Compliance to Health Privacy Code/Joint AO No. 2016-0002

Pursuant to the state policy enshrined in the Constitution and Republic Act No. 10173 also

known as the Data Privacy Act of 2012 to provide quality health care to the Filipino people while protecting and promoting the right to privacy, the Cognitio+ commits to comply with the Health Privacy Code of Joint Administrative Order (AO) No. 2016-0002.

What is Health Privacy Code of Joint AO No. 2016-0002?

The Health Privacy Code of Joint Administrative Order No. 2016-0002, otherwise known as “Privacy Guidelines for the Implementation of the Philippine Health Information Exchange” otherwise known as “Privacy Guidelines for the Implementation of the Philippine Health Information Exchange” (Code). The said Code has prescribed the procedures and guidelines that ensure the protection of the privacy of a patient which applies to the PHIE system, Health Facilities, Health Care Providers, and any natural or juridical person involved in the processing of health information within the PHIE framework. Such Code was approved on January 20, 2016.


The Department of Health (DOH), in cooperation with the Department of Science and Technology (DOST), Philippine Health Insurance Corporation (PhilHealth), University of the Philippines-Manila (UPM) and the Commission on Higher Education (CHED), established the National eHealth Program (NeHP) that envisions widespread information-technology (IT)-enabled health services by 2020.


Guided by the Philippine eHealth Strategic Framework and Plan, one of the identified eHealth Project is the implementation of the Philippine Health Information Exchange (PHIE). The PHIE is the first major collaborative and convergence endeavor of the Health Cluster and represents the initial step towards the realization of the National eHealth vision.


The PHIE will enable electronic transmission of healthcare-related data among health facilities, health care providers, health information organizations and government agencies, in accordance with national standards. It will allow different applications to exchange data with each other without loss of semantics and will enable health facilities particularly rural health units, health centers, hospitals, DOH and PhilHealth to communicate with each other effectively and to collaborate with the health care providers in the care of the patients. The development and implementation of the PHIE will enable a patient’s medical or health information to follow the patient wherever health care services are provided. Health care providers will be able to exchange patient’s medical or health information securely to improve health care delivery and decision making.


What is medical privacy or health privacy?

It is the right to the protection of a person’s health information, which includes personal data, information about a patient’s condition as contained in medical records, and communications between healthcare provider and a patient.


What is personal information?

Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonable and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.


What is sensitive personal information?

Personal information:

(a) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(b) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(c) Issued by government agencies peculiar to an individual which includes but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;

(d) Specifically established by an executive order or an act of Congress to be kept classified.


How does Cognitio+ protect its customer’s data? /PHIPA Compliance Guide

A. Organizational Security Measures

  1. Policies and Procedures. Cognitio+ has its own privacy protocol. Its privacy and security policy documented, maintained and updated as appropriate. It has an established procedure that specify the individuals and positions that require access to health information in order to perform their functions and responsibilities, as well as the type of health information to which they need access.

  2. The Cognitio+ Team is well oriented, particularly those involved in information security, regarding their respective privacy and security policies. It has a clearly defined access rights and user roles among the team to ensure that only those people with the requisite authorization are able to access protected health information.

       2.1 For this purpose, the Chief Mental Health Officer issued a memorandum containing a list of its authorized personnel, and thereafter furnished the DOH                 central office a copy thereof.

  3. Cognitio+ performs a regular privacy and security audit.

  4. Contract/agreement with Partner Clinics and Mental Health Professionals. Cognitio+ has an agreement with each Partner Clinics and Mental Health                 

      Professionals which include:

     4.1 policy for document storage and disposal;

     4.2 data management process, including methods for tracking and controlling records (e.g.,dates and time stamps), the type of data sent and received, and the             individuals who have access to records;

     4.3 description of the privacy and security programs of partners; description of output reporting (e.g., electronically or in hard copy) that allows for the  viewing,             monitoring, and/or reconciling of data;

     4.4 periodic staff training in secure records-handling, and -providing, and appropriate document management tools;

     4.5 staff responsibilities for ensuring compliance and allocation of sufficient job time to the task; and communication requirements regarding control  deficiencies identified through internal or external sources. 

  5. Authorization and Document Retention. For identification and authorization purposes, the authorizing entity shall provide any of the following:

     5.1 biometrics

     5.2 specimen signature

     5.3 e-signature

           The document retention policy issued by the National Archives of the Philippines shall be followed. For archiving purposes, a PHCP can maintain an internal             archiving system or outsource such task to an archiving specialist.

  6. The Information Technology Personnel. Authorized personnel responsible for supporting implementation of security guidelines must adhere to the confidentiality        of medical records. They shall also be charged with the conduct of system-related functions such as, but not limited to, troubleshooting.

  7. The Medical Records Officer. The Medical Records Officer with the Privacy Officer has the authority to audit the patient’s shared health record of patients.


B. Physical Security

  1. Inventory of Information Technology Physical Devices. The Information Technology (IT) personnel of a PHCP maintain and update an inventory of all IT physical devices being used in C+. The inventory includes but not be limited to, on-premise server equipment, firewall and security devices, client workstations, network devices, mobile devices, biometric and authentication devices, as well as other present and future IT devices that may be relevant to the purposes of PHIE.

  2. Access to Physical Infrastructure. C+ defines the access system to its I.T. physical infrastructure and limit the same to authorized personnel only. Any special access to such infrastructure is documented thoroughly. Any unauthorized access shall also be documented and escalated to the appropriate decision-maker for further investigation and action.

      2.1 Server Access. C+ has a cloud server environment, or a combination of the two. Cloud technology is discussed separately under the cloud services section              this document.

      2.2 Computer Access. Pre-deployment site assessment was conducted prior to installation of computer workstations in C+. Computers are accessible to                        authorized personnel, in accordance with a role-based system access. Each user shall only have one account. A person requesting access to a computer                shall fill-out the prescribed request form. Anti-glare filters on computer monitors are installed. Apart from reducing glare, C+ also provide additional security              by preventing, or at least minimizing, unauthorized and/or accidental viewing of the computer screen.

       2.3 Computer Loss. In case of computer loss, the accounts in the computer system shall be reset and deactivated until it is retrieved or reported. The Data                     Protection Officer shall implement security incident procedures and contingency plans for such events.

   3. Bringing of devices outside Cognitio+ premises. Devices registered with the C+ shall not be brought outside its premises, unless the point of patient encounter         is outside C+ such as but not limited to the following scenarios: vaccinations, remote visits, and other similar or related community-oriented activities                         undertaken outside C+. Where devices are brought outside, proper documentation and security checks must be carried out. As a required minimum, the                   following security measures should be in place:

       a. Hard disk encryption

       b. Data encryption

       c. Wireless network

       d. Role-based access control

       e. Anti-virus software for vulnerable operating systems

       f.  Password-protected user access that complies with facility password policies of the health facilities.

       g. Encrypted portable devices such as, but not limited to, Flash Drives, secure digital (SD) card drives, rewritable compact discs (CDs), and other present and             future devices.

    4. Bring-your-own device (BYOD). Mobile and portable devices owned by the C+ personnel is allowed, but it strictly implements policies for the access,                        processing, storage, transmission and output of data, given their possible implications on patient privacy and health information security.

        4.1 Agreement. Prior to the use of a BYOD in the handling of health data and information, its owner has submitted a signed usage agreement.

        4.2 Training. BYOD users shall undergo annual security training.

        4.3 Configuration. The IT personnel of C+ established a mechanism that creates an audit trail of the system activity by the BYOD user, including log-in                              attempts, security incidents, and attempts to access files containing personally identifiable information. The mechanism shall also have a provision for                        remote access by the IT personnel, in such events that privacy of health data and information are compromised.

        4.4 Device Requirements. Before a BYOD is certified as being allowed for use when accessing health information, the privacy officer shall first approve a                        checklist of requirements, which shall, as a minimum, require that the device have the following:

              a. hard disk encryption.

              b. data encryption c. wireless network encryption

              d. role-based access control

              e. anti-virus software for vulnerable operating systems.

              f. password-protected user access that complies with facility password policies.

              g. encrypted portable devices such as but not limited to flash drives, secure digital (SD) card drives, rewritable CD, and other present and future devices.                  Mobile devices used for job responsibilities are subject to audits even if owned by an employee of the C+.

                Taking photos of patient data through the use of camera phones and bringing of unauthorized electronic devices such as cellular phones, laptops,                            tablets, and cameras inside the medical records area is prohibited.

     5. Business continuity and Disaster Recovery. C+ implements policies for business continuity and disaster recovery.

         5.1 Physical backup. A data backup plan has to be implemented to create and maintain exact copies of the system for handling health information. The                           backup medium must be defined, and the interval of backup stated. The backup must also be tested for data validity and integrity. Physical backups                         shall be encrypted and stored outside the health facility and additional physical security measures shall be in place for accessing and securing the                           physical backups. In the event of a disaster, the Data Protection Officer must have a protocol in place for data recovery and a disaster recovery team                         that can be organized within a short period of time.

         5.2 Business Continuity. Business continuity must be ensured even in the event of a disaster. The Data Protection Officer shall have identified a minimum set                   of data requirements for the maintenance of the processes of a health facility necessary for the delivery of services. The health facility shall also have the                   ability to transition from “emergency-mode” services, to full services. For this purpose, policies for encoding data outside the “full services” mode must be                 in place. Events that take place during disaster recovery and business continuity shall be documented and reviewed. Updates implemented according to                 best practices and lessons learned during nthe disaster period.


C. Technical Safeguards

    1. Access Controls. Technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access              only to persons or software programs that have been granted access rights:

       1.1 Information Access Management (Required)

            (a) Isolating health care clearinghouse functions (Required). If a healthcare clearinghouse is part of a larger organization, the clearinghouse shall implement                    policies and procedures that protect the electronic protected health information from unauthorized access by a larger organization.

            (b) Access authorization (Addressable). Policies and procedures for granting access to electronic health information, such as those that relate to                                      workstation access, transaction, program, process, and/or other mechanisms shall be implemented by the PHCP. Guidelines on the access to health i                        information are provided on Article III of this Code.

            (c) Access establishment and modification (Addressable). Policies and procedures of an establishment, including those that relate to the documentation,                       review and modification of a user’s rights to workstation access, transaction, program or process shall be implemented based on the access                                       authorization policy of the data controller and/or data processor.

       1.2  User Identification (Required). A process for unique user identification shall be made within the policy and procedure of the PHCP.

            (a) There shall be a user name and/or number for identifying user identity throughout all levels of the organization.

            (b) User identity shall not be shared, delegated or assigned to a group or individual.

            (c) User identity that was previously used shall not be reused for new and/or existing users.

       1.3  Emergency Access Procedure (Required). Procedures for obtaining necessary electronic health information during an emergency.

            (a) The PHCP shall identify, define, and describe the situations when emergency access to health information may be authorized.

            (b) Personnel who are authorized to access health information during emergency situations must be identified.

            (c) Procedures for obtaining necessary health information during emergency situations shall be established and implemented.

            (d) Policies and procedures for governing access to health information shall be established.

       1.4 Automatic Log-off (Addressable). Electronic procedures that terminate and electronic session after a predetermined time of inactivity.

            (a) A policy and procedure regarding the use of automatic log-off shall be created.

            (b)  A predetermined time shall be documented within the policy based on the application.

       1.5 Encryption and Decryption (Addressable). The method of converting an original message of regular text into encoded text using an algorithm.

            (a)  For encryption in transit, the standard security technology shall be SSL (Secure Sockets Layer).

            (b)  Minimum standard requirement for encryption shall be AES (Advanced Encryption Standard) 128.

            (c)   For encryption in storage, the standard shall be TKE (Trusted Key Entry).

       1.6. Multi-factor Authentication (Addressable). For systems that have been identified as having significant risks (e.g. servers, unified threat management),                        policy, operational, and technical mechanisms that use multi-factor authentication shall be put in place.

   2. Audit Controls. Relative to a particular computer system, there shall be a record of those who have access thereto, when it was accessed and what operations         were performed.

       2.1 Recording of Information (Required). Recorded information must include, but is not limited to, unique user identified, data and time of use/access, location                (if applicable).

       2.2 Audit Data Life Span (Addressable). The PHCP shall establish a policy that specifies the period within which data must be stored, and the method for its                   destruction or disposal.

       2.3 Access to Audit Data (Addressable). The Medical Records Officer alongside with the Data Protection Officer shall be authorized to audit the shared health                 record.

   3. Integrity Controls. Protection of Health Information from improper alteration or destruction.

       3.1 Mechanism to Authenticate Electronic Health Information (Addressable). There shall be a mechanism in place that confirms that electronic health.                               information has not been altered or destroyed in an unauthorized manner.

       3.2 Digital Signatures (Required). Digital signatures shall be used to verify the authenticity of the entry in an electronic system.

       3.3 Sum Verification (Required). Sum verification shall be used to determine if the input data matches source data.

       3.4 Anti-virus Software (Required). Computers shall have an industry-standard anti-virus software with its automatic update feature turned on. The software                     shall be configured regularly and shall automatically download updates to ensure its ability to address the latest threats.

       3.5  Data Storage Encryption (Required). Data storage and transmission shall be encrypted. For websites, https encryption shall be used. Article VII, section                    1.5 provides standards for encryption and decryption.

       3.6 Transmission Encryption (Required). Data transmission via wireless networks or the internet shall always be encrypted.

       3.7 Proper Handling of Mechanical Components (Addressable). Users of electronic systems shall be trained on the proper use and handling of central                             processing units (CPUs), servers, flash drives, and external hard drives.

       3.8 Offline Modes and Caching (Addressable). Electronic systems shall have online and offline modes.

       3.9 Interface Integration of Information Systems (Addressable). Data transmission from electronic medical records shall follow a standard for integration and                   interfacing in order to facilitate interoperability and data compatibility.

   4. Transmission Security. Technical security measures to guard against unauthorized access to electronic health information that is being transmitted over an                 electronic communications network shall be implemented.

   5.  Identity Authentication. Procedures necessary to verify the identity of a person or entity seeking access to electronic health information is the one claimed shall          be implemented.

   6.  Storage Security. Data stored in a portable data storage device (e.g. flash drive, portable hard drives, etc.) and/or in cloud storage services (e.g. Dropbox,               OneDrive, Google Drive, etc.) must be encrypted.



Additional Resources

Health Privacy Code Specifying the Joint A.O. No. 2016-0002

Republic Act 10173 - Data Privacy Act of 2012

Data Privacy Act by Ivy D. Patdu,, MD, JD, of National Privacy Commission

Data Protection Standards for Mental Health Records by Kathleen Benavidez



Updated: October 14, 2020