HI 201 Journey – A Look Back

It has been a rollercoaster of a semester for me. I entered this course not fully understanding what I was getting myself into, but at the same time I was very hopeful that I would find my niche. And after 16 weeks of blogging and learning about the basics of this course, I can honestly say that I feel I belong here. I’m still struggling and I know there is still much to learn; however, I can now also see that there are so many opportunities for me in this field, opportunities which I am excited to explore.

Before moving on to the next semester, l’d like to look back at what has transpired over the last few months. Below are the highlights of each blog:

Week 2: Informatics, Global Health and eHealth
HI 201 - W2 Concept Map
Driving Question:
What is the relevance of informatics to global health and eHealth?

Highlights: Introduction to the very basic concepts which I had previously confused with. These concepts served as the foundation for this course.

 

Week 3: Health Informatics in the Philippines
HI 201 - W3 - Infographic
Driving Question:
How can we advance the field of health informatics in the Philippines?

Highlights:  I was honestly surprised when I discovered all the progress our country has had in terms of eHealth. It was my first introduction to RxBox, CHITS, and other local initiatives. Prior to this I was somehow pessimistic about the state of healthcare in the Philippines.

 

 

Week 4: Health Information Systems in Developing Countries
HI 201 - W4 - Mind Map Ver. 2
Driving Question:

How can health information systems be sustainable in developing countries?

Highlights: I was introduced to the concept of hybrids and learned about the ITPOSMO dimensions of health information system design-reality gap.

 

Week 5: Governance and Management in Health Informatics
cobit-4
Driving Question: 
Why are governance and management important in health informatics?

Highlights: I learned about the COBIT 5 business framework and how it relates to governance and management.

 

 

Week 6: Establishing the Philippine Health Information Exchange 
hi-201-w6-flowchart-1
Driving Question: 
How can patients access their data from different healthcare providers as they transfer care?

Highlights: I learned more about the Philippine Health Information Exchange, which I thought was a very promising initiative and something which I hope I can actively get to be part of when I graduate this course.

Week 7: Enterprise Architecture in Healthcare
fea
Driving Question: 
In a multistakeholder, multicomponent health information system, how can you ensure that all the players are doing their part?

Highlights: This assignment was a struggle for me and I had a difficult time understand what EA was, but I eventually got there! *happy dance*

Week 8: Electronic Health Records: Issues and Challenges
ehr
Driving Question: 
What are the issues and challenges in implementing electronic health records in primary care?

Highlights: This, for me, helped reinforced what I already knew about EMRs (not EHRs yet) since we are using one in the company I am working for.

 

Week 9: Personal Health Records
phr
Driving Question: 
What features are considered critical or most useful by users of Personal Health Records?

Highlights: I was able to develop a scoring system for a PHR and use it to evaluate an app I bought from iTunes.

 

Week 10: Standards and Interoperability
hie-2
Driving Question: 
How can healthcare institutions adopt standards to ensure interoperability?

Highlights: I learned about significance of standards and interoperability, and the role they will play in the successful implementation of the PHIE.

 

Week 11: Clinical Decision Support
chitsDriving Question: How can Clinical Decision Support Systems (CDSS) improve the quality of healthcare?

Highlights: Learning about the 10 commandments for CDSS was interesting for me. It was also fun trying to come up with a CDSS that can incorporated into CHITS, although it was challenging at the same time since I’m not really familiar with it.

Week 12: Knowledge Management and Information Retrieval
screen-shot-2016-11-28-at-12-12-25-amDriving Question: How can knowledge management improve access to healthcare research?
Highlights: I liked how the concepts above was explained. I used to mix up the concepts of data, information and knowledge. Answering this assignment also led me to the dengue vector eradication efforts in Pangasinan, which I thought was really interesting.

Week 13: Privacy, Confidentiality, Security and Trust
data-privacyDriving Question: What policies are in place to protect the Filipino patient’s privacy and confidentiality of health information?

Highlights: This assignment helped me educate myself further on the policies that were in place that protected the privacy rights of the Filipino patient. It was the perfect jumping board for the next blog, which had to do with the Data Privacy Act of 2012.

Week 14: Legal and Regulatory Issues in eHealth
ra-10173
Driving Question: 
Is the Data Privacy Act adequate to protect confidential health information?

Highlights: I have a couple of cousins who are lawyers, and it was enlightening discussing this Act with them. After reviewing this Act and its IRR, I have a couple of reservations as to how effectively this can be implemented. But I think it’s good that something like this exists, considering we are in the age where information and communication technologies are integral to the processes of many businesses, including healthcare.

Week 15: Telehealth
telehealth
Driving Question: 
How can telehealth support healthcare delivery in the Philippines?

Highlights: I reviewed House Bill 4199 or the Telehealth Act of 2014 for this assignment. After reading the very comprehensive Data Privacy Act of 2012, I felt that this fell short in terms of comprehensiveness. I think this Act needs a lot of improvement before it can be implemented.

Week 16: mHealth

barriers_to_mobile_healthDriving Question: How can mobile applications be useful in primary care?

Highlights: I think that by the time I did this assignment, I was more or less convinced that my niche in health informatics is more of helping out the private sector, particularly the corporate world. While the general public, especially the underserved and the underprivileged need to be attended to, a population that also needs attention are the workers, especially those in the BPO or in similar industries. They present with unique health challenges, and this is what I would like to explore more in the future.

It was an incredible journey, indeed. I hope my blogs were informative enough. If you are medical student or an allied medical professional and you’re reading this, I hope I convinced you enough to give this field a shot. We need more like us!

As always, comments and questions are very much welcome. Leave them in the box below.

XO,
Eve

Advertisements

mHealth – How Can It Enhance Delivery of Care?

It’s the last blog (before the final paper)! *Does a happy dance.* For this final assignment, we will be talking about mobile applications. The question we were asked was…

“How can mobile applications be useful in primary care?”

We were tasked to propose an app idea for a primary health care scenario, and the app must not duplicate any application already available in the market.

Primary care, as defined by the American Academy of Family Physicians (n.d.), is “that care provided by physicians specifically trained for and skilled in comprehensive first contact and continuing care for persons with any undiagnosed sign, symptom, or health concern not limited by problem origin, organ system, or diagnosis. [It] includes health promotion, disease prevention, health maintenance, counseling, patient education, diagnosis and treatment of acute and chronic illnesses in a variety of health care settings (e.g., office, inpatient, critical care, long-term care, home care, day care, etc.).”

Mobile health or mHealth, on the other hand, is the use of mobile technology applications for healthcare (Qiang, et. al, 2012). It is a new and developing field with lots of untapped potential. The use of mobile phones has significantly skyrocketed starting the 2000s. Currently, there is an estimated 4.77 billion mobile phone users in the world (Statista, n.d.). Mobile phones have evolved from simply being a handy telephone to a more sophisticated device that can function similar to computers. It has allowed people easier access not only to their family, friends, or network of people but it has also afforded access to information that previously would have taken much effort to gather. It has shrunk the world (in a good way), and now information is at our fingertips.

How, then, can mobile phones improve the delivery of primary health care? For one, it has facilitated easier communication between healthcare professionals and patients. There are now more options on how to communicate, from email to call to messages. There are even applications on smartphones that allow free video calls, voice calls, or messages as long asscreen-shot-2016-12-11-at-3-10-46-pm a person has an internet connection. Many models of mobile phones are likewise equipped with cameras, which can be useful for documenting external conditions (e.g. skin problems). The messages can also be readily shared via several means. Aside from traditional uses, many applications have already been developed to aid in the collection and processing of health information. For example, iPhones have a built-in health app that could collect and monitor several health data. Data collection and analysis can be further enhanced by connecting it to other applications that supports the Apple Health App. These types of applications help in empowering patients to be more in charge of their health. On the other hand, healthcare professionals also benefit significantly from the use of mobile phones in healthcare. The same way patients gain increased access to information, so do the doctors. Knowledge from various sources like journals, clinical practice guidelines, etc. are now easier to get a hold of. Thousands of apps which enhance patient care are also present in the market. The CDC, for example, has applications on STDs, vaccination, and travel medicine which can help a healthcare professional make evidence-based decisions. Another advantage of mHealth is that it can reduce the cost of healthcare. By screen-shot-2016-12-11-at-8-11-06-pmimproving means of communication between HCP and patient, personal or face-to-face consultations can be reduced. A patient who needs monitoring may no longer need to be seen personally at frequent intervals if the monitoring can be done remotely. Continuity of care can also be enhanced by mHealth, because coordination of efforts among different providers can be done with mHealth. Better record-keeping is also made possible with mHealth, an advantage that is common with electronic processing systems. There are several other advantages of mHealth but the bottomline is better access and better delivery of health.


Like electronic medical records (EMRs) and electronic health records (EHRs), however, there are still many challenges when it comes to the use of mHealth. Since mHealth is a relatively young field, there are limited studies on their efficiency. Privacy issues are also present. Accountability and ownership of data is also an issue, especially since unlike EMRs and EHRs, mHealth is more accessible to patients. Standards and interoperability issues are also present, since mobile applications are not always interoperable and there are few standards on their creation and use. Nonetheless, there is much promise in this rapidly growing field. mHealth has much potential in terms of further improving the access and delivery to healthcare.

If I were to create an application for primary healthcare, I would develop something for my company’s use. I think that one of the best things about my company is the value we put on the health and safety of our employees. Aside from the primary care I deliver (with the clinic consultations), various health and wellness programs are in place that are either global initiatives or local initiatives. From what I know, developing an app for the company was already considered previously. However, it hasn’t been realized due to several concerns, particularly privacy and security of data that crosses transnational borders. But if I were to design the app and it would focus on health, it would have the following features:

  • Contains all medical and wellness offerings
    • Clinic
      • Option to schedule a consultation with available doctors (there are currently 3 in the company)
      • Option to schedule laboratory testing (since this is a service we can offer where employees can have some laboratory tests done in our own clinic)
    • Periodic medical examination (separate for employees and expatriates)
      • Schedules
      • Partner clinics
      • Guidelines
      • Results – to be reflected in app once they are available
    • Employee assistance program
      • Description/details of this employee benefit
      • Information on how to get in touch with the counselors
    • Vaccination
      • Calendar of vaccine offerings for the year
      • Information about the vaccines (locally adapted version of the Vaccine Information Statement from the CDC)
      • Guidelines – on how to sign-up, price, etc.
    • Wellness offerings
      • A calendar of activities to give an overview of the offerings
      • Description of the offerings, including the vendor or service provider we partnered with for the wellness offering
      • Sign-up option for activities
  • Feedback
    • Employees should be able to give feedback on the offerings clinic services and wellness offerings, as well as have the option to suggest activities which they would want us to offer

The idea is that the application will integrate all the services of the health and medical team, from the clinic services to all other health and wellness offerings. The mobile app should make it easier for employees to avail of the services, and more importantly to participate in health and wellness offerings. Features like notifications for new activities, sign-up options,  or reminders for due vaccinations will be part of the app. Ideally, the app should also be integrated to the EMR that we are currently using so that there are programs we can tailor fit to employees. For example, patients who are overweight may be targeted for our weight-loss initiatives, from learning sessions to gym memberships to in-house weight management activities. We also have a corporate program that include reporting of stress, and employees who scored high on those could be target for the stress-related initiatives that we have. The application should be able to generate reports, which we can then use to help evaluate how effective our activities are and give us an idea of the overall health of our employees. 

That is it for the last blog and assignment! What do you think? If you are working in a company, is the type of application I’m proposing (of course it has to be catered with what your company offers) attractive to you? Is it something that you’d use? As always, let me know in the comments below!

XO,
Eve


References

Telehealth – How Can It Change the Landscape of Health Care Delivery in the Philippines?

It’s the second to the last blog before the end of the semester. This week’s topic is all about telehealth. The question we were asked was…

How can telehealth support healthcare delivery in the Philippines?

To help answer this question, we were tasked to read and evaluate the Telehealth Act of 2014, and to suggest revisions, if any.

Telehealth, according to the Center for Connected Health Policy (n.d.) is “a collection of means or methods for enhancing health care, public health, and health education delivery and support using telecommunications technologies.” It is not a specific service but a term that describes the variety of technology and tactics to deliver virtual medical, health, and education services.

The practice of the use of telehealth services is more common in developed countries such as the US. In the Philippines, however, it is not as popular. Quite frankly, I finished nursing school and medical school without encountering a lecture on what it is and how it can be applied to our setting.

The Philippines is an archipelago composed of more than 7,600 islands. Our geography, while it has blessed us with incredible sights and natural wonders, has also made it more difficult for healthcare to be accessed and delivered. It is the same geography that constitutes the physical factors that characterize geographically isolated and disadvantaged areas or GIDAs. GIDAs are communities with marginalized population that are physically and socio-economically separated from mainstream society. They physical factors are mainly to geography and also includes difficult access due to weather conditions. Socio-economic factors, on the other hand, include high poverty incidence, presence of vulnerable sector, communities in or recovering from situation of crisis or armed conflict (Department of Health, n.d.).

With telehealth, the population that could potentially most benefit are those residing in GIDAs. The idea is that since they have difficulty access to healthcare, healthcare will be brought to them. This is one of the objectives of the Telehealth Act of 2014.

House Bill No. 4199, also known as the Telehealth Act of 2014, declares that “the State shall protect and promote right to health of the people and instill health consciousness among them. Henceforth, it is the intent of the Legislature to recognize the practice of telehealth as a legitimate means by which an individual may receive health care services from a health care provider without in-person contact with health provider. Telehealth or Telemedicine shall not be construed to alter the scope of practice of medicine or any health care provider or authorize delivery of health care services in a setting or in a manner not otherwise authorized by law.”

Aside from the objective I mentioned above, other objectives of this Bill are to reduce the costs, set standards and establish regulations regarding the field, and strengthen the health system and infrastructure.

There are 20 sections to this Act. I have chosen the following to evaluate.

Section 9. Database. – All telehealth center and originating sites shall coordinate with DOH for consolidation of pertinent databases. DOH shall maintain and manage a national database for consults on clinical cases as well as health and medical education exchanges. Considering how important documentation is especially for something like this, I feel as if this section is severely lacking.

Having read the comprehensive IRR of the Data Privacy Act of 2012 in the previous blog, this, to me, needs further details. At the very least, the basic contents of the database should be enumerated. I would like to know if there are other types of data that should be gathered/documented when a consultation is done via telehealth.

Section 16. Standard of care. – The standard of care is the same as regardless whether a health care provider provides health care services in person or by telemedicine. Telehealth or telemedicine shall not be construed to alter the scope of practice of medicine or any health care provider or authorize the delivery of health care services in a setting, or in a manner, not otherwise authorized by law. Telehealth shall not replace health care providers or relegate them less important role in the delivery of health care. The fundamental health care provider-patient can not only be preserved, but also augmented and enhanced. While I agree that the standard of care should be the same whether the consult is done in person or via telehealth, I think the Bill fails to capture the limitations on this type of service. Granted that the scope of medicine (or allied medical services) will not change in terms of what a doctor can do, it should also acknowledge that that the things a doctor cannot do. There  is a science to the practice of medicine (and other disciplines) that simply cannot be done via a video call or similar means. Section 5. Scope can be elaborated further to include limitations. Or limitations could be in a whole new section together, and in that section include what can and cannot be penalized. The way I see this Bill so far is that it is not healthcare provider-friendly. The providers are not protected the same way the patients are.

Overall, a good portion of the Bill, in my opinion, needs further refinement apart from the 2 sections I stated above. But the fact that it exists is promising, as this legitimizes the practice of telehealth (or telemedicine). This field will open up a lot of opportunities especially for patients and will help in positively changing the landscape of healthcare delivery to the Filipinos.

Have you read the Telehealth Act of 2014? What do you think? How open are you to the idea of using telehealth services? How do you think will that impact the way we practice medicine in the Philippines? Let me know in the comments below.

XO,
Eve


References

Data Privacy Act of 2012 – Is It Enough To Protect the Health Information of the Filipinos?

The countdown begins. Three more blogs to go before this semester closes. So for the 2nd to the last blog assignment (before the final paper/blog), we were asked this question…

Is the Data Privacy Act adequate to protect confidential health information?

There was supposed to be a debate about this. Due to lack of time, however, we were unable to conduct one. Nevertheless, let us discuss this latest law on data privacy.

In my previous blog, privacy was defined by Merriam-Webster (n.d) as “freedom from unauthorized intrusion.” As a constitutional right, it refers to “to make certain crucial decisions regarding their well-being without government coercion, intimidation, or interference (West’s Encyclopedia of American Law, 2008),” and is declared under Section 3 of the Bill of Rights in the 1987 Constitution (Official Gazette, n.d.), where it states that “the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.”

The latest law implemented relating to privacy is Republic Act (RA) 10173, otherwise known as the Data Privacy Act of 2012. Its implementing rules and regulations were promulgated last August 24, 2016. Under Section 2. Declaration of Policy, it states that “it is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (Official Gazette, 2012).”

Since we want to evaluate this law in terms of its adequacy in terms of protecting confidential health information, below are some definitions based on the RA.

  • Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Sensitive personal information refers to personal information:
    • (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
    • (3) Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns

The Act encompasses to processing of all types of personal information; hence, it protects the processing of health information. However, I wanted to see if there were specific clauses related to health. They are as follows.

  • SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
    • (d) The processing is necessary to protect vitally important interests of the data subject, including life and health
    • (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
  • SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
    • (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing
    • (e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured

Since health information are classified under sensitive personal information, all clauses in this Act are applicable to a Filipino patient’s health information, even if there specific clauses related to health are only in Sections 12 and 13.

I have read the both the Act (read it’s entirety here) and the IRR (read its entirety here), and I think that it is sufficient to safeguard the health information of the Filipino people.

I’d like to emphasize the Rule VIII. Rights of Data Subjects. It enumerated several rights of the data subject under it, including: right to be informed, right to object, right to access, right to correct, and right to rectification, erasure or blocking. I believe that these in particular, especially when applied to health information, will highly empower the patients because it explicitly states their rights on what can and cannot be done for their health information.

Now that we are shifting towards the use of technology for the delivery of health, it appears as if there are more threats to the privacy and confidentiality of patients. With the use of electronic medical records, for example, health information is now more accessible not just to patients but to a whole new group of people (ex. developers of the software, administrators, other clinic staff) who would not have had the same access if we were still using paper charts. In the Act, Section 47. Registration of Personal Data Processing Systems states that “The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.” This is very important because as mentioned above, we are in the era where health technology is on the rise. With registration of systems (especially in major institutions), registration of data processing systems provides an additional layer of protection for the patients since institutions will now be liable to the Commission especially in the event of data breaches. Personal information controllers and processors will be identified and held liable, and the Commission will be able to monitor said institutions or organizations.

While I think that the Act is sufficient, I feel that more specific clauses on processing of health information should have been included and explicitly stated. Categorizing them all under sensitive personal information is not enough. For me, health information requires more special consideration. For example, the right of the data subject (i.e. patient) to correct, rectify, erase or block his/her health data will not be as easily done compared to changing demographic data. Several factors come into play like the professional opinion or assessment of the healthcare personnel who inputted and/or processed the data. Differing opinions from different professionals may also make it appear like the data is inconsistent or false in the eyes of a data subject who may not fully understand his/her health status. In conclusion, I believe this Act can be improved to better fit the rapidly changing health information needs of the Filipino people.

What do you think about this law? How to do think this impact the health landscape in the Philippines? Does it make you feel more secure about your personal information in general, knowing that this Act is now in place? Let me know what you think in the comments below.

XO,
Eve


References

Privacy and Confidentiality – What Policies Are In Place?

We are nearing the end of the semester. For this blog, I am going to talk about privacy and confidentiality. The driving question we were asked was:

What policies are in place to protect the Filipino patient’s privacy and confidentiality of health information?

Additionally, we were tasked to pick a hospital evaluate their document on privacy and confidentiality, if they had any.

As always, let’s define a couple of things first.

Merriam-Webster (n.d) defines privacy as “freedom from unauthorized intrusion.” As a constitutional right, it refers to “to make certain crucial decisions regarding their well-being without government coercion, intimidation, or interference (West’s Encyclopedia of American Law, 2008).”

Confidentiality, on the other hand, is defined as the “nondisclosure of information except to another person” (Mosby’s Medical Dictionary, 2009). In healthcare, it is often referred to the “principle in medical ethics that the information a patient reveals toa  health care provider is private and has limits on how and when it can be disclosed to a third party” (Dorland’s Medical Dictionary for Health Consumers, 2007).

In the Philippines, there are several policies in place which protects the Filipino patient’s privacy and confidentiality. Under the Bill of Rights in the 1987 Constitution (Official Gazette, n.d.), the right to privacy is declared under Section 3, where it states that “the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.” There are additional laws that expound on and further protect this right, specific to privacy and confidentiality of health-related information. The table below is adapted from the paper of Antonio, Patdu and Marcelo (2013) on Health Information Privacy in the Philippines: Trends and Challenges in Privacy and Practice. It includes excerpts on the statutes and rules of court and administrative rules pertaining to the patient’s right to privacy in relation to the healthcare system.

The Medical Act of 1959

Republic Act No. 2382

(June 20, 1959)

Section 24. Grounds for reprimand, suspension or revocation of registration certificate. Any of the following shall be sufficient ground for reprimanding a physician, or for suspending or revoking a certificate of registration as physician:

(12) Violation of any provision of the Code of Ethics as approved by the Philippine Medical Association.

Philippine AIDS Prevention and Control Act of 1998

Republic Act No. 8504

(February 13,1998)

Section 2. (b) (1) The State shall extend to every person suspected or known to be infected with HIV/AIDS full protection of his/her human rights and civil liberties. Towards this end, the right of privacy of individuals with HIV shall be guaranteed.

Section 3. (n) Medical Confidentiality – refers to the relationship of trust and confidence created or existing between a patient or a person with HIV and his attending physician, consulting medical specialist, nurse, medical technologist and all other health workers or personnel involved in any counselling, testing or professional care of the former; it also applies to any person who, in any official capacity, has acquired or may have acquired such confidential information

Section 30, Article VI: Medical Confidentiality. – All health professionals, medical instructors, workers, employers,recruitment agencies, insurance companies, data encoders, and other custodians of any medical record, file, data, or test results are directed to strictly observe confidentiality in the handling of all medical information, particularly the identity and status of persons with HIV.

Section 31, Article VI: Exceptions to the Mandate of Confidentiality

Medical confidentiality shall not be considered breached in the following cases:

(a) when complying with reportorial requirements in conjunction with the AIDSWATCH programs provided in Section 27 of this Act;

(b) when informing other health workers directly involved or about to be involved in the treatment or care of a person with HIV/AIDS: Provided, That such treatment or care carry the risk of HIV transmission: Provided, further, That such workers shall be obliged to maintain the shared medical confidentiality;

(c) when responding to a subpoena duces tecum and subpoena ad testificandum issued by a Court with jurisdiction over a legal proceeding where the main issue is the HIV status of an individual: Provided, That the confidential medical record shall be properly sealed by its lawful custodian after being double-checked for accuracy by the head of the office or department, hand delivered and personally opened by the judge: Provided, further, That the judicial proceedings be held in executive session.

Comprehensive

Dangerous Drugs Act of 2002

Republic Act No. 9165

(June 7, 2002)

Section 36. Authorized Drug Testing. The following shall be subjected to undergo drug testing:

(a) Applicants for driver’s license.

(b) Applicants for firearm’s license and for permit to carry firearms outside of residence.

(c) Students of secondary and tertiary schools.

(d) Officers and employees of public and private offices.

(e) Officers and members of the military, police and other law enforcement agencies.

(f) All persons charged before the prosecutor’s office with a criminal offense having an imposable penalty of imprisonment of not less than six (6) years and one (1) day shall have to undergo a mandatory drug test; and

(g) All candidates for public office whether appointed or elected both in the national or local government shall undergo a mandatory drug test.

Section 40. Records Required for Transactions on Dangerous Drug and Precursors and Essential Chemicals.

(a) Every pharmacist dealing in dangerous drugs and/or controlled precursors and essential chemicals shall maintain and keep an original record of sales, purchases, acquisitions and deliveries of dangerous drugs,

Section 60. Confidentiality of Records Under the Voluntary Submission Program. – Judicial and medical records of drug dependents under the voluntary submission program shall be confidential and shall not be used against him for any purpose, except to determine how many times, by himself/herself or through his/her parent, spouse, guardian or relative within the fourth degree of consanguinity or affinity, he/she voluntarily submitted himself/herself for confinement,treatment and rehabilitation or has been committed to a Center under this program.

Section 64. Confidentiality of Records Under the Compulsory Submission Program. – The records of a drug dependent who was rehabilitated and discharged from the Center under the compulsory submission program, or who was charged for violation of Section 15 of this Act, shall be covered by Section 60 of this Act. However, the records of a drug dependent who was not rehabilitated, or who escaped but did not surrender himself/herself within the prescribed period, shall be forwarded to the court and their use shall be determined by the court, taking into consideration public interest and the welfare of the drug dependent.

Anti-Violence Against Women and Their Children Act of 2004 Republic Act No. 9262

(March 8, 2004)

Section 44. Confidentiality. – All records pertaining to cases of violence against women and their children including those in the barangay shall be confidential and all public officers and employees and public or private clinics to hospitals shall respect the right to privacy of the victim.
Revised Rules of Evidence, Rules of Court

(March 14, 1989)

Section 24 (c), Rule 128: Disqualification by reason of privileged communication. The following persons cannot testify as to matters learned in confidence in the following cases: A person authorized to practice medicine, surgery or obstetrics cannot in a civil case, without the consent of the patient, be examined as to any advice or treatment given by him or any information which he may have acquired in attending such patient in a professional capacity, which information was necessary to enable him to act in capacity, and which would blacken the reputation of the patient.
Department of Health Guidelines in the Planning and Design of a Hospital and other Health Facilities (2004) Auditory and Visual Privacy

A hospital and other health facilities shall observe acceptable sound level and adequate visual seclusion to achieve the acoustical and privacy requirements in designated areas allowing the unhampered conduct of activities.

Philippine Health Insurance Corporation Benchbook Self-Assessment and Accreditation Process Manual 3.b.1 Standard: The organization documents and follows policies and procedures for addressing patients’ needs for confidentiality, privacy, security, religious counseling and communication.

Criteria: The hospital systematically determines, monitors and improves the extent to which patients’ needs for confidentiality, privacy, security, counseling and communication are addressed.

1.5.b.1 Standard: The organization’s personnel discharge their functions according to codes of ethical behavior and other relevant professional and statutory standards.

Criteria: The organization identifies and monitors personnel compliance with the code of ethics relevant to their respective disciplines.

Note: Some clauses were edited for length. Violations for the policies were no longer included in the text.

Aside from the laws stated above, we also have the Data Privacy Act of 2012. Under Section 2. Declaration of Policy, it states that “It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (Official Gazette, 2012).” Its implementing rules and regulations were released in August 2016, and there are clauses there that also pertain to privacy of health information. This Act will be discussed further in the next blog.

Now that we are aware of some of the policies that are in place to protect the Filipino patient’s privacy and confidentiality of health information, let us proceed to answering the task.

Unfortunately, I was not able to secure a privacy and confidentiality document from a hospital. However, since I am currently working as a medical officer, I have decided to review our privacy policy of our company.

There are several policies in place which aim to protect the privacy of the employees. Although there is no dedicated policy for health information except for the confidentiality and NDA for the electronic medical record (see below), the existing policies already include them.

To start, the company has defined personal data as “information that can directly or indirectly identify an individual, including employees, contractors, directors, shareholders, customers and anyone else with whom [the company] does business.” Sensitive personal data (SPD), on the other hand, is defined as a subset of Personal Data that has the potential of causing harm to an individual and therefore requires heightened protection and care. SPD should only be collected or handled when there is a specific legal, regulatory, or compelling business requirement and may require registration with local Data Processing authorities. SPD requires heightened security, and it should only be collected or processed when there is a specific legal, regulatory, or compelling business requirement.” Data collected for medical purposes (ex. pre-employment/periodic medical exams, consultations, etc.) are classified under sensitive personal data.  

Before discussing the policies, let me briefly enumerate 3 of the most important privacy imperatives of the company:

  • Only collect the personal data you need.
  • Only use personal data for the reason it was collected.
  • Don’t share personal data with anyone who doesn’t need it.

Now let us proceed to examples of policies/agreement that relate to information and privacy.

Data Privacy Within the normal course of business operations, the Company collects and processes personal data of individuals with whom the Company has business relationships. These personal data either identify a person or provide characteristics of an identifiable person. The Company respects the sensitivity of personal data; it is corporate policy that personal data be collected, processed, protected, transferred, stored, disclosed and disposed of in accordance with applicable laws and Company approved procedures.

It is the Company’s policy to:

  • Collect personal data in a legal manner and for specified legitimate business purposes only.
  • Process personal data only as necessary for the specified purposes.
  • Collect and process personal data by lawful and fair means and, where required, with the knowledge or consent of the individual.
  • Keep personal data as accurate and complete as possible for their intended purpose.
  • Permit individuals to review their personal data and to request correction of factual inaccuracies in accordance with and subject to Company standards, procedures and appropriate verification.
  • Secure personal data by reasonable and appropriate information protection safeguards as set forth by corporate policy on Information Protection.
  • Retain personal data in accordance with the corporate policy on Information Retention and when no longer required for the stated purpose or by law, destroy personal data in a manner which protects the confidentiality of the data.
  • Comply with all data privacy laws and regulations applicable to our business operations.
  • Integrate data privacy principles into our business activities, including, as necessary, agreements and arrangements with third parties, Joint Ventures and other companies with whom we have a business relationship.
  • Institute and maintain processes to coordinate enterprise-wide data privacy compliance activities, recognizing that many aspects of data privacy compliance can be implemented only at the local level.
  • Where appropriate, review and comment on proposed data privacy legislation, regulations or policies that may significantly impact our business; cooperate with appropriate government agencies to facilitate timely, reasonable and business-oriented solutions for data privacy issues that may arise.
  • Audit conformity with this policy through a comprehensive compliance program, including self-assessments and internal audits.
Information Protection The information assets of the Company are vital resources. These resources include information in any form, whether acquired or developed by the Company, and any systems that store, process, or transmit information. It is the policy of the Company to ensure the availability, integrity, and confidentiality of these resources in a manner that is consistent with risk and business value. All [company] Corporation employees and contractors have responsibility for properly protecting these resources.

It is the Company’s policy to:

  • Comply with all information protection laws and regulations.
  • Integrate information protection principles into every aspect of its business activities, including the structure of agreements and business arrangements with its Joint Venture, Alliance, and third party relationships.
  • Take cost-effective measures to ensure the availability, integrity, and confidentiality of Company information assets, considering current, as well as emerging, business needs and technology.
  • Ensure that processes are in place to manage enterprise-wide information protection issues, recognizing that some aspects of information protection can only be addressed at the Reporting Unit level.
  • Comply with established standards, follow good safeguarding practices and guidelines, and apply principles of risk assessment to ensure that Company information protection activities are conducted responsibly.
  • Participate in the formulation of information protection legislation, regulation, or policy issues that may significantly impact our business. Work actively with the appropriate governmental agencies to ensure timely, reasonable, and cost-effective solutions for issues wherever possible.
  • Ensure conformity with this policy through a comprehensive compliance program, including a self-assessment process.
Information Retention It is the Company’s policy to retain information for the minimum period necessary to:

  • Satisfy the Company’s operating requirements
  • Substantiate the Company’s holdings
  • Protect the Company’s interest in asserting and defending claims and lawsuits
  • Assure compliance with the retention requirements of applicable Government, Federal, State, and local laws and regulations

If a document or other form of information does not satisfy any one of these criteria, then it is not a Company “Record” and is not subject to retention and should not be retained.

Confidentiality and Non- Disclosure Agreement You are about to access patients’ protected health information (PHI). The system should only be accessed by authorized users. By logging in and accessing PHI, you acknowledge that you are doing so in accordance with HIPAA and your organization’s policies and procedures. Access is monitored and you will be held accountable for any activity on your login.

Organizational information may include, but is not limited to, financial, patient identifiable, employee identifiable, intellectual property, financially non-public, contractual, of a competitive advantage nature, and from any source or in any form (i.e. paper, magnetic or optical media, conversations, film, etc.), may be considered confidential. Information’s confidentiality and integrity are to be preserved and its availability maintained. The value and sensitivity of information is protected by law and by the strict policies of your organization. The intent of these laws and policies are to assure the confidential information will remain confidential through its use, only as a necessity to accomplish your organization’s mission.

While the first 3 are general policies for privacy, they are the same rules that my team and I follow when it comes to handling health data, and are also the same guidelines all health care professionals in our counterparts in other countries are using. Although not comprehensive, it makes it clear to us how to collect, process, store and destroy health data that we encounter. We also ensure to comply with local policies/guidelines set forth by the Department of Health (ex. policies on data retention and destruction). The general rule is that local laws supersede those of the company’s. In addition, since we are a private company, we have partner service providers/institutions that handle our employee’s health data. Examples are clinics where the employee’s perform their annual physical examinations. While we do not have direct control over how they handle data, we ensure that we do regular audits on said providers. We assess and verify if they are compliant with Philippine and company standards when it comes to managing health data. If they fail the audit, we discontinue our partnership with them.

As for the last example in the table above, it is the only guideline that is specific to the protection of health data. The agreement is posted at the login page of the electronic medical record. There was mention of the Health Insurance Portability and Accountability Act or HIPAA since our EMR was developed in the United States. The “policies of your organization” it was referring to are the first 3 policies that I have already discussed above.

The company policies, even though they are general policies on privacy and information, are acceptable in terms of safeguarding the privacy and confidentiality of health information of the employees. By following additional international and local policies on health, our practices on privacy and confidentiality are strengthened. I feel that considering our company’s primary business is not the delivery of healthcare, our operations in terms of health data privacy and confidentiality are comparable to those hospitals and clinics with the best standards of care.

Comments, as always, are welcome. Let me know your thoughts!

XO,
Eve


References: