PRIVACY PROTOCOL FOR A MUNICIPAL HEALTH OFFICE

eHealth Information Privacy in the Philippines
These rules adopt the principles of transparency, legitimate purpose and proportionality contained in the Data Privacy Act of 2012 for the processing of health information ad acknowledges the need to implement security measures for data protection. It adheres to the duty of maintaining confidentiality of patient’s medical records and health information as provided by the law, Rules of Court, and the Code of Ethics adopted by the different healthcare providers.

“Your practice - not your EHR [EMR] developer - is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR.” – Guide to Privacy & Security of Electronic Health Information, HIT, USA, 2015

Specific Guidelines for _ Rural Health Unit

1. Policy
The management of _ Rural Health Unit is committed to protecting the privacy of our patients within our practice. Information collected is kept strictly confidential and used only for the medical and health care of patients.

2. Purpose
To ensure patients who receive care from the practice are comfortable in entrusting their health information to the practice. This policy provides information to patients as to how their personal information is collected and used within the practice and the circumstances in which information may be disclosed to third parties.

3. Scope
These rules shall apply to the Philippine Health Information Exchange system, Health Care Providers in the Rural Health Units, Municipal Health Offices, Barangay Health Centers, and any natural or juridical person involved in the processing of health information within the PHIE framework.
These rules shall also apply to patients who have given consent to participate in the PHIE and who have allowed sharing of personal health information among participating health care provider for purpose of treatment and care coordination.

4. Practice Procedure

The Municipal Health Office will:
a.) Provide a copy of this policy upon request.
b.) Ensure staff comply with the Privacy Protocol and deal appropriately with inquiries and concerns.
c.) Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints.
d.) Collect personal information for the primary purpose of managing a patient's healthcare and for financial claims and payments.

Staff Responsibility
The practice staff will take reasonable steps to ensure patients understand:

• What information has been and is being collected;
  
• Why the information is being collected and whether this is due to a legal requirement;
• How the information will be used or disclosed;
• Why and when their consent is necessary;
• The Practice’s procedures for access and correction of information, and responding to complaints of information breaches, including by providing this policy.

Patient’s Responsibility

• Patients are responsible to provide correct information regarding his health and other personal details.
  
• Editing of patient’s data will require for the patient to visit the RHU or log-in their EMR accounts (in EMRs where patients have access to basic information via personal online access), to record necessary changes.
  
• Patients will provide implicit consent to have his health information used for health reporting. In addition, his health information may be used for research purposes; refusal form will be filled out by patients who do not consent to this provision. Their health information will be de-identified and still used solely for health reporting purposes.
  

Patient Consent

• _ Rural Health Unit will only interpret and apply a patient’s consent for the primary purpose for which it was provided.
• A separate, standard consent form for PHIE entitled “Consent for Participation to PHIE” shall be developed by health facilities. The consent form must be clear, simple, and have a local translation which the patient can understand. Within its contents there shall be an opt-out clause, a list of information to be gathered for shared purpose, date and time the consent was given, contact number of the patient or legal representative, and a provisions stating that the patient’s identity will be protected. Upon obtaining consent, the patient shall affix his/her printed name below the Patient Admission Form. If consent is denied, a refusal form shall be provided – patient’s data will be de-identified but will still be submitted as part of health reports or services rendered by the RHU.
  

• Alternatively, the staff explains that the patient will automatically be enrolled in the EMR with connection to the PHIE. Further, the data information generated will be used for health reports, PHIC purposes, and even in research. If this implicit consent is denied, a refusal form shall be provided – patient’s data will be de-identified but will still be submitted as part of health reports or services rendered by the RHU.
  

• A thumb mark may be considered once the consenting patient is incapable to imprint his signature but must be witnessed by a person of legal age.
  

• Duration of Validity. Health care providers shall comply with the medical records requirements electronically. For OPD 5 years, In-patient- 10 to 15 years, Medico-legal cases- lifetime.
  

5. Collection, Use, and Disclosure

• _ Rural Health Unit recognizes that the information we collect is often of a highly sensitive nature and as an organization we have adopted the privacy compliance standards relevant to _ Rural Health Unit to ensure personal information is protected.
  

• For administrative and billing purposes and to ensure quality and continuity of patient care a patient’s health information is shared between the medical practitioners of Samboan Rural Health Unit.
  

• Authorized personnel to collect data. Data collection and processing shall be done by an employee of the health facility and shall ensure that good clinical practice guidelines are observed when changing data.
  

• Collected personal information will include patient’s:
  

a.) Names, addresses and contact details;
b.) PHIC / PhilHealth number for identification and claiming purposes;
c.) Healthcare identifiers;
d.) Medical information including medical history, medications, allergies, adverse events, immunizations, social history, family history and risk factors.

• A patient’s personal information may be held at the practice in various forms:
  a.) As paper records
  b.) As electronic records / EMR
  c.) As visuals i.e. xrays, ct scans, videos & photos
  d.) As audio recordings
  
• The practice’s procedures for collecting personal information is set out below:
  a.) Practice staff collect patient’s personal and demographic information via registration when patients present to the clinic for the first time. Patients are encouraged to pay attention to the collection statement that they complete as a new patient.
  b.) During the course of providing medical services the practice’s healthcare practitioners will consequently collect further personal information.
  c.) Personal information may also be collected from the patient’s guardian or responsible person (where practicable and necessary) or from other involved healthcare specialists.
  
• The practice holds all personal information securely, whether in electronic format, in protected information systems or in hard copy in a secured environment.
  
• Personal information collected by _ Rural Health Unit may be used or disclosed in the following instances:
  a.) For medical defense purposes;
  b.) To assist in locating a missing person;
  c.) For the purpose the patient was advised during consult with the treating Doctor;
  d.) As required during the normal operation of services provided. i.e. for referral to a medical specialist or other health service provider;
  e.) For the purpose of a confidential dispute resolution process
  f.) Reportorial Requirements. In compliance with Act No. 3573 otherwise known as “Law on Reporting of Communicable Diseases”, all notifiable diseases/syndromes/events and conditions shall be immediately collected and reported to the local and national health authorities.
  g.)Health facilities shall share health information exclusively for continuity of medical services, whenever necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety.
  h.)Filing and Storage. All information collected at different levels of care shall be integrated into a common file. An electronic archiving system shall be developed for the storage of electronic data.
  j.)Some disclosure may occur to third parties engaged by or for the practice for the Practice for business purposes such as accreditation or for the provision of information technology. These third parties are required to comply with this policy.
  

6.Data Quality
Patient information collected and retained in our records for the purpose of providing quality health care will be complete, accurate, and up to date at the time of collection.

Identification of Patient. A national system of unique patient identifier shall be the PHIC or PhilHealth number. The lack of it poses difficult challenges for PHIE. A non-unique, out-of-date, or incorrect identifier can cause 2 types of errors:
False Negative- failure to find a patient’s information when it in fact exists. False Positive- finding information that is not, in fact, for the patient.

Point of de-identification. De-identification shall be done at the level of the Primary Health Care Provider. The Primary Health Care Provider shall transmit information from patient’s records to PHIE as shared health record or as part of PHIE’s data warehouse. If the patient consents, the patient’s health record may be processed in PHIE without the need for de-identification. If the patient does not consent, the patient’s health information shall be de-identified, containing only information necessary for immediate statistical reference. Only de-identified health information shall be stored in the PHIE Data Warehouse.

7.Data Security

All due care will be taken to ensure the protection of patient privacy during the transfer, storage and use of personal health information.Point of Collection of Information. Collection of information shall start at the time of registration in the health facility. This shall be done in the Admitting/Registration section and subsequent information shall be provided at different points of care undergone by the patient.

The Privacy Officer (or a duly authorized representative) shall be responsible for the orientation of the patients regarding PHIE implementation and validation of patient information.

The practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient.

The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s express consent.

The practice evaluates all unsolicited information it receives to decide if it should be kept, acted upon or destroyed.

Access to Patient Information & Correction

The following will apply with regard to accessing personal and private medical information by an individual, in accordance with the Data Privacy Act of 2012 and Privacy Policy _:

• An individual has the right to access their own personal information and request a copy of the record (indicating the basic information, clinical diagnosis, medications, and/or lab results);
  
• Doctor's Orders or Patient's chart may be obtained only via court order;
  
• Requests must be made in writing and an acknowledgement letter will be sent to the patient within 14 days confirming the request and detailing whether the request can be complied with and an indication of any costs associated with providing the information. Time spent and photocopying costs when processing a request can be passed on to the requesting patient. Information can be expected to be provided within 30 days;
  
• While the individual is not required to give a reason for obtaining the information, a patient may be asked to clarify the scope of the request;
  
• In some instances the request to obtain information may be denied, in these instances the patient will be advised;
  
• The material over which a Doctor has copyright might be subject to conditions that prevent or restrict further copying or publication without the Doctor's permission;
• The practice will take reasonable steps to correct personal information where it is satisfied they are not accurate or up to date. From time to time the practice will ask patients to verify the personal information held by the practice is correct and up to date;
  
• Patients may also request the Practice corrects or updates their information and patients should must such requests in writing;
  
• Upon request by the patient, the information held by this clinic will be made available to another health provider.
  

9.Parents/Guardians and Children
To protect the rights of a child’s privacy, access to a child’s medical information may at times be restricted for parents and guardians. Release of information may be referred back to the treating Doctor where their professional judgement and the law will be applied.

Complaints
The management of _ Rural Health Unit understands the importance of confidentiality and discretion with the way we manage and maintain the personal information of our patients. We take complaints and concerns about the privacy of patient’s personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve it in accordance with its complaint resolution process.

All employees of _ Rural Health Unit are required to observe the obligations of confidentiality in the course of their employment and are required to sign Non-Disclosure Agreements.

In the instance where you are dissatisfied with the level of service provided within the clinic we encourage you to discuss any concerns relating to the privacy of your information with the Municipal Health Officer, (name of MHO)_.
If the complaint has not been resolved to your level of satisfaction all complaints should be directed to:
(Name of Privacy Officer)
PRIVACY OFFICER / DEVELOPMENT MANAGEMENT OFFICER
B.O.S.S. INTERLOCAL HEALTH ZONE
DEPARTMENT OF HEALTH REGION
(Address)

References:

• “Data Privacy Act of 2012”
• www.hawkinsmedical.com.au/privacy.html
• PRIVACY GUIDELINES FOR THE IMPLEMENTATION OF THE PHILIPPINE HEALTH INFORMATION EXCHANGE

• originally drafted by Dr. Ianne Jireh Ramos (MHO, Cebu)