NURSING INFORMATICS
HEALTH PRIVACY CODE
SHELA BALUNSAT
DR. JOSEPHINE LORICA, DPA, RN
HEALTH PRIVACY CODE IMPLEMENTING THE JOINT
ADMINISTRATIVE ORDER NO. 2016-0002 “PRIVACY
GUIDELINES FOR THE IMPLEMENTATION OF THE
PHILIPPINE HEALTH INFORMATION ECHANGE”
JOINT because it involved:
• Department of Health (DOH), in cooperation with
the
Department of Science and Technology (DOST),
Philippine Health Insurance Corporation
(PhilHealth),
• University of the Philippines-Manila (UPM) and the
Commission on Higher Education (CHED),
Established the the National eHealth Program (NeHP) that
envisions widespread information-technology (IT)-
enabled health services by 2020.
PURPOSE
- to prescribe the procedures and guidelines that
ensure the protection of the privacy of a patient.
SCOPE OF APPLICATION
- shall apply to the Phil Health Information Exchange
(PHIE) system, Health Facilities, Health Care
Providers, and any natural or juridical person
involved in the processing of health information
within the PHIE framework.
RULE 1: Collection and Processing of Health Information
1. Consent – valid and informed
Requirements:
a. Competence – sound mind , 18 years old
b. Amount and accuracy of information
- relevant & factual data – procedure, treatments, benefits,
risks possible complications
c. Patient understanding - language or dialect, education.
d. Voluntariness – autonomous- understand that can
withdraw anytime
2. Point of Collection of Information
- start at the time of registration in the health facility,
admission, different points of care
3. Processing of Information
- May be through an Electronic Health Record (EMR) or
Health facility Information System
- Encoding and processing will be coordinated through the
medical records section or health facility information
management system
4. Patient Identifier
- Unique – Philhealth Personal Identification Number
5. Point of de-identification
- De identified health information – stored in PHIE data
warehouse
- Patient’s consent – the health records as part of PHIE
maybe processed without de-identification otherwise,
health information must be de-identified – leaving only
those necessary for immediate statistical reference
6. Authorized persons to amend data if required
– authorized employee of the health facility
– when changing data:
Ø Original entry must be visible
Ø Change must be dated and countersigned or logged
Ø Reason for change must be entered or specified
7. Reportorial requirements
Ø RA # 3573 – Law on Reporting Communicable
Disease – immediately collected and reported to
local and national authorities
RULE 2: Access of Health Information
1. Access of Health Care Providers
- upon patient consent, only a health care provider and
authorized authorities shall have access to patient’s
health information
2. Access of Third party
- In cases required by law or authorized by the patient
RULE 3: Use and Disclosure of Health Information
1.Use and disclosure
Ø Planning of quality services
Ø Reporting of communicable, infectious and other
notifiable disease
Ø Continuing care to patients
Ø Reporting of physical injury
Ø Reporting of interpersonal violence to proper
authorities
Ø Mandatory reporting required by licensing and
accreditation bodies
2. Privilege Communication
- Conversation or working relationship which takes place
between two parties within the context of a protective
relationship such as between healthcare provider and a
patient.
Ø Consent of both patient and health care provider
must be secured prior to use
3. Training Hospitals and Academic or Clinical
Requirements
Ø Comply with Professional Regulation Commission
(PRC) requirements
Ø Non-disclosure clause – included in the contract of
a school affiliated
RULE 4: Organizational Security Measures
1. Policies and procedures
Ø Privacy and security
2. Contract with Third Party
Ø Document storage and disposal
Ø Data management processes – with tracking and
controlling records, type of data sent and received
and individuals who have access to records
Ø Description of output reporting
Ø Periodic staff training
Ø Communication requirements
3. The Information Technology personnel
Ø Support implementation of security guidelines –
confidentiality of records
Ø Charged with conduct of system-related functions
including troubleshooting
4. Medical records Officer
Ø With privacy officer - authority to audit patient’s
shared health records
RULE 5: Physical Security
1. Inventory of Information technology Physical Devices
2. Access to Physical Infrastructure (IT)
 NURSING INFORMATICS
HEALTH PRIVACY CODE
SHELA BALUNSAT
DR. JOSEPHINE LORICA, DPA, RN

Ø Server Access – in designated area and complies 4. Research Data

with ISO 27001 standards - de-identified or destroyed
Ø Computer Access – authorized personnel only
Ø Devices registered to the health facility – can not be RULE 11: Patient Registeries
brought outside health facility
Ø Bring your own device (BYOD) – allowed with strict
policies on access, processing, storage , 1. Registry Design – clear purpose, avoid ethical and
transmission and output of data compliance issues
3. Business continuity and Disaster recovery 2. Informed Consent
Ø Physical back up 3. Registry Data – conforms with standard definitions,
Ø Business continuity – even during disaster – terminologies and specifications
minimum data requirements identified by Data 4. Data Collection – close to place and time of care with
Protection officer trained data collectors
RULE 6: Technical Safeguards 5. Registry Data for research – appropriate design, data
element, operating procedures and documented
1. Access controls – only to persons or software programs methodologies
granted access rights
Ø Information Access management (required)
Ø User identification (required)
Ø Emergency Access Procedure (required)
Ø Automatic Log off (addressable)
Ø Encryption and Decryption (addressable)
Ø Multifactor authentication (addressable)
2. Audit controls – record who accessed, when and what
operations were performed
Ø Recording of Information (required)
Ø Audit data life span (addressable)
Ø Access to audit data (addressable)
3. Integrity controls – protection from improper alteration or
destruction
Ø Mechanism to authenticate Electronic health
Information (addressable)
Ø Digital Signature (required)
Ø Sum verification (required) – determine if input data
matches source data
Ø Anti-virus software (required)
Ø Data storage encryption (required)
Ø Transmission encryption (required)
Ø Proper handling of mechanical components
(Addressable)
Ø Offline modes and caching (addressable)
Ø Interface Integration of Information Systems
(Addressable) – for interoperability and data
compatibility
4. Transmission security
5. Identity authentication
6. Storage Security

RULE 7: Cloud Services

Ø Must not compromise privacy or security
Ø Contract – Health care provider and service
provider
RULE 8: Cloud Services
Ø Unauthorized posting – penalized in accordance to
Data Privacy Act
Ø Guidelines should be established
Ø Responsible social media use
Ø Health education and promotion – caution must be
observed
RULE 10: Research
1. Research Subject
2. Research protocol
3. Research projects
– 1,000 or more data sets – register with the National
Privacy Commission