Published — June 1, 2022
The following post does not create a lawyer-client relationship between Alburo Alburo and Associates Law Offices (or any of its lawyers) and the reader. It is still best for you to engage the services of your own lawyer to address your legal concerns, if any.
Also, the matters contained in the following were written in accordance with the law, rules, and jurisprudence prevailing at the time of writing and posting, and do not include any future developments on the subject matter under discussion.
Read also: Data privacy guide for employers
Right to privacy is a basic fundamental human right. It is also enshrined in several provisions of the 1987 Philippine Constitution.
The right to privacy is however not absolute. One cannot invoke his right to privacy if it will risk public safety. With the recent Covid19 pandemic, information from COVID-19 patients, Person Under Investigation (PUI), and Person Under Monitoring (PUM) is material for their treatment and for thwarting the spread of the virus in a timely manner. Republic Act No. 11332 (An Act Providing Policies and Prescribing Procedures on Surveillance and Response to Notifiable Diseases, Epidemics, and Health Events of Public Health Concern) further mandates patients to be fully transparent and truthful to the Department of Health (DOH), the hospitals that caters to them, and other pertinent public authority on the personal data requested from them. In cases where they fail to cooperate or they refuse to provide details or conceal required information, he or she can be penalized with imprisonment and hefty fines under RA 11332.
For patients to fully cooperate and truthfully disclose the needed information to authorities, they must feel assured that the information will be properly used for treatment, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure. To address this issue, the National Privacy Commission issued some of the organizational, physical and technical security measures that health institutions and their staff may enforce to protect patient data against unauthorized disclosure, to wit:
- Regularly remind officials and employees of their ethical and legal duty to protect patient data. This reminder may come in the form of strategically located posters or print outs informing every one of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.
- Establish access control for patient data based on least privileges. Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.
- Equip facilities with physical access controls. Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.
- Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.
- Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.
- Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives), to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure in your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where it may be accessed by unauthorized individuals.
- Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.
- Communicate securely. Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.
Alburo Alburo and Associates Law Offices specializes in business law and labor law consulting. For inquiries, you may reach us at info@alburolaw.com, or dial us at (02)7745-4391/0917-5772207.
All rights reserved.
SUBSCRIBE NOW FOR MORE LEGAL UPDATES!
[email-subscribers-form id=”4″]