Here are some key government guidelines that aim to protect your information and your right to privacy as a patient
Seeking healthcare involves disclosing much of your personal information, most of it sensitive. With that in mind, healthcare providers should take measures to protect patient information.
This is especially enshrined in Section 3.7 of the Philippine Code of Ethics of the Medical Profession: “The physician shall hold as private and highly confidential whatever may be discovered or learned pertinent to the patient even after death, except when required by law, ordinance or administrative order in the promotion of justice, safety and public health.”
This mandate does not just apply to physicians. Government laws and orders are in place that require healthcare providers to protect patient information as well as patients’ right to privacy.
Here are some key government guidelines that you must know if you’re a patient.
Healthcare providers are mandated to follow the Data Privacy Act
Republic Act 10173, also known as the Data Privacy Act (DPA) of 2012, lists the rights of people to their data and the responsibilities of those who collect, process, store, and transmit people’s data.
The Department of Health (DOH), recognizing that providing healthcare involves processing personal and sensitive information, issued Administrative Order (AO) 2020-0030, or the Data Privacy Guidelines on the Processing of Health Information.
“In compliance with the DPA, this Administrative Order is issued to serve as guidelines for the processing of health information, while ensuring utmost protection of the right to privacy of an individual and their health information,” the DOH stated.
The DOH — together with PhilHealth and the Department of Science and Technology — also issued the Health Privacy Code (HPC) as part of the agencies’ implementation of the Philippine Health Information Exchange. This project is a cross-agency effort that enables the electronic transmission of health information among healthcare facilities and providers, government agencies, and other health-concerned organizations.
Consent is key
Before healthcare providers collect and process your personal information, they must get your valid, informed consent — in written, recorded, and/or electronic form.
What constitutes valid and informed consent? The HPC lists the following elements that must be present:
- Patient must be “of sound mind, at least 18 years old, and not under the influence of drugs or liquor”
- Patient must be presented with “relevant factual data about a procedure and/or treatments, its benefits, risks, and possible complications or outcomes”
- Information must be presented to the patient in a manner relevant to their education and language or dialect
- Patient must “make an autonomous decision without force or intimidation, and understands that he/she can withdraw consent anytime without consequence”
If the patient is not of sound mind, under 18 years old, or incapacitated to give consent, the HPC allows any of the following to give consent on the patient’s behalf:
- Immediate relatives within the third degree of consanguinity based on hierarchy
- Cohabitant partner for a minimum of one year
- Actual and identified guardian of the patient
- Social worker
- Attending physician
There are instances where consent for the processing of data is exempted, as stated in the HPC:
- When a medical practitioner or a medical treatment institution is carrying out a medical treatment
- When the life and health of the patient are at risk and they are not legally or physically able to express their consent prior to the processing of their information
- In cases of reporting communicable diseases, as well as notifiable diseases, syndromes, health-related events and conditions, as mandated by government law and order
Who has access to your information?
AO 2020-0030 states that only healthcare providers attending to patients and authorized entities should have access to patients’ health information, provided there’s prior patient consent.
The HPC details the following accessible health information:
- History of past and present illness
- Family history of illness
- Clinical history, including immunization records, previous operations, and treatment
- Allergies
- Medication history including adverse effects, if any
- Results of laboratory and diagnostic procedures
- Treatment outcome, including final diagnoses whether clinical or confirmed
Third-party access to a patient’s personal and health information is prohibited unless required by law, ordered by a court, or authorized by a valid contract entered into by the patient.
Patients also have the right to access information on how their personal and health information is being used. In the case of minors and incapacitated patients, the right to access health information is granted to a parent or legal guardian and to a person with a special power of attorney, respectively.
The HPC also stresses the importance of health facilities implementing social media guidelines for their personnel, as patient information is prone to getting leaked on social media.
“Unauthorized posting of personal data of patients in social media, including pictures, shall be penalized in accordance with the provisions of the DPA,” the HPC specifies.
“Healthcare professionals shall always be mindful of their duties to their patients, community, their profession and their colleagues thus they must take into account that any content, once posted online, may be easily disseminated to others and is essentially irreversible,” adds the HPC.
What happens in case of breach of information?
The HPC defines a breach as “the unauthorized or impermissible acquisition, access, use, or disclosure of information,” which can apply to information related to patients and/or institutions.
In case a patient’s information has been breached, the HPC requires the healthcare provider concerned to notify the patient within 60 days of discovery. If a breach affects 500 individuals or more, the healthcare provider must immediately put out a media notice and notify the health privacy board, a multisectoral group concerned with health information privacy.
Notices are elevated to the National Privacy Commission (NPC) when necessary.
Issuance of breach notices may also be delayed “if the health privacy board or the NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security,” according to the HPC. – Rappler.com