This document outlines the rules and guidelines for implementing the Philippine Health Information Exchange regarding the collection, use, and protection of patient health information. It discusses 12 rules that cover obtaining consent, limiting access, securing physical infrastructure, ensuring technical safeguards, using cloud services appropriately, social media guidelines, and research requirements. The overall goal is to prescribe procedures that ensure patient privacy within the national health information system.
This document outlines the rules and guidelines for implementing the Philippine Health Information Exchange regarding the collection, use, and protection of patient health information. It discusses 12 rules that cover obtaining consent, limiting access, securing physical infrastructure, ensuring technical safeguards, using cloud services appropriately, social media guidelines, and research requirements. The overall goal is to prescribe procedures that ensure patient privacy within the national health information system.
This document outlines the rules and guidelines for implementing the Philippine Health Information Exchange regarding the collection, use, and protection of patient health information. It discusses 12 rules that cover obtaining consent, limiting access, securing physical infrastructure, ensuring technical safeguards, using cloud services appropriately, social media guidelines, and research requirements. The overall goal is to prescribe procedures that ensure patient privacy within the national health information system.
ADMINISTRATIVE ORDER NO. 2016-0002 “PRIVACY 7. Reportorial requirements GUIDELINES FOR THE IMPLEMENTATION OF THE Ø RA # 3573 – Law on Reporting Communicable PHILIPPINE HEALTH INFORMATION ECHANGE” Disease – immediately collected and reported to local and national authorities JOINT because it involved: RULE 2: Access of Health Information • Department of Health (DOH), in cooperation with the Department of Science and Technology (DOST), 1. Access of Health Care Providers Philippine Health Insurance Corporation - upon patient consent, only a health care provider and (PhilHealth), authorized authorities shall have access to patient’s • University of the Philippines-Manila (UPM) and the health information Commission on Higher Education (CHED), Established the the National eHealth Program (NeHP) that 2. Access of Third party envisions widespread information-technology (IT)- - In cases required by law or authorized by the patient enabled health services by 2020. RULE 3: Use and Disclosure of Health Information PURPOSE - to prescribe the procedures and guidelines that 1.Use and disclosure ensure the protection of the privacy of a patient. Ø Planning of quality services SCOPE OF APPLICATION Ø Reporting of communicable, infectious and other - shall apply to the Phil Health Information Exchange notifiable disease (PHIE) system, Health Facilities, Health Care Ø Continuing care to patients Providers, and any natural or juridical person Ø Reporting of physical injury involved in the processing of health information Ø Reporting of interpersonal violence to proper within the PHIE framework. authorities RULE 1: Collection and Processing of Health Information Ø Mandatory reporting required by licensing and accreditation bodies 1. Consent – valid and informed 2. Privilege Communication Requirements: - Conversation or working relationship which takes place a. Competence – sound mind , 18 years old between two parties within the context of a protective b. Amount and accuracy of information relationship such as between healthcare provider and a - relevant & factual data – procedure, treatments, benefits, patient. risks possible complications Ø Consent of both patient and health care provider c. Patient understanding - language or dialect, education. must be secured prior to use d. Voluntariness – autonomous- understand that can 3. Training Hospitals and Academic or Clinical withdraw anytime Requirements Ø Comply with Professional Regulation Commission 2. Point of Collection of Information (PRC) requirements - start at the time of registration in the health facility, Ø Non-disclosure clause – included in the contract of admission, different points of care a school affiliated
3. Processing of Information RULE 4: Organizational Security Measures
- May be through an Electronic Health Record (EMR) or Health facility Information System 1. Policies and procedures - Encoding and processing will be coordinated through the Ø Privacy and security medical records section or health facility information 2. Contract with Third Party management system Ø Document storage and disposal Ø Data management processes – with tracking and 4. Patient Identifier controlling records, type of data sent and received - Unique – Philhealth Personal Identification Number and individuals who have access to records Ø Description of output reporting Ø Periodic staff training 5. Point of de-identification Ø Communication requirements - De identified health information – stored in PHIE data 3. The Information Technology personnel warehouse Ø Support implementation of security guidelines – - Patient’s consent – the health records as part of PHIE confidentiality of records maybe processed without de-identification otherwise, Ø Charged with conduct of system-related functions health information must be de-identified – leaving only including troubleshooting those necessary for immediate statistical reference 4. Medical records Officer Ø With privacy officer - authority to audit patient’s 6. Authorized persons to amend data if required shared health records – authorized employee of the health facility – when changing data: RULE 5: Physical Security Ø Original entry must be visible Ø Change must be dated and countersigned or logged 1. Inventory of Information technology Physical Devices Ø Reason for change must be entered or specified 2. Access to Physical Infrastructure (IT) NURSING INFORMATICS HEALTH PRIVACY CODE SHELA BALUNSAT DR. JOSEPHINE LORICA, DPA, RN
Ø Server Access – in designated area and complies 4. Research Data
with ISO 27001 standards - de-identified or destroyed Ø Computer Access – authorized personnel only Ø Devices registered to the health facility – can not be RULE 11: Patient Registeries brought outside health facility Ø Bring your own device (BYOD) – allowed with strict policies on access, processing, storage , 1. Registry Design – clear purpose, avoid ethical and transmission and output of data compliance issues 3. Business continuity and Disaster recovery 2. Informed Consent Ø Physical back up 3. Registry Data – conforms with standard definitions, Ø Business continuity – even during disaster – terminologies and specifications minimum data requirements identified by Data 4. Data Collection – close to place and time of care with Protection officer trained data collectors RULE 6: Technical Safeguards 5. Registry Data for research – appropriate design, data element, operating procedures and documented 1. Access controls – only to persons or software programs methodologies granted access rights Ø Information Access management (required) Ø User identification (required) Ø Emergency Access Procedure (required) Ø Automatic Log off (addressable) Ø Encryption and Decryption (addressable) Ø Multifactor authentication (addressable) 2. Audit controls – record who accessed, when and what operations were performed Ø Recording of Information (required) Ø Audit data life span (addressable) Ø Access to audit data (addressable) 3. Integrity controls – protection from improper alteration or destruction Ø Mechanism to authenticate Electronic health Information (addressable) Ø Digital Signature (required) Ø Sum verification (required) – determine if input data matches source data Ø Anti-virus software (required) Ø Data storage encryption (required) Ø Transmission encryption (required) Ø Proper handling of mechanical components (Addressable) Ø Offline modes and caching (addressable) Ø Interface Integration of Information Systems (Addressable) – for interoperability and data compatibility 4. Transmission security 5. Identity authentication 6. Storage Security
RULE 7: Cloud Services
Ø Must not compromise privacy or security Ø Contract – Health care provider and service provider RULE 8: Cloud Services Ø Unauthorized posting – penalized in accordance to Data Privacy Act Ø Guidelines should be established Ø Responsible social media use Ø Health education and promotion – caution must be observed RULE 10: Research 1. Research Subject 2. Research protocol 3. Research projects – 1,000 or more data sets – register with the National Privacy Commission