NPC to health institutions: Strengthen protection of coronavirus patient data
MANILA, Philippines—The National Privacy Commission (NPC) is urging health institutions to strengthen the protection of patient data following reports of “unauthorized disclosure” of sensitive personal information of suspect, probable, and confirmed COVID-19 patients.
“With a view to preventing similar instances of unauthorized disclosure from happening, we call on health institutions and their Data Protection Officers to strengthen the protection of patient data. After all, fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the COVID-19 pandemic,” the NPC said Saturday in a release
The NPC noted that they are now looking into the said breach incidents in accordance with the commission’s internal procedures and in collaboration with concerned personal information controllers “for remediation and other purposes” as allowed by the Data Privacy Act of 2012.
“Patients will only fully and truthfully disclose the needed information to authorities if they feel assured that the information will be properly used for treatment, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure, which has proven to result in stigma-driven physical assaults, harassments, and acts of discrimination,” the NPC stressed.
Inter-Agency Task Force spokesperson Karlo Nograles earlier this month announced that COVID-19 patients are required to disclose personal information to authorities to enhance contact-tracing efforts of the government.
Nograles assured, however, that the patients’ personal data are only for the Department of Health and that there will be no public disclosure of their personal information.
The NPC also listed down some of the organizational, physical, and technical security measures health institutions may enforce to protect patient data against unauthorized disclosure:
1. Regularly remind officials and employees of their ethical and legal duty to protect patient data. This reminder may come in the form of strategically located posters or print outs informing everyone of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.
2. Establish access control for patient data based on least privileges. Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.
3. Equip facilities with physical access controls. Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.
4. Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first, and check whether he or she is authorized to receive such information.
5. Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such a way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.
6. Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives), to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure in your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where it may be accessed by unauthorized individuals.
7. Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.
8. Communicate securely. Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.
The Inquirer Foundation supports our healthcare frontliners and is still accepting cash donations to be deposited at Banco de Oro (BDO) current account #007960018860 or donate through PayMaya using this link.
Subscribe to INQUIRER PLUS to get access to The Philippine Daily Inquirer & other 70+ titles, share up to 5 gadgets, listen to the news, download as early as 4am & share articles on social media. Call 896 6000.