Data Privacy and Confidentiality MEP2425-4
Catherine Grace Q. Aparece, MD
Summary
This presentation discusses data privacy and confidentiality, covering key concepts, the importance of confidentiality in the doctor-patient relationship, potential weaknesses in healthcare information systems, and the analysis of data privacy violations. It also includes details such as privileged information, consent of the data subject, and relevant laws in the Philippines.
Full Transcript
Opening Prayer

Data Privacy and Confidentiality
Catherine Grace Q. Aparece, MD

“All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.” —Hippocrates

Objectives
1. Define basic terminology relating to data privacy.
2. Recognize the importance of confidentiality in the doctor-patient relationship.
3. Identify potential weaknesses in the health care and information system.
4. Apply the core principles in the analysis of cases on the violation of data privacy and confidentiality.

References
- World Medical Association Ethics Manual, 3rd Edition
- WHO Ethics Manual
- Compilation of Cases
- Health Information Privacy in the Philippines: Trends and Challenges in Policy and Practice
- Confidentiality breaches in clinical practice: what happens in hospitals?
- National Privacy Commission
- Top 5 data breach incidents in Southeast Asia in 2022

Definitions

Confidentiality refers to “the privacy of information and its protection against unauthorized disclosure.”

Privacy is “the state of being free from intrusion or disturbance in one's private life or affairs.”

Privacy versus confidentiality: privacy pertains to an individual's right to be free from unwanted external scrutiny; confidentiality points to the duty that rests on those to whom private information has been entrusted.

              Privacy                            Confidentiality
Description   The right to be let alone.         Agreement that information is kept secret from the reach of any other person.
Concept       Limits the access of the public.   Prevents information and documents from unauthorized access; applies to individual information.
Obligatory    Voluntary.                         Compulsory.
Disallowed    Everyone is disallowed.            Only unauthorized persons.

Patients are the holders of the right to privacy; health care providers (HCPs) are the bearers of the duty of confidentiality.

Privileged information refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.

Legal obligation

Republic Act No. 10173 (Data Privacy Act of 2012): An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes.

“It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.”

Consent of the data subject
▪ refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.
▪ Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Data subject refers to an individual whose personal information is processed.

Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.

Sensitive personal information refers to personal information:
1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual's health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

Why is confidentiality important?
If the patient knows his/her information will be kept secret, s/he will share important information with the doctor, which leads to a good diagnosis and better treatment.

Privacy of personal information is a closely guarded individual right; any unauthorized access or breach is considered a violation of this entitlement from both legal and moral perspectives.

The liberal transfer of private information stems from the fiduciary nature of the clinician-patient relationship: patients trust that any and all details they may share with their healthcare provider will be maintained as private information.

Technology is also changing the landscape of healthcare practice. With the evolution of electronic medical records and the connectivity afforded by the Internet, health information is more readily accessible to anyone with the right tools and can be easily linked across disparate databases.

Telemedicine, the delivery of health-related services and information via telecommunications technologies, now makes possible virtual patient consultations and specialist referrals involving parties separated by physical distance.

Electronic Medical Records
- transcend the physical limitations of paper files and facilitate access to, and sharing of, health information among providers of care;
- improve the accuracy and quality of recorded data;
- improve the quality of care as a result of having health information immediately available at all times for patient care.

While in many ways these developments contribute towards enhancing the delivery of care to all people, they also tend to redefine the scope of privacy and confidentiality within the context of the provider-patient relationship.

Philippine legal framework

In the Philippines, a person's right to privacy is enshrined in no less than fundamental law. The Philippine Constitution (Article III, Section 3 (1)) provides: “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.”

A person's general right to privacy is affirmed in the Civil Code (Republic Act No. 386). It provides that every person shall respect the dignity, personality, privacy and peace of mind of another. Since a physician has an acknowledged duty to maintain patient confidentiality, any injury that a patient may incur as a direct result of the violation of this duty will make the physician liable for damages.

The Revised Penal Code (Act No. 3815) criminalizes “Revelation of Secrets”. Its provision protecting the secrets of any person may find application in cases of government physicians who have custody of patient records and who would reveal private information about patients, or of any other employee who may abuse their position to obtain confidential information.

Specific laws guarantee the right to privacy of rape victims and minors in conflict with the law:
– Republic Act No. 8505, Rape Victim Assistance and Protection Act of 1998
– Republic Act No. 9344, Juvenile Justice and Welfare Act of 2006

Other statutes with confidentiality provisions:
– Republic Act No. 8504: handling of information, both the identity and status, of persons with HIV
– Republic Act No. 9165: confidentiality of records of those who have undergone drug rehabilitation
– Republic Act No. 9262: confidentiality of records pertaining to cases of violence against women and their children

The Electronic Commerce Act of 2000 (Republic Act No. 8792) provides that any person with access to electronic data messages or documents has an obligation of confidentiality, that is, the duty not to convey the information to, or share it with, any other person. Unauthorized access to computer systems is punishable by a fine and mandatory imprisonment.

Republic Act No. 4200, the Anti-Wiretapping Law, may also be applied where a person not authorized by the parties to a private communication records it or communicates its contents. It covers doctor-patient communication, which is privileged and confidential and therefore should not be recorded or disclosed without consent.

Types of breaches (hospital setting)
1. Breaches related to the custody of clinical histories and records (admission forms, clinical and nursing report sheets, laboratory tests and other complementary examinations, and any other type of record containing patient data), as well as computer access to such records.
2. Breaches related to the consultation and/or disclosure of clinical and/or personal data to medical personnel not involved in the patient's clinical care, as well as to people external to the hospital.

Breach severity
- Minor confidentiality breaches: those in which sensitive patient data is not properly safeguarded or handled but which do not result in observable consequences. Typically breaches of custody of clinical histories and records, or breaches due to inadequate hospital infrastructure; often committed repeatedly (more than once).
- Severe confidentiality breaches: the disclosure of sensitive data, as well as incidents that result in some kind of observable consequence. These correspond to situations where clinical patient data are disclosed to third parties or to medical personnel not involved in the patient's care, as well as breaches that are committed intentionally, or that relate to the patient's sexual life, mental or other stigmatizing illnesses, or racial or ethnic background (information of a highly private nature), or that occur repeatedly (more than once).

Exceptions to confidentiality

The rule of the confidentiality of physician-patient communication and patient records is not absolute. There are exceptions under the following circumstances:

1. Upon patient consent or waiver.
   a. Upon waiver or authority of the patient to release such information. This stems from the recognition that the information contained in medical records is the property of the patient, while the medical records themselves are the property of the hospital.
   b. For purposes of insurance compensation (Presidential Decree No. 442, as amended, the Labor Code of the Philippines; Republic Act No. 7875, the National Health Insurance Act of 1995). Individuals availing themselves of insurance coverage also sign waivers allowing the health maintenance organization or insurer access to their medical records in exchange for a claim of benefits.

2. In the interest of public order and safety.
   – Republic Act No. 3753 (Law on Registry of Civil Status): births and deaths must be registered.
   – Republic Act No. 3573: reporting of certain communicable diseases is mandatory.
   – Executive Order No. 212 requires medical practitioners to report treatment of patients for serious and less serious physical injuries.
   – Presidential Decree No. 603, as amended (Child and Youth Welfare Code): practitioners are required to report cases of child abuse or maltreatment.

3. Upon lawful order of the court or a quasi-judicial body. Release of health information may occur upon service of a valid subpoena, warrant, or adjudicative order from a court, a law enforcement agency, an administrative agency authorized by law, or an arbitration panel.

4. For research purposes. The National Ethical Guidelines for Health Research permit review of medical records without consent for purposes of research, provided the data are de-identified or anonymized and are non-sensitive.
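The research exception requires records that are both de-identified and non-sensitive, the earlier definitions enumerate what counts as sensitive personal information, and the technology slide warns that health data can be linked across databases. The Python below is an added example, not part of this presentation or of any source it cites: a release gate that applies the four exceptions, logs every request (granted or denied), and, for research, strips direct identifiers and replaces the patient number with a keyed pseudonym so study rows stay linkable without exposing identity. The field names, their classification as identifiers or sensitive fields, the sample records, the set of bases and the key are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed field names that directly identify a patient (not from the slides).
DIRECT_IDENTIFIERS = {"name", "address", "birthdate", "patient_id",
                      "philhealth_no", "mobile"}

# Assumed field names holding sensitive personal information in the RA 10173
# sense (health, sexual life, religion, ethnicity, offences, government IDs).
SENSITIVE_FIELDS = {"diagnosis", "hiv_status", "sexual_history", "religion",
                    "ethnicity", "criminal_case", "tax_return"}

# Constructed sample records; no real patient data.
OPERATIONAL_RECORD = {
    "patient_id": "P-000123", "name": "J. Dela Cruz", "address": "Cebu City",
    "birthdate": "1985-02-14", "philhealth_no": "12-345678901-2",
    "ward": "Surgery B", "admission_year": 2024, "length_of_stay_days": 3,
}
CLINICAL_RECORD = dict(OPERATIONAL_RECORD, hiv_status="reactive")


@dataclass
class ReleaseRequest:
    requester: str
    basis: str                      # care | patient_consent | lawful_order |
                                    # mandatory_report | research
    involved_in_care: bool = False  # requester is part of the treating team
    consent_on_file: bool = False   # written, electronic or recorded consent
    order_reference: str = ""       # subpoena, warrant or adjudicative order


def pseudonymize(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the patient ID under the custodian's key. Rows for the
    same patient stay linkable inside a study, but without the key the value
    cannot be recomputed from a guessed ID or reversed."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and replace the patient ID with a pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonymize(record["patient_id"], key)
    return out


def sensitive_fields(record: dict) -> set:
    """Fields that remain sensitive even after direct identifiers are gone."""
    return set(record) & SENSITIVE_FIELDS


def decide(record: dict, req: ReleaseRequest, key: bytes, audit: list):
    """Apply the exceptions to confidentiality and log every request.

    Returns (outcome, payload); payload is None when access is denied."""
    if req.basis == "care" and req.involved_in_care:
        outcome, payload = "grant", record          # treating team
    elif req.basis == "patient_consent" and req.consent_on_file:
        outcome, payload = "grant", record          # consent or waiver
    elif req.basis == "lawful_order" and req.order_reference:
        outcome, payload = "grant", record          # subpoena, warrant, order
    elif req.basis == "mandatory_report":
        outcome, payload = "grant", record          # public order and safety
    elif req.basis == "research":
        released = deidentify(record, key)
        if sensitive_fields(released):
            outcome, payload = "deny", None         # needs consent instead
        else:
            outcome, payload = "grant-deidentified", released
    else:
        outcome, payload = "deny", None             # includes staff not in care
    audit.append((req.requester, req.basis, outcome))
    return outcome, payload


if __name__ == "__main__":
    key = b"custodian-only-key"  # hypothetical; keep in a KMS/HSM, not in code
    log = []
    print(decide(OPERATIONAL_RECORD, ReleaseRequest("nurse_a", "care", involved_in_care=True), key, log)[0])
    print(decide(OPERATIONAL_RECORD, ReleaseRequest("clerk_b", "care"), key, log)[0])
    print(decide(OPERATIONAL_RECORD, ReleaseRequest("study_c", "research"), key, log))
    print(decide(CLINICAL_RECORD, ReleaseRequest("study_c", "research"), key, log)[0])
    for entry in log:
        print(entry)
```

The research branch denies a record that still carries a sensitive field after de-identification, which matches the guideline's requirement that data be non-sensitive as well as de-identified; such a record needs patient consent instead. The keyed pseudonym addresses the linkage concern raised earlier: a plain hash of a patient number can be recomputed by anyone who can guess the number, whereas the HMAC needs the custodian's key.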
“It is ethical to disclose confidential information when the patient consents to it or when there is a real and imminent threat of harm to the patient or to others and this threat can be only removed by a breach of confidentiality.” (WMA International Code of Medical Ethics)

Now let's tap the cases…

Activity 2
For each assigned case, fill in the following columns:
- Case assigned
- Ethical: base the issue on the core principles
- Law: the specific law applicable
- My personal reaction: state your personal reaction… (no filters)

Cases

SGD 1 & 22: Lloyd v Google LLC [2019] EWCA Civ 1599. The data protection class action against Google, which the Court of Appeal found permissible for DPA breaches in the case of the Safari Workaround. The ruling set a precedent for representative, opt-out style class actions for data protection breaches under UK law (the UK Supreme Court later reversed it in Lloyd v Google LLC [2021] UKSC 50).

SGD 2 & 21: Bohol Governor posted on Facebook on the use of expired IV fluids in Loon District Hospital.

SGD 3 & 20: SWU PHINMA IT security issue, July 2024.

SGD 4 & 19: Juliana Villafuerte flatline issue.

SGD 5 & 18: Philippines COMELEC data breach. The security systems of the Commission on Elections (COMELEC) of the Republic of the Philippines were breached by a hacker group, exposing 60 terabytes of private voter information. Data of this depth could enable cybercriminals to map the whole internal workings of the Philippine voting system, essentially opening the door to far more destructive follow-up attacks at a national security level.

SGD 6 & 17: Bjorka, the SIM card hacker. A hacker using the name Bjorka listed 1.3 billion Indonesian SIM card registration profiles for sale. The number exceeds the country's total population, but it is common there to hold more than one phone number. The incident also showed how weak Indonesia's cybersecurity infrastructure is.

SGD 7 & 16: The Black Suede Scandal. A 39-year-old homosexual florist from Cebu City underwent a minor operation on January 3, 2008 at the Vicente Sotto Memorial Medical Center (VSMMC) for extraction of a foreign body lodged in his rectum. He was allegedly asleep at the time of the operation and was not made aware that the procedure was going to be filmed, nor was he informed afterwards that the medical staff had taken footage of his operation. He claimed that he only learned of the existence of the YouTube video when it was brought to his attention by their barangay captain, who had seen the video on YouTube.

SGD 8 & 15: Carlos Yulo issue.

SGD 9 & 14: The Careless Whisper. The PRC revoked Dr. Hayden Kho's license in November 2009, after he was found guilty of “immorality, dishonorable and unethical conduct” in connection with his video-recording of his intimate interactions with different women without their consent. The videos, including one showing TV actress Katrina Halili, circulated online and were even sold on DVD at the time.

SGD 10 & 13: Alice Guo issue.

SGD 11 & 12: Facebook, Inc. and its user privacy issue. Facebook Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users' privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.

Thanks!

Credits: This presentation template was created by Slidesgo, and includes icons by Flaticon and infographics & images by Freepik.

Closing Prayer