  1. Inform and educate the public about Data Privacy, Data Protection and fair information rights and responsibilities.



References

  • R.A. 10173. Data Privacy Act of 2012
  • HIPAA Privacy Rule