Private hospitals rushing to comply with Data Privacy Act

With the upcoming implementation of the Philippine Health Information Exchange (PHIE), private hospitals have committed to comply with the Data Privacy Act (DPA) of 2012 and are implementing data protection measures to protect sensitive personal information of their patients.


This development was revealed during the first general assembly of Data Protection Officers (DPO) of private hospitals.

The event, called DPO7 is the seventh in a series of DPO sectoral assemblies organized by the National Privacy Commission (NPC) this year that gathered participants from private hospitals. DPO7 was co-organized in cooperation with the Private Hospitals Association of the Philippines Inc. (PHAPI).

The PHIE is an electronic health (eHealth) initiative of the Department of Health (DOH), the Department of Science and Technology (DOST), and the Philippine Health Insurance Corporation (PhilHealth) that would ensure accurate and timely health information exchange that can be instrumental in improving the services of the three agencies, as well as the other organizations that can use the data.

“The efficient use of electronic medical records (EMR) for eHealth has a lot of potential benefits for our citizens. It is a good example of innovation in the free flow of information that the DPA espouses. The protection of personal information has to be prioritized in such systems as there is greater danger of data breaches with the increased number of users and processors,” NPC chair Raymund Liboro said

Health information is considered sensitive personal information that requires a higher level of data protection, and private hospitals agree with this.

According to Dr. Rustico Jimenez of Medical Center Parañaque and PHAPI president: “Hospitals have always valued information privacy, this one of the reasons why our industry will soon be having the Health Privacy Code which is also in-line with the Data Privacy Act of 2012. Hospitals are cleaning up their patient records to be ready for the full implementation of the Philippine Health Information Exchange (PHIE) which is currently under development.”

In November of last year, the NPC received a complaint about a hospital that did not have adequate security measures for their patient records. The NPC conducted a compliance check of the hospital and will be issuing a compliance order for the hospital to implement to ensure that patient data is protected.

Penalties for violations of data privacy that involve sensitive personal information (SPI) are higher than those that involve personal information and as such, SPI need to be accorded a higher level of protection.

An example of this is unauthorized disclosure; under the DPA, the maximum fine of the unauthorized disclosure of personal information is P1 million, while if it involves SPI it is P2 million.

Last month, the NPC announced the mandatory registration of data processing systems of hospitals including primary care facilities, multi-specialty clinics, custodial care facilities, diagnostic or therapeutic facilities, specialized out-patient facilities and other organizations processing genetic data.

The mandatory registration applies to all entities that fall under these categories regardless of the number of employees or number of personal records it processes.

The Implementing rules of the Data Privacy Act state that entities that have more than 250 employees or those that processes sensitive personal data of more than 1000 individuals are required to register their data processing systems with then NPC, beginning with the designation and registration of a DPO.

For medical research, patient information is invaluable and is a significant contributor to the development of new treatment methods, the anonymization of health data may be done to protect the identities of the patients in research.

According to deputy privacy commissioner Dr. Ivy Patdu; “We want to anonymize or de-identify health information, but we must also note that advancements in technology and the availability of volumes of data may make re-identification possible. The thrust should be towards incorporating ethics in use of information, and focusing on accountability.

“We may one day also consider data donation, for patients to donate their health information to science and research upon their death, the same way organs are donated,” Patdu added.

Comment on this post