PRIVACY PROTOCOL FOR A MUNICIPAL HEALTH OFFICE
eHealth Information Privacy in the Philippines
These rules adopt the principles of transparency, legitimate purpose and proportionality contained in the Data Privacy Act of 2012 for the processing of health information ad acknowledges the need to implement security measures for data protection. It adheres to the duty of maintaining confidentiality of patient’s medical records and health information as provided by the law, Rules of Court, and the Code of Ethics adopted by the different healthcare providers.
“Your practice - not your EHR [EMR] developer - is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR.”
– Guide to Privacy & Security of Electronic Health Information, HIT, USA, 2015
Specific Guidelines for _ Rural Health Unit
1. Policy
The management of _ Rural Health Unit is committed to protecting the privacy of our patients within our practice. Information collected is kept strictly confidential and used only for the medical and health care of patients.
2. Purpose
To ensure patients who receive care from the practice are comfortable in entrusting their health information to the practice. This policy provides information to patients as to how their personal information is collected and used within the practice and the circumstances in which information may be disclosed to third parties.
3. Scope
These rules shall apply to the Philippine Health Information Exchange system, Health Care Providers in the Rural Health Units, Municipal Health Offices, Barangay Health Centers, and any natural or juridical person involved in the processing of health information within the PHIE framework.
These rules shall also apply to patients who have given consent to participate in the PHIE and who have allowed sharing of personal health information among participating health care provider for purpose of treatment and care coordination.
4. Practice Procedure
The Municipal Health Office will:
a.) Provide a copy of this policy upon request.
b.) Ensure staff comply with the Privacy Protocol and deal appropriately with inquiries and concerns.
c.) Take such steps as are reasonable in the circumstances to implement practices, procedures and systems to ensure compliance with the APP and deal with inquiries or complaints.
d.) Collect personal information for the primary purpose of managing a patient's healthcare and for financial claims and payments.
Staff Responsibility
The practice staff will take reasonable steps to ensure patients understand:
Patient’s Responsibility
Patient Consent
5. Collection, Use, and Disclosure
a.) Names, addresses and contact details;
b.) PHIC / PhilHealth number for identification and claiming purposes;
c.) Healthcare identifiers;
d.) Medical information including medical history, medications, allergies, adverse events, immunizations, social history, family history and risk factors.
6.Data Quality
Patient information collected and retained in our records for the purpose of providing quality health care will be complete, accurate, and up to date at the time of collection.
Identification of Patient. A national system of unique patient identifier shall be the PHIC or PhilHealth number. The lack of it poses difficult challenges for PHIE. A non-unique, out-of-date, or incorrect identifier can cause 2 types of errors:
False Negative- failure to find a patient’s information when it in fact exists.
False Positive- finding information that is not, in fact, for the patient.
Point of de-identification. De-identification shall be done at the level of the Primary Health Care Provider. The Primary Health Care Provider shall transmit information from patient’s records to PHIE as shared health record or as part of PHIE’s data warehouse. If the patient consents, the patient’s health record may be processed in PHIE without the need for de-identification. If the patient does not consent, the patient’s health information shall be de-identified, containing only information necessary for immediate statistical reference.
Only de-identified health information shall be stored in the PHIE Data Warehouse.
7.Data Security
All due care will be taken to ensure the protection of patient privacy during the transfer, storage and use of personal health information.Point of Collection of Information. Collection of information shall start at the time of registration in the health facility. This shall be done in the Admitting/Registration section and subsequent information shall be provided at different points of care undergone by the patient.
The Privacy Officer (or a duly authorized representative) shall be responsible for the orientation of the patients regarding PHIE implementation and validation of patient information.
The practice will not disclose personal information to any third party other than in the course of providing medical services, without full disclosure to the patient or the recipient, the reason for the information transfer and full consent from the patient.
The Practice will not use any personal information in relation to direct marketing to a patient without that patient’s express consent.
The practice evaluates all unsolicited information it receives to decide if it should be kept, acted upon or destroyed.
Access to Patient Information & Correction
The following will apply with regard to accessing personal and private medical information by an individual, in accordance with the Data Privacy Act of 2012 and Privacy Policy _:
9.Parents/Guardians and Children
To protect the rights of a child’s privacy, access to a child’s medical information may at times be restricted for parents and guardians. Release of information may be referred back to the treating Doctor where their professional judgement and the law will be applied.
Complaints
The management of _ Rural Health Unit understands the importance of confidentiality and discretion with the way we manage and maintain the personal information of our patients. We take complaints and concerns about the privacy of patient’s personal information seriously. Patients should express any privacy concerns in writing. The Practice will then attempt to resolve it in accordance with its complaint resolution process.
All employees of _ Rural Health Unit are required to observe the obligations of confidentiality in the course of their employment and are required to sign Non-Disclosure Agreements.
In the instance where you are dissatisfied with the level of service provided within the clinic we encourage you to discuss any concerns relating to the privacy of your information with the Municipal Health Officer, (name of MHO)_.
If the complaint has not been resolved to your level of satisfaction all complaints should be directed to:
(Name of Privacy Officer)
PRIVACY OFFICER / DEVELOPMENT MANAGEMENT OFFICER
B.O.S.S. INTERLOCAL HEALTH ZONE
DEPARTMENT OF HEALTH REGION
(Address)
References: