Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

What you need to know as a patient


Here are some key government guidelines that aim to protect your information and your right to privacy as a patient

Seeking healthcare involves disclosing much of your personal information — most of them sensitive. With that in mind, healthcare providers should take measures to protect patient information. 

This is especially enshrined in Section 3.7 of the Philippine Code of Ethics of the Medical Profession: “The physician shall hold as private and highly confidential whatever may be discovered or learned pertinent to the patient even after death, except when required by law, ordinance or administrative order in the promotion of justice, safety and public health.”

This mandate does not just apply to physicians. Government laws and orders are in place that require healthcare providers to protect patient information as well as patients’ right to privacy. 

Here are some key government guidelines that you must know if you’re a patient.

Healthcare providers are mandated to follow the Data Privacy Act 

Republic Act 10173, also known as the Data Privacy Act (DPA) of 2012, lists the rights of people to their data and the responsibilities of those who collect, process, store, and transmit people’s data.

The Department of Health (DOH), recognizing that providing healthcare involves processing personal and sensitive information, issued Administrative Order (AO) 2020-0030, or the Data Privacy Guidelines on the Processing of Health Information.

“In compliance with the DPA, this Administrative Order is issued to serve as guidelines for the processing of health information, while ensuring utmost protection of the right to privacy of an individual and their health information,” the DOH stated.

The DOH — together with PhilHealth and the Department of Science and Technology — also issued the Health Privacy Code (HPC) as part of the agencies’ implementation of the Philippine Health Information Exchange. This project is a cross-agency effort that enables the electronic transmission of health information among healthcare facilities and providers, government agencies, and other health-concerned organizations.


Here’s what you should do if your customer data is breached online

Before healthcare providers collect and process your personal information, they must get your valid, informed consent — in written, recorded, and/or electronic form.

What constitutes valid and informed consent? The HPC lists the following elements that must be present:

  • Patient must be “of sound mind, at least 18 years old, and not under the influence of drugs or liquor” 
  • Patient must be presented with “relevant factual data about a procedure and/or treatments, its benefits, risks, and possible complications or outcomes”
  • Information must be presented to the patient relevant to their education and language or dialect
  • Patient must “make an autonomous decision without force or intimidation, and understands that he/she can withdraw consent anytime without consequence”

If the patient is not of sound mind, under 18 years old, or incapacitated to give consent, the HPC allows any of the following to give consent on the patient’s behalf:

  • Immediate relatives within the third degree of consanguinity based on hierarchy
  • Cohabitant partner for a minimum of one year
  • Actual and identified guardian of the patient
  • Social worker
  • Attending physician

There are instances where consent for the processing of data is exempted, as stated in the HPC:

  • When a medical practitioner or a medical treatment institution is carrying out a medical treatment
  • When the life and health of the patient is at risk and they’re not legally or physically able to express their consent prior to the processing of their information
  • In cases of reporting communicable diseases, as well as notifiable diseases, syndromes, health-related events and conditions, as mandated by government law and order
Who has access to your information? 

AO 2020-0030 states that only healthcare providers attending to patients and authorized entities should have access to patients’ health information, provided there’s prior patient consent.

The HPC details the following accessible health information:

  • History of past and present illness
  • Family history of illness
  • Clinical history, including immunization records, previous operations, and treatment
  • Allergies
  • Medication history including adverse effects, if any
  • Results of laboratory and diagnostic procedures
  • Treatment outcome, including final diagnoses whether clinical or confirmed

Third-party access to a patient’s personal and health information is prohibited unless required by law, ordered by a court, or authorized by a valid contract entered into by the patient.

Patients also have the right to access information on how their personal and health information is being used. In the case of minors and incapacitated patients, the right to access health information is granted respectively to either a parent or legal guardian and a person with a special power of attorney. 

Use of social media

The HPC also stresses the importance of health facilities implementing social media guidelines for their personnel, as patient information is prone to getting leaked on social media.

“Unauthorized posting of personal data of patients in social media, including pictures, shall be penalized in accordance with the provisions of the DPA,” the HPC specifies.

“Healthcare professionals shall always be mindful of their duties to their patients, community, their profession and their colleagues thus they must take into account that any content, once posted online, may be easily disseminated to others and is essentially irreversible,” adds the HPC.

What happens in case of breach of information?

The HPC defines a breach as “the unauthorized or impermissible acquisition, access, use, or disclosure of information,” and can apply to information related to patients and/or institutions.

In case a patient’s information has been breached, the HPC requires the healthcare provider concerned to notify the patient within 60 days of discovery. If a breach affects 500 individuals or more, the healthcare provider must immediately put out a media notice and notify the health privacy board, a multisectoral group concerned with health information privacy. 

Notices are elevated to the National Privacy Commission (NPC) when necessary.

Issuance of breach notices may also be delayed “if the health privacy board or the NPC determines that a notification, notice, or posting would impede a criminal investigation or cause damage to national security,” according to the HPC. – Rappler.com


Want data privacy? Here’s how to protect your personal information online

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

27 Wayfair finds to convert your external space
Ilia rises to new heights with figure skating at the world championships in Mali
Tyreek Hill didn’t back down from his comments Sunday about wanting out
The Patriots interviewed Pep Hamilton for the head coaching position on Tuesday