Since the Health Insurance Portability and Accountability Act (HIPAA) is limited in applicability to US territory, the healthcare industry is constrained from exploring outsourcing manpower. Overseas companies outsourcing to the US are all too difficult to be held accountable for data breaches. Even India, one of the world’s foremost providers of outsourcing, is yet to pass its own law on data privacy.
In the Philippines, legislature has adopted the HIPAA model and passed RA 10173 entitled the Data Privacy Act (DPA) in 2012. While patterned loosely after HIPAA, here are some prominent features in the Philippines’ DPA.
The DPA “protects individuals from unauthorized processing of personal information that is (1) private, not publicly available; and (2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information.” From that standpoint, the DPA attempts to cover the entirety of data privacy – not just healthcare information. It only limits its scope to what is considered private information that is identifiable with the person of the individual. This limitation protects agencies handling information from frivolous suits.
“Personal information must be collected for reasons that are specified, legitimate, and reasonable…. [individuals] must opt in for their data to be used for specific reasons that are transparent and legal.” This approach to information protection actively involves the individual who owns the information. Agencies cannot act without the express approval of the information owners – and are liable for damages and jail time should they do so.
Further, after opting into any sort of business involving information, the law decrees the level of diligence required in managing that information: “These agencies must be active in ensuring that other, unauthorized parties do not have access to their customers’ information.” How is this conducted?
DPA compliance is not a one-time registration procedure. Similar to HIPAA, it is a process of continuous concurrence. The law mandates:
- The appointment of a Data Protection Officer
- The conduct of a privacy impact assessment
- The creation of a privacy knowledge management program
- The implementation of a privacy and data protection policy
- And the exercise of a breach reporting procedure
The DPA also provides for security even after disposal. “Personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties.” As to the methods, the different agencies have freedom to do so based on a guaranty that the disposal is the most secure.
Latest posts by Rey Palmares (see all)
- Iloilo City: From Textiles to BPO Services - June 28, 2019
- The ASEAN Mutual Recognition Arrangement on Medical Practitioners and its Impacts - June 3, 2019
- The Mangoes of Guimaras - May 24, 2019