Ahead of PHIE, Private Hospitals Complying with Data Privacy Act

With the upcoming implementation of the Philippine Health Information Exchange (PHIE), private hospitals have committed to comply with the Data Privacy Act (DPA) of 2012 and are implementing data protection measures in their data processing systems to protect the sensitive personal information of their patients. This was revealed at the first general assembly of Data Protection Officers (DPOs) of private hospitals.

The event, called DPO7, is the seventh in a series of DPO sectoral assemblies organized by the National Privacy Commission (NPC) this year and gathered participants from private hospitals. DPO7 was co-organized in cooperation with the Private Hospitals Association of the Philippines, Incorporated (PHAPI).

The PHIE is an electronic health (eHealth) initiative of the Department of Health (DOH), the Department of Science and Technology (DOST) and the Philippine Health Insurance Corporation (PhilHealth). It is intended to provide accurate and timely exchange of health information, improving the services of the three agencies as well as those of other organizations that use the data.

Privacy Commissioner Raymund Enriquez Liboro said: “The efficient use of electronic medical records (EMR) for eHealth has a lot of potential benefits for our citizens. It is a good example of innovation in the free flow of information that the DPA espouses. The protection of personal information has to be prioritized in such systems as there is greater danger of data breaches with the increased number of users and processors.”

Health information is considered sensitive personal information that requires a higher level of data protection, and private hospitals agree with this. According to Dr. Rustico Jimenez of Medical Center Parañaque, PHAPI President: “Hospitals have always valued information privacy; this is one of the reasons why our industry will soon be having the Health Privacy Code, which is also in line with the Data Privacy Act of 2012. Hospitals are cleaning up their patient records to be ready for the full implementation of the Philippine Health Information Exchange (PHIE), which is currently under development.”

In November of last year, the NPC received a complaint about a hospital that did not have adequate security measures for its patient records. The NPC conducted a compliance check of the hospital and will issue a compliance order directing the hospital to implement measures that ensure patient data is protected.

Penalties for violations of data privacy that involve sensitive personal information (SPI) are higher than those that involve ordinary personal information; accordingly, SPI must be accorded a higher level of protection. Unauthorized disclosure is one example: under the DPA, the maximum fine for the unauthorized disclosure of personal information is one million pesos, while for SPI it is two million pesos.

Last month, the NPC announced the mandatory registration of the data processing systems of hospitals, including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities, and other organizations processing genetic data. The mandatory registration applies to all entities that fall under these categories regardless of the number of employees or the number of personal records they process. This goes beyond the general rule in the implementing rules and regulations of the Data Privacy Act, under which entities that have more than 250 employees, or that process sensitive personal information of more than 1,000 individuals, are required to register their data processing systems with the NPC, beginning with the designation and registration of a DPO.

For medical research, patient information is invaluable and is a significant contributor to the development of new treatment methods; anonymization of health data may be used to protect the identities of patients in research. According to Deputy Privacy Commissioner Dr. Ivy Patdu: “We want to anonymize or de-identify health information, but we must also note that advancements in technology and the availability of volumes of data may make re-identification possible. The thrust should be towards incorporating ethics in the use of information, and focusing on accountability. We may one day also consider data donation, for patients to donate their health information to science and research upon their death, the same way organs are donated.”

About the NPC: The NPC is a regulatory and quasi-judicial body constituted in March 2016 by virtue of RA 10173. As the Philippines’ data privacy and data protection watchdog, the agency is mandated to uphold the right to data privacy and ensure the free flow of information, with a view to promoting economic growth and innovation. To know more about the NPC, visit www.privacy.gov.ph.