
DEPARTMENT OF HEALTH

DEPARTMENT OF SCIENCE AND TECHNOLOGY
PHILIPPINE HEALTH INSURANCE CORPORATION

IMPLEMENTING RULES AND REGULATIONS OF JOINT
ADMINISTRATIVE ORDER NO. 2016-0002 “PRIVACY GUIDELINES
FOR THE IMPLEMENTATION OF THE PHILIPPINE HEALTH
INFORMATION EXCHANGE”
WHEREAS, Joint Administrative Order No. 2016-0002 entitled “PRIVACY
GUIDELINES FOR THE IMPLEMENTATION OF THE PHILIPPINE HEALTH
INFORMATION EXCHANGE” was approved on January 20, 2016 and took
effect on _____, _____ days after its complete publication in a major newspaper of
national circulation in the Philippines.
NOW THEREFORE, the following rules and regulations are hereby promulgated:

CHAPTER I
GENERAL PROVISIONS

RULE I
PRELIMINARY PROVISIONS

Section 1. Introduction. As a mandate of the Constitution to provide quality health
care to the Filipino people while protecting and promoting the right to privacy, the
Department of Health (DOH), in cooperation with the Department of Science and
Technology (DOST), Philippine Health Insurance Corporation (PhilHealth),
University of the Philippines-Manila (UPM), and Commission on Higher
Education (CHED), established the National eHealth Program (NeHP) that
envisions widespread information-technology (IT)-enabled health care services by
2020.

Guided by the Philippine eHealth Strategic Framework and Plan, one of the
identified eHealth projects is the implementation of the Philippine Health
Information Exchange (PHIE). The PHIE is the first major collaborative and
convergence endeavor of the Health Cluster, and the initial step towards the
realization of the National eHealth vision.

The PHIE will enable electronic transmission of healthcare-related data among
facilities, health providers, health information organizations and government
agencies, according to national standards. It will allow different applications to
exchange data with each other without loss of semantics, and will allow health
facilities, in particular rural health units, health centers, hospitals, DOH and
PhilHealth, to communicate with each other effectively and collaborate in the care
of the patients and providers. The development and implementation of the PHIE
will enable a patient’s medical or health information to follow the patient wherever
health care services are provided, within a set of standards. Health care providers
will be able to securely share or exchange a patient’s medical or health information
to improve health care delivery and decision making.

To ensure that the privacy of the public is well protected during the
implementation and operation of the PHIE, the DOH-DOST-PhilHealth Joint
Administrative Order No. 2016-0002 was created. Consequently, these
Implementing Rules and Regulations (IRR), hereinafter called “IRR”, are
promulgated pursuant to the aforementioned issuance.

Section 2. Title. These Rules shall be known and cited as the Implementing Rules
and Regulations of Joint Administrative Order No. 2016-0002, otherwise known
as “Privacy Guidelines for the Implementation of the Philippine Health
Information Exchange.”
Section 2. Purpose. These Rules are hereby promulgated to prescribe the
procedures and guidelines for the implementation of the Privacy Guidelines for the
Implementation of the Philippine Health Information Exchange in order to provide
greater conceptual and operational clarity, establish standards in safeguarding the
privacy of individually identifiable health information, and facilitate rigorous
compliance with the requirements for the use and disclosure of protected health
information.

Section 3. Declaration of Principles. These rules complement the following
issuances, resolutions or provisions:

Primacy of human rights. The Constitution declares that the State values the
dignity of every person and guarantees full respect for human rights. Health has
long been affirmed as a fundamental human right recognized universally. The right
to privacy is also an important human right guaranteed by the Constitution, and
further expounded in the Data Privacy Act of 2012.

Vital role of communication and information technology in nation-building. The
rules complement the Philippine Digital Strategy 2011-2016, which provides for
the national strategy to harness the potential and power of information and
communications technology to support the attainment of the government’s
obligations to the Filipino people, and the Philippine Development Plan 2011-
2016, which intends to prepare the country to take advantage of opportunities in a
digital economy and knowledge societies.

Improvement of health information systems for public health. The Philippines
adopts the generally accepted principles of international law as part of the law of
the land. The country is a signatory to a number of global agreements such as the
Millennium Development Goals, the Geneva Declaration on the World Summit on
Information Society, and the 58th World Health Assembly, wherein the Philippines
has pledged to meet specific commitments. These include the adoption of
information and communication technology to improve and extend health care and
health information systems for public health purpose, and mobilization of multi-
sectoral collaboration to develop an overall national eHealth strategy for the
implementation of eHealth and health data standards.

Achievement of better health outcomes. These rules support the 2011-2016
National Objective for Health and related regulations to utilize ICTs to provide
better health services to Geographically Isolated and Disadvantaged Areas, support
attainment of Millennium Development Goals, and contribute to the goal of
universal healthcare.

Protection of Health Information Privacy. These rules adopt the principles of
transparency, legitimate purpose and proportionality contained in the Data Privacy
Act of 2012 for the processing of health information and acknowledge the need to
implement security measures for data protection. They adhere to the duty of
maintaining confidentiality of patients’ medical records and health information as
provided by the law, the Rules of Court, and the Codes of Ethics adopted by the
different healthcare providers.

Section 4. Scope of Application. These rules shall apply to the Philippine Health
Information Exchange system, Health Care Providers, and any natural or juridical
person involved in the processing of health information within the PHIE
framework.

These rules shall also apply to patients who have given consent to participate in the
PHIE and who have allowed sharing of personal health information among
participating health care providers for purposes of treatment and care coordination.

Section 5. Definition of Terms. (See Annex 2.0)

CHAPTER II
SPECIFIC GUIDELINES

RULE II
COLLECTION AND PROCESSING OF HEALTH INFORMATION

Section 1. The Consent Form. A separate, standard consent form for PHIE entitled
“Consent for Participation to PHIE” shall be developed by health facilities. The
consent form must be clear, simple, and have a local translation which the patient
can understand. Within its contents there shall be an opt-out clause, a list of
information to be gathered for shared purpose, date and time the consent was given,
contact number of the patient or legal representative, and a provision stating that
the patient’s identity will be protected. A system shall be developed to indicate
completion of consent taking.

Section 2. Manner of Obtaining Consent. The consent procedure must adequately
inform patients about the choices they have and the consequences of their choices.
The procedure must be conducted in a manner that ensures that consent is entirely
voluntary. Upon obtaining consent, the patient shall affix his/her printed name
below the Patient Admission Form. If consent was denied, a refusal form shall be
provided.

Section 3. Point of Consent Collection. Consent for the PHIE shall be obtained
upon admission, but if the patient does not give consent upon admission or is in
an emergency case, efforts should be made to obtain consent upon discharge. For
unconscious and minor patients, consent shall be given either by the parents
and/or guardian. For patients who are physically or mentally incapable of giving
consent, persons authorized to sign the consent in their behalf are:
a. Immediate relatives within the 3rd degree of consanguinity: spouse (if
married), ascendant, descendant.
b. Cohabitant partner for a minimum of 1 year.
c. Persons with special power of attorney.
In emergency situations, the attending physician may decide in behalf of the
patient. For unconscious patients with no relative upon admission, the consent for
sharing information in PHIE shall not be applicable in the signed consent; the
patient’s significant others can sign the consent, however. The consent form shall
take into account the decision of the deceased patient’s family members regarding
organ donation. The family’s decision may also be obtained by the physician.

To avoid missing consent, viable occasions to obtain consent are:
a. Admission.
b. Admitting Order.
c. Discharge.

Section 4. Persons to Obtain Consent. A designated staff, not necessarily a doctor,
shall obtain the consent for PHIE.

Section 5. Validity of Consent. For consent to be considered valid, it must contain
all of these 5 elements:
a) Disclosure - the consenter has the information needed to make an autonomous
decision.
b) Capacity or Competence - the consenter’s ability to understand the information
to make judgments about the potential consequences of his or her decision.
c) Understanding or Comprehension - the consenter’s comprehension of the
information provided.
d) Voluntariness - the consenter’s right to make a decision freely without external
pressure or coercion.
e) Consent or Decision - the consenter’s authorization for PHIE.
A thumb mark may be considered once the consenting patient is incapable to imprint
his signature, but must be witnessed by a person of legal age.

Section 6. Duration of Validity. For OPD, 5 years. In-patient, 10 to 15 years.
Medico-legal cases, lifetime. Health care providers shall comply with the medical
records requirements electronically.

Exemptions for Consent. The following situations do not need consent for
information to be processed in the PHIE:
a. For national security purpose.
b. Emerging diseases identified in R.A. 3573.

Section 7. Provisions on Revoking or Reinstating Consent. Unconscious and minor
patients: when the patient becomes able (becomes conscious and is of legal age),
he or she may revoke the consent previously given by their authorized
representative. A valid court order shall prevail over written consent.

Section 8. Identification of Patient. A national system of unique patient
identifier shall be identified. The lack of it poses difficult challenges for
PHIE. A non-unique, out-of-date, or incorrect identifier can cause 2 types of
errors:
1. False Negative - failure to find a patient’s information when it in fact
exists.
2. False Positive - finding information that is not, in fact, for the patient.
The Privacy Officer (or a duly authorized representative) shall be responsible for
the orientation of the patients regarding PHIE implementation and validation of
patient information.

Section 9. Point of Collection of Information. Collection of information shall
start at the time of registration in the health facility. This shall be done in
the Admitting/Registration section and subsequent information shall be provided at
different points of care undergone by the patient. If the hospital does not have
an Electronic Medical Record in place, encoding and processing of patient
information will be through the medical records section or hospital information
management section. If they have an electronic medical record or a Hospital
Information System, encoding and processing shall begin at the service
transactions covered by the Hospital Information System.

Point of De-identification. De-identification shall be done at the level of the
Primary Health Care Provider. If the patient consents, the patient’s health record
may be processed in PHIE without the need for de-identification. If the patient
does not consent, the patient’s health information shall be de-identified. The
Primary Health Care Provider shall transmit information from patient’s records to
PHIE as shared health record or as part of PHIE’s data warehouse.

Section 10. Authorized Personnel to Collect Data. Data collection and processing
shall be done by a permanent employee of the health facility and shall ensure that
good clinical practice guidelines are observed when changing data:
- Original entry must be visible.
- Reason for the change/s must be entered or specified.
- Change must be dated and countersigned.
In so far as practicable, the medical social worker or some equivalent personnel
shall collect information especially in salient points such as family
information, socio-economic profile, and other vital data.

Section 11. Filing and Storage. All information collected at different levels of
care shall be integrated into a common file. An electronic archiving system shall
be developed for the storage of electronic data. Only de-identified health
information shall be stored in the PHIE Data Warehouse.

Reportorial Requirements. In compliance with Act No. 3573, otherwise known as
“Law on Reporting of Communicable Diseases”, all notifiable
diseases/syndromes/events and conditions shall be immediately collected and
reported to the local and national health authorities.

Information to be Shared. Health facilities shall share health information
exclusively for continuity of medical services.

RULE III
ACCESS OF HEALTH INFORMATION

Section 1. Access of Primary and Secondary Health Care Providers and Health
Facilities. Health facilities shall clearly define access rights and user roles
of staff to ensure that only appropriate people have access to the minimum
necessary protected health information. The Health Facility shall create
policies and procedures to specify the groups and positions that need to access
health information to perform their job responsibilities, as well as the type of
health information to which they need access. Upon patient consent, only the
attending physician shall have access to the patient’s information and read-only
access shall be given to secondary healthcare providers. Accessible information
for secondary healthcare providers shall be the following:
a. History of present illness.
b. History of past illness.
c. Family history of illness.
d. Allergies.
e. Adverse effect of medications given.
f. Laboratory and diagnostic procedures.
g. Treatment outcome (Final diagnoses shall be included whether clinical or
confirmed).
h. Any information approved by the patient for viewing.
The health facility shall ensure that disclosures and any subsequent changes are
documented.

Approval of Access. The head of the section or unit (medical director, chief
nurse) shall approve the creation of user credentials for personnel that shall
have access to the hospital information system. The head of the facility shall
approve the system access request. The Chief of Health Facility shall issue a
memorandum containing the list of names and information stated in the preceding
statement and a copy shall be furnished to the DOH central office.

Section 2. Access of User/Patient. Consenting patients shall have rights to
access, view, request amendments to, and request restriction over how their
health information is used. Patients who gave consent for their information to
be processed in PHIE shall have the preference to choose which portal provider to
use and shall have access to their own record even if their doctors are not yet
enrolled in PHIE.

Section 3. Access of Third Party. A “third party” in relation to personal data
means any person other than:
a) the data subject;
b) the data controller;
or any data processor or other person authorized to process data for the data
controller or processor.
A protocol on how to identify authorized persons to access patient information
shall be made. In cases when the person requesting for information is
incapacitated, special power of attorney shall be allowed, or the legal guardian,
if one has been appointed by court, will have the right to access. Patient’s
medical records shall not be accessible for case study purposes. For a child,
joint parental authority applies; if separated, the one granted legal custody,
either parent or legal guardian if one has been appointed, shall have access to
the child’s health information.

Section 4. Authorization to Access Information. A formal procedure to authorize
disclosure of personal health information shall be developed by health
facilities. Authorization must be written in plain language and must contain
specific information such as:
a) A description of the health information to be used and disclosed.
b) The name of the person to whom the health care provider may disclose the
health information.
c) An expiration date.
d) The purpose for which the health information will be used or disclosed.

RULE IV
USE AND DISCLOSURE OF HEALTH INFORMATION

Section 1. Use and disclosure of health information shall only be to the extent
of consent given by the patient and for the following purposes:
a) For planning of quality services.
b) Department of Health reporting, intervention and disease prevention.
c) Continuing care to patients.
d) Requirements and reporting for communicable and notifiable diseases as well as
those with serious health and safety threat to the public such as, but not
limited to:
   a. Meningitis
   b. Food Poisoning (mass)
   c. Breakthrough epidemic of contagious disease
   d. Biological or chemical warfare
   e. Anthrax
   f. Emerging and re-emerging diseases
   g. Ebola
e) Reporting of serious and less serious physical injury.
f) Reporting of maltreated or abused child to proper authorities.
g) Mandatory reporting required by licensing and accreditation bodies (DOH,
PhilHealth, etc.).
The Primary Health Care Provider has the authority to disclose information upon
patient request for his legitimate personal use such as release of insurance or
HMO required medical record, provided that there is a clear agreement/contract
made between the HMO and the patient. For U.S. war veteran patients, they should
come with a signed consent in order to release their medical records.

Privilege Communication. Both patient and physician must provide consent for the
use and disclosure of patient information; otherwise, information shall not be
released.

Section 2. Deceased Individuals. Disclosure of health information of a deceased
individual shall be to the authorized legal representative.

Obtain consent of patient before death; otherwise, consent should be obtained
from next of kin.

Section 3. Legal Authorities and/or Government Agencies. It is only in cases of
emergency, such as that provided in Sec. 15 of the privacy guidelines, where
disclosure can be done without court order. This would be situations where time
is of the essence, such as:
1. For PNP subpoena: without a court order, patient records shall not be released
or disclosed.
2. For medical or financial assistance requesting abstracts or similar documents,
authorization of patient is required.
Before a disclosure is made to any other government agency, release of
information shall be pursuant to hospital policy; otherwise, there must be a court
order. When personal health information is released to legal authority, a cover
letter shall be sent containing information reminding the recipient that the
information contained is personal health information and must be handled in a
confidential manner. A receiving copy shall be maintained by the health facility
for record purposes.

Section 4. Information Disclosed after Discharge. The following information may
be disclosed after patient discharge from the health facility:
a) Clinical abstract.
b) Laboratory result.
c) Doctor’s order.
d) Discharge summary.

Third Party Use and Disclosure. Third party providers shall not disclose health
information other than as provided by contract with the PHCP or as required by
law. They shall also agree to use appropriate safeguards to prevent use and
disclosure of the health information other than as provided by contract with the
primary health care provider or as required by law. Third party providers shall
report to the primary health care provider any use or disclosure of health
information not provided for by the agreement of which it becomes aware,
including breaches of unsecured health information, and any security incident of
which it becomes aware.

CHAPTER III
DATA SECURITY

RULE V
ADMINISTRATIVE SECURITY

Section 1. Policies and Procedures. Privacy and security policies must be
documented, maintained and updated as appropriate, and retained for at least 6
years. A regular privacy and security audit shall be done by health facilities.

Manuals and Guidelines. Information security manuals and training-related
guidelines for capacity building shall be made by health facilities. They shall
also provide a quality management system to put in place all processes, workflow
among others in relation to the implementation of PHIE.

Research. All research protocols pertaining to patient condition shall pass thru
strict review by the Institutional Review Board to safeguard patient information.
Protocols for requesting and accessing aggregate and de-identified information
for research, both public and private, shall be clearly defined.

Training Hospitals and Licensure Purposes. A non-disclosure clause shall be
included in the contract of the schools with affiliations to a health facility.
Guidelines for retrieval of information for purposes of PRC requirements shall be
made.

Employment and Contracts. Privacy-related clause, information security clause and
emphasis on the ownership of data shall be embedded in contracts of third party
providers and job order personnel.

An assessment of the applicant’s personal information shall be done to determine
if the person has the capacity to perform the functions being applied for. Other
than personality assessment, other possible conditions for hiring employees may
include background information, background checks on prior employers, review of
prior incidents, if any, past administrative record, past criminal record, if
any, especially those which may involve issues on honesty and moral turpitude.
Once determined that the applicant is highly emotionally unstable, he/she shall
not be put in a position requiring a great deal of reliability and consistency.
Upon assignment, the said employee shall sign a non-disclosure agreement.
Non-allied health staff shall also sign a non-disclosure agreement upon
employment. An orientation regarding privacy and security policies shall be done
for all employees in the health facility with great emphasis to the information
security personnel. This is also in line with ISO 27002 (17799), Sec. 8.2. A
formal process for ending a person’s employment or a user’s access shall be
formulated so that inappropriate access to health information does not occur.

Contract with third-party providers. Contracts/agreements between health care
provider and the third party shall include:
a) Policies for document storage and disposal.
b) Data management processes including methods for tracking and controlling
records, such as dates and time stamps, as well as the type of data sent and
received.
c) Description of the vendor’s privacy and security programs, and the individuals
who have access to records.
d) Description of output reporting, either electronically or in hard copy, so
data can be reviewed, monitored and reconciled.
e) Periodic staff training in secure records handling, and providing appropriate
document management tools.
f) Staff responsibilities for ensuring compliance and allocation of sufficient
job time to the task.
g) Right to audit clauses.
h) Communication requirements regarding control deficiencies identified through
internal or external sources.

Section 2. Security Department. The health facility shall have its own security
department which would cover the management of security guards. The head of the
security department shall be part of the quality committee and will have access
to records for tracing purposes.

Health Information Security Committee. A Health Information Security Committee
shall be organized rather than a single security officer. Their main role is to
ensure that health information is made secure. The team shall include the
Medical Records Officer, Medical Director, Nurse, Division heads of front liners,
Finance Officer and Legal Officer. Membership and roles of the committee shall
vary for other health facilities. Hospitals, Local Government Units, and
Municipal Health Centers shall create their health information security
committee. Roles and responsibilities of the Health Information Security
Committee:
a) Policy making on health information security.
b) Procedures on disclosure of health information.
c) Management of incident reports including attempts on the disclosure of health
information.
d) Validation of security officer rules.
e) Enforcement of sanctions on violations.

Authorization and Document Retention. For identification and authorization
purposes, the authorizing entity shall provide any of the following for
identification:
a) Biometrics
b) Specimen signature
c) E-signature
The document retention policy issued by the National Archives of the Philippines
shall be followed. For archiving purposes, the health facility can either have an
internal archiving system or outsource an archiving specialist.

Section 3. Chief Privacy Officer. A Privacy Officer, PHIE Compliance Officer and
Management Information Systems Officer shall be assigned per health facility.
The Chief Privacy Officer shall be the head of the facility or as may be
assigned by the head. Qualifications:
a) A graduate of Masters of Science in Health Informatics.
b) With IT background, or medical for clinical background.
c) With training certifications on the security aspect of PHIE.

Section 4. Duties and Responsibilities of the Privacy Officer, PHIE Compliance
Officer, and Management Information Systems Officer:
a) Formulate a workflow on the process of accessing health information for
standard implementation.
b) Monitor, account and register devices used in the health facility.
c) Perform system or quality data check.
d) Delegate data collection to staff but should ensure that data collected are
correct.
e) The privacy officer shall regularly audit the quality and integrity of patient
records.

Section 5. The Medical Records Officer. The Medical Records Officer shall be the
one to have access to patient’s data. He/she has the authority to audit the
patient record from time to time in order to determine the integrity of the
patient record. The sole responsibility of encoding is on the appointed
individual/unit.

The Information Technology Personnel. They shall be the one to perform system
related functions such as but not limited to troubleshooting, compliance on the
reporting form and safekeeping of back-up data. The IT shall be the custodian of
security videos and must adhere to the policy on confidentiality of medical
records.

RULE VI
PHYSICAL SECURITY

Section 1. Computer Access. Computers shall be accessible to authorized personnel
only and role-based system access shall be implemented. A person requesting for
access to a computer shall fill out a request form. Multiple accounts per user
are not allowed; each user shall have one account only. Pre-deployment site
assessment shall be conducted and computers to be installed shall be non-portable
and fixed in one place. Anti-glare filters on computer monitors shall be
installed at the minimum. This will not only help reduce glare, but also prevent
anyone from seeing what is on the screen unless directly in front of the
computer.

Computer Loss. In case of computer loss, the accounts in the computer system
shall be reset and deactivated until it is retrieved or reported.

Section 2. IT Room. The IT room shall only be accessible to authorized personnel
and to personnel involved during quality assurance monitoring.

Section 3. Servers. The health facility shall provide a designated area for the
housing of servers/data centers. It shall be a separate area from the data
collection and processing as well as from the IT office. The server room shall be
marked as “Restricted” and shall only be accessible to authorized personnel. A
designated IT personnel shall be tasked to handle the servers. If the health
facility cannot allot a space for the server room, a data cabinet shall be
installed. For smaller health facilities or clinics, they may use cloud computing
while bigger facilities use servers.

Applications. Only applications for the hospital information system shall be
installed in the computer system. Other applications, most especially social
media applications, are strictly not allowed.

Other Devices. Facility-registered electronic devices shall not be brought
outside the hospital premises except under circumstances such as disasters and
vaccinations. Capturing of patient data using camera phones and bringing of
electronic devices such as cellular phones, tablets, laptops, and cameras inside
the medical records area is strictly not allowed. USB devices shall be limited to
office use but, as may be practical, shall not be used. Mobile devices used for
job responsibilities are subject to audits even if an employee owns it.

RULE VII
TECHNICAL SAFEGUARDS

Section 1. Access Controls. Standard user IDs shall be given to each staff whose
work entails the need to access or process health information. There shall be a
three-way process for authentication of users:
- Something they know (password).
- Something they have (secure token).
- Something they are (biometrics).
Multi-factor authentication shall be implemented, especially for administrative
and supervisory accounts. There shall be an automatic screen or keyboard locking
after 5 minutes of inactivity. The last user ID that logged in must not be
displayed on the log-in screen.

Passwords. Passwords shall have the following characteristics: minimum of eight
(8) characters in length, with an upper case, lower case and special character in
it.

Leave of Absence. User IDs of employees or staff who are on extended leave of
absence shall be disabled until they return for work.

Section 2. Data Protection. Data on many computer devices can be damaged by being
moved, knocked or even when turned off.
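The account and password requirements of Rule VII, Section 1 (Access Controls, Passwords, Leave of Absence) can be expressed as mechanical checks that a health facility's administrator can run against its own user list. The following Python script is an added illustration and is not part of the IRR or of any PHIE system; the function names, the idle-lock helper and the sample account records are constructed for the example.

```python
"""Checks drawn from Rule VII, Section 1 of the IRR (Access Controls, Passwords,
Leave of Absence). Added illustration only: the function names and the sample
account records below are constructed, not taken from the IRR."""
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                     # "minimum of eight (8) characters in length"
LOCK_AFTER = timedelta(minutes=5)  # "automatic screen or keyboard locking after 5 minutes"


def password_violations(password: str) -> list[str]:
    """Return the characteristics listed in the rule that the password lacks.

    An empty list means the password has every listed characteristic. This is
    a floor, not a strength estimate: a value can satisfy all four rules and
    still be guessable, which is why the rule pairs it with multi-factor
    authentication."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def should_lock(last_activity: datetime, now: datetime) -> bool:
    """True once a session has been idle for the rule's 5-minute limit."""
    return now - last_activity >= LOCK_AFTER


def account_violations(accounts: list[dict]) -> list[str]:
    """Audit account records against two rules: one account per user, and
    accounts of staff on extended leave disabled until they return.

    Each record is a dict with keys user, account_id, on_extended_leave, enabled."""
    findings = []
    by_user: dict[str, list[str]] = {}
    for acct in accounts:
        by_user.setdefault(acct["user"], []).append(acct["account_id"])
        if acct["on_extended_leave"] and acct["enabled"]:
            findings.append(
                f"{acct['account_id']} ({acct['user']}) is enabled while on extended leave"
            )
    for user, ids in by_user.items():
        if len(ids) > 1:
            findings.append(f"{user} holds {len(ids)} accounts: {', '.join(ids)}")
    return findings


# Constructed sample records (not real staff, account ids or systems).
SAMPLE_ACCOUNTS = [
    {"user": "jdelacruz", "account_id": "his-001", "on_extended_leave": False, "enabled": True},
    {"user": "jdelacruz", "account_id": "his-017", "on_extended_leave": False, "enabled": True},
    {"user": "msantos", "account_id": "his-002", "on_extended_leave": True, "enabled": True},
    {"user": "rreyes", "account_id": "his-003", "on_extended_leave": True, "enabled": False},
]

if __name__ == "__main__":
    for pw in ("Abc!1234", "password", "Ab!1"):
        print(repr(pw), "->", password_violations(pw) or "compliant")
    for finding in account_violations(SAMPLE_ACCOUNTS):
        print(finding)
    t0 = datetime(2016, 1, 20, 9, 0)
    print("lock after 5 min idle:", should_lock(t0, t0 + timedelta(minutes=5)))
```

Run as a script it reports which sample passwords miss which characteristic, flags the user holding two accounts and the enabled account of a staff member on extended leave, and shows the idle timer tripping at exactly five minutes. The account audit reads a plain list of dicts so that the same function can be fed an export from whatever hospital information system the facility actually runs.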

If there is a hard disk, the heads on the drive should be “parked” before moving
the system to avoid destroying stored information. Otherwise, important
information can be lost.

Section 3. Data Back-up. Complete back-ups of the system shall be done
periodically, once a month or every few months. Back-up data tapes shall not be
stored near a computer monitor or uninterruptible power supply; the
electromagnetic interference coming from these devices can corrupt data on them
or completely delete them.

Anti-virus. Anti-virus software must be loaded in every computer possible. The
software needs to be configured regularly and automatically download updates for
the latest threats.

Configuration Management. It is important to document how the computer system is
organized to know when and how to disconnect additional pieces of equipment such
as telephone modems, auto-dialers, and printers from the system. Due to different
variations of computers and types of connections, it is important to seize all
the different cables and chargers for the seized equipment. There shall be a
regular monitoring and maintenance of database and networks of health facilities
to be conducted by the Database and Network administrator of the PHIE group.

Section 4. Cloud Services. For cloud service providers, appropriate audit
mechanisms and tools should be in place to determine how data is stored,
protected, and used, to validate services and to verify policy enforcement. A
risk management program should also be in place that is flexible enough to deal
with the continuously evolving and shifting risk landscape. The cloud provider’s
electronic discovery capabilities and processes must not compromise the privacy
or security of the data and applications of the health facility.

Health facilities shall ensure that they have knowledge of a cloud provider’s security measures to conduct risk management. Health facilities should understand the privacy and security controls of the cloud service. Health care providers must understand the technologies the cloud provider uses to provision services and the implications the technical controls involved have on the security and privacy of the system throughout its lifecycle. The underlying system architecture of a cloud can be decomposed and mapped to a framework of security and privacy controls that can be used to assess and manage risk. Adequate and secure network communications infrastructure shall be in place.

Contract between health facility and cloud provider. The health care facility’s ownership rights over the data must be firmly established in the service contract to enable the basis of trust and privacy of data. Ideally, the contract between the health care facility and the cloud service provider should state clearly that:
a) the health facility retains ownership over all its data;
b) the cloud provider acquires no rights or licenses throughout the agreement, including intellectual property rights or licenses, to use the health facility’s data for its own purposes;
c) the cloud provider does not acquire and may not claim any interest in the data due to security.
Contracts/agreements shall clarify the types of metadata collected by the cloud provider, the protection afforded the metadata, and the organization’s rights over metadata, including ownership, opting out of collection or distribution, and fair use. Service agreements should include some means for the health facility to gain visibility into the security controls and processes employed by the cloud provider and their performance over time. In so far as practicable, the health facility will have control over aspects of the means of visibility to accommodate its needs, such as the threshold for alerts and notifications, and the level of detail and schedule of reports. Adequate arrangements shall be established in the service agreement, and compliance of the service controls with the terms of the agreement shall be monitored, making any needed adjustments.

Composite Services. Cloud services that use third-party providers to outsource or subcontract some of their services should specify the scope of control of the third party, the responsibilities involved, and the remedies and recourse available should problems occur.

RULE VIII
USE OF SOCIAL MEDIA

Section 1. Responsible Social Media Use. Health care professionals shall always be mindful of their duties to the patient and community, their profession and their colleagues, and thus take into account that content once posted can be disseminated to others. Health care professionals shall always be conscious of their online image and how it impacts their profession, or the institution where they are professionally employed, affiliated or otherwise connected. Health care professionals must ensure that in their social media activity there is no law violated, including copyright, libel and cybercrime laws. At all times, the individual shall respect the privacy of others. An individual who witnesses unprofessional behavior or misinformation in social media, or sees social media activity that violates patient privacy or the privacy of other individuals, shall report the same to supervisory or regulatory authorities within the facility.

Section 2. Administrative Responsibilities. In so far as practicable, the social media activity of all physicians, employees and other health facility staff, including students or residents in training, practicing their profession, working or fulfilling academic and clinical requirements within the health facility, whether temporary or permanent, shall be monitored by health facilities to check for privacy breaches.

Section 3. Health Education and Promotion. The individual using social media for health information and/or promotion must be well-informed of the subject matter of the social media post. Information posted online shall be beneficial to the Filipino people. The individual shall refrain from any activity which spreads or tends to spread misinformation. The individual shall be careful in posting or publishing his or her opinion and shall ensure that such opinion will not propagate misinformation or constitute a misrepresentation. The individual shall not make any misrepresentations in his or her social media activity relating to content, advice, comment or other activity, his or her employment or credentials, and any other information that may be misconstrued or taken out of context. An article written by an individual and posted in social media must be evidence-based and disclose connections with pharmaceutical or health product companies or other sources of possible conflict of interest. Social media shall not be used to dispense specific medical diagnosis, treatment or projection, but shall consist of general opinions only. Use of social media should include statements that a person should not rely on the advice given online, and that medical concerns are best addressed in the appropriate setting. Information that will compromise patient confidentiality and privacy shall not be posted online. This may include comments in which patients are described with sufficient detail to be identified, or which refer to patients in a degrading or demeaning manner. The health care professional shall practice due diligence in keeping their social media accounts safe, such as through regular password change and logging out after social media use.

Section 4. Professionalism. Health care professionals shall conduct themselves in social media or online the same way that they would in public, mindful of acting in a manner befitting their profession, or that would inspire trust in the service they provide. They shall abide by the social media use policy of the institution. A health care professional shall strive to develop, support and maintain a privacy culture in the health facility. Health care professionals shall refrain from any activity which spreads or tends to spread misinformation. The health care professional shall be careful in posting or publishing his or her opinion and shall ensure that such opinion will not propagate misinformation or constitute misrepresentation. Online contact with patients or former patients blurs the distinction between a professional and a personal relationship; health care professionals thus must refrain from adding patients in their personal social networking sites, unless there is justification to do so, especially if the individual has not separated his or her professional and personal accounts in social media. Health care professionals shall maintain a professional boundary between patients. Health care professionals are discouraged from using a single account for both professional and private use. Health care professionals shall refrain from posting, sharing, or using photos or videos taken within the facility which would give the impression of unprofessionalism, show parts of the health facility where there is an expectation of privacy, or include colleagues, employees, other health facility staff, or patients without their consent. An individual shall not identify himself or herself as a representative of an institution in social media without being authorized to do so. Health care professionals shall refrain from using the name, logo, or other symbol of an institution without proper authority in their social media activity. A health care professional shall not use copyrighted materials other than for fair use where there is proper citation of source and author.

A health care professional is prohibited from:
1.) Disclosing identifiable information/personal health information about a patient, including taking selfies, groufies, or videos during encounters with patients that include the patient’s body parts or surgical specimens, or that show patients in the background without their consent; any information that will compromise the patient’s dignity and privacy shall not be posted, shared or used in social media.
2.) Posting, sharing or otherwise using recorded conversations between doctor, individuals or patients, when such recording, whether audio or video, was obtained without the consent of all parties to the conversation.
3.) Posting, sharing or otherwise using any information intended to be private or obtained through access to electronic data messages or documents.
4.) The use or access of personal social media accounts of others without authority.
5.) Social media activities that defame, harass, stalk or bully another person or institution. A post, comment, or other social media activity is considered defamatory if:
1.) The activity imputes a discreditable act or condition to another.
2.) The person or institution defamed is identified or readily identifiable.
3.) The activity is viewed or seen by any other person.
A health care professional may “like” a defamatory post, but he or she must use caution when sharing, retweeting, or contributing anything that might be construed as a new defamatory statement.

Consent for use of personal health information shall be written or evidenced by electronic means. Consent shall be obtained after explaining to the patient the purpose of the intended collection, use, access and disclosure. An individual shall not post, share or otherwise use any information relating to the identity, status and personal details of persons with HIV, those who have undergone drug rehabilitation, victims of rape and child abuse, and victims of domestic violence.

CHAPTER IV
SPECIAL AREAS

RULE IX
HUMAN RESOURCES

Section 1. On-boarding of employees. Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the facility’s information security policy. Security roles and responsibilities shall be clearly defined and communicated. Security roles and responsibilities shall include the requirement to:
a) Implement and act in accordance with the health care facility’s information security policies;
b) Protect assets from unauthorized access, disclosure, modification, destruction or interference;
c) Execute particular security processes or activities;
d) Ensure responsibility is assigned to the individual for actions taken;
e) Report security events or potential events or other security risks to the organization.
Security roles and responsibilities for individuals not engaged via the organization’s employment process (e.g. via a third party organization) shall be clearly defined and communicated. Job descriptions can be used to document security roles and responsibilities.

All candidates for employment, contractors and third party users shall be adequately screened, especially for sensitive jobs. Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. Procedures shall define criteria and limitations for verification checks (who is eligible to screen people, and how, when and why verification checks are carried out). A screening process shall be carried out for contractors and third party users. Where contractors are provided through an agency, the contract with the agency should clearly specify the agency’s responsibilities for the screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party should clearly specify all responsibilities and notification procedures for screening.

Employees, contractors and third party users who are given access to sensitive information shall sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities. This document shall be signed as an agreement by employees, contractors, and third party users of information processing facilities. Terms and conditions of employment shall reflect the health care facility’s security policy in addition to clarifying:
a) That all employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which would state their and the health facility’s responsibilities for information security.
b) The employee’s, contractor’s and any other user’s legal responsibilities and rights (e.g. copyright laws or data protection legislation).
c) Responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user.
d) Responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties.
e) Responsibilities of the organization for the handling of personal information, including personal information created as a result of, or in the course of, employment with the organization.
f) Responsibilities that are extended outside the organization’s premises and outside normal working hours.
g) Actions to be taken if the employee, contractor or third-party user disregards the organization’s security requirements.

Section 2. During Employment.

Section 2.1. Management Responsibilities. Management responsibilities should be defined to ensure that security is applied throughout an individual’s employment within the organization. Management responsibilities shall ensure that employees, contractors and third party users:
a) Are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;
b) Are provided with guidelines to state security expectations of their role within the health care facility;
c) Are motivated to fulfill the security policies of the health care facility;
d) Achieve a level of awareness of security relevant to their roles and responsibilities within the health care facility;
e) Conform to the terms and conditions of employment, which include the health care facility’s information security policy and appropriate methods of working;
f) Continue to have the appropriate skills and qualifications.
A formal disciplinary process for handling security breaches shall be established.

Section 2.2. Awareness and Training. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users.

All employees of the health care facility and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organization policies and procedures, as relevant for their job function. Awareness training shall commence with a formal induction process designed to introduce the health care facility’s security policies and expectations before access to information or services is granted. Ongoing training shall include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities (e.g. log-on procedure, use of software packages and information on the disciplinary process). The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.

Section 2.3. Disciplinary Process. There shall be a formal disciplinary process for employees who have committed a security breach. The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of privacy and security, and shall not be commenced without prior verification that a privacy breach has occurred. A graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not it is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required shall be provided. In serious cases of misconduct, the process shall allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary. The disciplinary process shall be used as a deterrent to prevent employees, contractors and third party users from violating organization security policies and procedures.

Section 2.4. Termination or Off-boarding of Employees. Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. The communication of termination responsibilities shall include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement, and the terms and conditions of employment continuing for a defined period after the end of the employee’s, contractor’s or third party user’s employment. Responsibilities and duties still valid after termination of employment shall be contained in the employee’s, contractor’s or third party user’s contracts. The Human Resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the security aspects of the relevant procedures. In the case of a contractor, this termination responsibility process may be undertaken by an agency responsible for the contractor, and in the case of another user this might be handled by their organization.

Return of Assets. All employees, contractors and third party users shall return all of the health care facility’s assets in their possession upon termination of their employment, contract or agreement. The termination process shall be formalized to include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, credit cards, access cards, software, manuals, and information stored on electronic media also need to be returned. In cases where an employee, contractor or third party user has knowledge that is important to ongoing operation, the information shall be documented and transferred to the organization.

Access Rights. The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Access rights for information assets and information processing facilities shall be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:
a) Whether the termination or change is initiated by the employee, contractor or third party user, or by management, and the reason for termination;
b) The current responsibilities of the employee, contractor or any other user;
c) The value of the assets currently accessible.
In certain circumstances access rights may be allocated on the basis of being available to more people than the departing employee, contractor or third party user (e.g. group IDs). In such circumstances, departing individuals shall be removed from any group access lists and arrangements shall be made to advise other employees, contractors and third party users involved to no longer share this information with the person departing. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these shall be changed upon termination or change of employment, contract or agreement.

RULE X
HEALTH RESEARCH

Section 1. Rationale.

Section 2. Research Subject. The research participant must understand that he or she can opt out of the study or have their personal information deleted from the project’s database if they so request in writing.

Section 3. Research Protocol. Protocols shall describe how the participant’s privacy will be protected in the entire research process and shall also include provisions on how to protect data and samples during use and subsequent storage. Study protocols shall incorporate data protection measures. Individuals, organizations or third-party data processors who may access identifiable information shall be identified in the research protocol and in the registration with review bodies. All personnel involved in the study will be required to sign statements agreeing to protect the privacy, security and confidentiality of identifiable information prior to accessing any personal information of a data or research subject. The data breach reporting protocol shall be followed, and researchers must ensure that there is privacy protection of data during the entire research process: recruitment, study proper, close-out, and even after study conduct.

Acceptable recruitment methods. Acceptable recruitment methods may include: advertisements, notices, media (social or tri-media), websites, letter or email to colleagues or healthcare staff to distribute to potentially eligible individuals.

Unacceptable recruitment methods. Unacceptable recruitment methods include (but are not limited to): searching through medical records or databases (e.g. patient registry) for qualified subjects and having a researcher with no prior contact with the potential subject recruit; recruiting subjects immediately prior to a sensitive or invasive procedure (e.g. in the pre-op room); retaining sensitive information obtained at screening, without the consent of those who either failed to qualify or refused to participate, for possible future study participation.

Section 4. Research Projects. A research project involving 1,000 or more data subjects shall register with the National Privacy Commission or its duly deputized body (for health research, possibly the National Health Privacy Board).

Section 5. Research Data. Data or specimens collected from research shall be de-identified or destroyed as deemed appropriate. Identifiers will be removed from study-related information whenever feasible. Audio or video recordings of subjects will be transcribed and then destroyed to eliminate audible or visual identification of data.

Paper-based records. Paper-based records are to be kept in a secure location and made accessible to personnel involved in the study only.

Electronic records. Computer-based files will be encrypted and made available to personnel involved in the study through the use of secure access privileges and passwords.

Data Sharing. Aside from the ones indicated in the study protocol and the original consent document, the research subject shall give his or her permission prior to data sharing arrangements.

RULE XI
PATIENT REGISTRIES

Section 1. Health information registries for research shall incorporate an appropriate design and data elements, written operating procedures, and documented methodologies, as necessary, to ensure the fulfillment of a valid scientific purpose. Registry developers shall prospectively apply careful scrutiny to the proposed purposes for and activities of a registry to avoid both ethical and compliance issues that may undermine achievement of the registry’s objectives. Where an authorization for the use and disclosure of registry data for future research does not exist, the health care provider or health insurance plan maintaining the registry shall need to obtain an additional authorization for the research from the individuals or seek a waiver of authorization from an Institutional Research Board or Privacy Board.

Registries compiling health information from vulnerable populations, such as but not limited to pregnant women, human fetuses, neonates, children, prisoners, and patients having rare diseases, shall employ special efforts to protect the identities of these subjects. An independent review of the privacy risks (e.g. reidentification, fraud) involved must be conducted if a dataset is going to be linked to another.

CHAPTER IV
NATIONAL HEALTH PRIVACY BOARD

Section 1. Rationale. The National Health Privacy Board is a broad sectoral response to health information privacy needs. It will support the health sector in complying with issuances and administrative orders relating to health information privacy and further the development of policy and practice for health data protection.

Section 2. Composition. The National Health Privacy Board shall be composed of the Chairperson, who shall be assisted by two Board Members, one to be responsible for Training and Capacity Building and one to be responsible for Compliance and Planning.

Section 3. General Roles and Functions. The Board shall assist in the implementation of the Privacy Guidelines and related issuances through Training and Capacity Building, and through Compliance Monitoring and Planning.

a. Complaints, Inquiries and Requests for Assistance.
1. The Board shall accept complaints, inquiries and requests for assistance from the health sector on matters related to the Privacy Guidelines and related issuances. It shall promulgate rules and procedures for receiving and processing complaints.
2. It shall mediate between parties to reach a compromise settlement, without prejudice to reporting before the NPC or licensing and regulatory authorities matters contrary to law.
3. It shall coordinate with the licensing authority of the health institution or other accreditation bodies, when necessary, in order to perform its function.
4. It shall assist persons or institutions on the interpretation of privacy regulations, in view of the requirements of existing laws. It shall elevate to the Privacy Experts Group issues which in its discretion require advisory assistance, in which case it shall make its recommendation after proper evaluation.

b. Privacy Compliance and Planning.
1. It shall develop procedures for the assessment of privacy practices in health facilities, in accordance with the standards for organizational, physical and technical security measures in the Privacy Guidelines and related issuances.
2. It shall coordinate with appropriate agencies to incorporate emerging technologies and new regulations in existing policies. It shall also coordinate with licensing and accreditation bodies to advocate the inclusion of privacy standards in their evaluation of health facilities.
3. It shall make recommendations on changes in policy or further policy development.
4. It shall provide the PEG a report of its activities, including case reports of issues brought before it that are of importance or significant impact.

Section 4. Training and Capacity Building. The Training and Capacity Building functions of the Board shall be spearheaded by the Board Member for Training and Capacity Building. He or she shall:
1. Develop and implement training modules for capacity building, including powerpoint presentations and articles that may be used by health information privacy advocates.
2. Conduct training workshops and accommodate requests for public information on the implementation of the privacy guidelines.
3. Develop and implement programs to inform and educate the public on health information privacy and to promote a privacy culture in the health sector.
4. Develop materials and documents, such as templates for employment contracts and non-disclosure agreements, to serve as a guide for the health facilities.

Section 5. Privacy Compliance and Planning. The Privacy Compliance and Planning functions of the Board shall be spearheaded by the Board Member for Privacy Compliance and Planning. He or she shall:
1. Oversee the monitoring of privacy compliance in health facilities.
2. Maintain a record of all compliance and monitoring reports.
3. Identify gaps in current standards for organizational, physical and technical security measures for the protection of personal health information and make recommendations for their improvement.
4. Review privacy codes voluntarily adhered to by personal information controllers and processors in the health sector and make recommendations to meet standards for the protection of personal health information.
5. Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the health sector.
6. Undertake regular planning activities to develop and recommend programs, including standards, to support the implementation of the Privacy Guidelines.

Section 6. Competencies and Qualifications. Members of the Board shall have the following competencies and qualifications:
a) Law, and clinical or public health background.
b) At least a bachelor’s degree in management, health administration, human resources, information systems, education, or other relevant fields.
c) Minimum 5 years’ experience in health care, laws and regulations concerning information security and privacy.
d) Demonstrated mastery of regulatory development and compliance.
e) Familiarity with the business functions and operation of large institutions (preferably health-related).
f) Strong organizational and problem-solving skills.
g) Ability to work effectively with teams and stakeholders.
h) Ability to communicate with clarity both orally and in writing.

CHAPTER V
THE PRIVACY TEAM OF A HEALTH FACILITY

Section 1. Rationale. Regional health units (RHUs) and bigger health facilities are expected to have some personnel with specialized privacy roles. In so far as practicable, a Privacy Officer (PO) shall be designated at a health facility. In a facility where a plantilla position for a privacy officer could not be immediately secured, a Privacy-Officer-Designate shall be appointed. It is recommended that the PO be at the Vice-President level (or equivalent) to have sufficient authority to uphold privacy in the institution. The PO’s identity shall be made known to any data subject upon request.

Section 2. Roles and Functions. The privacy officer is not automatically the personal information controller “who controls the collection, holding, processing or use of personal information.” While the latter is directly accountable for the protection of privacy, the Privacy Officer is the person responsible for privacy policy compliance at the health facility. Ultimately, the PO sees to it that overall compliance is observed at the institution. He or she regularly audits the quality and integrity of patient records. The PO shall update the health facility’s privacy protocols. Other roles of the PO shall include:
a) Developing and implementing privacy policies and procedures, consents, authorizations, acknowledgement forms, and other forms as required, and ensuring that the workforce adheres to the policies and procedures.
b) Assuming advocacy, capacity-building, and stake-holding functions.
c) Managing the privacy aspect in the different areas of the operations.
d) The PO and the privacy team shall identify the governance structure from the national level down to the RHU and align with them their facilities’ privacy goals and initiatives.
e) Ascertaining the authority and delegating data collection to staff.
f) Ensuring that the entire process of editing data is documented: the request for editing, the process followed in editing, who did the editing, and the closing of the editing.
g) Identifying how personal health information is created, stored or disclosed in paper and electronic format, and maintaining an inventory of how the facility uses or discloses all personal health information.
h) Being the contact person responsible for receiving complaints and providing individuals with further information about matters contained in the health facility’s privacy protocols.
i) Maintaining a record of complaints and a brief description of how they were resolved.
j) Distributing the health facility’s privacy protocols to all new patients and posting the updated health facility’s privacy protocols on the institution’s website or on its public bulletin boards.
k) Continually updating the staff’s knowledge of privacy rule guidelines, developments, and new regulations, and training the workforce on these requirements.
l) Effectively communicating technical and legal information to non-technical and non-legal staff for employee training.
m) The PO and privacy team shall account for devices used in the facility and ensure that devices containing electronic personal health information are encrypted as required by the health facility’s privacy protocols.
n) Reviewing all business associate agreements or contracts for privacy compliance.
o) Consistently applying sanctions, including imposing sanctions on workforce members that breach an individual’s privacy, in accordance with the facility’s policies and procedures.
p) Regularly communicating the status of legal complaints, risks, and sanctions imposed on workforce members.
q) Serving as the practice’s resource for regulatory and accrediting bodies on matters relating to privacy and security.
r) Performing system or quality data checks, and checking compliance on the reporting form and safekeeping of backup data.
s) Coordinating privacy safeguards with the practice’s security officer to ensure consistency in development, documentation, and training for security and privacy requirements.
t) Coordinating and communicating to practice leaders the audits of the National Health Privacy Board or any other governmental or accrediting organization.
u) Coordinating with the institution’s Risk Manager (if any) to address privacy risks.
v) Reporting directly to the hospital director, president, or board of directors.

Section 3. Appointment. Health facilities with at least 300 beds are required to employ a Privacy Officer. Those with fewer than 300 beds may affiliate with other health facilities to employ a shared Privacy Officer. A government health facility shall appoint a Privacy Officer Designate while waiting for the official plantilla assignment.

Qualifications. The National Health Privacy Board does not have quasi-judicial powers or the power to impose penalties. f) Work effectively with teams and stakeholders. Section 5. b) Minimum 5 years’ experience in health care. Staff. laws and regulations concerning information security and privacy. including standards. The Privacy Officer shall have the following qualifications: a) At least a bachelor’s degree in management. human resources. While the PO is responsible for privacy management and compliance. CHAPTER VII COMPLIANCE. General Principles. INCIDENT REPORTING. d) Familiar with business functions and operation of large institutions (preferably health-related). Section 4. h) Must undergo data privacy and security training from reputable training providers.Rural Health Units may share a Privacy Officer in the provincial level. RESPONSE RULE I COMPLIANCE RULE II INCIDENT REPORTING Section 1. information systems. preferably working with the Provincial Health Unit. c) Familiar with regulatory development and compliance. health administration. Parties who voluntarily . He or She may delegate responsibilities to others within the organization if they are trained and would communicate promptly with the privacy official on these matters. g) Have the ability to communicate with clarity both orally and in writing. e) Strong organizational and problem-solving skills. or other relevant field.

A brief narration of the material facts which show a violation of the privacy guidelines or related issuance. to the due process of law. firm.1. .3. Contents. 2. Who May File.2. The National Health Privacy Board does not have subpoena powers or powers of contempt. when necessary. simple and concise language and shall contain the following: 1. Full names and complete addresses of the complainant and the respondent. The complaint must be written in a clear. The complaint may be filed by any person. Complaint. partnership. both parties must submit an undertaking under oath or embodies in an affidavit that the parties agree to be bound by the Resolution of the Board. and in reaching an amicable settlement. Section 2. through its duly authorized representative. or the acts or omissions allegedly committed by the respondent amounting to a privacy concern. Section 2.submit their complaints or issues for resolution may be assisted in clarifying the issues subject of the complaint. or regular courts. association or corporation. The investigations conducted by the Board shall be fact-finding and summary in nature. Section 2. Section 2. without prejudice. The Resolution of the National Health Privacy Board may also serve as support document of cases filed before the National Privacy Commission. The National Health Privacy Board may be able to assist the parties in clarifying privacy related complaints in health facilities due to the fact that they have a deeper understanding and better perspective of privacy issues concerning personal and sensitive health information. however. Procedure for Complaint and Investigation. To ensure compliance with the Resolution of the Board. and recourse to the National Privacy Commission or proper courts.A complaint shall be in writing and under oath ot embodied in an affidavit. It relies on the documents and evidence voluntarily submitted by the parties.

which information will be disclosed to the Board.4. Section 2. plus two (2) copies for the file. The affidavit/s required to be submitted shall state facts only of direct personal knowledge to the affiant and shall show the competence of the affiant to testify to the matters stated therein. without prejudice to other legal remedies. A violation of the foregoing requirement shall be a ground for expunging the affidavit or portion thereof from the record. Number of Copies. and the affidavit/s of witness/es if any. Section 2. the complaint shall be dismissed. 3.6. Where to File A Complaint. A complaint may be filed at the office of the Health Privacy Board. 6. . before appropriate bodies. The Board shall evaluate the allegations of the complaint (1) to determine whether it involves a violation of the Privacy Guidelines or issues involving privacy of health information and (2) if based on its allegations. or in case of juridical person by a duly authorized representative. the complaint shall be accompanied by the incident report or relevant document showing the results of the investigation conducted within the institution. 5. Section 2. shall be filed in such number as there are respondents. to the effect that the complainant agrees to abide by the final resolution of the National Health Privacy Board. If the Complainant is an institution. Certified true copies of documentary evidence. access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint. the complainant shall include proof that consent of said parties have been obtained with regard to the use. together with the documentary evidence and affidavit/s of witness/es.7. there is reason to believe that there is a violation of the Privacy Guidelines or related issuances. Section 2. If both conditions are not satisfied. If the complainant contains personal and sensitive information involving third parties. if any. under oath or embodied in an affidavit.5. 
Evaluation of Complaint. The complainant. An undertaking of the complaint. Issuance of Requests to Appear. 4.

3. 4. The Board shall ensure that before it convenes the parties: 3. Section 2. in writing. Even if the parties have reached an amicable settlement. If the counter-affidavit contains personal and sensitive information involving third parties. the respondent. In case the parties reach an amicable settlement. the Board shall request. furnishing the said respondent a copy of the complaint. before appropriate bodies. Both complainant and respondent have signed and undertaking that they agree to be bound by the Resolution of the Board. to the effect that the respondent agrees to abide by the final resolution of the National Health Privacy Board. 1. shall be asked to sign and undertaking. the respondent shall include proof that consent of said parties have been obtained with regard to the use. with their witnesses. 6. the respondent to appear before it. without prejudice to other legal remedies. access and disclosure of said personal or sensitive information for purposes of resolving or adjudicating the complaint. and requiring the submission of a counter-affidavit within ten days from receiving the said request. Proof that consent have been obtained from third parties when the affidavits or submitted evidence includes their personal and sensitive information. which shall be binding in view of their undertaking. 2. 2. 1. if there is reason to believe that there is a violation of the Privacy Guidelines. sending notices to the parties. 5. which information will be disclosed to the Board. If the respondent appears before the Board. if any. The Board may ask clarificatory questions when necessary. but the Board finds that the . or in case of juridical person by a duly authorized representative. The Board shall identify the issues for resolution and mediate in order for the parties to reach an amicable settlement. the Board shall issue a resolution on the agreement between parties.8. under oath or embodied in an affidavit. before appropriate bodies. 
On the basis of the complaint. for purposes of resolving or adjudicating the complaint. and requesting for them to appear before the National Health Data Privacy Board. The Board shall set a date to convene the parties involved in the complaint. Procedure if the Respondent Appears.

if necessary. or to the National Privacy Commission.9. for appropriate action. The minutes of the proceeding shall be filed and maintained. Its resolution. or to the National Privacy Commission. or to the National Privacy Commission. 8. complaint constitutes a violation of law. it shall prepare a report and recommendation. the Board shall resolve the complaint on the basis of the affidavits and documents submitted by the complainant. The Board may request the parties to submit a memorandum containing their arguments on the facts and issues for resolution. . Section 2. with supporting documents shall be submitted to the proper licensing regulatory or accrediting body. the complaint shall be submitted for resolution. with supporting documents shall be submitted to the proper licensing regulatory or accrediting body. 7. for appropriate action. The resolution shall be binding on the parties in view of their undertaking. The Board shall furnish the parties with copies of its resolution. In case the parties are unable to reach an amicable settlement. Section 3. and submit the same to the proper licensing regulatory or accrediting body. Procedure if the Respondent does not Appear. Its resolution. The Board shall adjudicate on the issues and issue a resolution containing its recommendation. if necessary. If the Respondent does not appear before the Board. Resolution. 9.