breach this trust are grounds for
WEEK 11: CONFIDENTIALITY AND MANAGEMENT
OF HEALTHCARE INFORMATION
I. CONFIDENTIALITY: A PRINCIPLE WITH
QUALIFICATIONS
- Keeping private information is the easiest
principle to understand but the hardest to
honor
- Invasion of Privacy → unjustifiable intrusion
into the personal life of another without consent
(eg. talking about a patient in the cafeteria or
gossiping is a breach of trust)
- Foundation of Trust → belief that privacy will be
honored which gives patients freedom to share
sensitive information
CONFIDENTIALITY- the state of keeping or being kept
secret or private
- This is an expectation of the patient-provider
relationship and dates way back.
- Early Greeks
● first healthcare practitioners who
pledged to respect confidentiality
● Inscribed patient information along the
walls of the temple and limiting access
to others not part of the care group
- Right to Confidentiality of the patient can be
defended with the use of the four systematic
approaches to ethical decision making
FOUR SYSTEMATIC APPROACHES TO ETHICAL
DECISION MAKING
1. Utilitarian Ethics - outcome based
2. Deontological Ethics - duty based
3. Virtue Ethics - virtue based
4. Divine Command - faith based
In terms of Confidentiality, the end point of these
approaches agree upon each other → there is no
argument to such right
UTILITARIAN PERSPECTIVE
- Long-term consequences of disclosing
information to the public is the chilling effect
on the relationship
● Chilling Effect → discouraging free
speech and association rights
- Healthcare practitioners are conducted under
tacit agreement (meaning they choose to
agree upon certain terms) that those who
BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
consequences.
- Example: psychotherapy ward → patient is
encouraged to take risks by disclosing
personal information in the hopes of quality
care. (if patient does not disclose or has lost
confidence, then care would be limited and
ineffective)
DUTY-ORIENTED PERSPECTIVE
- Personal privacy is a basic right
- Foundation of such:
● Professional practice
● Common law
- Common violations of confidentiality are
grounds for lawsuits and cases:
● Unwarranted disclosure of private
affairs
● Unauthorized use of photograph
● Exploitation of person’s name
These examples give rise to legal action on
the grounds og invasion of right to privacy.
- Individuals in the society have the
autonomous right to control their personal
information and protect personal privacy
PRIVACY CONFIDENTIALITY
Person’s right Professional’s duty
VIRTUE ETHICS PERSPECTIVE
- Confidentiality is one that forms a virtue of a
good practitioner
- Confidentiality → critical principle
- Patient information can be shared among
practitioners in the account of care but are not
allowed to take place in elevators, cafeterias
or parties.
REAL QUESTION: IS CONFIDENTIALITY A MORAL
ABSOLUTE?
- The answer would be no. Medical
practitioners are allowed to share patient
information only when in collaboration of the
care for the client. Any situation outside care
disclosure is a breach in confidentiality.
WHEN CAN CONFIDENTIALITY BE LEGALLY
Right to Privacy Zone of Privacy
BROKEN?
- When a patient is endangering himself/herself - Generic concept - Described by
or when he/she possesses a threat to the encompassing a Justice Douglas
safety of the people around him. variety of rights - Forbade
thought to be governmental
necessary for intrusion into the
TARASOFF CASE
ordered democracy homes and lives of
A famous case involving a psychiatric patient, citizens
Prosenjit Poddar, who told his doctor that he intends
to kill a woman named Tatiana. When the doctor knew
of this, he admitted the patient for 72 hours for This constitutional recognition of a right to privacy and
observation. However, the patient convinced the self determination formed the basis of the Roe v.
security guards that he was rational and sane and Wade case in 1973.
promised to stay away from the girl.
Roe v. Wade (1973)
The next day, the man killed the girl. - A legal case in the United States Supreme
Court on January 22, 1973, ruled that the
It is at this time that healthcare practitioners are to Constitution of the United States protects a
keep patient confidentiality no matter what since they pregnant woman’s liberty to choose to have
were not required to protect the lives of others but an abortion without excessive government
their patient. restriction.

Later on, the Code of Ethics added an addition to the
principle of confidentiality which is the Harm
Principle.
HARM PRINCIPLE OF CONFIDENTIALITY
- A principle that gives power to healthcare
practitioners to break confidentiality and report
the situation when patients are endangering
themselves or endangering the people around
them.
- The healthcare practitioners are given the
power to break trust and confidentiality only
when harm comes to people.
COMMON CASE: WHAT WOULD WE DO IF WE
HAVE AN HIV POSITIVE PATIENT?
- Be discrete with the information since the HIV
disease is surrounded with issues like
discrimination and deprivation of rights.
- Only healthcare providers who are assigned
to the case should know. Certain measures
should be made to prevent the family of the
patient from acquiring the disease. The
healthcare provider may tell the direct SO of
the patient to help with preventive measures.
II. LEGAL FOUNDATION OF PRIVACY
The Supreme Court determined that a woman’s right
to make this personal choice rested on;
1. The avoidance of disclosing personal matters
2. The need to provide for an arena where
independent decision making could take
place.
We have the right to;
- Make fundamental choices involving
ourselves, our families, and our relationships
with others free from scrutiny as long as these
assertion of these rights is consistent with the
law or public policy
- Maintain our private lives
- Restrict the collection, processing, use, and
dissemination of information about our
personal attributes and activities
The law provides legal redress against those who
would infringe on our legitimate right to privacy from
motives of malice, greed, curiosity, or gain.
Four Classes of Tort Actions
1.) Misappropriation
- Deals with the unpermitted use of a
person’s name or likeness for another’s
benefit or advantage
2.) Intrusion

BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
 - Involves the intrusion upon another’s
solitude or seclusion; a clinical
example might be the allowance of
unessential or lay personnel to be
present during a surgical procedure or
examination.
3.) Public disclosure of private facts
- Involves publicity of an objectionable
nature of private information
4.) Presenting someone in a false light to the
public
- Involves publication of information that
leads to the public regarding the
plaintiff falsely.
Many state statutes and few federal regulations
require the reporting of certain types of information
from the medical record, to appropriate agencies with
or without the patient’s authorization.
● Maintained privacy
Present
● Electronic/Paperless
● Easily accessed
● Accessed by many
● Prone to be stolen and misused
Today over 80% of direct patient care is provided by
allied health and nursing professionals. In the
hospital, only about a third of the patient’s record is
maintained by physicians, with the rest being
recorded by other members of the medical team.
On average, 5 days of inpatient care within a teaching
hospital as 150 staff (from nursing, respiratory care,
radiology, and billing clerks) have legitimate access to
a patient’s record to provide both direct and/or
supportive services

Common Legal Reporting Requirements

A patient’s data can be used for:
● Child abuse
1. Administration
● Drug abuse
2. Payment
● Communicable disease
3. Utilization Review
● Births and deaths
4. Teaching
● Injuries with guns or knives
5. Research
● Blood transfusion reactions
● Poison and industrial accidents
● Misadministration of radioactive materials
Aside from the health care team, who gets access to
These reporting requirements deal with issues the patient’s records? They can be:
thought to be vital to community health and welfare. ● Insurance Companies
- they pay the bills
In absence of a legal regulation to provide patient ● Public Health Agencies
information, a police agency has NO authority to - to assist in monitoring and investigating
examine a medical record without the patient’s disease outbreak pattern
authorization ● Employers
- to assess job-related injuries
III. MODERN HEALTHCARE AND ● Local Government Agencies
CONFIDENTIALITY - to develop health care programs and
allocate resources
Medical Records: ● Attorneys and Law Enforcement
- as evidence for civil or criminal matters
Past ● Media
● Paper charts - to report health hazards or reports health
● Poorly indexed research developments
● Poor handwriting ● Accreditation, Licensing, Certification
● Less “outside” access Agencies
● Accessed by physician and small direct care - to assess compliance with various criteria
staff and standards
● Third-Party Payers

BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
By the early 1990’s, it was clear that the use of
computers and complex database retrieval systems
was making confidentiality of patient information
difficult to maintain.
*there was an incident in which surplus computers
sold by medical schools and other agencies, and in
those computers still contained information regarding
case details of thousands of patients*
Prior to the enactment of HIPAA (Health Insurance
Portability and Accountability Act) and the Privacy
Rule there was no unifying federal privacy act for
medical records.
NEWS:
Massive Hack of Hospital Network Files - 4.5
Million Records
UCLA Hospital System’s President, Dr. James
Atkinson, apologized to the public for the potential
loss of millions of records. Information lost included
patient’s names, medical information, Social
Security Numbers, Medicare Numbers, health plan
IDs, birthdays, and physical addresses. The
hospital group is not notifying staff and patients,
offering them one year of identity theft recovery.
THe UCLA system is just one of many health
systems who have lost control of millions of
records. Their systems are under near constant
attack by hackers, some of which are operating in
foreign countries. Hospitals, health insurance
companies, and universities have all become a
frequent targets for hackers seeking massive
databases of personal information. Profile data,
Social Security Numbers,and health records sell on
the black market. Illegal data brokers amass large
databases of this stolen information and then sell
access to identity thieves.
IV. HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT (HIPAA)
● Enacted by the Congress in 1996 to:
○ Encourage the use of electronic
transmission of health information
○ Assist in cost containment
○ Provide new safeguards to protect the
security and confidentiality of the
information
● HIPAA has three self-declared major purposes
BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
○ To protect and enhance the rights of
consumers by providing them access
to their health information and
controlling the inappropriate use of
that information.
○ To improve the quality of healthcare in
the United States by restoring trust in
the healthcare system among
consumers, healthcare practitioners,
and the multitude of organizations
committed to the delivery of care,
○ To improve the efficiency and
effectiveness of healthcare delivery by
creating a national framework for
health privacy protection that builds on
efforts by states, health systemd,
individual organizations, and
individuals.
● Those required to follow HIPAA Privacy Rule:
○ Doctors, nurses, allied health
professionals, pharmacies, hospitals,
clinics, nursing homes, and many
other healthcare providers.
○ Most employer health plans, HMOs,
and health insurance companies.
○ Certain government programs that pay
for health care, such as Medicare and
Medicaid.
● Protected information:
○ Information your doctor, nurses, and
other healthcare providers put in your
medical record.
○ Conversations your doctor had about
your care or treatment with nurses and
other healthcare professionals.
○ Information about you in your health
insurer’s computer system.
○ Billing information about you from your
clinic/healthcare provider.
○ Most other health information about
you, held by those who must follow
this law.
● Information can be used and shared:
○ For treatment and care coordination.
○ To pay physicians and hospitals for
the patient’s health care.
○ With family, relatives, friends, and
others the patient identifies as being
 involved with their healthcare or health - Auditing functions
care bills, unless the patient objects. - Administrative functions
- Research
● Without the patient’s authorization, healthcare - Public health reporting
providers generally cannot: - Criminal law requirements
○ Give information to the patient’s Professional Education
employer. - The need for professional education permits
○ Use or share the patient’s information information regarding in-house patients to be
for marketing or advertising purposes. exchanged for these purposes:
○ Share private notes about the patient’s - Medicine
mental health counselling sessions. - Nursing
- Allied Health
● Patient’s rights - Psychology
○ Right to see and get a copy of your - Social Services
health records. Research
○ Right to have corrections added to - Data in regard to the conducting or research
your medical records. can be shared to all researchers involved.
○ Right to receive a notice as to how - Hospitals that permit their staff to engage in
your health information may be used research have research committees to screen
or shared. the protocols.
○ Right to a report on how and why your International Review Boards (IRBs)
health information was shared. - An administrative body established to protect
○ Right to due process if your rights the rights and welfare of human research
were denied. subjects recruited to participate in research
○ Right to decide if you want to give activities conducted under the auspices of the
permission before your health institution with which it is affiliated.
information may be used or shared. - Attempts to balance the potential risk to the
patient against the potential benefits of the
V. LEGITIMATE INTEREST research.
Legitimate interest Research standards:
- is a standard to determine whether an 1. The results should be presented in such a
enforcing party has a protectible, valid, and fashion as to protect the anonymity of the
legal interest that allows them to create some patients.
type of restriction or perform a specific action. 2. Only those involved in the study will have
Medical record: access to the raw data.
- Medical information about the patient’s 3. Safeguards to protect the patient's privacy will
condition be part of the research protocol.
- Contains patient’s personal data 4. Patient confidentiality should be maintained in
- Patient’s financial and social nature the conduct of medical research.
- A property of the hospital or clinic
- Patient has legal interests and rights to the Health records and legitimate access
information
Access to the medical record is limited to: Level 1 - direct ● Physicians
- Patient patient care ● Nurses
● Institutional services
- Authorized representatives of the patient
● Therapists/Technologists
- Attending physician
- Hospital staff members who have a legitimate Level 2 - ● Service payers
interest supportive ● Risk management
● Quality care reviews
Grounds of legitimate interest: services
- Professional education
Level 3 - Social ● Insurance
- Patient care services ● Licensing

BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
 ● Employment decisions
Basic Principles of Human Subject Research
● Civil/criminal judicial review
● Public health reporting
● Research
● Education
● Media
● Law enforcement
● Rehabilitation
Documentation
- A material that provides official information or
evidence or that serves as a record.
- The less confidential information written
explicitly into the record, the fewer
opportunities there are for harmful disclosures
involving patient privacy.
- It is essential and required by law that
hospitals establish procedures to protect the
content of medical records.
- This is not only in the standpoint of
patient confidentiality, but also against
the possibility of intentional
falsification and alteration of record.
VI. HUMAN SUBJECT RESEARCH
What is Human Subject Research?
- Research projects generally are described in
a protocol that sets forth the explicit objectives
and formal procedures designed to reach
these objectives.
Objectives of Human Subject Research
1. Gaining understanding of normal and
abnormal physiological, psychological, and
sociological phenomena
2. Evaluating the efficacy of diagnostic,
therapeutic, or preventive interventions and
variations in service or practice.
Methods to Reach the Objectives of Human
Subject Research
● Invasive and Non-invasive procedures
● Collection of body tissues and fluids
● Administration of chemical substances
● Randomization of subjects
● Modification of diet or daily routine
● Orchestration of strenuous physical exercise
● Alteration of environment
● Administration of questionnaires
● Reviews of Records
BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
● AUTONOMY
- First consideration is that subjects are
individual autonomous agents and
have the right to expect that the
researcher will support their opinions
and choices while refraining from
obstructing their actions unless they
are clearly detrimental to others. This
is applied through the use of Informed
Consent.
- Second consideration deals with the
fact that not all individuals are capable
of self determination. For individuals
who have either not gained the
capacity for self-determination or have
lost this capacity due to illness, mental
disability, or circumstances that
severely restrict liberty, special
considerations need to be put in place
to ensure their protection, even if this
means excluding them from
participation in the research.
● BENEFICENCE & NON-MALEFICENCE
- Patient benefit and risk calculations
should always be considered in
human research. Every effort should
be made to secure for all participants
their well-being. Two general rules that
have been formulated to extend these
activities are (1) do no harm, and (2)
maximize possible benefits and
minimize possible harm.
● CONFIDENTIALITY
- Privacy refers to “persons and to their
interest in controlling the access of
others to themselves,” and no
participant should ever be forced to
reveal information to the researcher
that the participant does not wish to
reveal.
- Depending on the type of study,
personal identifiers such as names,
birthdates, places of residence etc.
may or may not have to be collected.
 ● JUSTICE
- Research supported by public funds
that leads to improvement of
technologies or therapies should
benefit more than those who can
afford them and that the research
should not depend unduly on
populations unlikely to be among the
beneficiaries of the applications of
research findings
Professional and Ethical Standards to be followed
in Human Subject Research
1. Risks the subjects are minimized by using
procedures consistent with sound research design
that do not unnecessarily expose subjects to risk.
Whenever appropriate, the research will use
procedures already being performed on the subjects
for diagnostic or treatment purposes
2. Risks to subjects are reasonable in relation to
anticipated benefits, if any, to them, and the
importance of the knowledge that may reasonably be
expected to result. Researchers should consider only
risks and benefits that may result from the research
(as distinguished from risks and benefits of therapies
subjects would receive if they were not participating in
the research.) researchers should not consider the
long range effects of applying knowledge gained in
the research (e.g., the possible effects of the research
on public policy) as among those research risks that
fall within the purview of their responsibilities.
3. Selection of subjects is equitable. In making this
assessment, the researcher should take into account
the purposes of the research and the setting in which
the research will be conducted. The researcher also
should be particularly cognizant of the special
problems of research involving vulnerable
populations, such as children, prisoners, pregnant
women, mentally disabled persons, or economically
or educationally disadvantaged persons.
4. Informed consent will be sought and appropriately
documented from the subject or the subject’s legal
representative, in accordance with the requirements
of law and ethical practice.
5. There will be appropriate provision for monitoring
the data collected to ensure the safety of subjects.
BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
6. There will be adequate provision for the protection
of privacy and the maintenance of confidentiality of
collected data.
VII. INSTITUTIONAL REVIEW BOARDS
Institutional Review Boards
● To ensure satisfactory compliance with
appropriate research standards, institutions
create institutional review boards
● To review the research protocols prior to
implementation.
● One of the important activities gathered under
the aegis role of duty is service on IRB.
● These boards are established to protect the
rights and welfare of human subjects recruited
to participate in research activities under the
auspices of the institution with which a board
is affiliated.
Research
- A systematic investigation, including research
development, testing, and evaluation,
designed to develop or contribute to
generalizable knowledge.
Human Subjects
- Living individuals about whom an investigator
(whether professional or student) conducting
research obtains:
● Data through intervention or interaction with
the individual
● Identifiable private information
Code and Documents (end of World War II)
1. Nuremberg Code of 1947
- August 1947, in Nuremberg, Germany
- The Nuremberg Code aimed to protect
human subjects from enduring the
kind of cruelty and exploitation the
prisoners endured at concentration
camps.
The 10 elements of the code are:
● Voluntary consent is essential
● The results of any experiment must be for the
greater good of society
● Human experiments should be based on
previous animal experimentation
● Experiments should be conducted by avoiding
physical/mental suffering and injury
● No experiments should be conducted if it is
believed to cause death/disability
● The risks should never exceed the benefits
● Adequate facilities should be used to protect
subjects
● Experiments should be conducted only by
qualified scientists
● Subjects should be able to end their
participation at any time
● The scientist in charge must be prepared to
terminate the experiment when injury,
disability, or death is likely to occur
2. Helsinki Declaration of 1964 (with later
revisions)
- Formal statement of ethical principles
published by the World Medical
Association (WMA) to guide the
protection of human participants in
medical research.
- Adopted in 1964 by the 18th WMA
General Assembly, at Helsinki
● 1975 (first revision)
● 1983 (second revision)
● 1989 (third revision)
● 1996 (fourth revision)
● 2000 (fifth revision)
● 2008 (sixth revision)
● 2013 (seventh revision)
3. Belmont Report of 1979
- The report was issued on 30
September 1978and published in the
Federal Register on 18 April 1979.
- The three basic ethical principles
identified and set forth as guidelines
for the conduct of biomedical and
behavioral research involving human
subjects - respect for persons,
beneficence, and justice - remain
particularly relevant and necessary for
today’s clinical trials.
- The Belmont Report summarizes
ethical principles and guidelines for
research involving human subjects.
Three core principles are identified:
respect for persons, beneficence, and
justice. Three primary areas of
application are also stated. They are
informed consent, assessment of risks
and benefits, and selection of
subjects. According to Vollmer and
BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
Howard, the Belmont Report allows for
a positive solution, which at times may
be difficult to find, to future subjects
who are not capable to make
independent decisions
4. U.S. Department of Health and Human
Services Title 45 of 2001
- Laws set by the U.S. Department of
Health and Human Services (DHHS)
to protect a person from risks in
research studies that any federal
agency or department has a part in.
Also called 45 Code of Federal
Regulations Part 46, human
participant protection regulations, and
Protection of Human Subjects.
- In the United States, the Code of
Federal Regulations Title 45: Public
Welfare, part 46 (45 CFR 46) provides
protection for human subjects in
research carried out or supported by
most federal departments and
agencies. 45 CFR 46 created a
common federal policy for the
protection of such human subjects that
was accepted by the Office of Science
and Technology Policy and issued by
each of the departments and agencies
listed in the document. The code is
divided into four subparts: basic
protection applicable to all human
research subjects; additional
protections for women, human
fetuses, and neonates; additional
protections for prisoners; and
additional protections for children.
Although 45 CFR 46 contains
additional protections for human
fetuses, it is important to note that
these protections last only from
implantation to birth, and are not
extended to embryos before
implantation.
5. American Psychological Association Code
for conduct of social and behavioral
research
- Includes an introduction, preamble, a
list of five aspirational principles and a
list of ten enforceable standards that
psychologists use to guide ethical
 decisions in practice, research, and
education.
Five principles for research ethics
● PRINCIPLE A:
COMPETENCE
● PRINCIPLE B: INTEGRITY
● PRINCIPLE C:
PROFESSIONAL AND
SCIENTIFIC
RESPONSIBILITY
● PRINCIPLE D: RESPECT
FOR PEOPLE'S RIGHTS
AND DIGNITY
● PRINCIPLE E: CONCERN
FOR OTHERS' WELFARE
● PRINCIPLE F: SOCIAL
RESPONSIBILITY
If psychologists’ ethical responsibilities conflict with
law, regulations, or other governing legal authority,
psychologists make known their commitment to this
Ethics Code and take steps to resolve the conflict in a
responsible manner in keeping with basic principles of
human rights.

In addition:
A fundamental principle of nursing practice is respect
for the inherent dignity, worth, unique attributes, and
human rights of all individuals.1 Nurses who
understand legal and ethical protections for human
subjects can contribute to research by serving as
advocates for their patients and helping to ensure that
studies are conducted in an ethical, legal, and
scientifically valid manner.

BUENA.FETILUNA.MONTERO.FRANCISCO.MORRE.JESENA.KUIZON.TUICO.TECSONK | BSN 2C
DATA PRIVACY ACT OF 2012
CHAPTER 1
GENERAL PROVISIONS
SECTION 1. Short Title. – This Act shall
be known as the “Data Privacy Act of
2012”.
SEC. 2. Declaration of Policy. – It is the
policy of the State to protect the
fundamental human right of privacy, of
communication while ensuring free flow of
information to promote innovation and
growth. The State recognizes the vital role
of information and communications
technology in nation-building and its
inherent obligation to ensure that personal
information in information and
communications systems in the
government and in the private sector are
secured and protected.
SEC. 3. Definition of Terms. – Whenever
used in this Act, the following terms shall
have the respective meanings hereafter
set forth:
(a) Commission shall refer to the National
Privacy Commission created by virtue of
this Act.
(b) Consent of the data subject refers to
any freely given, specific, informed
indication of will, whereby the data subject
agrees to the collection and processing of
personal information about and/or relating
to him or her. Consent shall be evidenced
by written, electronic or recorded means. It
may also be given on behalf of the data
subject by an agent specifically authorized
by the data subject to do so.
(c) Data subject refers to an individual
whose personal information is processed.
(d) Direct marketing refers to
communication by whatever means of any
advertising or marketing material which is
directed to particular individuals.
(e) Filing system refers to any act of
information relating to natural or juridical
persons to the extent that, although the
information is not processed by equipment
operating automatically in response to
instructions given for that purpose, the set
is structured, either by reference to
individuals or by reference to criteria
relating to individuals, in such a way that
specific information relating to a particular
person is readily accessible.
(f) Information and Communications
System refers to a system for generating,
sending, receiving, storing or otherwise
processing electronic data messages or
electronic documents and includes the
computer system or other similar device
by or which data is recorded, transmitted
or stored and any procedure related to the
recording, transmission or storage of
electronic data, electronic message, or
electronic document.
(g) Personal information refers to any
information whether recorded in a material
form or not, from which the identity of an
individual is apparent or can be
reasonably and directly ascertained by the
entity holding the information, or when put
together with other information would
directly and certainly identify an individual.
(h) Personal information controller refers
to a person or organization who controls
the collection, holding, processing or use
of personal information, including a person
or organization who instructs another
person or organization to collect, hold,
process, use, transfer or disclose personal
information on his or her behalf. The term
excludes:
(1) A person or organization who performs
such functions as instructed by another
person or organization; and
(2) An individual who collects, holds,
processes or uses personal information in
connection with the individual’s personal,
family or household affairs.
(i) Personal information processor refers
to any natural or juridical person qualified
to act as such under this Act to whom a
personal information controller may
outsource the processing of personal data
pertaining to a data subject.
(j) Processing refers to any operation or
any set of operations performed upon
personal information including, but not
limited to, the collection, recording,
organization, storage, updating or
modification, retrieval, consultation, use,
consolidation, blocking, erasure or
destruction of data.
(k) Privileged information refers to any and
all forms of data which under the Rules of
Court and other pertinent laws constitute
privileged communication.
(l) Sensitive personal information refers to
personal information:
(1) About an individual’s race, ethnic
origin, marital status, age, color, and
religious, philosophical or political
affiliations;
(2) About an individual’s health, education,
genetic or sexual life of a person, or to any
proceeding for any offense committed or
alleged to have been committed by such
person, the disposal of such proceedings,
or the sentence of any court in such
proceedings;
(3) Issued by government agencies
peculiar to an individual which includes,
but not limited to, social security numbers,
previous or current health records,
licenses or its denials, suspension or
revocation, and tax returns; and
(4) Specifically established by an
executive order or an act of Congress to
be kept classified.
SEC. 4. Scope. – This Act applies to the
processing of all types of personal
information and to any natural and juridical
person involved in personal information
processing including those personal
information controllers and processors
who, although not found or established in
the Philippines, use equipment that are
located in the Philippines, or those who
maintain an office, branch or agency in the
Philippines subject to the immediately
succeeding paragraph: Provided, That the
requirements of Section 5 are complied
with.
This Act does not apply to the following:
(a) Information about any individual who is
or was an officer or employee of a
government institution that relates to the
position or functions of the individual,
including:
(1) The fact that the individual is or was an
officer or employee of the government
institution;
(2) The title, business address and office
telephone number of the individual;
(3) The classification, salary range and
responsibilities of the position held by the
individual; and
(4) The name of the individual on a
document prepared by the individual in the
course of employment with the
government;
(b) Information about an individual who is
or was performing service under contract
for a government institution that relates to
the services performed, including the
terms of the contract, and the name of the
individual given in the course of the
performance of those services;
(c) Information relating to any
discretionary benefit of a financial nature
such as the granting of a license or permit
given by the government to an individual,
including the name of the individual and
the exact nature of the benefit;
(d) Personal information processed for
journalistic, artistic, literary or research
purposes;
(e) Information necessary in order to carry
out the functions of public authority which
includes the processing of personal data
for the performance by the independent,
central monetary authority and law
enforcement and regulatory agencies of
their constitutionally and statutorily
mandated functions. Nothing in this Act
shall be construed as to have amended or
repealed Republic Act No. 1405,
otherwise known as the Secrecy of Bank
Deposits Act; Republic Act No. 6426,
otherwise known as the Foreign Currency
Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information
System Act (CISA);
(f) Information necessary for banks and
other financial institutions under the
jurisdiction of the independent, central
monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No.
9510, and Republic Act No. 9160, as
amended, otherwise known as the
Anti-Money Laundering Act and other
applicable laws; and
(g) Personal information originally
collected from residents of foreign
jurisdictions in accordance with the laws of
those foreign jurisdictions, including any
applicable data privacy laws, which is
being processed in the Philippines.
SEC. 5. Protection Afforded to Journalists
and Their Sources. – Nothing in this Act
shall be construed as to have amended or
repealed the provisions of Republic Act
No. 53, which affords the publishers,
editors or duly accredited reporters of any
newspaper, magazine or periodical of
general circulation protection from being
compelled to reveal the source of any
news report or information appearing in
said publication which was related in any
confidence to such publisher, editor, or
reporter.
SEC. 6. Extraterritorial Application. – This
Act applies to an act done or practice
engaged in and outside of the Philippines
by an entity if:
(a) The act, practice or processing relates
to personal information about a Philippine
citizen or a resident;
(b) The entity has a link with the
Philippines, and the entity is processing
personal information in the Philippines or
even if the processing is outside the
Philippines as long as it is about Philippine
citizens or residents such as, but not
limited to, the following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the
Philippines but has central management
and control in the country; and
(3) An entity that has a branch, agency,
office or subsidiary in the Philippines and
the parent or affiliate of the Philippine
entity has access to personal information;
and
(c) The entity has other links in the
Philippines such as, but not limited to:
(1) The entity carries on business in the
Philippines; and
(2) The personal information was collected
or held by an entity in the Philippines.
CHAPTER II
THE NATIONAL PRIVACY COMMISSION
SEC. 7. Functions of the National Privacy
Commission. – To administer and
implement the provisions of this Act, and
to monitor and ensure compliance of the
country with international standards set for
data protection, there is hereby created an
independent body to be known as the
National Privacy Commission, winch shall
have the following functions:
(a) Ensure compliance of personal
information controllers with the provisions
of this Act;
(b) Receive complaints, institute
investigations, facilitate or enable
settlement of complaints through the use
of alternative dispute resolution
processes, adjudicate, award indemnity on
matters affecting any personal information,
prepare reports on disposition of
complaints and resolution of any
investigation it initiates, and, in cases it
deems appropriate, publicize any such
report: Provided, That in resolving any
complaint or investigation (except where
amicable settlement is reached by the
parties), the Commission shall act as a
collegial body. For this purpose, the
Commission may be given access to
personal information that is subject of any
complaint and to collect the information
necessary to perform its functions under
this Act;
(c) Issue cease and desist orders, impose
a temporary or permanent ban on the
processing of personal information, upon
finding that the processing will be
detrimental to national security and public
interest;
(d) Compel or petition any entity,
government agency or instrumentality to
abide by its orders or take action on a
matter affecting data privacy;
(e) Monitor the compliance of other
government agencies or instrumentalities
on their security and technical measures
and recommend the necessary action in
order to meet minimum standards for
protection of personal information
pursuant to this Act;
(f) Coordinate with other government
agencies and the private sector on efforts
to formulate and implement plans and
policies to strengthen the protection of
personal information in the country;
(g) Publish on a regular basis a guide to
all laws relating to data protection;
(h) Publish a compilation of agency
system of records and notices, including
index and other finding aids;
(i) Recommend to the Department of
Justice (DOJ) the prosecution and
imposition of penalties specified in
Sections 25 to 29 of this Act;
(j) Review, approve, reject or require
modification of privacy codes voluntarily
adhered to by personal information
controllers:Provided, That the privacy
codes shall adhere to the underlying data
privacy principles embodied in this Act:
Provided, further,That such privacy codes
may include private dispute resolution
mechanisms for complaints against any
participating personal information
controller. For this purpose, the
Commission shall consult with relevant
regulatory agencies in the formulation and
administration of privacy codes applying
the standards set out in this Act, with
respect to the persons, entities, business
activities and business sectors that said
regulatory bodies are authorized to
principally regulate pursuant to the law:
Provided, finally. That the Commission
may review such privacy codes and
require changes thereto for purposes of
complying with this Act;
(k) Provide assistance on matters relating
to privacy or data protection at the request
of a national or local agency, a private
entity or any person;
(l) Comment on the implication on data
privacy of proposed national or local
statutes, regulations or procedures, issue
advisory opinions and interpret the
provisions of this Act and other data
privacy laws;
(m) Propose legislation, amendments or
modifications to Philippine laws on privacy
or data protection as may be necessary;
(n) Ensure proper and effective
coordination with data privacy regulators
in other countries and private
accountability agents, participate in
international and regional initiatives for
data privacy protection;
(o) Negotiate and contract with other data
privacy authorities of other countries for
cross-border application and
implementation of respective privacy laws;
(p) Assist Philippine companies doing
business abroad to respond to foreign
privacy or data protection laws and
regulations; and
(q) Generally perform such acts as may be
necessary to facilitate cross-border
enforcement of data privacy protection.
SEC. 8. Confidentiality. – The Commission
shall ensure at all times the confidentiality
of any personal information that comes to
its knowledge and possession.
SEC. 9. Organizational Structure of the
Commission. – The Commission shall be
attached to the Department of Information
and Communications Technology (DICT)
and shall be headed by a Privacy
Commissioner, who shall also act as
Chairman of the Commission. The Privacy
Commissioner shall be assisted by two (2)
Deputy Privacy Commissioners, one to be
responsible for Data Processing Systems
and one to be responsible for Policies and
Planning. The Privacy Commissioner and
the two (2) Deputy Privacy Commissioners
shall be appointed by the President of the
Philippines for a term of three (3) years,
and may be reappointed for another term
of three (3) years. Vacancies in the
Commission shall be filled in the same
manner in which the original appointment
was made.
The Privacy Commissioner must be at
least thirty-five (35) years of age and of
good moral character, unquestionable
integrity and known probity, and a
recognized expert in the field of
information technology and data privacy.
The Privacy Commissioner shall enjoy the
benefits, privileges and emoluments
equivalent to the rank of Secretary.
The Deputy Privacy Commissioners must
be recognized experts in the field of
information and communications
technology and data privacy. They shall
enjoy the benefits, privileges and
emoluments equivalent to the rank of
Undersecretary.
The Privacy Commissioner, the Deputy
Commissioners, or any person acting on
their behalf or under their direction, shall
not be civilly liable for acts done in good
faith in the performance of their duties.
However, he or she shall be liable for
willful or negligent acts done by him or her
which are contrary to law, morals, public
policy and good customs even if he or she
acted under orders or instructions of
superiors: Provided, That in case a lawsuit
is filed against such official on the subject
of the performance of his or her duties,
where such performance is lawful, he or
she shall be reimbursed by the
Commission for reasonable costs of
litigation.
SEC. 10. The Secretariat. – The
Commission is hereby authorized to
establish a Secretariat. Majority of the
members of the Secretariat must have
served for at least five (5) years in any
agency of the government that is involved
in the processing of personal information
including, but not limited to, the following
offices: Social Security System (SSS),
Government Service Insurance System
(GSIS), Land Transportation Office (LTO),
Bureau of Internal Revenue (BIR),
Philippine Health Insurance Corporation
(PhilHealth), Commission on Elections
(COMELEC), Department of Foreign
Affairs (DFA), Department of Justice
(DOJ), and Philippine Postal Corporation
(Philpost).
CHAPTER III
PROCESSING OF PERSONAL
INFORMATION
SEC. 11. General Data Privacy Principles.
– The processing of personal information
shall be allowed, subject to compliance
with the requirements of this Act and other
laws allowing disclosure of information to
the public and adherence to the principles
of transparency, legitimate purpose and
proportionality.
Personal information must, be:,
(a) Collected for specified and legitimate
purposes determined and declared before,
or as soon as reasonably practicable after
collection, and later processed in a way
compatible with such declared, specified
and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where
necessary for purposes for which it is to
be used the processing of personal
information, kept up to date; inaccurate or
incomplete data must be rectified,
supplemented, destroyed or their further
processing restricted;
(d) Adequate and not excessive in relation
to the purposes for which they are
collected and processed;
(e) Retained only for as long as necessary
for the fulfillment of the purposes for which
the data was obtained or for the
establishment, exercise or defense of
legal claims, or for legitimate business
purposes, or as provided by law; and
(f) Kept in a form which permits
identification of data subjects for no longer
than is necessary for the purposes for
which the data were collected and
processed: Provided, That personal
information collected for other purposes
may lie processed for historical, statistical
or scientific purposes, and in cases laid
down in law may be stored for longer
periods: Provided, further,That adequate
safeguards are guaranteed by said laws
authorizing their processing.
The personal information controller must
ensure implementation of personal
information processing principles set out
herein.
SEC. 12. Criteria for Lawful Processing of
Personal Information. – The processing of
personal information shall be permitted
only if not otherwise prohibited by law, and
when at least one of the following
conditions exists:
(a) The data subject has given his or her
consent;
(b) The processing of personal information
is necessary and is related to the
fulfillment of a contract with the data
subject or in order to take steps at the
request of the data subject prior to
entering into a contract;
(c) The processing is necessary for
compliance with a legal obligation to which
the personal information controller is
subject;
(d) The processing is necessary to protect
vitally important interests of the data
subject, including life and health;
(e) The processing is necessary in order
to respond to national emergency, to
comply with the requirements of public
order and safety, or to fulfill functions of
public authority which necessarily includes
the processing of personal data for the
fulfillment of its mandate; or
(f) The processing is necessary for the
purposes of the legitimate interests
pursued by the personal information
controller or by a third party or parties to
whom the data is disclosed, except where
such interests are overridden by
fundamental rights and freedoms of the
data subject which require protection
under the Philippine Constitution.
SEC. 13. Sensitive Personal Information
and Privileged Information. – The
processing of sensitive personal
information and privileged information
shall be prohibited, except in the following
cases:
(a) The data subject has given his or her
consent, specific to the purpose prior to
the processing, or in the case of privileged
information, all parties to the exchange
have given their consent prior to
processing;
(b) The processing of the same is
provided for by existing laws and
regulations: Provided, That such
regulatory enactments guarantee the
protection of the sensitive personal
information and the privileged information:
Provided, further, That the consent of the
data subjects are not required by law or
regulation permitting the processing of the
sensitive personal information or the
privileged information;
(c) The processing is necessary to protect
the life and health of the data subject or
another person, and the data subject is
not legally or physically able to express his
or her consent prior to the processing;
(d) The processing is necessary to
achieve the lawful and noncommercial
objectives of public organizations and their
associations: Provided, That such
processing is only confined and related to
the bona fide members of these
organizations or their associations:
Provided, further, That the sensitive
personal information are not transferred to
third parties: Provided, finally, That
consent of the data subject was obtained
prior to processing;
(e) The processing is necessary for
purposes of medical treatment, is carried
out by a medical practitioner or a medical
treatment institution, and an adequate
level of protection of personal information
is ensured; or
(f) The processing concerns such personal
information as is necessary for the
protection of lawful rights and interests of
natural or legal persons in court
proceedings, or the establishment,
exercise or defense of legal claims, or
when provided to government or public
authority.
SEC. 14. Subcontract of Personal
Information. – A personal information
controller may subcontract the processing
of personal information: Provided, That the
personal information controller shall be
responsible for ensuring that proper
safeguards are in place to ensure the
confidentiality of the personal information
processed, prevent its use for
unauthorized purposes, and generally,
comply with the requirements of this Act
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject. –
The data subject is entitled to:
(a) Be informed whether personal
information pertaining to him or her shall
be, are being or have been processed;
(b) Be furnished the information indicated
hereunder before the entry of his or her
personal information into the processing
system of the personal information
controller, or at the next practical
opportunity:
(1) Description of the personal information
to be entered into the system;
(2) Purposes for which they are being or
are to be processed;
(3) Scope and method of the personal
information processing;
(4) The recipients or classes of recipients
to whom they are or may be disclosed;
(5) Methods utilized for automated access,
if the same is allowed by the data subject,
and other laws for processing of personal
information. The personal information
processor shall comply with all the
requirements of this Act and other
applicable laws.
SEC. 15. Extension of Privileged
Communication. – Personal information
controllers may invoke the principle of
privileged communication over privileged
information that they lawfully control or
process. Subject to existing laws and
regulations, any evidence gathered on
privileged information is inadmissible.
and the extent to which such access is
authorized;
(6) The identity and contact details of the
personal information controller or its
representative;
(7) The period for which the information
will be stored; and
(8) The existence of their rights, i.e., to
access, correction, as well as the right to
lodge a complaint before the Commission.
Any information supplied or declaration
made to the data subject on these matters
shall not be amended without prior
notification of data subject: Provided, That
the notification under subsection (b) shall
not apply should the personal information
be needed pursuant to a subpoena or
when the collection and processing are for
obvious purposes, including when it is
necessary for the performance of or in
relation to a contract or service or when
necessary or desirable in the context of an
employer-employee relationship, between
the collector and the data subject, or when
the information is being collected and
processed as a result of legal obligation;
(c) Reasonable access to, upon demand,
the following:
(1) Contents of his or her personal
information that were processed;
(2) Sources from which personal
information were obtained;
(3) Names and addresses of recipients of
the personal information;
(4) Manner by which such data were
processed;
(5) Reasons for the disclosure of the
personal information to recipients;
(6) Information on automated processes
where the data will or likely to be made as
the sole basis for any decision significantly
affecting or will affect the data subject;
(7) Date when his or her personal
information concerning the data subject
were last accessed and modified; and
(8) The designation, or name or identity
and address of the personal information
controller;
(d) Dispute the inaccuracy or error in the
personal information and have the
personal information controller correct it
immediately and accordingly, unless the
request is vexatious or otherwise
unreasonable. If the personal information
have been corrected, the personal
information controller shall ensure the
accessibility of both the new and the
retracted information and the
simultaneous receipt of the new and the
retracted information by recipients thereof:
Provided, That the third parties who have
previously received such processed
personal information shall he informed of
its inaccuracy and its rectification upon
reasonable request of the data subject;
(e) Suspend, withdraw or order the
blocking, removal or destruction of his or
her personal information from the personal
information controller’s filing system upon
discovery and substantial proof that the
personal information are incomplete,
outdated, false, unlawfully obtained, used
for unauthorized purposes or are no
longer necessary for the purposes for
which they were collected. In this case,
the personal information controller may
notify third parties who have previously
received such processed personal
information; and
(f) Be indemnified for any damages
sustained due to such inaccurate,
incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal
information.
SEC. 17. Transmissibility of Rights of the
Data Subject. – The lawful heirs and
assigns of the data subject may invoke the
rights of the data subject for, which he or
she is an heir or assignee at any time after
the death of the data subject or when the
data subject is incapacitated or incapable
of exercising the rights as enumerated in
the immediately preceding section.
SEC. 18. Right to Data Portability. – The
data subject shall have the right, where
personal information is processed by
electronic means and in a structured and
commonly used format, to obtain from the
personal information controller a copy of
data undergoing processing in an
electronic or structured format, which is
commonly used and allows for further use
by the data subject. The Commission may
specify the electronic format referred to
above, as well as the technical standards,
modalities and procedures for their
transfer.
SEC. 19. Non-Applicability. – The
immediately preceding sections are not
applicable if the processed personal
information are used only for the needs of
scientific and statistical research and, on
the basis of such, no activities are carried
out and no decisions are taken regarding
the data subject: Provided, That the
personal information shall be held under
strict confidentiality and shall be used only
for the declared purpose. Likewise, the
immediately preceding sections are not
applicable to processing of personal
information gathered for the purpose of
investigations in relation to any criminal,
administrative or tax liabilities of a data
subject.
CHAPTER V
SECURITY OF PERSONAL
INFORMATION
SEC. 20. Security of Personal Information.
– (a) The personal information controller
must implement reasonable and
appropriate organizational, physical and
technical measures intended for the
protection of personal information against
any accidental or unlawful destruction,
alteration and disclosure, as well as
against any other unlawful processing.
(b) The personal information controller
shall implement reasonable and
appropriate measures to protect personal
information against natural dangers such
as accidental loss or destruction, and
human dangers such as unlawful access,
fraudulent misuse, unlawful destruction,
alteration and contamination.
(c) The determination of the appropriate
level of security under this section must
take into account the nature of the
personal information to be protected, the
risks represented by the processing, the
size of the organization and complexity of
its operations, current data privacy best
practices and the cost of security
implementation. Subject to guidelines as
the Commission may issue from time to
time, the measures implemented must
include:
(1) Safeguards to protect its computer
network against accidental, unlawful or
unauthorized usage or interference with or
hindering of their functioning or
availability;
(2) A security policy with respect to the
processing of personal information;
(3) A process for identifying and accessing
reasonably foreseeable vulnerabilities in
its computer networks, and for taking
preventive, corrective and mitigating
action against security incidents that can
lead to a security breach; and
(4) Regular monitoring for security
breaches and a process for taking
preventive, corrective and mitigating
action against security incidents that can
lead to a security breach.
(d) The personal information controller
must further ensure that third parties
processing personal information on its
behalf shall implement the security
measures required by this provision.
(e) The employees, agents or
representatives of a personal information
controller who are involved in the
processing of personal information shall
operate and hold personal information
under strict confidentiality if the personal
information are not intended for public
disclosure. This obligation shall continue
even after leaving the public service,
transfer to another position or upon
termination of employment or contractual
relations.
(f) The personal information controller
shall promptly notify the Commission and
affected data subjects when sensitive
personal information or other information
that may, under the circumstances, be
used to enable identity fraud are
reasonably believed to have been
acquired by an unauthorized person, and
the personal information controller or the
Commission believes (bat such
unauthorized acquisition is likely to give
rise to a real risk of serious harm to any
affected data subject. The notification shall
at least describe the nature of the breach,
the sensitive personal information possibly
involved, and the measures taken by the
entity to address the breach. Notification
may be delayed only to the extent
necessary to determine the scope of the
breach, to prevent further disclosures, or
to restore reasonable integrity to the
information and communications system.
(1) In evaluating if notification is
unwarranted, the Commission may take
into account compliance by the personal
information controller with this section and
existence of good faith in the acquisition of
personal information.
(2) The Commission may exempt a
personal information controller from
notification where, in its reasonable
judgment, such notification would not be in
the public interest or in the interests of the
affected data subjects.
(3) The Commission may authorize
postponement of notification where it may
hinder the progress of a criminal
investigation related to a serious breach.
CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF
PERSONAL INFORMATION
SEC. 21. Principle of Accountability. –
Each personal information controller is
responsible for personal information under
its control or custody, including information
that have been transferred to a third party
for processing, whether domestically or
internationally, subject to cross-border
arrangement and cooperation.
(a) The personal information controller is
accountable for complying with the
requirements of this Act and shall use
contractual or other reasonable means to
provide a comparable level of protection
while the information are being processed
by a third party.
(b) The personal information controller
shall designate an individual or individuals
who are accountable for the organization’s
compliance with this Act. The identity of
the individual(s) so designated shall be
made known to any data subject upon
request.
CHAPTER VII
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT
SEC. 22. Responsibility of Heads of
Agencies. – All sensitive personal
information maintained by the
government, its agencies and
instrumentalities shall be secured, as far
as practicable, with the use of the most
appropriate standard recognized by the
information and communications
technology industry, and as recommended
by the Commission. The head of each
government agency or instrumentality
shall be responsible for complying with the
security requirements mentioned herein
while the Commission shall monitor the
compliance and may recommend the
necessary action in order to satisfy the
minimum standards.
SEC. 23. Requirements Relating to
Access by Agency Personnel to Sensitive
Personal Information. – (a) On-site and
Online Access – Except as may be
allowed through guidelines to be issued by
the Commission, no employee of the
government shall have access to sensitive
personal information on government
property or through online facilities unless
the employee has received a security
clearance from the head of the source
agency.
(b) Off-site Access – Unless otherwise
provided in guidelines to be issued by the
Commission, sensitive personal
information maintained by an agency may
not be transported or accessed from a
location off government property unless a
request for such transportation or access
is submitted and approved by the head of
the agency in accordance with the
following guidelines:
(1) Deadline for Approval or Disapproval –
In the case of any request submitted to
the head of an agency, such head of the
agency shall approve or disapprove the
request within two (2) business days after
the date of submission of the request. In
case there is no action by the head of the
agency, then such request is considered
disapproved;
(2) Limitation to One thousand (1,000)
Records – If a request is approved, the
head of the agency shall limit the access
to not more than one thousand (1,000)
records at a time; and
(3) Encryption – Any technology used to
store, transport or access sensitive
personal information for purposes of
off-site access approved under this
subsection shall be secured by the use of
the most secure encryption standard
recognized by the Commission.
The requirements of this subsection shall
be implemented not later than six (6)
months after the date of the enactment of
this Act.
SEC. 24. Applicability to Government
Contractors. – In entering into any contract
that may involve accessing or requiring
sensitive personal information from one
thousand (1,000) or more individuals, an
agency shall require a contractor and its
employees to register their personal
information processing system with the
Commission in accordance with this Act
and to comply with the other provisions of
this Act including the immediately
preceding section, in the same manner as
agencies and government employees
comply with such requirements.
CHAPTER VIII
PENALTIES
SEC. 25. Unauthorized Processing of
Personal Information and Sensitive
Personal Information. – (a) The
unauthorized processing of personal
information shall be penalized by
imprisonment ranging from one (1) year to
three (3) years and a fine of not less than
Five hundred thousand pesos
(Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be
imposed on persons who process
personal information without the consent
of the data subject, or without being
authorized under this Act or any existing
law.
(b) The unauthorized processing of
personal sensitive information shall be
penalized by imprisonment ranging from
three (3) years to six (6) years and a fine
of not less than Five hundred thousand
pesos (Php500,000.00) but not more than
Four million pesos (Php4,000,000.00)
shall be imposed on persons who process
personal information without the consent
of the data subject, or without being
authorized under this Act or any existing
law.
SEC. 26. Accessing Personal Information
and Sensitive Personal Information Due to
Negligence. – (a) Accessing personal
information due to negligence shall be
penalized by imprisonment ranging from
one (1) year to three (3) years and a fine
of not less than Five hundred thousand
pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall
be imposed on persons who, due to
negligence, provided access to personal
information without being authorized
under this Act or any existing law.
(b) Accessing sensitive personal
information due to negligence shall be
penalized by imprisonment ranging from
three (3) years to six (6) years and a fine
of not less than Five hundred thousand
pesos (Php500,000.00) but not more than
Four million pesos (Php4,000,000.00)
shall be imposed on persons who, due to
negligence, provided access to personal
information without being authorized
under this Act or any existing law.
SEC. 27. Improper Disposal of Personal
Information and Sensitive Personal
Information. – (a) The improper disposal of
personal information shall be penalized by
imprisonment ranging from six (6) months
to two (2) years and a fine of not less than
One hundred thousand pesos
(Php100,000.00) but not more than Five
hundred thousand pesos (Php500,000.00)
shall be imposed on persons who
knowingly or negligently dispose, discard
or abandon the personal information of an
individual in an area accessible to the
public or has otherwise placed the
personal information of an individual in its
container for trash collection.
(b) The improper disposal of sensitive
personal information shall be penalized by
imprisonment ranging from one (1) year to
three (3) years and a fine of not less than
One hundred thousand pesos
(Php100,000.00) but not more than One
million pesos (Php1,000,000.00) shall be
imposed on persons who knowingly or
negligently dispose, discard or abandon
the personal information of an individual in
an area accessible to the public or has
otherwise placed the personal information
of an individual in its container for trash
collection.
SEC. 28. Processing of Personal
Information and Sensitive Personal
Information for Unauthorized Purposes. –
The processing of personal information for
unauthorized purposes shall be penalized
by imprisonment ranging from one (1) year
and six (6) months to five (5) years and a
fine of not less than Five hundred
thousand pesos (Php500,000.00) but not
more than One million pesos
(Php1,000,000.00) shall be imposed on
persons processing personal information
for purposes not authorized by the data
subject, or otherwise authorized under this
Act or under existing laws.
The processing of sensitive personal
information for unauthorized purposes
shall be penalized by imprisonment
ranging from two (2) years to seven (7)
years and a fine of not less than Five
hundred thousand pesos (Php500,000.00)
but not more than Two million pesos
(Php2,000,000.00) shall be imposed on
persons processing sensitive personal
information for purposes not authorized by
the data subject, or otherwise authorized
under this Act or under existing laws.
SEC. 29. Unauthorized Access or
Intentional Breach. – The penalty of
imprisonment ranging from one (1) year to
three (3) years and a fine of not less than
Five hundred thousand pesos
(Php500,000.00) but not more than Two
million pesos (Php2,000,000.00) shall be
imposed on persons who knowingly and
unlawfully, or violating data confidentiality
and security data systems, breaks in any
way into any system where personal and
sensitive personal information is stored.
SEC. 30. Concealment of Security
Breaches Involving Sensitive Personal
Information. – The penalty of
imprisonment of one (1) year and six (6)
months to five (5) years and a fine of not
less than Five hundred thousand pesos
(Php500,000.00) but not more than One
million pesos (Php1,000,000.00) shall be
imposed on persons who, after having
knowledge of a security breach and of the
obligation to notify the Commission
pursuant to Section 20(f), intentionally or
by omission conceals the fact of such
security breach.
SEC. 31. Malicious Disclosure. – Any
personal information controller or personal
information processor or any of its
officials, employees or agents, who, with
malice or in bad faith, discloses
unwarranted or false information relative
to any personal information or personal
sensitive information obtained by him or
her, shall be subject to imprisonment
ranging from one (1) year and six (6)
months to five (5) years and a fine of not
less than Five hundred thousand pesos
(Php500,000.00) but not more than One
million pesos (Php1,000,000.00).
SEC. 32. Unauthorized Disclosure. – (a)
Any personal information controller or
personal information processor or any of
its officials, employees or agents, who
discloses to a third party personal
information not covered by the
immediately preceding section without the
consent of the data subject, shall he
subject to imprisonment ranging from one
(1) year to three (3) years and a fine of not
less than Five hundred thousand pesos
(Php500,000.00) but not more than One
million pesos (Php1,000,000.00).
(b) Any personal information controller or
personal information processor or any of
its officials, employees or agents, who
discloses to a third party sensitive
personal information not covered by the
immediately preceding section without the
consent of the data subject, shall be
subject to imprisonment ranging from
three (3) years to five (5) years and a fine
of not less than Five hundred thousand
pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00).
SEC. 33. Combination or Series of Acts. –
Any combination or series of acts as
defined in Sections 25 to 32 shall make
the person subject to imprisonment
ranging from three (3) years to six (6)
years and a fine of not less than One
million pesos (Php1,000,000.00) but not
more than Five million pesos
(Php5,000,000.00).
SEC. 34. Extent of Liability. – If the
offender is a corporation, partnership or
any juridical person, the penalty shall be
imposed upon the responsible officers, as
the case may be, who participated in, or
by their gross negligence, allowed the
commission of the crime. If the offender is
a juridical person, the court may suspend
or revoke any of its rights under this Act. If
the offender is an alien, he or she shall, in
addition to the penalties herein prescribed,
be deported without further proceedings
after serving the penalties prescribed. If
the offender is a public official or
employee and lie or she is found guilty of
acts penalized under Sections 27 and 28
of this Act, he or she shall, in addition to
the penalties prescribed herein, suffer
perpetual or temporary absolute
disqualification from office, as the case
may be.
SEC. 35. Large-Scale. – The maximum
penalty in the scale of penalties
respectively provided for the preceding
offenses shall be imposed when the
personal information of at least one
hundred (100) persons is harmed, affected
or involved as the result of the above
mentioned actions.
SEC. 36. Offense Committed by Public
Officer. – When the offender or the person
responsible for the offense is a public
officer as defined in the Administrative
Code of the Philippines in the exercise of
his or her duties, an accessory penalty
consisting in the disqualification to occupy
public office for a term double the term of
criminal penalty imposed shall he applied.
SEC. 37. Restitution. – Restitution for any
aggrieved party shall be governed by the
provisions of the New Civil Code.
CHAPTER IX
MISCELLANEOUS PROVISIONS
SEC. 38. Interpretation. – Any doubt in the
interpretation of any provision of this Act
shall be liberally interpreted in a manner
mindful of the rights and interests of the
individual about whom personal
information is processed.
SEC. 39. Implementing Rules and
Regulations (IRR). – Within ninety (90)
days from the effectivity of this Act, the
Commission shall promulgate the rules
and regulations to effectively implement
the provisions of this Act.
SEC. 40. Reports and Information. – The
Commission shall annually report to the
President and Congress on its activities in
carrying out the provisions of this Act. The
Commission shall undertake whatever
efforts it may determine to be necessary
or appropriate to inform and educate the
public of data privacy, data protection and
fair information rights and responsibilities.
SEC. 41. Appropriations Clause. – The
Commission shall be provided with an
initial appropriation of Twenty million
pesos (Php20,000,000.00) to be drawn
from the national government.
Appropriations for the succeeding years
shall be included in the General
Appropriations Act. It shall likewise receive
Ten million pesos (Php10,000,000.00) per
year for five (5) years upon
implementation of this Act drawn from the
national government.
SEC. 42. Transitory Provision. – Existing
industries, businesses and offices affected
by the implementation of this Act shall be
given one (1) year transitory period from
the effectivity of the IRR or such other
period as may be determined by the
Commission, to comply with the
requirements of this Act.
In case that the DICT has not yet been
created by the time the law takes full force
and effect, the National Privacy
Commission shall be attached to the
Office of the President.
SEC. 43. Separability Clause. – If any
provision or part hereof is held invalid or
unconstitutional, the remainder of the law
or the provision not otherwise affected
shall remain valid and subsisting.
SEC. 44. Repealing Clause. – The
provision of Section 7 of Republic Act No.
9372, otherwise known as the “Human
Security Act of 2007”, is hereby amended.
Except as otherwise expressly provided in
this Act, all other laws, decrees, executive
orders, proclamations and administrative - Electronic health records (EHRs)
regulations or parts thereof inconsistent simplify patient information
herewith are hereby repealed or modified sharing; eliminating redundant
accordingly. testing and procedures and
reducing discomfort,
inconvenience, medical expenses
and risks.
SEC. 45. Effectivity Clause. – This Act - Using this technology, patients can
shall take effect fifteen (15) days after its immediately authorize access to
publication in at least two (2) national timely and relevant information that
newspapers of general circulation. is needed by their caregivers.
Benefits of technology 4. Efficient Care Coordination
1. Increased Patient Safety - Easy access to information
facilitates collaboration among
- Care providers that have
multiple care providers. This
implemented HIT and EHR
transparency helps to eliminate
systems have experienced
errors and risks, such as conflicting
significant safety improvements
prescriptions and treatments. Care
due to the real-time information
providers use monitoring
accessibility afforded to all
technology to trigger alerts when
stakeholders.
such discrepancies arise in
- Additionally, these technologies
patients’ electronic health records.
allow researchers to analyze
information with extraordinary 5. Faster Lab Results
detail and accuracy.
- Electronic health records allow
2. Improved Scheduling caregivers to retrieve patient
information faster than
- Many unforeseen and
conventional methods, facilitating
counterproductive circumstances
timely test scheduling and
may arise during a typical care
treatment.
provider workday, which is
- Furthermore, caregivers can
compounded when staffing
access test results as soon as they
shortages occur. To mitigate this
become available
risk, healthcare managers use a
technology called 6. Increased Patient Information
resource-demand management Accessibility
that analyzes caseload information
and staff availability. A similar - By law, citizens have the right to
technology, access their own medical
workforce-management solutions, information to check for, and
performs largely the same tasks, correct, errors and omissions.
while also helping managers - To this end, some care providers
control costs and service quality. offer patients online access to
their medical records.
3. Reduced Test and Procedure - This practice increases information
Redundancy transparency and in many cases
 enables patients to more quickly 20-percent, reducing patient stay
find answers to their questions. times in those cases.
- Likewise, the National Center for
7. Enhanced Performance Analysis Policy Analysis reports that
facilities using HIT systems
- While EHRs greatly reduce drug reduce average patient stays
errors, some mistakes still occur. from 5.7 days to 5.5 days.
- Errors typically happen while - This effectiveness has led
administering,dispensing, researchers to explore other
prescribing or transcribing benefits to using electronic
medications. health records and HIT, such as
- Electronic information whether telemonitoring can
management allows caregivers delay nursing home
to identify areas for admittance among elderly patients.
improvement and increase
patient safety.

8.Streamlined Records Administration 10.Reduced Operational Costs

- Electronic health records replace - Cost reduction represents one

the paper charts historically criterion for satisfying the Triple
used during care provider Aim objective of the Agency
visits.-As more providers adopt for Health Research and Quality.
EHR technology, patients will be - Healthcare information
asked less frequently to fill out technology plays a key role in
information during visits, significantly reducing operational
because providers will already costs.
have current data on file. - Caregiving organizations that
- Furthermore, EHRs streamline the incorporate health information
traditional intake process, which technology often see significant
can sometimes seem excessive cost savings within the first year of
for relatively minor medical implementation.
needs. -
- EHRs also reduce errors by - CHAPTER VII
making current patient - SECURITY OF SENSITIVE
information immediately PERSONAL
accessible to all - INFORMATION IN
network-connected care providers. GOVERNMENT
- SEC. 22. Responsibility of Heads
9. Reduced Hospital Stays of Agencies. – All sensitive
personal information maintained by
- According to the Office of
the government, its agencies and
the National Coordinator (ONC)
instrumentalities shall be secured,
for Health Information
as far as practicable, with the use
Technology, electronic
of the most appropriate standard
record implementation
recognized by the information and
reduces the time needed to
communications technology
assess fall victims by
industry, and as recommended by
 the Commission. The head of each
government agency or
instrumentality shall be responsible
for complying with the security
requirements mentioned herein
while the Commission shall
monitor the compliance and may
recommend the necessary action
in order to satisfy the minimum
standards.
- SEC. 23. Requirements Relating to
Access by Agency Personnel to
Sensitive Personal Information. –
(a) On-site and Online Access –
Except as may be allowed through
guidelines to be issued by the
Commission, no employee of the
government shall have access to
sensitive personal information on
government property or through
online facilities unless the
employee has received a security
clearance from the head of the
source agency.
- (b) Off-site Access – Unless
otherwise provided in guidelines to
be issued by the Commission,
sensitive personal information
maintained by an agency may not
be transported or accessed from a
location off government property
unless a request for such
transportation or access is
submitted and approved by the
head of the agency in accordance
with the following guidelines:
- (1) Deadline for Approval or
Disapproval – In the case of any
request submitted to the head of
an agency, such head of the
agency shall approve or
disapprove the request within two
(2) business days after the date of
submission of the request. In case
there is no action by the head of
the agency, then such request is
considered disapproved;
- (2) Limitation to One thousand
(1,000) Records – If a request is
approved, the head of the agency
shall limit the access to not more
than one thousand (1,000) records
at a time; and
- (3) Encryption – Any technology
used to store, transport or access
sensitive personal information for
purposes of off-site access
approved under this subsection
shall be secured by the use of the
most secure encryption standard
recognized by the Commission.
- The requirements of this
subsection shall be implemented
not later than six (6) months after
the date of the enactment of this
Act.
- SEC. 24. Applicability to
Government Contractors. – In
entering into any contract that may
involve accessing or requiring
sensitive personal information from
one thousand (1,000) or more
individuals, an agency shall require
a contractor and its employees to
register their personal information
processing system with the
Commission in accordance with
this Act and to comply with the
other provisions of this Act
including the immediately
preceding section, in the same
manner as agencies and
government employees comply
with such requirements.
- CHAPTER VIII
- PENALTIES
- SEC. 25. Unauthorized Processing
of Personal Information and
Sensitive Personal Information. –
(a) The unauthorized processing of
personal information shall be
penalized by imprisonment ranging
from one (1) year to three (3) years
and a fine of not less than Five
hundred thousand pesos
 (Php500,000.00) but not more than
Two million pesos
(Php2,000,000.00) shall be
imposed on persons who process
personal information without the
consent of the data subject, or
without being authorized under this
Act or any existing law.
- (b) The unauthorized processing of
personal sensitive information shall
be penalized by imprisonment
ranging from three (3) years to six
(6) years and a fine of not less
than Five hundred thousand pesos
(Php500,000.00) but not more than
Four million pesos
(Php4,000,000.00) shall be
imposed on persons who process
personal information without the
consent of the data subject, or
without being authorized under this
Act or any existing law.
- SEC. 26. Accessing Personal
Information and Sensitive Personal
Information Due to Negligence. –
(a) Accessing personal information
due to negligence shall be
penalized by imprisonment ranging
from one (1) year to three (3) years
and a fine of not less than Five
hundred thousand pesos
(Php500,000.00) but not more than
Two million pesos
(Php2,000,000.00) shall be
imposed on persons who, due to
negligence, provided access to
personal information without being
authorized under this Act or any
existing law.
- (b) Accessing sensitive personal
information due to negligence shall
be penalized by imprisonment
ranging from three (3) years to six
(6) years and a fine of not less
than Five hundred thousand pesos
(Php500,000.00) but not more than
Four million pesos
(Php4,000,000.00) shall be
imposed on persons who, due to
negligence, provided access to
personal information without being
authorized under this Act or any
existing law.
- SEC. 27. Improper Disposal of
Personal Information and Sensitive
Personal Information. – (a) The
improper disposal of personal
information shall be penalized by
imprisonment ranging from six (6)
months to two (2) years and a fine
of not less than One hundred
thousand pesos (Php100,000.00)
but not more than Five hundred
thousand pesos (Php500,000.00)
shall be imposed on persons who
knowingly or negligently dispose,
discard or abandon the personal
information of an individual in an
area accessible to the public or
has otherwise placed the personal
information of an individual in its
container for trash collection.
- (b) The improper disposal of
sensitive personal information shall
be penalized by imprisonment
ranging from one (1) year to three
(3) years and a fine of not less
than One hundred thousand pesos
(Php100,000.00) but not more than
One million pesos
(Php1,000,000.00) shall be
imposed on persons who
knowingly or negligently dispose,
discard or abandon the personal
information of an individual in an
area accessible to the public or
has otherwise placed the personal
information of an individual in its
container for trash collection.
- SEC. 28. Processing of Personal
Information and Sensitive Personal
Information for Unauthorized
Purposes. – The processing of
personal information for
unauthorized purposes shall be
penalized by imprisonment ranging
 from one (1) year and six (6)
months to five (5) years and a fine
of not less than Five hundred
thousand pesos (Php500,000.00)
but not more than One million
pesos (Php1,000,000.00) shall be
imposed on persons processing
personal information for purposes
not authorized by the data subject,
or otherwise authorized under this
Act or under existing laws.
- The processing of sensitive
personal information for
unauthorized purposes shall be
penalized by imprisonment ranging
from two (2) years to seven (7)
years and a fine of not less than
Five hundred thousand pesos
(Php500,000.00) but not more than
Two million pesos
(Php2,000,000.00) shall be
imposed on persons processing
sensitive personal information for
purposes not authorized by the
data subject, or otherwise
authorized under this Act or under
existing laws.
- SEC. 29. Unauthorized Access or
Intentional Breach. – The penalty
of imprisonment ranging from one
(1) year to three (3) years and a
fine of not less than Five hundred
thousand pesos (Php500,000.00)
but not more than Two million
pesos (Php2,000,000.00) shall be
imposed on persons who
knowingly and unlawfully, or
violating data confidentiality and
security data systems, breaks in
any way into any system where
personal and sensitive personal
information is stored.
- SEC. 30. Concealment of Security
Breaches Involving Sensitive
Personal Information. – The
penalty of imprisonment of one (1)
year and six (6) months to five (5)
years and a fine of not less than
Five hundred thousand pesos
(Php500,000.00) but not more than
One million pesos
(Php1,000,000.00) shall be
imposed on persons who, after
having knowledge of a security
breach and of the obligation to
notify the Commission pursuant to
Section 20(f), intentionally or by
omission conceals the fact of such
security breach.
- SEC. 31. Malicious Disclosure. –
Any personal information controller
or personal information processor
or any of its officials, employees or
agents, who, with malice or in bad
faith, discloses unwarranted or
false information relative to any
personal information or personal
sensitive information obtained by
him or her, shall be subject to
imprisonment ranging from one (1)
year and six (6) months to five (5)
years and a fine of not less than
Five hundred thousand pesos
(Php500,000.00) but not more than
One million pesos
(Php1,000,000.00).
- SEC. 32. Unauthorized Disclosure.
– (a) Any personal information
controller or personal information
processor or any of its officials,
employees or agents, who
discloses to a third party personal
information not covered by the
immediately preceding section
without the consent of the data
subject, shall he subject to
imprisonment ranging from one (1)
year to three (3) years and a fine of
not less than Five hundred
thousand pesos (Php500,000.00)
but not more than One million
pesos (Php1,000,000.00).
- (b) Any personal information
controller or personal information
processor or any of its officials,
employees or agents, who
 discloses to a third party sensitive
personal information not covered
by the immediately preceding
section without the consent of the
data subject, shall be subject to
imprisonment ranging from three
(3) years to five (5) years and a
fine of not less than Five hundred
thousand pesos (Php500,000.00)
but not more than Two million
pesos (Php2,000,000.00).
- SEC. 33. Combination or Series of
Acts. – Any combination or series
of acts as defined in Sections 25 to
32 shall make the person subject
to imprisonment ranging from three
(3) years to six (6) years and a fine
of not less than One million pesos
(Php1,000,000.00) but not more
than Five million pesos
(Php5,000,000.00).
- SEC. 34. Extent of Liability. – If the
offender is a corporation,
partnership or any juridical person,
the penalty shall be imposed upon
the responsible officers, as the
case may be, who participated in,
or by their gross negligence,
allowed the commission of the
crime. If the offender is a juridical
person, the court may suspend or
revoke any of its rights under this
Act. If the offender is an alien, he
or she shall, in addition to the
penalties herein prescribed, be
deported without further
proceedings after serving the
penalties prescribed. If the
offender is a public official or
employee and lie or she is found
guilty of acts penalized under
Sections 27 and 28 of this Act, he
or she shall, in addition to the
penalties prescribed herein, suffer
perpetual or temporary absolute
disqualification from office, as the
case may be.
- SEC. 35. Large-Scale. – The
maximum penalty in the scale of
penalties respectively provided for
the preceding offenses shall be
imposed when the personal
information of at least one hundred
(100) persons is harmed, affected
or involved as the result of the
above mentioned actions.
- SEC. 36. Offense Committed by
Public Officer. – When the offender
or the person responsible for the
offense is a public officer as
defined in the Administrative Code
of the Philippines in the exercise of
his or her duties, an accessory
penalty consisting in the
disqualification to occupy public
office for a term double the term of
criminal penalty imposed shall he
applied.
- SEC. 37. Restitution. – Restitution
for any aggrieved party shall be
governed by the provisions of the
New Civil Code.
- CHAPTER IX
- MISCELLANEOUS PROVISIONS
- SEC. 38. Interpretation. – Any
doubt in the interpretation of any
provision of this Act shall be
liberally interpreted in a manner
mindful of the rights and interests
of the individual about whom
personal information is processed.
- SEC. 39. Implementing Rules and
Regulations (IRR). – Within ninety
(90) days from the effectivity of this
Act, the Commission shall
promulgate the rules and
regulations to effectively implement
the provisions of this Act.
- SEC. 40. Reports and Information.
– The Commission shall annually
report to the President and
Congress on its activities in
carrying out the provisions of this
Act. The Commission shall
undertake whatever efforts it may
 determine to be necessary or
appropriate to inform and educate
the public of data privacy, data
protection and fair information
rights and responsibilities.
- SEC. 41. Appropriations Clause. –
The Commission shall be provided
with an initial appropriation of
Twenty million pesos
(Php20,000,000.00) to be drawn
from the national government.
Appropriations for the succeeding
years shall be included in the
General Appropriations Act. It shall
likewise receive Ten million pesos
(Php10,000,000.00) per year for
five (5) years upon implementation
of this Act drawn from the national
government.
- SEC. 42. Transitory Provision. –
Existing industries, businesses and
offices affected by the
implementation of this Act shall be
given one (1) year transitory period
from the effectivity of the IRR or
such other period as may be
determined by the Commission, to
comply with the requirements of
this Act.
- In case that the DICT has not yet
been created by the time the law
takes full force and effect, the
National Privacy Commission shall
be attached to the Office of the
President.
- SEC. 43. Separability Clause. – If
any provision or part hereof is held
invalid or unconstitutional, the
remainder of the law or the
provision not otherwise affected
shall remain valid and subsisting.
- SEC. 44. Repealing Clause. – The
provision of Section 7 of Republic
Act No. 9372, otherwise known as
the “Human Security Act of 2007”,
is hereby amended. Except as
otherwise expressly provided in
this Act, all other laws, decrees,
executive orders, proclamations
and administrative regulations or
parts thereof inconsistent herewith
are hereby repealed or modified
accordingly.
- SEC. 45. Effectivity Clause. – This
Act shall take effect fifteen (15)
days after its publication in at least
two (2) national newspapers of
general circulation.
Challenges of Technology
Security
● primary concern in healthcare
applications
HOW TO AVOID: To build a
compliant telehealth application,
specific encryption algorithms and
data security standards need to be
followed
The Challenge of Interoperability
● electronic health records (EHRs) is
they allow practitioners to access
relevant patient data instantly
● interoperability is proving to be a
challenge
● Patient identification isn't
standardized
● Nearly anyone can input
information into a patient's EHR
HOW TO AVOID: to implement
cloud-base HER’s, which
centralize the database while still
providing the necessary security.
Keeping up with old technology
● many facilities still use out-of-date
technology
● Outdated software creates security
holes and allows hackers to easily
access the system
HOW TO AVOID:
● to upgrade software immediately
when possible
● The facility’s IT department should
be fluent in every operating system
that is currently in use
Unfriendly User Interfaces
● As medical technology advances
user interface is still difficult to use
HOW TO AVOID:
 ● engage with manufacturers during
the research and development
phase and let them know what's
needed
● take the time to learn how
unfriendly interfaces work
Overcomplicated Asset Tracking
● Asset tracking through electronic
health records can be both a
blessing and a curse.
● physicians often complain that
poorly designed systems impede
their work, making them a slave to
their EHRs
HOW TO AVOID:
● While this challenge is not
avoidable, physicians can reduce
the strain and chance of
technology burnout by participating
in training offered by providers
Overall Implementation
● Without a comprehensive
understanding, trying to use
medical technology can lead to
practitioner error and malpractice.
HOW TO AVOID:
● Hospital administrators, medical
professionals and IT teams need to
tackle this challenge head-on
● take the time to adapt with the
changing times.
● commit insurance fraud.
Current Technology: Issues and
Dilemma
The industrial revolution of the nineteenth
century gave rise to a number of
unforeseen ethical and social issues—for
instance, concerns about workplace
safety, wages, discrimination, and child
labor—which led to real changes in worker
protections, labor practices, and law.
Similarly, the technology revolution of the
twentieth century—starting with the
widespread use of the Internet and home
computers—has spawned a new set of
ethical and social concerns that people a
hundred years ago couldn’t have
imagined.
1. PHISHING
● a cybercrime in which scammers
try to lure sensitive information or
data from a person , by disguising
themselves as a trustworthy
source.
● Attacks can facilitate access to a
person's online accounts and
personal data, obtain permissions
to modify and compromise
connected systems--such as point
of sale terminals and order
processing systems--and in some
cases hijack entire computer
networks until a ransom fee is
delivered.
The Threat of Phishing Attacks on the
Healthcare Industry
Phishing attacks on the healthcare
industry usually have one of two
objectives – to obtain access to PHI
(Protected Health Information) or to deliver
ransomware.
● PHI is now a valuable commodity
on the black market as it can be
used to create false identities,
obtain free medical treatment, and
Many of the successful attacks are
attributable to the increasing number of
employees using their mobile devices at
work, who fail to translate their online
security training to their mobile online
activities.
How Phishing Attacks on the Healthcare
Industry are Deployed
Most phishing attacks on the healthcare
industry are deployed by email. The
communications generally look authentic,
and instruct employees to follow a link to a
web page – where they will be asked
complete some action that will trigger a
malware download or enter their
username and password to continue.
The malware download may not
necessarily contain ransomware.
Surveillance software such as adware and
keystroke loggers can be downloaded to
follow an employee´s online activities and
record their usernames and passwords. If
the phishing attempt has been successful
in obtaining a username and password,
the hacker will likely be able to access PHI
almost immediately.
How to Protect Healthcare Data from
Phishing
Because there are so many vehicles
through which employees can receive
communications instructing them to visit
an unsafe website, the best way to protect
healthcare data from phishing is to
prevent employees from being able to visit
the unsafe website. This can be achieved
through the use of a web filter that is
configured to deny access to fake
websites and websites harboring malware,
and that will block the downloading of file
types most commonly associated with
malware.
Web filters protect healthcare data from
phishing attacks:
1. Blacklists
2. Category filters
3. Keyword filters
These three mechanisms work in unison
to protect healthcare data from phishing
and to prevent other web-borne threats.
2. MOBILE SECURITY
Mobile security is the protection of
smartphones, tablets, laptops and other
portable computing devices, and the
networks they connect to, from threats and
vulnerabilities associated with wireless
computing. Mobile security is also known
as wireless security.
According to Mobile Device Security:
Perspectives of Future Healthcare
Workers (Hewitt, 2017), Healthcare
professionals are responsible for
protecting the privacy, security, and
confidentiality of electronic health
information. Although the use of mobile
devices by healthcare professionals
increases connectivity and enables remote
logins to electronic health records, it also
introduces many significant new security
risks. Major healthcare data breach is
because of Hacking/information
technology incident and laptop theft.
Given that all the patient’s data is
confidential, precautions should be done
in order to protect their data. In many
ways, protecting patient information on
mobile devices comes down to the same
common sense principles that one would
use to protect his or her own personal
data.
The following is the 6 Best Practices for
Mobile Device Security in Healthcare
1. Implement user authentication
controls. One of the biggest dangers to
any device, in and outside of healthcare,
is inadequate security controls. Locking
the device with a passcode and using
biometrics can go a long way to keeping
the device data safe from prying eyes.
Providers should use any and all device
locking mechanisms to secure devices
used for work.
2. Implement remote and automatic
lock and wipe capabilities for use when
a device is lost or stolen, or after an
excessive number of incorrect login
attempts.
3. Install security programs. With
hackers and viruses now targeting mobile
devices with the same intensity as desktop
computers, it’s important for health care
professionals to install Internet security
software onto their mobile devices as well,
to prevent harmful apps and malware from
infiltrating the health care networks and
compromising protected data.
4. Employ encryption. Whether on a
device or an app-by-app basis, data that is
stored or transmitted via the device should
be encrypted. Email and attachments
should also be secured and encrypted to
ensure that unauthorized individuals do
not see it — even by accident.
5. Develop an application policy. In
BYOD environment’s controlling the
applications installed on personal devices
is a touchy subject, but it is vital for health
care users to understand the potential
risks associated with harmful applications.
At the very least, providers must be
educated on how to evaluate apps, or
seek approval for the installation of
unapproved apps on devices used for
work. At the very least, file-sharing
applications should be banned, and
providers prohibited from using
unapproved and unsecured filing-sharing
services to share patient data.
6. Encourage regular updates. Updating
operating systems regularly is an
important part of any security strategy.
Hackers target vulnerabilities in operating
systems, and installing updates helps
close those holes and protect data.
Develop a policy of notifying providers of
important updates and enforce update
requirements.
3. CYBER SECURITY THREATS
● A cyber or cybersecurity threat is a
malicious act that seeks to damage
data, steal data, or disrupt digital
life in general. Cyber attacks
include threats like computer
viruses, data breaches, and Denial
of Service (DoS) attacks.
● Healthcare cybersecurity has
become one of the significant
threats in the healthcare industry.
As a whole, IT professionals must
continually address healthcare
data security issues because of
specifics outlined in the Health
Insurance Portability and
Accountability Act (HIPAA) laws as
well as the ethical commitment to
help patients and the damage that
healthcare security breaches can
have on their lives.
● Electronic health records, also
referred to as EHRs, contain a
host of sensitive information about
patients’ medical histories, making
hospital network security a primary
IT concern. EHRs make it possible
for physicians and other healthcare
professionals, as well as insurance
companies, to share essential
information. This makes it easier to
both coordinate care and facilitate
insurance matters.
Types of Cyber Threats:
A. Computer viruses
- Perhaps the most well-known
computer security threat, a
computer virus is a program written
to alter the way a computer
operates, without the permission or
 knowledge of the user. A virus
replicates and executes itself,
usually doing damage to your
computer in the process.
- Carefully evaluating free software,
downloads from peer-to-peer file
sharing sites, and emails from
unknown senders are crucial to
avoiding viruses. Most web
browsers today have security
settings which can be ramped up
for optimum defense against online
threats. the single most-effective
way of fending off viruses is
up-to-date antivirus software from
a reputable provider.
B. Spyware Threats
- A serious computer security threat,
spyware is any program that
monitors your online activities or
installs programs without your
consent for profit or to capture
personal information.
- While many users won't want to
hear it, reading terms and
conditions is a good way to build
an understanding of how your
activity is tracked online. And of
course, if a company you don't
recognize is advertising for a deal
that seems too good to be true, be
sure you have an internet security
solution in place and click with
caution.
How to prevent Cyber Security Threats?
1. Keep your software and systems
fully up to date
- Often cyber attacks happen
because your systems or software
aren’t fully up to date, leaving
weaknesses. Hackers exploit these
weaknesses so cybercriminals
exploit these weaknesses to gain
access to your network. Once they
are in – it’s often too late to take
preventative action.
- To counteract this, it’s smart to
invest in a patch management
system that will manage all
software and system updates,
keeping your system resilient and
up to date.
2. Install a Firewall
- There are so many different types
of sophisticated data breaches and
new ones surface every day and
even make comebacks.
- Putting your network behind a
firewall is one of the most effective
ways to defend yourself from any
cyber attack. A firewall system will
block any brute force attacks made
on your network and/or systems
before it can do any damage.
3. Control access to your systems
- Believe it or not, one of the attacks
that you can receive on your
systems can be physical, having
control over who can access your
network is really important.
Somebody can simply walk into
your office or enterprise and plug
in a USB key containing infected
files into one of your computers
allowing them access to your entire
network or infect it.
- It’s essential to control who has
access to your computers. Having
a perimeter security system
installed is a very good way to stop
cybercrime as much as break ins.
4. Backup your data
- In the event of a disaster (often a
cyber attack) you must have your
data backed up to avoid serious
downtime, loss of data and serious
financial loss.
REFERENCES:

Types of computer security threats.

(2018). Retrieved April 16, 2021, from
https://www.webroot.com/us/en/resources/
tips-articles/computer-security-threats

Hewitt, B., Dolezel, D., & McLeod, A.

(2017, January 1). Mobile device security:
Perspectives of future healthcare workers.
Retrieved April 16, 2021, from
https://www.ncbi.nlm.nih.gov/pmc/articles/
PMC5430111/

Leaders, O. (2015, November 03). 5

best practices for mobile device
security in healthcare. Retrieved
April 16, 2021, from
https://hitconsultant.net/2015/11/03/5
-best-practices-for-mobile-device-se
curity-in-healthcare/#.YHlQdugzbIU

HIPAA Journal. (n.d.). Protect Healthcare

Data from Phishing.
https://www.hipaajournal.com/protect-healt
hcare-data-from-phishing/#:~:text=The%2
0Threat%20of%20Phishing%20Attacks%2
0on%20the%20Healthcare%20Industry&t
ext=Phishing%20attacks%20are%20beco
ming%20a,Saint%20Agnes%20Heath%20
Care%20Inc.
GROUP 3: BIOETHICS AND RESEARCH
A. Principles of Ethics in Research
a. Nuremberg Code - developed following
the Nuremberg Military Tribunal as a
standard by which to judge human
experimentation conducted by the Nazis.
This code covers several basic principles
in the ethical conduct of using humans
for research, including voluntary
consent.
- The first trial was called The
Doctor’s Trial officially known as
The United States of America v.
Karl Brandt, et al.
Significance:
- It influenced the principles of Good
Clinical Practice which provides a
standard for study design,
implementation, conduct and
analysis
- Protects participants of clinical
research from exploitation, abuse,
injury, and death
10 Basic Principles:
1. The voluntary consent of the human
subject is ABSOLUTELY
ESSENTIAL.
2. The experiment should be used to
yield fruitful results for the good of
the society, unprocurable by other
methods or means of study, and not
random and unnecessary in nature
3. The experiment should be so
designed and based on the results of
animal experimentation and a
knowledge of the natural history of
the disease or other problem under
study that the anticipated results
justify the performance of the
experiment
4. The experiment should be so
conducted as to avoid all
unnecessary physical and mental
suffering and injury
5. No experiment should be conducted
where there is an a priori reason to
believe that death or disabling injury
will occur; except, perhaps, in those
experiments where the experimental
physicians also serve as subjects
6. The degree of risk to be taken should
never exceed that determined by the
humanitarian importance of the
problem to be solved by the
experiment
7. Proper preparations should be made
and adequate facilities provided to
protect the experimental subject
against even remote possibilities of
injury, disability, or death
8. The experiment should be conducted
only by scientifically qualified
persons. The highest degree of skill
and care should be required through
all stages of the experiment of those
who conduct or engage in the
experiment.
9. During the course of the experiment,
the human subject should be at
liberty to bring the experiment to an
end if he has reached the physical or
mental state where continuation of
the experiment seems to him to be
impossible.
10. During the course of the experiment,
the scientist in charge must be
prepared to terminate the experiment
at any stage, if he has probable
cause to believe, in the exercise of
the good faith, superior skill and
careful judgement required of him,
that a continuation of the experiment
is likely to result in injury, disability, or
death to the experimental subject.
b. Declaration of Helsinki
A statement outlining the ethical principles for
medical research involving human subjects
which was initially adopted by the 18th Assembly
of the World Medical Association in Helsinki,
Finland.
- It was developed from the 10 principles in
the Nuremberg code and further
incorporated elements from the
Declaration of Geneva.
- Addressed primarily to physicians, but
encourages others involved in medical
research involving human subjects to
adopt these principles.
General Principles
The general principles act as the foundation for
ethical standards including:
- Protecting patient health
 - Knowledge cannot trample rights
- Additional considerations
- Following local regulatory norms
The following are the General Principles of the
Declaration of Helsinki:
1) The Declaration of Geneva of the WMA
binds the physician with the words, “The
health of my patient will be my first
consideration,” and the International
Code of Medical Ethics declares that, “A
physician shall act in the patient’s best
interest when providing medical care.”
2) It is the duty of the physician to promote
and safeguard the health, well-being and
rights of patients, including those who are
involved in medical research. The
physician’s knowledge and conscience are
dedicated to the fulfilment of this duty.
3) Medical progress is based on research
that ultimately must include studies
involving human subjects.
4) The primary purpose of medical research
involving human subjects is to
understand the causes, development
and effects of diseases and improve
preventive, diagnostic and therapeutic
interventions (methods, procedures and
treatments). Even the best proven
interventions must be evaluated
continually through research for their
safety, effectiveness, efficiency,
accessibility and quality.
5) Medical research is subject to ethical
standards that promote and ensure
respect for all human subjects and protect
their health and rights.
6) While the primary purpose of medical
research is to generate new knowledge,
this goal can never take precedence over
the rights and interests of individual
research subjects.
7) It is the duty of physicians who are
involved in medical research to protect
the life, health, dignity, integrity, right
to self-determination, privacy, and
confidentiality of personal information
of research subjects. The responsibility
for the protection of research subjects
must always rest with the physician or
other health care professionals and never
with the research subjects, even though
they have given consent.
8) Physicians must consider the ethical, legal
and regulatory norms and standards for
research involving human subjects in their
own countries as well as applicable
international norms and standards. No
national or international ethical, legal or
regulatory requirement should reduce or
eliminate any of the protections for
research subjects set forth in this
Declaration.
9) Medical research should be conducted in
a manner that minimises possible harm to
the environment.
10) Medical research involving human
subjects must be conducted only by
individuals with the appropriate ethics and
scientific education, training and
qualifications. Research on patients or
healthy volunteers requires the
supervision of a competent and
appropriately qualified physician or other
health care professional.
11) Groups that are underrepresented in
medical research should be provided
appropriate access to participation in
research.
12) Physicians who combine medical research
with medical care should involve their
patients in research only to the extent that
this is justified by its potential preventive,
diagnostic or therapeutic value and if the
physician has good reason to believe that
participation in the research study will not
adversely affect the health of the patients
who serve as research subjects.
13) Appropriate compensation and treatment
for subjects who are harmed as a result of
participating in research must be ensured.
Specific Sections addressed within the
Declaration of Helsinki
- Risks, Burdens and Benefits
- Vulnerable Groups and Individuals
- Scientific Requirements and Research
Protocols
- Research Ethics Committees
- Privacy and Confidentiality
- Informed Consent
- Use of Placebo
- Post-Trial Provisions
- Research Registration and Publication
and Dissemination of Results
- Unproven interventions in clinical practice
Risk, Burdens and Benefits
Medical research must only be conducted if the
importance of the findings outweigh the risks and
burdens to the research subjects. This involves
reflecting on the impacts on the individual
participating, as well as the potential benefits to
them and others who may be similarly affected by
the disease.
1) Medical research involving human
subjects may only be conducted if the
importance of the objective outweighs the
risks and burdens to the research
subjects.
2) All medical research involving human
subjects must be preceded by careful
assessment of predictable risks and
burdens to the individuals and groups
involved in the research in comparison
with foreseeable benefits to them and to
other individuals or groups affected by the
condition under investigation. Measures
to minimise the risks must be
implemented. The risks must be
continuously monitored, assessed and
documented by the researcher.
3) Physicians may not be involved in a
research study involving human subjects
unless they are confident that the risks
have been adequately assessed and can
be satisfactorily managed. When the risks
are found to outweigh the potential
benefits or when there is conclusive proof
of definitive outcomes, physicians must
assess whether to continue, modify or
immediately stop the study.
Vulnerable Groups and Individuals
Special protections must be implemented to
protect some individuals and groups who are
particularly vulnerable with a higher likelihood of
becoming wronged or incurring additional harm
due to their status.
1) Some groups and individuals are
particularly vulnerable and may have an
increased likelihood of being wronged or
of incurring additional harm. All
vulnerable groups and individuals
should receive specifically considered
protection.
2) Medical research with a vulnerable group
is only justified if the research is
responsive to the health needs or
priorities of this group and the
research cannot be carried out in a
non-vulnerable group. In addition, this
group should stand to benefit from the
knowledge, practices or interventions that
result from the research.
Scientific Requirements and Research
Protocol
The basis for medical research must rest in sound
scientific inquiry. This requires thorough
knowledge of the existing scientific literature,
other relevant sources of information, and
techniques of experimentation.
1) Medical research involving human
subjects must conform to generally
accepted scientific principles, be based on
a thorough knowledge of the scientific
literature, other relevant sources of
information, and adequate laboratory and,
as appropriate, animal experimentation.
The welfare of animals used for research
must be respected.
2) The design and performance of each
research study involving human subjects
must be clearly described and justified in a
research protocol. The protocol should
contain a statement of the ethical
considerations involved and should
indicate how the principles in this
Declaration have been addressed. The
protocol should include information
regarding funding, sponsors, institutional
affiliations, potential conflicts of interest,
incentives for subjects and information
regarding provisions for treating and/or
compensating subjects who are harmed
as a consequence of participation in the
research study. In clinical trials, the
protocol must also describe appropriate
arrangements for post-trial provisions.
Research Ethics Committees
Before starting a study, researchers should
submit their protocol for review by the Research
Ethics Committee.
1) The research protocol must be submitted
for consideration, comment, guidance and
approval to the concerned research ethics
committee before the study begins. This
committee must be transparent in its
 functioning, must be independent of the
researcher, the sponsor and any other
undue influence and must be duly
qualified. It must take into consideration
the laws and regulations of the country or
countries in which the research is to be
performed as well as applicable
international norms and standards but
these must not be allowed to reduce or
eliminate any of the protections for
research subjects set forth in this
Declaration.
The committee must have the right to
monitor ongoing studies. The researcher
must provide monitoring information to the
committee, especially information about
any serious adverse events. No
amendment to the protocol may be made
without consideration and approval by the
committee. After the end of the study, the
researchers must submit a final report to
the committee containing a summary of
the study’s findings and conclusions.
Privacy and Confidentiality
The Declaration of Helsinki also underscores the
need for researchers to keep the personal
information of the subjects confidential.
1) Every precaution must be taken to protect
the privacy of research subjects and the
confidentiality of their personal
information.
Informed Consent
Participation in medical research must be
voluntary and informed consent should be
obtained in writing from those who are able to
provide it.
1) Participation by individuals capable of
giving informed consent as subjects in
medical research must be voluntary.
Although it may be appropriate to consult
family members or community leaders, no
individual capable of giving informed
consent may be enrolled in a research
study unless he or she freely agrees.
2) In medical research involving human
subjects capable of giving informed
consent, each potential subject must be
adequately informed of the aims, methods,
sources of funding, any possible conflicts
of interest, institutional affiliations of the
researcher, the anticipated benefits and
potential risks of the study and the
discomfort it may entail, post-study
provisions and any other relevant aspects
of the study. The potential subject must be
informed of the right to refuse to
participate in the study or to withdraw
consent to participate at any time without
reprisal. Special attention should be given
to the specific information needs of
individual potential subjects as well as to
the methods used to deliver the
information. After ensuring that the
potential subject has understood the
information, the physician or another
appropriately qualified individual must
then seek the potential subject’s
freely-given informed consent, preferably
in writing. If the consent cannot be
expressed in writing, the non-written
consent must be formally documented and
witnessed. All medical research subjects
should be given the option of being
informed about the general outcome and
results of the study.
3) When seeking informed consent for
participation in a research study the
physician must be particularly cautious if
the potential subject is in a dependent
relationship with the physician or may
consent under duress. In such situations
the informed consent must be sought by
an appropriately qualified individual who is
completely independent of this
relationship.
4) For a potential research subject who is
incapable of giving informed consent, the
physician must seek informed consent
from the legally authorised representative.
These individuals must not be included in
a research study that has no likelihood of
benefit for them unless it is intended to
promote the health of the group
represented by the potential subject, the
research cannot instead be performed
with persons capable of providing
informed consent, and the research
entails only minimal risk and minimal
burden.
5) When a potential research subject who is
deemed incapable of giving informed
consent is able to give assent to decisions
 about participation in research, the
physician must seek that assent in
addition to the consent of the legally
authorised representative. The potential
subject’s dissent should be respected.
6) Research involving subjects who are
physically or mentally incapable of giving
consent, for example, unconscious
patients, may be done only if the physical
or mental condition that prevents giving
informed consent is a necessary
characteristic of the research group. In
such circumstances the physician must
seek informed consent from the legally
authorised representative. If no such
representative is available and if the
research cannot be delayed, the study
may proceed without informed consent
provided that the specific reasons for
involving subjects with a condition that
renders them unable to give informed
consent have been stated in the research
protocol and the study has been approved
by a research ethics committee. Consent
to remain in the research must be
obtained as soon as possible from the
subject or a legally authorised
representative.
7) The physician must fully inform the patient
which aspects of their care are related to
the research. The refusal of a patient to
participate in a study or the patient’s
decision to withdraw from the study must
never adversely affect the
patient-physician relationship.
8) For medical research using identifiable
human material or data, such as research
on material or data contained in biobanks
or similar repositories, physicians must
seek informed consent for its collection,
storage and/or reuse. There may be
exceptional situations where consent
would be impossible or impracticable to
obtain for such research. In such
situations the research may be done only
after consideration and approval of a
research ethics committee.
Use of Placebo
As a general rule, new interventions must be
tested against the existing gold standard, the best
proven treatment that presently exists.
1) The benefits, risks, burdens and
effectiveness of a new intervention must
be tested against those of the best proven
intervention(s), except in the following
circumstances:
➢ Where no proven intervention
exists, the use of placebo, or no
intervention, is acceptable; or
➢ Where for compelling and
scientifically sound methodological
reasons the use of any intervention
less effective than the best proven
one, the use of placebo, or no
intervention is necessary to
determine the efficacy or safety of
an intervention; and
➢ the patients who receive any
intervention less effective than the
best proven one, placebo, or no
intervention will not be subject to
additional risks of serious or
irreversible harm as a result of not
receiving the best proven
intervention.
Extreme care must be taken to avoid
abuse of this option.
Post-Trivial Provisions
1) In advance of a clinical trial, sponsors,
researchers and host country
governments should make provisions for
post-trial access for all participants who
still need an intervention identified as
beneficial in the trial. This information
must also be disclosed to participants
during the informed consent process.
Research Registration and Publication and
Dissemination of Results
1) Every research study involving human
subjects must be registered in a publicly
accessible database before recruitment of
the first subject.
2) Researchers, authors, sponsors, editors
and publishers all have ethical obligations
with regard to the publication and
dissemination of the results of research.
Researchers have a duty to make publicly
available the results of their research on
human subjects and are accountable for
the completeness and accuracy of their
reports. All parties should adhere to
accepted guidelines for ethical reporting.
 Negative and inconclusive as well as
positive results must be published or
otherwise made publicly available.
Sources of funding, institutional affiliations
and conflicts of interest must be declared
in the publication. Reports of research not
in accordance with the principles of this
Declaration should not be accepted for
publication.
Unproven Interventions in Clinical Practice
1) In the treatment of an individual patient,
where proven interventions do not exist or
other known interventions have been
ineffective, the physician, after seeking
expert advice, with informed consent from
the patient or a legally authorised
representative, may use an unproven
intervention if in the physician’s judgement
it offers hope of saving life, re-establishing
health or alleviating suffering. This
intervention should subsequently be made
the object of research, designed to
evaluate its safety and efficacy. In all
cases, new information must be recorded
and, where appropriate, made publicly
available.
BELMONT REPORT
- Also known as the Ethical Principles and
Guidelines for the Protection of Human
Subjects of Research
- The report was written by the National
Commission for the Protection of Human
Subjects of Biomedical and Behavioral
Research
- National Commission for the Protection of
Human Subjects of Biomedical and
Behavioral Research
- The commission identifies basic
ethical principles that should
underlie the conduct of biomedical
and behavioral research involving
human subjects
- develops guidelines which should
be followed to assure that such
research is conducted in
accordance with those principles
- Commission was directed to consider
1. the boundaries between
biomedical and behavioral
research and the accepted
and routine practice of
medicine
2. the role of assessment of
risk-benefit criteria in the
determination of the
appropriateness of
research involving human
subjects,
3. appropriate guidelines for
the selection of human
subjects for participation in
such research
4. the nature and definition of
informed consent in various
research settings.
- Belmont Report attempts to summarize
the basic ethical principles identified by
the Commission in the course of its
deliberations
- It is a statement of basic ethical principles
and guidelines that should assist in
resolving the ethical problems that
surround the conduct of research with
human subjects
- Ethical Principles & Guidelines for
Research Involving Human Subjects
under the belmont report
- Three principles, or general
prescriptive judgments, that are
relevant to research involving
human subjects are identified in
this statement.
1. Respect for persons
2. Beneficence
3. Justice
Part A: Boundaries Between Practice & Research
- It is important to distinguish between
biomedical and behavioral research, and
the practice of accepted therapy on the
other, in order to know what activities
ought to undergo review for the protection
of human subjects of research
- practice refers to interventions that are
designed solely to enhance the well-being
of an individual patient or client and that
have a reasonable expectation of
success. The purpose of medical or
behavioral practice is to provide diagnosis,
preventive treatment or therapy to
particular individuals
- Research designates an activity designed
to test an hypothesis, permit conclusions
to be drawn, and thereby to develop or
 contribute to generalizable knowledge
Research is usually described in a formal
protocol that sets forth an objective and a
set of procedures designed to reach that
objective
- Research and practice may be carried on
together when research is designed to
evaluate the safety and efficacy of a
therapy
Part B: Basic Ethical Principles
- The expression "basic ethical principles"
refers to those general judgments that
serve as a basic justification for the many
particular ethical prescriptions and
evaluations of human actions.
- Respect for Persons:
- In the report it incorporates at least
two ethical convictions: first, that
individuals should be treated as
autonomous agents, and second,
that persons with diminished
autonomy are entitled to
protection. The principle of
respect for persons thus divides
into two separate moral
requirements: the requirement to
acknowledge autonomy and the
requirement to protect those with
diminished autonomy
- respect for persons demands that
subjects enter into the research
voluntarily and with adequate
information
- Beneficence.
- Persons are treated in an ethical
manner not only by respecting their
decisions and protecting them from
harm, but also by making efforts to
secure their well-being.
- In the Belmont report, beneficence
is understood in a stronger sense,
as an obligation.
- Two general rules have been
formulated as complementary
expressions of beneficent actions
in this sense: (1) do not harm and
(2) maximize possible benefits and
minimize possible harms.
- Justice.
- ensuring reasonable,
non-exploitative, and
well-considered procedures are
administered fairly — the fair
distribution of costs and benefits to
potential research participants —
and equally
- justice demands both that these
not provide advantages only to
those who can afford them and
that such research should not
unduly involve persons from
groups unlikely to be among the
beneficiaries of subsequent
applications of the research
Part C: Applications
- Informed Consent. -- Respect for
persons requires that subjects, to the
degree that they are capable, be given the
opportunity to choose what shall or shall
not happen to them. controversy prevails
over the nature and possibility of an
informed consent. Nonetheless, there is
widespread agreement that the consent
process can be analyzed as containing
three elements: information,
comprehension and voluntariness.
✓ Information. Most codes of
research establish specific items
for disclosure intended to assure
that subjects are given sufficient
information. These items generally
include: the research procedure,
their purposes, risks and
anticipated benefits, alternative
procedures (where therapy is
involved), and a statement offering
the subject the opportunity to ask
questions and to withdraw at any
time from the research. Additional
items have been proposed,
including how subjects are
selected, the person responsible
for the research, etc
✓ Comprehension. The manner and
context in which information is
conveyed is as important as the
information itself Because the
subject's ability to understand is a
function of intelligence, rationality,
maturity and language, it is
necessary to adapt the
presentation of the information to
the subject's capacities.
Investigators are responsible for
 ascertaining that the subject has
comprehended the information
✓ Voluntariness. An agreement to
participate in research constitutes
a valid consent only if voluntarily
given. This element of informed
consent requires conditions free of
coercion and undue influence.
Coercion occurs when an overt
threat of harm is intentionally
presented by one person to
another in order to obtain
compliance. Unjustifiable
pressures usually occur when
persons in positions of authority or
commanding influence -- especially
where possible sanctions are
involved
- Assessment of Risks and Benefits. --
The assessment of risks and benefits
requires a careful arrayal of relevant data,
including, in some cases, alternative ways
of obtaining the benefits sought in the
research. requirement that research be
justified on the basis of a favorable
risk/benefit assessment bears a close
relation to the principle of beneficence,
just as the moral requirement that
informed consent be obtained is derived
primarily from the principle of respect for
persons. The term "risk" refers to a
possibility that harm may occur. However,
when expressions such as "small risk" or
"high risk" are used, they usually refer
both to the chance of experiencing a harm
and the severity of the envisioned harm.
"benefit" is used in the research context
to refer to something of positive value
related to health or welfare
- Selection of Subjects. -- Just as the
principle of respect for persons finds
expression in the requirements for
consent, and the principle of beneficence
in risk/benefit assessment, the principle of
justice gives rise to moral requirements
that there be fair procedures and
outcomes in the selection of research
subjects. Justice is relevant to the
selection of subjects of research at two
levels: the social and the individual.
Individual justice in the selection of
subjects would require that researchers
exhibit fairness: thus, they should not offer
potentially beneficial research only to
some patients who are in their favor or
select only "undesirable" persons for risky
research. Social justice requires that
distinction be drawn between classes of
subjects that ought, and ought not, to
participate in any particular kind of
research, based on the ability of members
of that class to bear burdens and on the
appropriateness of placing further burdens
on already burdened persons.
B. Ethical Issues in Evidence-Based
Practice
Driven by increased accountability, the
widespread and convenient availability of
information spawned by the Information
Age, the health care community is turning
increased attention towards evaluating
established practices or what is
commonly known as Evidence-Based
Practice.
UNDERSTANDING THE TERMS
Evidence: It is something that furnishes proof
or testimony or something legally submitted to
ascertain in the truth of matter.
Evidence based medicine or practice- The
conscientious, explicit and judicious use of
current best evidence in making decisions
about the care of individual patients. (Dr. David
Sackett, Rosenberg, 1996)
Evidence based nursing- it is a process by
which nurses make clinical decisions using the
best available research evidence, their clinical
expertise and patient preferences (mulhall,
1998). •
In recent decades, EBP has become a key
component of exceptional patient care.
Registered nurses (RN) deliver care to patients
by applying validated interventions. In a
Bachelor of Science in Nursing (BSN) program,
nurses learn about evidence-based practice
(EBP), which aids them in pinpointing care
strategies that can help their patients.
The inclusion of EBP in nursing provides nurses
with the scientific research to make well-founded
decisions. Through EBP, nurses can
● Stay updated about new medical protocols
for patient care. By searching for
documented interventions that fit the
profiles of their patients, nurses can
increase their patients' chances for
recovery.
● EBP enables nurses to evaluate research
so they understand the risks or
effectiveness of a diagnostic test or
treatments.
● The application of EBP enables nurses to
include patients in their care plan. This
allows patients to have a proactive role in
their own healthcare since they can voice
concerns, share their values and
preferences and make suggestions on
how they want to proceed.
BUT HOW IS THE CONSIDERATION OF
ETHICS INVOLVED IN
EVIDENCE-BASED PRACTICE?
The primary reason for implementing
evidence-based practice is to produce the
most effective medical, rehabilitation and
health outcomes. However, each patient
care encounter includes issues related to
the established practices of the discipline,
what the patient prefers, concern for
quality of life, and contextual
features-personal story that places the
experience within a real-life context for the
patient.
. settings. Practitioners must not
Ethical issues are part of every health care
encounter and moral principles such as
truth, fairness, avoiding harm, and
respecting autonomy lie at the heart of
these concerns
Since Evidence based practice focuses on
searching and appraising available
evidence on the advantages and
disadvantages of various interventions.
Thus, the consideration of ethics in
research is of growing importance
especially to the participant (patient)
involved in the research as it is our
responsibility to consider whether any type
of harm could occur when planning and
implementing research since this involves
human intervention.
WHY IS IT IMPORTANT TO CONSIDER
THESE ETHICAL ISSUES ?
The identification of these issues is not
intended to diminish the importance of the
evidence-based practice but, rather, to
point out that ethical issues are embedded
throughout the health care practices. To
the extent that we are aware of them, we
are better prepared to avoid
complications.
ETHICAL CONCERNS OF EBP
● Status of Evidence
Available evidence in health care
areas consists mostly of expert
opinions where despite important
advances in research, only few
have amassed sufficient data to
enable research-based confidence
in treatment interventions
This means that much of traditional
rehabilitation practice unfortunately
lacks sufficient research for the
careful, well-documented analyses
expected in making confident,
evidence-based decisions. More
research is needed to provide
evidence to guide interventions
that reduce disability for specific
conditions, populations, and
solely based on expert opinions
but must also acknowledge the
basis of a given intervention such
as clinical tradition and anecdotal
results.
Some types of knowledge are
not included in EBP. EBP
discounts types of knowledge that
are used by practitioners and
which are important for good
practice; these include experience,
and intuition.

In health care, EBP fits best with
tightly defined areas of practice,
particularly pharmacology, but is ill
suited for the more craft-like areas,
such as surgery and nursing. In
these areas, experience counts for
a great deal, and a patient would
be better served by an
experienced practitioner rather
than one well-versed in recent
research evidence.
Example, despite EBP-based
guidelines, a practitioner decided
to carry on treating a patient who
unexpectedly revived and left
hospital relatively well or a surgeon
implemented an intervention.
Another example, A surgeon
during a procedure might decide to
try something new on the basis of
strong intuition, even though little
or no EBP-evidence exists to
support it. (BrantZawadzki 2012).
Another is, a new evidence based
treatment may not be effective to
those who would find it difficult to
establish new routines.
● Client Autonomy
In most cases, patients lose
choice; they are constrained to
have what the evidence tells them
to, a phenomenon that has been
described as evidence-based
paternalism.
Patient and family participation in
planning intervention (autonomy) is
an important dimension of
rehabilitation. This participation
should also include decision
making under difficult
circumstances by the client when
competing interests are decided.
● Conflict of Interest
May be represented when clinical
trials are subjected to questions
about the validity of their
conclusions. Although studies
designed with high levels of control
for competing hypotheses are
emphasized as necessary for
achieving valid conclusions, the
ethical threats involved in
conducting such research are
sometimes understated. Again,
scientists rather than patients
mostly determine decisions about
who participates in studies and
whether intervention continues,
thus creating a conflict of interest.
This may also lead to bias
tendencies which may affect the
client’s autonomy.
● Informed Consent
The idea of informed consent is
again grounded in the principle of
autonomy. This principle respects
the right of a person to weigh the
pros and cons of a decision and to
make a choice on the basis of his
or her consideration of alternatives.
To make a fully informed choice,
potential participants must be
advised of the expected benefits
and risks.
C. Ethic-Moral Obligation of the Nurse in
Evidence-Based Practice
Evidence‐based practice (EBP) is
a problem‐solving approach to the
delivery of health care that integrates the
best evidence from well‐designed studies
and evidence‐based theories with a
clinician's expertise and a patient's
preferences and values in making the best
clinical decisions (Melnyk &
Fineout‐Overholt, 2014). Clinical practice
guidelines, which should be routinely
incorporated into EBP, are statements with
recommendations for clinical practice that
are rigorously developed based on
systematic reviews of evidence and an
evaluation of their benefits and harms
(Melnyk et al., 2012). Guidelines are
important tools in EBP that can reduce
healthcare variation and improve patient
outcomes. However, guidelines produced
from multiple sources often conflict with
 one another, which can be confusing for
clinicians. Further, many clinicians
unknowingly follow recommendations and
guidelines that have not undergone
rigorous development.
a. Introduction to Good Clinical Practice
Guidelines
What is a good clinical practice?
Good Clinical Practice (GCP) is an
international ethical and scientific
standard for conducting biomedical and
behavioral research involving human
participants.
It also serves to protect the rights,
integrity and confidentiality of trial
subjects.Today, the ICH-GCP guidelines
are used in clinical trials throughout the
globe with the main aim of protecting
and preserving human rights.
Good clinical practice guidelines
should be followed when generating
clinical trial data that are intended to be
submitted to regulatory authorities.
Evidence‐based practice (EBP) is a
problem‐solving approach to the delivery
of health care that integrates the best
evidence from well‐designed studies and
evidence‐based theories with a
clinician's expertise and a patient's
preferences and values in making the
best clinical decisions (Melnyk &
Fineout‐Overholt, 2014). Clinical
practice guidelines, which should be
routinely incorporated into EBP, are
statements with recommendations for
clinical practice that are rigorously
developed based on systematic reviews
of evidence and an evaluation of their
benefits and harms (Melnyk et al., 2012).
Guidelines are important tools in EBP
that can reduce healthcare variation and
improve patient outcomes. However,
guidelines produced from multiple
sources often conflict with one another,
which can be confusing for clinicians.
Further, many clinicians unknowingly
follow recommendations and guidelines
that have not undergone rigorous
development.
Practice guidelines serve
to:
An important milestone in the
formation of the ICH-GCP guidelines was
The Belmont Report which was issued in
April 1979 by the National Commission
for Protection of Human Subjects of
Biomedical and Behavioural Research.
The principles of this report are as
follows:
● Respect for Persons: This principle
acknowledges the dignity and
freedom of every person. It
requires obtaining informed
consent from research subjects (or
their legally authorised
representatives)
● Beneficence: This principle
requires that researchers maximise
benefits and minimise harms
associated with research.
Research-related risks must be
reasonable in light of the expected
benefits.
● Justice: This principle requires
equitable selection and recruitment
and fair treatment of research
subjects.
The current system of Good Clinical
Practice has evolved, in part, in
response to revelations of past episodes
in which research participants were
grossly abused. Exposure of these
incidents, provided much of the
momentum for the development of
regulations and ethical guidelines on the
protection of human research
participants.
Why is GCP training necessary?
This training is important for all staff
involved in Clinical Research and
ensures an understanding of the
principles adopted in research.
● GCP is widely accepted and
expected in all research involving
human participants.
 ● GCP is not specific to a protocol,
but rather is general and applicable
to all protocols.

What are the Good Clinical Practice

guidelines?

The Good Clinical Practice (GCP)

guidelines were prepared in association
with the International Council for
Harmonization (ICH). Consolidating
many of the same principles set out in
earlier codes of medical ethics, the GCP
guidelines provide a framework for the
fair, scientifically sound conduct of
research studies involving human
participants.

The purpose of the ICH GCP guidelines

is twofold:

● To ensure that the rights, safety,

and confidentiality of participants in
clinical trials are protected.
● To ensure that the data collected in
clinical trials, as well as the
reported results of clinical trials,
are accurate and credible.

The principles in this guideline may be

applied to all clinical investigations
involving human participants, such as
those involving an investigational
product, a marketed drug, a medical
device, or a behavioral intervention.
VIII. Ethical Consideration in
Leadership Management
A. MORAL DECISION MAKING
Leaders are seen as moral persons when
they demonstrate certain traits, behaviors,
and decision-making patterns. Critical
traits include integrity, trustworthiness, and
honesty. The corresponding behaviors
generally reveal a concern for other
people, openness, and a personal morality
(Treviño et al. 2000).
While it is important that these traits and
behaviors be recognized as ethical from
an external perspective, a leader that
self-identifies as a moral person –
otherwise known as having a moral
identity – will more successfully make
ethical decisions and influence others to
behave in ethical ways (Mayer et al. 2012)
Being a moral person is essential to being
an ethical leader, but this quality alone
does not enable a leader to consistently
influence the decision-making of others. In
addition to demonstrating personal
morality, which means that they make
decisions that can be based from their
moral compass in life which ultimately
defines them, ethical leaders are moral
managers, which means they can manage
moral decisions according to specific
situations.
● PRINCIPLE OF MORAL
DISCERNMENT
What is Discernment?
- refers to the ability to discern the
moral good, discern a moral right
from wrong, and must have the
standard to measure or compare
the good thing and bad thing.
What is Moral Discernment?
- Moral discernment defines the
moral convictions that determine
one’s behavior and ultimately one’s
life. The person with moral integrity
can live consistent with convictions
or beliefs of themselves.
- Carter (1996) defined the people
that have moral integrity that are
consistent to hold the moral
principle, conviction.
- Olson (2002) defined moral
discernment refers to the ability to
discern what is morally right from
morally wrong that requires moral
reflectiveness on the meaning of
good and bad. It refers to the
ability to draw conclusions from the
discernment to develop
convictions.
- Livesey (2012) defined
discernment that includes both rule
knowledge and reasoning.
Moral Development and Abstract
Dilemmas
James Rest (Rest and Narvaez 1994), a
developmental psychologist who studied
moral and ethical development, identified
four components of moral development:
 ● Moral sensitivity—the ability to
interpret a situation in moral and
ethical terms;
● Moral judgment—the ability to
determine a course of action in the
context of what is just;
● Moral motivation—the ability to
select an appropriate course of
action among multiple good
alternatives; and
● Moral character—the courage
and skills to follow a course of
action in response to a situation
The Four Principles of Moral
Discernment
● Principle of formal cooperation
● Principle of Material cooperation
● Principle of lesser evil
● Principle of double effect
1. Principle of Formal Cooperation-
it occurs when someone
intentionally helps another
person carry out a sinful act.
Formal cooperation means that the
person cooperating intends,
desires, or approves the
wrongdoer's conduct. Thus, for
example if the nurse helps in the
operation because she wants the
operation performed, if the servant
transports the letters because he
approves of the liaison, if the priest
intends that the sinner receive
communion, or if the judge
applauds the couple's divorce —
then, regardless of any other
distinctions, the cooperator is also
wrong. We cannot formally
cooperate in morally wrong activity,
because we cannot intend wrong
conduct. For this reason the
Vatican held that no Catholic
healthcare facility could ever
formally cooperate in providing
sterilizations-that is, no facility
could perform sterilizations on the
basis of an institutional policy that
welcomed and sanctioned routine
sterilizations.
2. Principle of Material
Cooperation - when a person's
actions unintentionally help
another person do something
wrong.
Material cooperation simply means that
although we do not share the intention of
the wrongdoer, we are involved in the
matter or the actual doing of the action.
Thus the distinction between formal and
material asks whether we intend, desire,
or approve the wrong activity. If we do, we
are wrongdoers too. If not, then we should
consider the other issues.
3. Principle of Lesser Evil - The
principle that when faced with
selecting from two immoral
options, the one which is least
immoral should be chosen.
The principle of lesser evil simply states,
where a person must choose between an
evil and a greater evil, he must choose the
lesser. The way one applies this principle
depends on the circumstances, which is a
philosophical study of its own. In a political
context, there are, generally speaking, two
main circumstances where the principle of
lesser evil applies.
The first is inside the system, and the
second is outside the system. Until
circumstances bring about the necessity of
working outside the system, the people
must work within the system. In both
cases, the principle of lesser evil applies.
Let’s get a clearer picture of what this
means.
The principle of lesser evil manifests itself
most clearly when extreme conditions
force our choice. For example, the Jews
who were captured and enslaved by
Hitler’s regime had to choose between
submission or resistance to tyrants. For
most of them, submitting to evil was less
evil than having scores, hundreds and
thousands of Jews mercilessly and
immediately killed for resisting or
disobeying. So Ecclesiastes 9:4 says, “a
living dog is better than a dead lion.”
4. Principle of Double Effect - This
principle aims to provide
specific guidelines for
determining when it is morally
permissible to perform an action
in pursuit of a good end in full
knowledge that the action will
also bring about bad results.
The principle of double effect can be
outlined briefly as follows. Sometimes the
same act causes both a good result and
an evil result at the same time. Can such
an act be performed?
The answer is that it can be, provided that
all the following four conditions
are met:
● First, the act itself must be good or
indifferent.
● Second, the good effect must not
be caused by the evil effect.
● Third, the good effect and not the
evil effect must be directly intended
by the agent.
● Fourth, there must be a
proportionality between the good
and evil result (i.e., the good must
outweigh the evil)
● The Principle of
Well-Formed Conscience
- Indicates that people are
obligated to inform themselves
about ethical norms, incorporate
that knowledge into their daily lives
, act according to that knowledge,
and take responsibility for those
actions.
What is Conscience?
- A judgement of reason by which the
human person recognizes the moral
quality of a concrete act
The conscience judges a concrete act as
good or evil in accord with a norm of
morality given to it. And this norm is the
natural law.
- Represents both the general ability
we have to know what is good and right to
make the concrete judgements we make
in.
- This may be affected by: Family,
Environment, School, Church and
individual own biases.
- In religion, it is the inner sanctuary in
which we listen to the voice of God.
Formation of Conscience
-The dignity of the human person implies
and demands the rectitude of the moral
conscience, that is, its being based on
truth. One must seriously seek a right
conscience or, in other words, one must
try to make sure that one’s moral
judgment is right.
- Lifelong process, involving the total
person- one’s reason, emotions,
embodied and social experience,
imagination and intuition.
- It is the comprehensive in the sense
that it enagages the whole person in the
pursuit of the true and the good.
This can be achieved by:
● Diligently learning the laws of the
moral life (through spiritual
formation), just as the referee must
be interested in knowing well the
rules of the game,
● Seeking expert advice in difficult
cases (spiritual direction), just as
doctors hold consultations when
the diagnosis of a serious illness is
not clear,
● Asking God for light (prayer),
● Removing the obstacles to right
judgment, such as habitual moral
disorder, or bad habits (ascetical
struggle)
● Personal examination of
conscience.
The expression formation of one’s
conscience precisely refers to the careful
preparation of that judgment.9 A person is
called prudent when he chooses
according to that judgment. Among the
above-listed conditions for reaching a right
judgment, two can especially benefit from
a careful preparation: the intellect’s
knowledge of moral laws, and the will’s
removal of obstacles. Thus, the formation
of one’s conscience is a long and
comprehensive process that will later
facilitate an immediate and right judgment
in any concrete situation.
Types of Conscience:
A. Good Conscience
-Makes judgements that conform to
reason and the good that is willed by the
Wisdom of God.
-It is important to identify between our
subjective self and whats is objectively
true outside ourselves.
- If there is an incorrect conscience,
that means that the conscience is
erroneous in its view of the truth.
- “Certain” conscience is that we
believe that our conscience is in
conformity with what is objectively true.
B. Invincibly ignorant conscience
- Refers to an error of which the person is
unaware and for which she is not
responsible.
C. Culpably ignorant conscience
-Refers to an error which the person is
responsible.
Rules to follow in obeying one’s
conscience:
- Always follow a certain conscience
- An incorrect conscience must be
changed if possible
- Do not act with a doubtful conscience
- Obey certain judgments of our
conscience, realizing that our conscience
can be incorrect
● STRATEGIES OF MORAL
DECISION MAKING PROCESS
1. Recognizing your
circumstances
Thinking about origins of the
problem, individuals involved, and relevant
principles, goals & values; considering
one’s own role in causing and/or resolving
the problem.
 2. Seeking outside help
Talking with a supervisor, peer, or
institutional resource, or learning from
others’ behaviors in similar situations.
3. Questioning your own and
others’ judgment
Considering problems that people
often have with making ethical decisions,
remembering that decisions are seldom
perfect.
4. Dealing with emotions
Assessing and regulating
emotional reactions to the situation.
5. Anticipating consequences of
actions
Thinking about many possible
outcomes such as consequences for
others, short & long term outcomes based
upon possible decision alternatives.
6. Analyzing personal motivations
Considering one’s own biases,
effects of one’s values and goals, how to
explain/justify one’s actions to others, &
questioning ability to make ethical
decisions.
7. Considering the effects of
actions on others
Being mindful of others’
perceptions, concerns, and the impact of
your actions on others, socially and
professionally.
STEPS OF MORAL DECISION MAKING
PROCESS
● Gather the facts
● Define the ethical issues
● Identify the affected parties
● Identify the consequences
● Identify the obligations
(principles, rights, justice)
● Consider your character and
integrity
● Think creatively about potential
actions
● Check your gut
● Decide on the proper ethical
action and be prepared to deal
with opposing arguments
ETHICAL DILEMMA
● Also known as ethical paradox
● A problem in the
decision-making process
● between two possible options,
neither of which is absolutely
acceptable from an ethical
● perspective.
● Extremely complicated
challenges that cannot be easily
solved.
● Involves unclear choices of what
is right and what is wrong
Ethical values usually arise as a result
of dilemmas between four sets of
values:
- Societal Values: The law
- Corporate Values: Principles of
the organization where the
individual works
- Personal Values: Principles of
self
- Professional Values: The values
and principles of the
professional body
SPOTTING AN ETHICAL DILEMMA:
- An issue of integrity
- Professional competence
- Confidentiality: to be maintained
- Conflict of interest
- Objectivity
Conditions:
1. Agent must make a decision
about which course of action is
best.
2. There must be different courses
of action to choose from.
3. No matter what course of action
is taken, some ethical principle
is compromised. In other words,
there is no perfect solution.
APPROACHES TO SOLVE AN ETHICAL
DILEMMA
1. Refute the paradox: The
situation must be carefully
analyzed. In some cases, the
existence of the dilemma can be
logically refuted.
2. Value theory approach: Choose
the alternative that offers the
greater good or the lesser evil.
3. Find alternative solutions: In
some cases, the problem can be
reconsidered, and new
alternative solutions may arise.
B. MEANING AND SERVICE
VALUE OF MEDICAL CARE
-The gap between supply and demand not
only contributes to a delay in meeting
patients' needs, but it can also be
expensive and generate waste in the
system. The experience of many health
care organizations demonstrates that
demand is not really insatiable, but
actually predictable
Demand for health care is characterized
by the level of actual consumption of an
individual incase of facing illness/injury,
this consumption could differ in
accordance with demand factors such as
income, cost of care, education, social
norms and traditions, and the quality and
appropriateness of the services provided.
Solutions were implemented and one
example is Value-based healthcare, also
known as value-based care, is a payment
model that rewards healthcare providers
for providing quality care to patients.
Under this approach, providers seek to
achieve the triple aim of providing better
care for patients and better health for
populations at a lower cost.
Value-based care focuses on care
coordination that ensures patients are
given the right care by the right provider at
the right time. Thus, in a value-based
healthcare model, physicians may
collaborate with each other on a patient's
care, rather than making decisions
separately that can lead to gaps or
overlaps in care.
ALLOCATION OF HEALTHCARE
SERVICES
When resources are limited and demand
exceeds supply, allocation becomes a
problem.These considerations apply to
healthcare as much as they do to anything
else.
Policies for allocating scarce health care
resources can impede their ability to fulfill
that obligation, whether those policies
address situations of chronically limited
resources, such as ICU (intensive care
unit) beds, medications, or solid organs for
transplantation, or “triage” situations in
times of scarcity, such as access to
ventilators during an influenza pandemic.
Individually and collectively through the
profession, physicians should advocate for
policies and procedures that allocate
scarce health care resources fairly among
patients, in keeping with the following
criteria:
A. Base allocation policies on criteria
relating to medical need, including
urgency of need, likelihood and
anticipated duration of benefit, and
change in quality of life.
B. Give first priority to those patients
for whom treatment will avoid
premature death or extremely poor
outcomes, then to patients who will
experience the greatest change in
quality of life, when there are very
substantial differences among
patients who need access to the
scarce resource(s).
C. Use an objective, flexible,
transparent mechanism to
determine which patients will
receive the resource(s)
D. Explain the applicable allocation
policies or procedures to patients
who are denied access to the
scarce resource(s) and to the
public.
ISSUES INVOLVING ACCESS TO CARE
- Access to health services means "the
timely use of personal health services to
achieve the best health outcomes." It
requires
Three distinct steps:
● Gaining entry into the healthcare
system (usually through insurance
coverage)
● Accessing a location where needed
health care services are provided
(geographic availability)
● Finding a health care provider whom
the patient trusts and can communicate
with (personal relationship)
Why Is Resource Allocation Needed?
Rising Cost of Healthcare
● Resources spent on healthcare have
increased over the
last century. Americans are spending far
more resources
on healthcare than do citizens of any other
industrialized
nation. Why?
- Continued medical advances have led to
more accurate diagnoses and better
treatments, but also have increased the
cost of healthcare.
- The aging population is growing. Nearly
36 million Americans (more than the entire
population of Canada) are age 65 or older
and account for a majority of healthcare
expenditures.
- More people are living with chronic
disease and disabilities, including AIDS.
Access to Health Services
encompasses three components:
1. Coverage
● Health insurance coverage helps
patients gain entry into the
healthcare system. Lack of
adequate coverage makes it
difficult for people to get the health
care they need and, when they do
get care, burdens them with large
medical bills. Uninsured people
are:
■ More likely to have poor health status
■ Less likely to receive medical care
■ More likely to be diagnosed later
■ More likely to die prematurely
2. Services
● Improving access to health care
services depends in part on
ensuring that people have a usual
and ongoing source of care (that
is, a provider or facility where one
regularly receives care). People
with a usual source of care have
better health outcomes, fewer
disparities, and lower costs.
● Having a usual Primary Care
Provider is associated with:
■ Greater patient trust in the provider
■ Better patient-provider communication
■ Increased likelihood that patients will
receive appropriate care
■ Lower mortality from all causes
● In addition to primary care and
preventive services, emergency
medical services (EMS) are a
crucial link in the chain of care.
EMS include basic and advanced
life support. Notable progress has
been made in recent years to
ensure that everyone has access
to rapidly responding EMS; it is an
● important effort in improving the
health of the population.
3. Timeliness
● The health care system's ability to
provide health care quickly after a
need is recognized. Measures of
timeliness include:
■ Availability of appointments and care for
illness or injury when it is needed.
■ Time spent waiting in doctors' offices
and emergency departments (EDs).
● The delay in time between
identifying a need for a specific test
or treatment and actually receiving
those services can negatively
impact health and costs of care.
For example, delays in getting care
can lead to:
■ Increased emotional distress
■ Increased complications
■ Higher treatment costs
■ Increased hospitalizations
● Actual and perceived difficulties or
delays in getting care when
patients are ill or injured likely
reflect significant barriers to care.
Prolonged ED wait time:
■ Decreases patient satisfaction
■ Increases the number of patients who
leave before being seen
■ Is associated with clinically significant
delays in care
Barriers to Health Services include:
● High cost of care
● Inadequate or no insurance coverage
● Lack of availability of services
● Lack of culturally competent care
● Access to care also often varies based
on race, ethnicity, socioeconomic status,
age, sex, disability status, sexual
orientation, gender identity, and residential
location.
These barriers to accessing health
services lead to:
● Unmet health needs
● Delays in receiving appropriate care
● Inability to get preventive services
● Financial burdens
● Preventable hospitalizations
Responses and Attempted Solutions to
the Problem of Limited Healthcare
Resources Since health is valued very
highly in American society, There have
been many attempts to reform the system.
These reforms have attempted to either
increase the financial resources directed
to healthcare or to use limited resources in
the best way possible. Reform attempts
have included efforts to:
● Increase efficiency. By curtailing waste
and unnecessary care, providers can be
more efficient. Methods include evaluating
health technologies and expanding
prevention programs.
● Distribute resources equitably. The
basis of distribution is value-based and
can take many forms: strict equality,
access to a determined level of care,
access to an equal opportunity for care,
limiting access to people responsible for
their health problems, and access based
on age or other factors.
● Adopt managed care plans. Managed
care has been offered as an
organizational structure that hopes to
distribute healthcare resources more
efficiently and wisely by having physicians
review policies that balance the healthcare
of the individual patient (and the cost of
caring for that patient) with the goals and
costs of providing healthcare to the entire
group.