Protecting the Filipino Patient’s Privacy and Confidentiality: What Policies are in Place?
(Combined week 13-14 assignments for #HI201 #MSMHI)
These are some of the policies we have in place, protecting the Filipino Patient’s Privacy and Confidentiality—(1) The Bill of Rights in our 1987 Constitution; (2) Republic Act 10175 or the Cybercrime Prevention Act of 2012; (3) Republic Act 10173 or the Data Privacy Act of 2012; (4) the Philippine Medical Association’s Code of Ethics, and (5) the Magna Carta of Patient’s Bill of Rights and Obligations, among others.
Bill of Rights, Philippine Constitution 1987
In the Philippines’ 1987 Constitution, the Filipino patient’s right to privacy and confidentiality is guaranteed under Article 3, Section 3:
“ The privacy of communication an correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.”
Republic Act 10175: Cybercrime Prevention Act of 2012
Under the Cybercrime law, pertinent sections that protects patient privacy are under Chapter II, SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable under this Act: (a) Offenses against the confidentiality, integrity and availability of computer data and systems: (1) Illegal Access. – The access to the whole or any part of a computer system without right. (2) Illegal Interception. – The interception made by technical means without right of any nonpublic transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data. (3) Data Interference. — The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses. …”
Republic Act 10173: Data Privacy Act of 2012
Under the Data Privacy Act, protection of patient privacy and confidentiality is protected under the following:
“Section 13. Sensitive Personal Information and Privileged Information. The processing of sensitive personal information and privileged information shall be prohibited, …except in the following instances: data subject consent; existing laws and regulations; to protect the life and health of data subject; lawful and noncommercial objectives of public organizations and associations; medical treatment; protection of lawful rights and interest of natural or legal person in court proceedings; or the establishment, exercise, or defense of legal claims; or, when provided to governments or public authority.”
Sec 19. Non Applicability. The …preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research….the personal information shall be held under strict confidentiality and …used only for the declared purpose.
Chapter V. Security of Personal Information.
SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. (b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. (c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include: (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach. (d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision. (e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations. (f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes (bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. (1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information. (2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects. (3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.”
The Philippine Medical Association’s (PMA) Code of Ethics
Under the PMA’s Code of Ethics patient privacy and confidentiality is covered by Article 2. Duties of Physicians to their Patients, in the PMA Code:
“Section 6. The physician should hold as sacred and highly confidential whatever may be discovered or learned pertinent to the patient even after death, except when required in the promotion of justice, safety and public health.”
The Magna Carta of Patient’s Bill of Rights and Obligations
The Magna Carta stating patient’s bill of rights and obligations has made to to the house of Congress several times. One version is sponsored by Senator Pia Cayetano, during the 16th Congress:
“Right To Privacy and Confidentiality–The patient has the right to privacy and protection from unwarranted publicity. The right to privacy shall include the patient’s right not to be subjected to exposure, private or public, either by photography, publications, video-taping, discussion, or by any other means that would otherwise tend to reveal his person and identity and the circumstances under which he was, he is, or he will be, under medical or surgical care or treatment. … All identifiable information about a patient’s health status, medical condition, diagnosis, prognosis and treatment, and all other information of a personal kind, must be kept confidential even after death. Provided, That descendants may have a right of access to information that will inform them of their health risks. All identifiable Patient data must also be protected. The protection of the data must be appropriate as to the manner of its storage. Human substance from which identifiable data can be derived must be likewise protected.
Confidential information can be disclosed in the following cases: i. When the patient’s medical or physical condition is in controversy in a court litigation and the court, in its discretion, orders the patient to submit to physical or mental examination of a physician; ii. When public health or safety so demands; iii. When the Patient, or in his incapacity, his/her legal representative, expressly gives the consent; iv. When the patient’s medical or surgical condition is discussid in a medical or scientific forum for expert discussion for I his/her benefit or for the advancement of science and 6 medicine, Provided however, That the identity of the Patient should not be revealed; and v. When it is otherwise required by law.”
Entities like the PHILHEALTH and other accrediting agencies (e.g., ICO, JCIA) did not wait for the Patient’s Bill of Rights to be signed into law, and required that the same rights be communicated to the patient in a formal education material. Patient rights to privacy and confidentiality, data security, as well as informed consent are tenets that are followed even without an enabling law.
In addition, major hospitals, aside from the PMA Code of Ethics, also have written codes of professional conduct for staff to follow. The same is true for the subspecialty societies such as the Philippine College of Physicians and the Philippine Academy of Ophthalmology, which espouse the tenets of protecting patient confidentiality and privacy.
What needs to be done?
Despite the presence of these laws, however, RA 10175 and RA 10173 are still waiting for “Implementing Rules and Regulations” before full implementation. These need to be crafted before the law can become an implementable law.
1. 1987 Constitution of the Republic of the Philippines. Bill of Rights. http://www.gov.ph/constitutions/the-1987-constitution-of-the-republic-of-the-philippines/. Accessed November 15, 2014.
2. Republic Act 10175, Cybercrime Prevention Act of 2012. http://www.gov.ph/2012/09/12/republic-act-no-10175/. Accessed November 15, 2014.
3. Republic Act 10173, Data Privacy Act of 2012. http://www.gov.ph/2012/08/15/republic-act-no-10173/. Accessed November 15, 2014.
4. Code of Ethics of the Philippine Medical Association. https://www.philippinemedicalassociation.org/downloads/pma-codes/FINAL-PMA-CODEOFETHICS2008.pdf. Accessed November 15, 2014.
5. Sixteenth Congress, Senate Bill 151. Magna Carta of Patient’s Rights and Obligations of 2013. Sponsored by Senator Pia Cayetano. http://www.senate.gov.ph/lisdata/1597713214!.pdf. Accessed November 26, 2014.
6. Patient Rights and Organizational Ethics. in Hospital Benchbook Masterlist of Indicators, Philippine Health Insurance Corporation. http://www.philhealth.gov.ph/partners/providers/benchbook/Masterlist_of_Indicators.pdf, accessed November 26, 2014.