Because the Health Insurance Portability and Accountability Act (HIPAA) can only be enforced within US jurisdiction, the healthcare industry is constrained in outsourcing work overseas: an offshore contractor that handles US patient data is difficult to hold accountable for a data breach. Even India, one of the world's foremost providers of outsourcing services, had yet to pass its own data privacy law at the time of writing.

Healthcare Information Security: HIPAA and the Philippines’ Data Privacy Act

In the Philippines, the legislature has followed the HIPAA model and passed Republic Act No. 10173, the Data Privacy Act of 2012 (DPA). The DPA is patterned only loosely after HIPAA, and some of its more prominent features are worth noting.

The DPA "protects individuals from unauthorized processing of personal information that is (1) private, not publicly available; and (2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information." Unlike HIPAA, then, the DPA covers data privacy as a whole, not just healthcare information. Its scope is limited only to information that is both private and identifiable with a specific individual; publicly available data, and data that cannot be linked to a person even in combination with other available information, fall outside it. This limitation protects organizations that handle information from frivolous suits.

"Personal information must be collected for reasons that are specified, legitimate, and reasonable…. [individuals] must opt in for their data to be used for specific reasons that are transparent and legal." This approach actively involves the individual to whom the information belongs. As a rule, organizations cannot process personal information without the data subject's express consent, and those that do so face liability for damages as well as imprisonment.

Further, once an organization has taken personal information into its care, the law prescribes the level of diligence required in managing it: "These agencies must be active in ensuring that other, unauthorized parties do not have access to their customers' information." How is this carried out?

DPA compliance is not a one-time registration procedure. As with HIPAA, it is a process of continuing compliance. The law mandates:

  1. The appointment of a Data Protection Officer
  2. The conduct of a privacy impact assessment
  3. The creation of a privacy knowledge management program
  4. The implementation of a privacy and data protection policy
  5. The exercise of a breach reporting procedure

The DPA also requires that security be maintained through disposal. "Personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties." The law does not prescribe a method; each organization is free to choose its own, provided it can guarantee that the disposal leaves the information unrecoverable by unauthorized parties.

Source: The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012)

Rey Palmares

Writing should be one part informative and one part entertaining. It's what differentiates a generic piece of text from a well-written article. Rey Palmares dedicates much of his time to fine-tuning that craft, juggling the joys and frustrations of writing with those of his law school life outside of the office. He's making it work so far.