We are nearing the end of the semester. For this blog, I am going to talk about privacy and confidentiality. The driving question we were asked was:
What policies are in place to protect the Filipino patient’s privacy and confidentiality of health information?
Additionally, we were tasked to pick a hospital and evaluate their document on privacy and confidentiality, if they had any.
As always, let’s define a couple of things first.
Merriam-Webster (n.d.) defines privacy as “freedom from unauthorized intrusion.” As a constitutional right, it refers to the right of individuals “to make certain crucial decisions regarding their well-being without government coercion, intimidation, or interference” (West’s Encyclopedia of American Law, 2008).
Confidentiality, on the other hand, is defined as the “nondisclosure of information except to another person” (Mosby’s Medical Dictionary, 2009). In healthcare, it often refers to the “principle in medical ethics that the information a patient reveals to a health care provider is private and has limits on how and when it can be disclosed to a third party” (Dorland’s Medical Dictionary for Health Consumers, 2007).
In the Philippines, there are several policies in place which protect the Filipino patient’s privacy and confidentiality. Under the Bill of Rights in the 1987 Constitution (Official Gazette, n.d.), the right to privacy is declared under Section 3, where it states that “the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.” There are additional laws that expound on and further protect this right, specific to privacy and confidentiality of health-related information. The table below is adapted from the paper of Antonio, Patdu and Marcelo (2013) on Health Information Privacy in the Philippines: Trends and Challenges in Privacy and Practice. It includes excerpts from the statutes, rules of court and administrative rules pertaining to the patient’s right to privacy in relation to the healthcare system.
The Medical Act of 1959 (Republic Act No. 2382, June 20, 1959)
Section 24. Grounds for reprimand, suspension or revocation of registration certificate. Any of the following shall be sufficient ground for reprimanding a physician, or for suspending or revoking a certificate of registration as physician:
(12) Violation of any provision of the Code of Ethics as approved by the Philippine Medical Association.

Philippine AIDS Prevention and Control Act of 1998 (Republic Act No. 8504)
Section 2. (b) (1) The State shall extend to every person suspected or known to be infected with HIV/AIDS full protection of his/her human rights and civil liberties. Towards this end, the right of privacy of individuals with HIV shall be guaranteed.
Section 3. (n) Medical Confidentiality – refers to the relationship of trust and confidence created or existing between a patient or a person with HIV and his attending physician, consulting medical specialist, nurse, medical technologist and all other health workers or personnel involved in any counselling, testing or professional care of the former; it also applies to any person who, in any official capacity, has acquired or may have acquired such confidential information.
Section 30, Article VI: Medical Confidentiality. – All health professionals, medical instructors, workers, employers, recruitment agencies, insurance companies, data encoders, and other custodians of any medical record, file, data, or test results are directed to strictly observe confidentiality in the handling of all medical information, particularly the identity and status of persons with HIV.
Section 31, Article VI: Exceptions to the Mandate of Confidentiality
Medical confidentiality shall not be considered breached in the following cases:
(a) when complying with reportorial requirements in conjunction with the AIDSWATCH programs provided in Section 27 of this Act;
(b) when informing other health workers directly involved or about to be involved in the treatment or care of a person with HIV/AIDS: Provided, That such treatment or care carry the risk of HIV transmission: Provided, further, That such workers shall be obliged to maintain the shared medical confidentiality;
(c) when responding to a subpoena duces tecum and subpoena ad testificandum issued by a Court with jurisdiction over a legal proceeding where the main issue is the HIV status of an individual: Provided, That the confidential medical record shall be properly sealed by its lawful custodian after being double-checked for accuracy by the head of the office or department, hand delivered and personally opened by the judge: Provided, further, That the judicial proceedings be held in executive session.

Dangerous Drugs Act of 2002 (Republic Act No. 9165, June 7, 2002)
Section 36. Authorized Drug Testing. The following shall be subjected to undergo drug testing:
(a) Applicants for driver’s license.
(b) Applicants for firearm’s license and for permit to carry firearms outside of residence.
(c) Students of secondary and tertiary schools.
(d) Officers and employees of public and private offices.
(e) Officers and members of the military, police and other law enforcement agencies.
(f) All persons charged before the prosecutor’s office with a criminal offense having an imposable penalty of imprisonment of not less than six (6) years and one (1) day shall have to undergo a mandatory drug test; and
(g) All candidates for public office whether appointed or elected both in the national or local government shall undergo a mandatory drug test.
Section 40. Records Required for Transactions on Dangerous Drug and Precursors and Essential Chemicals.
(a) Every pharmacist dealing in dangerous drugs and/or controlled precursors and essential chemicals shall maintain and keep an original record of sales, purchases, acquisitions and deliveries of dangerous drugs,
Section 60. Confidentiality of Records Under the Voluntary Submission Program. – Judicial and medical records of drug dependents under the voluntary submission program shall be confidential and shall not be used against him for any purpose, except to determine how many times, by himself/herself or through his/her parent, spouse, guardian or relative within the fourth degree of consanguinity or affinity, he/she voluntarily submitted himself/herself for confinement, treatment and rehabilitation or has been committed to a Center under this program.
Section 64. Confidentiality of Records Under the Compulsory Submission Program. – The records of a drug dependent who was rehabilitated and discharged from the Center under the compulsory submission program, or who was charged for violation of Section 15 of this Act, shall be covered by Section 60 of this Act. However, the records of a drug dependent who was not rehabilitated, or who escaped but did not surrender himself/herself within the prescribed period, shall be forwarded to the court and their use shall be determined by the court, taking into consideration public interest and the welfare of the drug dependent.

Anti-Violence Against Women and Their Children Act of 2004 (Republic Act No. 9262, March 8, 2004)
Section 44. Confidentiality. – All records pertaining to cases of violence against women and their children including those in the barangay shall be confidential and all public officers and employees and public or private clinics to hospitals shall respect the right to privacy of the victim.

Revised Rules of Evidence, Rules of Court (March 14, 1989)
Section 24 (c), Rule 128: Disqualification by reason of privileged communication. The following persons cannot testify as to matters learned in confidence in the following cases: A person authorized to practice medicine, surgery or obstetrics cannot in a civil case, without the consent of the patient, be examined as to any advice or treatment given by him or any information which he may have acquired in attending such patient in a professional capacity, which information was necessary to enable him to act in that capacity, and which would blacken the reputation of the patient.

Department of Health Guidelines in the Planning and Design of a Hospital and other Health Facilities (2004)
Auditory and Visual Privacy
A hospital and other health facilities shall observe acceptable sound level and adequate visual seclusion to achieve the acoustical and privacy requirements in designated areas allowing the unhampered conduct of activities.

Philippine Health Insurance Corporation Benchbook Self-Assessment and Accreditation Process Manual
3.b.1 Standard: The organization documents and follows policies and procedures for addressing patients’ needs for confidentiality, privacy, security, religious counseling and communication.
Criteria: The hospital systematically determines, monitors and improves the extent to which patients’ needs for confidentiality, privacy, security, counseling and communication are addressed.
1.5.b.1 Standard: The organization’s personnel discharge their functions according to codes of ethical behavior and other relevant professional and statutory standards.
Criteria: The organization identifies and monitors personnel compliance with the code of ethics relevant to their respective disciplines.
Note: Some clauses were edited for length. Provisions on violations of these policies were not included in the excerpts.
Aside from the laws stated above, we also have the Data Privacy Act of 2012. Under Section 2 (Declaration of Policy), it states that “It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (Official Gazette, 2012).” Its implementing rules and regulations were released in August 2016, and some of its clauses also pertain to the privacy of health information. This Act will be discussed further in the next blog.
Now that we are aware of some of the policies that are in place to protect the Filipino patient’s privacy and confidentiality of health information, let us proceed to answering the task.
There are several policies in place which aim to protect the privacy of the employees. Although there is no dedicated policy for health information except for the confidentiality and non-disclosure agreement for the electronic medical record (see below), the existing policies already cover it.
To start, the company has defined personal data as “information that can directly or indirectly identify an individual, including employees, contractors, directors, shareholders, customers and anyone else with whom [the company] does business.” Sensitive personal data (SPD), on the other hand, is defined as “a subset of Personal Data that has the potential of causing harm to an individual and therefore requires heightened protection and care. SPD should only be collected or handled when there is a specific legal, regulatory, or compelling business requirement and may require registration with local Data Processing authorities. SPD requires heightened security, and it should only be collected or processed when there is a specific legal, regulatory, or compelling business requirement.” Data collected for medical purposes (e.g. pre-employment/periodic medical exams, consultations, etc.) is classified under sensitive personal data.
Before discussing the policies, let me briefly enumerate 3 of the most important privacy imperatives of the company:
- Only collect the personal data you need.
- Only use personal data for the reason it was collected.
- Don’t share personal data with anyone who doesn’t need it.
Now let us proceed to examples of policies and agreements that relate to information and privacy.
Within the normal course of business operations, the Company collects and processes personal data of individuals with whom the Company has business relationships. These personal data either identify a person or provide characteristics of an identifiable person. The Company respects the sensitivity of personal data; it is corporate policy that personal data be collected, processed, protected, transferred, stored, disclosed and disposed of in accordance with applicable laws and Company approved procedures.
It is the Company’s policy to:
- Collect personal data in a legal manner and for specified legitimate business purposes only.
- Process personal data only as necessary for the specified purposes.
- Collect and process personal data by lawful and fair means and, where required, with the knowledge or consent of the individual.
- Keep personal data as accurate and complete as possible for their intended purpose.
- Permit individuals to review their personal data and to request correction of factual inaccuracies in accordance with and subject to Company standards, procedures and appropriate verification.
- Secure personal data by reasonable and appropriate information protection safeguards as set forth by corporate policy on Information Protection.
- Retain personal data in accordance with the corporate policy on Information Retention and when no longer required for the stated purpose or by law, destroy personal data in a manner which protects the confidentiality of the data.
- Comply with all data privacy laws and regulations applicable to our business operations.
- Integrate data privacy principles into our business activities, including, as necessary, agreements and arrangements with third parties, Joint Ventures and other companies with whom we have a business relationship.
- Institute and maintain processes to coordinate enterprise-wide data privacy compliance activities, recognizing that many aspects of data privacy compliance can be implemented only at the local level.
- Where appropriate, review and comment on proposed data privacy legislation, regulations or policies that may significantly impact our business; cooperate with appropriate government agencies to facilitate timely, reasonable and business-oriented solutions for data privacy issues that may arise.
- Audit conformity with this policy through a comprehensive compliance program, including self-assessments and internal audits.
The information assets of the Company are vital resources. These resources include information in any form, whether acquired or developed by the Company, and any systems that store, process, or transmit information. It is the policy of the Company to ensure the availability, integrity, and confidentiality of these resources in a manner that is consistent with risk and business value. All [company] Corporation employees and contractors have responsibility for properly protecting these resources.
It is the Company’s policy to:
- Comply with all information protection laws and regulations.
- Integrate information protection principles into every aspect of its business activities, including the structure of agreements and business arrangements with its Joint Venture, Alliance, and third party relationships.
- Take cost-effective measures to ensure the availability, integrity, and confidentiality of Company information assets, considering current, as well as emerging, business needs and technology.
- Ensure that processes are in place to manage enterprise-wide information protection issues, recognizing that some aspects of information protection can only be addressed at the Reporting Unit level.
- Comply with established standards, follow good safeguarding practices and guidelines, and apply principles of risk assessment to ensure that Company information protection activities are conducted responsibly.
- Participate in the formulation of information protection legislation, regulation, or policy issues that may significantly impact our business. Work actively with the appropriate governmental agencies to ensure timely, reasonable, and cost-effective solutions for issues wherever possible.
- Ensure conformity with this policy through a comprehensive compliance program, including a self-assessment process.
It is the Company’s policy to retain information for the minimum period necessary to:
- Satisfy the Company’s operating requirements
- Substantiate the Company’s holdings
- Protect the Company’s interest in asserting and defending claims and lawsuits
- Assure compliance with the retention requirements of applicable Government, Federal, State, and local laws and regulations
If a document or other form of information does not satisfy any one of these criteria, then it is not a Company “Record” and is not subject to retention and should not be retained.
Confidentiality and Non-Disclosure Agreement
You are about to access patients’ protected health information (PHI). The system should only be accessed by authorized users. By logging in and accessing PHI, you acknowledge that you are doing so in accordance with HIPAA and your organization’s policies and procedures. Access is monitored and you will be held accountable for any activity on your login.
Organizational information, which may include, but is not limited to, financial, patient identifiable, employee identifiable, intellectual property, financially non-public, contractual, or competitive-advantage information, from any source or in any form (i.e. paper, magnetic or optical media, conversations, film, etc.), may be considered confidential. Information’s confidentiality and integrity are to be preserved and its availability maintained. The value and sensitivity of information is protected by law and by the strict policies of your organization. The intent of these laws and policies is to assure that confidential information will remain confidential through its use, only as a necessity to accomplish your organization’s mission.
While the first 3 are general policies for privacy, they are the same rules that my team and I follow when it comes to handling health data, and they are also the same guidelines that our health care counterparts in other countries follow. Although not comprehensive, they make it clear to us how to collect, process, store and destroy the health data we encounter. We also ensure compliance with local policies and guidelines set forth by the Department of Health (e.g. policies on data retention and destruction). The general rule is that local laws supersede those of the company. In addition, since we are a private company, we have partner service providers and institutions that handle our employees’ health data. Examples are the clinics where employees undergo their annual physical examinations. While we do not have direct control over how they handle data, we audit said providers regularly. We assess and verify whether they are compliant with Philippine and company standards when it comes to managing health data. If they fail the audit, we discontinue our partnership with them.
As for the last example in the table above, it is the only guideline that is specific to the protection of health data. The agreement is posted on the login page of the electronic medical record. HIPAA (the Health Insurance Portability and Accountability Act) is mentioned because our EMR was developed in the United States. The “policies of your organization” it refers to are the first 3 policies I discussed above.
The company policies, even though they are general policies on privacy and information, are acceptable in terms of safeguarding the privacy and confidentiality of the employees’ health information. By following additional international and local policies on health, our practices on privacy and confidentiality are strengthened. I feel that, considering our company’s primary business is not the delivery of healthcare, our operations in terms of health data privacy and confidentiality are comparable to those of hospitals and clinics with the best standards of care.
Comments, as always, are welcome. Let me know your thoughts!