Data Privacy for Physicians

Today, our data is worth billions. And data is in everything we do: communication, commerce, banking, and even medical visits. Data breach horror stories have multiplied in the past decade, and the world is fighting back with data protection laws in the EU1, the US2 and now, the Philippines!

This concerted effort towards better privacy is coming at the right time, some would say belatedly, because hackers are now targeting medical records. Why? Medical data can be used for identity fraud, false health insurance claims, and, in more serious cases, blackmail. Unlike a stolen card number, a medical history cannot be cancelled and reissued. Plus, medical records are less secure than banking records because the health industry does not invest in data security… yet.

We are still on our way to going completely digital, and many practices are already there. The DOH is leading this movement toward eHealth,3 and Clinic Management Systems and EMRs are gaining popularity among Filipino doctors.

If Medical Digitization is unavoidable and Data Privacy is a law, how can you keep up?

#1 Commit to comply by registering a Data Protection Officer (DPO).

The DPO should possess specialized knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities. As such, the DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the Personal Information Controller (PIC).4

#2 Choose your route: Do you want to process data Manually, Electronically, or both?

If processing data manually (i.e., on printed paper forms), review your workflow and look for the weak points: who can walk into the records area, who can open the filing cabinet, who can carry a chart out of the clinic. Then add security measures like locks, guards, CCTV, log books, authorisation forms, or special IDs.

If you choose an electronic Data Processing System (DPS), it is usually outsourced to a Personal Information Processor (PIP), who should already have security measures in place: password protection, user accounts limited to the access each role actually needs, encryption of data on the server and in transit (SSL, or more precisely its successor TLS, behind the padlock in your browser), two-step authentication, and cloud storage. You'll usually find these listed in their Privacy Policy. Keep in mind that outsourcing does not outsource accountability: under the DPA the PIC remains responsible for the personal data it hands to a PIP, so ask for these commitments in writing rather than relying on the marketing page alone.
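To make two items on that list concrete, here is an added illustration (not MYCURE's code, nor any PIP's) of what "two-step authentication" and "limited access to user accounts" look like inside a clinic system: a password that is stored only as a salted hash, a second step using a time-based one-time password (RFC 6238 TOTP, the scheme behind authenticator apps), and role checks that record every allowed and denied access to a patient record. All user names, roles, secrets and the patient ID are constructed for the example.

```python
"""Illustrative model of two PIP controls: two-step login and role-limited record access.
Added example, not code from MYCURE or any vendor; names and sample data are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30  # seconds per RFC 6238 time step


# --- Step 1 of login: passwords are never stored in clear, only a salted PBKDF2 hash ---
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- Step 2 of login: time-based one-time password (RFC 6238, HMAC-SHA1) ---
def totp(secret: bytes, at: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """Compute the TOTP code for Unix time `at` (dynamic truncation per RFC 4226)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    return verify_password(password, user["salt"], user["pw_hash"]) and verify_totp(
        user["totp_secret"], code, at
    )


# --- Limited access: each role gets only the actions it needs; every decision is logged ---
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "nurse": {"read_record"},
    "front_desk": {"read_schedule"},  # cannot open clinical notes at all
}

AUDIT_LOG: list = []


def access_record(user: dict, action: str, patient_id: str, at: int) -> bool:
    """Authorize `action` on a patient record and append the decision to the audit log."""
    allowed = action in ROLE_PERMISSIONS.get(user["role"], set())
    AUDIT_LOG.append(
        {"t": at, "user": user["name"], "action": action, "patient": patient_id, "allowed": allowed}
    )
    return allowed


def make_user(name: str, role: str, password: str) -> dict:
    """Enroll a constructed user with a random TOTP secret (shown base32, as an app would scan it)."""
    salt, pw_hash = hash_password(password)
    return {"name": name, "role": role, "salt": salt, "pw_hash": pw_hash,
            "totp_secret": secrets.token_bytes(20)}


if __name__ == "__main__":
    now = int(time.time())
    doc = make_user("dr_santos", "physician", "correct horse battery staple")
    desk = make_user("reception1", "front_desk", "clinic2017")
    print("app secret:", base64.b32encode(doc["totp_secret"]).decode())
    print("doctor login:", login(doc, "correct horse battery staple", totp(doc["totp_secret"], now), now))
    print("doctor, wrong code:", login(doc, "correct horse battery staple", "000000", now))
    print("doctor reads chart:", access_record(doc, "read_record", "PT-0001", now))
    print("front desk reads chart:", access_record(desk, "read_record", "PT-0001", now))
    for entry in AUDIT_LOG:
        print(entry)
```

When evaluating a PIP, these are the properties to ask about rather than the buzzwords: are passwords hashed with a salt, is the second factor enforced for every account (not just offered), are permissions tied to roles, and does the audit log capture denied attempts as well as successful ones? The TOTP routine above reproduces the RFC 6238 test vectors, so the same check applies to any authenticator app the vendor supports.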

Sign up for MYCURE to see how we can help you be more DPA-compliant!


#3 Identify threats and vulnerabilities.

A manual DPS will require that your DPO thoroughly check the data handling process across the whole lifecycle: collection, use, storage, retention, disclosure, and destruction. This is best done with the participation of relevant stakeholders, such as your front-office and back-office staff, physicians, nurses, technicians, and the like, since they know where the paper actually travels.

Your outsourced PIP will have conducted their own Privacy Impact Assessment and you may request the output of this.

#4 Compose a privacy manual.

The manual [will serve] as a handbook for ensuring the compliance of [the PIC] with the DPA, its Implementing Rules and Regulations, and other relevant issuances of the National Privacy Commission. It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances, directed toward the fulfillment and realization of the rights of data subjects.4

Or, you can also request a guide from your outsourced PIP.

#5 Train your staff.

There are many ways for the PIC to deliver training and general personal data protection education. Examples include small group sessions, one-on-one training, monthly e-newsletters, or inserting modules. The DPO should document its training processes and measure participation and success.4


#6 Monitor your progress at least annually.

The Data Protection Officer should monitor manual and digital Data Processing Systems and ensure conduct of Privacy Impact Assessments when necessary. The policies of the [clinic or hospital] should include procedures for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.4

When you’ve done all of this and continue to practice your own policies, privacy will come naturally! Yes, change management is tricky. But change management is key in our constantly changing world.

References:

1. https://www.eugdpr.org/
2. https://content.next.westlaw.com/6-502-0467?transitionType=Default&firstPage=true
3. http://ehealth.doh.gov.ph/
4. https://privacy.gov.ph/wp-content/files/attachments/Privacy-Toolkit-compressedAug152017a.pdf
5. https://privacy.gov.ph/npc-extends-data-processing-systems-registration-for-covered-professionals/