NPC PHE BULLETIN No. 10: Protecting Patient Data from Unauthorized Disclosure

April 25, 2020 | 11:17 AM GMT+0800 Last Edit: May 12, 2020

In recent weeks, the National Privacy Commission (NPC) has received several breach notifications which involve the possible unauthorized disclosure of sensitive personal information of suspect, probable and confirmed COVID-19 patients. The NPC is now looking into said breach incidents, in accordance with our internal procedures and in collaboration with concerned Personal Information Controllers (PICs), for remediation and other purposes within the bounds of the Data Privacy Act of 2012.

With a view to preventing unauthorized disclosure from happening, we call on health institutions and their Data Protection Officers (DPOs) to strengthen the protection of patient data. After all, fostering mutual trust and protection between patients, health institutions and authorities is crucial in dealing with the COVID-19 pandemic.

Patients will only fully and truthfully disclose the needed information to authorities if they feel assured that the information will be properly used for treatment, disease surveillance and response, and will be protected against any type of misuse, such as unauthorized disclosure, which has proven to result in stigma-driven physical assaults, harassments, and acts of discrimination.

Below are some of the organizational, physical and technical security measures that health institutions and their staff may enforce to protect patient data against unauthorized disclosure:

  1. Regularly remind officials and employees of their ethical and legal duty to protect patient data. This reminder may come in the form of strategically located posters or print outs informing every one of their responsibility to protect the confidentiality, integrity and availability of patient data, which they have been entrusted with. Health institutions may want to emphasize that unauthorized disclosure is a prohibited act, both under Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, and the Data Privacy Act of 2012. They should ensure that non-disclosure agreements and related contracts are in place and enforced.
  2. Establish access control for patient data based on least privileges. Only provide access on a “need-to-know” basis. This means that health personnel are allowed only the minimum and necessary access to enable the performance of their functions.
  3. Equip facilities with physical access controls. Protect physical access to facilities through locks and alarms. This is to ensure that only authorized personnel have access to facilities that house the systems and the data. At the same time, keep documents containing patient data in locked cabinets or secure rooms when not in use.
  4. Only disclose patient data to proper authorities and in appropriate areas. Refrain from discussing patient data in public areas where unauthorized parties may pick up personal data, unless when providing treatment under compelling circumstances. In addition, when discussing over the phone, confirm the identity of the person first and check whether he or she is authorized to receive such information.
  5. Protect the computer display from unauthorized or accidental viewing. Prevent the accidental viewing and disclosure of data through the use of privacy screens. If a privacy screen is not readily available or practical, place computer monitors inside secluded cubicles or angle them in such way that minimizes the chance of any unauthorized or accidental viewing by unauthorized individuals. Computers must be locked with a password whenever the authorized user leaves the workstation.
  6. Lock storage media away when not in use. If the use of portable storage media (such as USB flash drives or external hard drives), to store patient data is unavoidable, ensure that the files are encrypted and password protected. Also, make sure they are kept secure in your person when working in public places and not left absentmindedly on desks, counters, in conference rooms, and other common areas where it may be accessed by unauthorized individuals.
  7. Ensure that patient data are encrypted, both in-transit and at rest. Electronic copies of patient data must be protected in the same extent that physical files and storage media containing patient data are secured. Encrypting patient data both in-transit and at rest ensures that the files are locked and only accessible to authorized persons.
  8. Communicate securely. Choose a secure platform for care team collaboration and patient communication. For further protection, ensure that the documents are encrypted with a password of sufficient strength. The password must be sent via a separate channel like SMS/text. It is likewise advised that apart from setting a strong password, a second-factor authenticator may be used whenever logging into accounts.

Privacy Commissioner

# # #