ST.

DOMINIC SAVIO COLLEGE

S.Y. 2018 - 2019
Health Assessment
(Bill of Rights and Data Privacy Act)

Bill of Rights

1. The patient has the right to considerate and respectful care.

2. The patient has the right to and is encouraged to obtain from physicians and other direct
caregivers relevant, current, and understandable information concerning diagnosis,
treatment, and prognosis.
Except in emergencies when the patient lacks decision-making capacity and the need for
treatment is urgent, the patient is entitled to the opportunity to discuss and request
information related to the specific procedures and/or treatments, the risks involved, the
possible length of recuperation, and the medically reasonable alternatives and their
accompanying risks and benefits.
Patients have the right to know the identity of physicians, nurses, and others involved in
their care, as well as when those involved are students, residents, or other trainees. The
patient also has the right to know the immediate and long-term financial implications of
treatment choices, insofar as they are known.
3. The patient has the right to make decisions about the plan of care prior to and during the
course of treatment and to refuse a recommended treatment or plan of care to the extent
permitted by law and hospital policy and to be informed of the medical consequences of
this action. In case of such refusal, the patient is entitled to other appropriate care and
services that the hospital provides or transfer to another hospital. The hospital should
notify patients of any policy that might affect patient choice within the institution.
4. The patient has the right to have an advance directive (such as living will, health care
proxy, or durable power of attorney for health care) concerning treatment or designating a
surrogate decision maker with the expectation that the hospital will honor the intent of
that directive to the extent permitted by law and hospital policy. Health care institutions
must advise patients of their rights under state law and hospital policy to make informed
medical choices, ask if the patient has an advance directive, and include that information
in patient records. The patient has the right to timely information about hospital policy
that may limit its ability to implement fully a legally valid advance directive.
5. The patient has the right to every consideration of privacy. Case discussion, consultation,
examination, and treatment should be conducted so as to protect each patient's privacy.
6. The patient has the right to expect that all communications and records pertaining to
his/her care will be treated as confidential by the hospital, except in cases such as
suspected abuse and public health hazards when reporting is permitted or required by
law. The patient has the right to expect that the hospital will emphasize the

Submitted by: Juliene Hannah V. Flores Submitted to: Marilyn M. Santos, Ph.D.
 confidentiality of this information when it releases it to any other parties entitled to
review information in these records.
7. The patient has the right to review the records pertaining to his/her medical care and to
have the information explained or interpreted as necessary, except when restricted by
law.
8. The patient has the right to expect that, within its capacity and policies, a hospital will
make reasonable response to the request of a patient for appropriate and medically
indicated care and services. The hospital must provide evaluation, service, and/or referral
as indicated by the urgency of the case. When medically appropriate and legally
permissible, or when a patient has so requested, a patient may be transferred to another
facility. The institution to which the patient is to be transferred must first have accepted
the patient for transfer. The patient must also have the benefit of complete information
and explanation concerning the need for, risks, benefits, and alternatives to such a
transfer.
9. The patient has the right to ask and to be informed of the existence of business
relationships among the hospital, educational institutions, other health care providers, or
payers that may influence the patient's treatment and care.
10. The patient has the right to consent to or decline to participate in proposed research
studies or human experimentation affecting care and treatment or requiring direct patient
involvement, and to have those studies fully explained prior to consent. A patient who
declines to participate in research or experimentation is entitled to the most effective care
that the hospital can otherwise provide.
11. The patient has the right to expect reasonable continuity of care when appropriate and to
be informed by physicians and other caregivers of available and realistic patient care
options when hospital care is no longer appropriate.
12. The patient has the right to be informed of hospital policies and practices that relate to
patient care, treatment, and responsibilities. The patient has the right to be informed of
available resources for resolving disputes, grievances, and conflicts, such as ethics
committees, patient representatives, or other mechanisms available in the institution. The
patient has the right to be informed of the hospital's charges for services and available
payment methods.
 Data Privacy Act
In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict privacy
legislation “to protect the fundamental human right of privacy, of communication while ensuring
free flow of information to promote innovation and growth.” (Republic Act. No. 10173, Ch. 1,
Sec. 2). This comprehensive privacy law also established a National Privacy Commission that
enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final
implementing rules and regulations came into force, adding specificity to the Privacy Act.

Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process personal
information, with some exceptions. The law has extraterritorial application, applying not only to
businesses with offices in the Philippines, but when equipment based in the Philippines is used
for processing. The act further applies to the processing of the personal information of
Philippines citizens regardless of where they reside.
One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign jurisdictions
— an exception helpful for Philippines companies that offer cloud services.

Approach
The Philippines law takes the approach that “The processing of personal data shall be allowed
subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and legitimate
purpose” and further provides that consent is required prior to the collection of all personal data.
It requires that when obtaining consent, the data subject be informed about the extent and
purpose of processing, and it specifically mentions the “automated processing of his or her
personal data for profiling, or processing for direct marketing, and data sharing.” Consent is
further required for sharing information with affiliates or even mother companies.
Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However, processing does
not always require consent.
Consent is not required for processing where the data subject is party to a contractual agreement,
for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation
upon the data controller, protection of the vital interests of the data subject, and response to a
national emergency are also available.
An exception to consent is allowed where processing is necessary to pursue the legitimate
interests of the data controller, except where overridden by the fundamental rights and freedoms
of the data subject.
Required agreements
The law requires that when sharing data, the sharing be covered by an agreement that provides
adequate safeguards for the rights of data subjects, and that these agreements are subject to
review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

 About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
 About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding or any offense committed or alleged to have committed;
 Issued by government agencies “peculiar” (unique) to an individual, such as social
security number;
 Marked as classified by executive order or act of Congress.
All processing of sensitive and personal information is prohibited except in certain
circumstances. The exceptions are:
 Consent of the data subject;
 Pursuant to law that does not require consent;
 Necessity to protect life and health of a person;
 Necessity for medical treatment;
 Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must develop,
implement and review procedures for the collection of personal data, obtaining consent, limiting
processing to defined purposes, access management, providing recourse to data subjects, and
appropriate data retention policies. These requirements necessitate the creation of a privacy
program. Requirements for technical security safeguards in the act also mandate that an entity
have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the principles of
notice, choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be forgotten” in the form of a right to erasure
or blocking, where the data subject may order the removal of his or her personal data from the
filing system of the data controller. Exercising this right requires “substantial proof,” the burden
of producing which is placed on the data subject. This right is expressly limited by the fact that
continued publication may be justified by constitutional rights to freedom of speech, expression
and other rights.
Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.

A right to data portability is also provided.

Mandatory personal information breach notification
The law defines “security incident” and “personal data breach” ensuring that the two are not
confused. A “security incident” is an event or occurrence that affects or tends to affect data
protection, or may compromise availability, integrity or confidentiality. This definition includes
incidents that would result in a personal breach, if not for safeguards that have been put in place.
A “personal data breach,” on the other hand, is a subset of a security breach that actually leads to
“accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise processed.

Requirement to notify
The law further provides that not all “personal data breaches” require notification., which
provides several bases for not notifying data subjects or the data protection authority. Section 38
of the IRRs provides the requirements of breach notification:
 The breached information must be sensitive personal information, or information that
could be used for identity fraud, and
 There is a reasonable belief that unauthorized acquisition has occurred, and
 The risk to the data subject is real, and
 The potential harm is serious.
The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as well as
affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.
It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By the law,
this would appear to be a gamble.

Notification contents
The contents of the notification must at least:
 Describe the nature of the breach;
 The personal data possibly involved;
 The measures taken by the entity to address the breach;
 The measures take to reduce the harm or negative consequence of the breach;
 The representatives of the personal information controller, including their contact details;
 Any assistance to be provided to the affected data subjects.