THIS POLICY DESCRIBES HOW YOUR PERSONAL HEALTH INFORMATION MAY BE USED AND DISCLOSED. PLEASE REVIEW THIS NOTICE CAREFULLY. IF YOU HAVE ANY QUESTIONS, PLEASE EMAIL email@example.com WITH THE SUBJECT DATA PRIVACY.
This notice explains in general terms the purposes, and legal bases, for the processing of the typical examples of personal and sensitive personal information that Eyecare Deluxe collects from its personnel, the measures in place to protect data privacy, and the right to access and correct the same.
Under the DPA, personal information may be processed (e.g., collected, used, stored, disclosed): (1) with the consent of the data subject; (2) pursuant to a contract with the data subject; (3) when it is necessary in order for Eyecare Deluxe to comply with a legal obligation; (4) to protect vitally important interests including life and health; (5) in order to respond to a national emergency; (6) to comply with the requirements of public order and safety; (7) to comply with the requirements of a public authority; or (8) pursuant to the legitimate interests of Eyecare Deluxe or a third party, except where such interests are overridden by the data subject’s fundamental rights.
Sensitive personal information (e.g., age, birthdate, civil status, ocular and medical history), may be processed: (1) with the consent of the data subject; (2) when such is allowed by laws and regulations, and such regulatory enactments provide for the protection of such information, and the consent of the data subject is not required. Processing may also be done when needed for the protection of lawful rights and interests of natural or legal persons in court proceedings, and for the establishment, exercise or defense of legal claims, or where provided to government or public authority.
Eyecare Deluxe is committed to complying with the Data Privacy Act of (DPA) http://www.officialgazette.gov.ph/2012/08/15/republic-act-no-10173/ in order to protect the right to data privacy of Eyecare Deluxe patients (the data subject).
This Policy describes the manner in which Eyecare Deluxe may collect, hold, use, share, and discard the above-mentioned information. By availing of the services provided by ED, you signify your acceptance of this policy and terms of service. Your continued availment of the services of ED following the posting of changes to this policy will be deemed your acceptance of those changes.
Your personal information will be available to all health care, allied health professionals, staff, and industry partners and consultants who need access as described in this Policy, many of whom will be involved in your treatment.
As part of our commitment to maintaining the confidentiality of your care, Eyecare Deluxe will share your information only to the extent necessary to ensure your treatment, conduct our professional operations, collect payment for the services we provide you, and comply with the laws that govern health care. While we may need your personal information for other purposes, we will not use or disclose your information without your permission.
Definition of Terms
“Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;
“Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
“Data sharing” is the disclosure or transfer to a third party of personal data under the custody of Eyecare Deluxe.
“Personal data” refers to all types of personal information;
“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
“Sensitive personal information” refers to personal information:
About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
Specifically established by an executive order or an act of Congress to be kept classified.
“Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;
“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
“Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
“Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place;
This Policy pertains to all individuals, staff, doctors, and industry partners of Eyecare Deluxe who have access to, use, or disclose protected health information. The Policy is administered by the Data Privacy Officer. It is intended to serve as a foundation for privacy practices of ED. Divisions, departments, or units within ED may impose privacy safeguards in addition to those required by this policy and procedure.
Processing of Health Information
This section describes ways that Eyecare Deluxe uses and discloses health information. It does not list every possible use or disclosure, but the ways your information may be used and disclosed fall into the following categories:
Treatment and Communication
Billing and Collection
Health Care Processes and Professional Services
Legal Compliance and Health-Related Services
Research and Training
Collection, Use and Disclosure
Treatment and Communication
Your health information is used to provide you with medical treatment or services. We may use and share health information about you with staff, doctors, and industry partners and interns or other ED personnel involved in your care. We may also disclose your health information to providers not affiliated with ED to facilitate care or treatment they provide you. These include other doctors and allied health professionals outside Eyecare Deluxe who are involved in your care.
Electronic exchange of health information helps ensure better coordination of care. The doctors and staff of Eyecare Deluxe utilize digital technology in order to facilitate quicker and prompt referrals within the eyecare team. They may use messaging platforms such as SMS, emails, Viber, Telegram, and other similar services in order to communicate with the team. Alternatively, you may request a copy of your results. Upon your request, we may send your results to you or your authorized representative. We may also use and disclose health information to contact you as a reminder that you have an appointment for care at Eyecare Deluxe. We will communicate with you using the information (such as telephone number, cellphone number, and email address) that you provided us.
Unless you notify us to the contrary, we may use the contact information you provide to communicate general information about your care such as appointment location, date and time, as well as for patient experience and satisfaction surveys.
Billing and Collection
We may use and disclose your personal and health information to confirm, bill and receive payment for eyecare services that we or others provide to you. This includes submission of your health information to receive payment from Philhealth, your health maintenance organization (HMO), insurance company, or other party that pays for some or all of your health care or to verify that your payor will pay for your health care. We may also tell your payor about a treatment you are going to receive to determine whether your payor will cover the treatment. For certain services, if your permission is needed to release health information to obtain payment, you will be asked for permission.
In cases of non-payment, your personal and health information will be sent to legal services for collection purposes who may conduct credit investigations and send demand letters to collect payment for services rendered to you.
Health Care Processes and Professional Services
We may use and disclose health information for health care operations. This includes functions necessary to run Eyecare Deluxe and assure that all patients receive quality care. We may also share your information with affiliated health care providers so that they may jointly perform certain business operations along with ED. We may combine health information about many of our patients to improve on the services being offered, to determine what services are no longer needed and to assess whether certain treatments are effective.
We may share information with doctors, staff, interns, and industry partners or other ED personnel to ensure quality assurance and compliance with standards of care. We may also compare the health information we have with information from other clinics to see where we can improve the care and services we offer. In these instances, Eyecare Deluxe will work to anonymize, mask, encrypt or de-identify your personal and health information as much as possible.
The clinic contracts with outside entities such as government entities, billing companies, management consultants, quality assurance reviewers, accounting or legal firms. In certain circumstances, we may need to share your health information with a business associate so it can perform a service on our behalf.
Legal Compliance and Health-Related Services
We may disclose your information to other appropriate entities for activities authorized by law such as audits, investigations, inspections, and licensure.
When necessary to prevent a serious threat to your health and safety or the health and safety of others, we may use and disclose certain information about you. Such disclosure will only be to someone able to prevent or respond to the threat, such as law enforcement, or a potential victim.
We may also use or disclose health information about you when required to do so for other reasons not specifically mentioned in this Policy.
Research and Training
As an affiliated internship and training facility of the Mindanao Medical Foundation College of Optometry, optometry students and interns may use and access your information. We will have a data sharing agreement or written contract in place with MMFC requiring protection of the privacy and security of your health information.
Being a training ground for future optometrists, your health information may be used and disclosed in training and education.
Other uses and disclosures
Eyecare Deluxe does not require prior consent or authorization in the disclosure of your health information in the following instances:
Public Health Activities
To prevent or control disease, injury or disability;
To report the abuse or neglect of children, elders and dependent adults;
To report reactions to medications or problems with products;
To notify you of the recall of products you may be using;
To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
To notify the appropriate government authority if we believe you have been the victim of abuse, neglect or domestic violence; we will only make this disclosure when required or authorized by law;
To notify the Department of Health and other appropriate government entities when you seek treatment at The Medical City for certain diseases or conditions required to be reported by law.
Disputes and Lawsuits
To ensure the quality of care you receive while seeking treatment at Eyecare Deluxe, we may access and disclose your health information if you have concerns or complaints regarding your medical management at Eyecare Deluxe. We may also access and disclose your health information if you bring a lawsuit against ED, its officers, doctors, and other employees.
If you are involved in a lawsuit, we may disclose health information about you in response to a court or administrative order or in response to a subpoena, legally enforceable discovery request, or other lawful process by someone else involved in the dispute.
Storage, Security, Retention and Destruction
Eyecare Deluxe will ensure that personal and health information under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. ED will implement appropriate security measures in storing collected personal and health information. All health information gathered and kept in medical records shall be retained for as long as the patient regularly seeks treatment at the institution. Hard copies of medical records more than five (5) years old shall be kept at a secure off-site facility. After an inactive period of five (5) years from the last consult or follow-up, hard copies of medical records shall be brought to an appropriate facility for melting and destruction with secure protocols in place. Electronic copies of medical records shall be retained for a similar period.
Rights Relating to your Health Information
Reasonable access to your health information
Request a correction to your personal information
An accounting of hospital disclosures of your health information
Request restrictions on certain uses and disclosures of your health information
You have the right to be informed that your personal and health information will be, are being, or were, collected and processed. You have the right to be informed of the purposes for which they will be, are being, or were processed and the duration for which the information will be kept.
Reasonable Access of your Health Information
You have the right to obtain a copy of your pertinent health information. The medical information available to you is the following:
Eye and Vision Tests and Ophthalmic Diagnostic Test Results
To request a copy of your medical records, pay the standard rates of the tests and procedures.
Request a Correction to your Personal Information
If you believe that the personal information Eyecare Deluxe has on file about you is incorrect or incomplete, you may ask us to correct the personal information in your records. If your personal information is accurate and complete, or if the information was not created by Eyecare Deluxe, we may deny your request. If we deny any part of your request, we will provide you with a written explanation of our reasons for doing so. Requests to make a correction to your records must be in writing and must describe each item that you want changed and the reason you are requesting the change. We may require additional documentation from you or your authorized representative as proof before processing your request.
Request Restrictions on Certain Uses and Disclosures of Your Medical Information
You have the right to request reasonable restrictions on certain uses or disclosures of your personal and health information. Requests for restrictions must be in writing. In most cases, we are not required to agree to your requested restriction. However, if we do agree, we will comply with your request unless the information is needed to provide your treatment or comply with the law.
Some examples of restriction requests that the Hospital cannot honor include:
Requests to restrict interns from accessing your medical information.
Requests restricting the clinic from giving your name to any third party that will be asked to pay a portion of your bill.
Requests restricting the clinic from reporting your identity and condition to an agency or organization where the clinic is required by law to do so.
INQUIRIES AND COMPLAINTS
The confidentiality of your health information is a significant part of the care we provide to you. For matters relating to the processing of your protected health information or if you believe that your privacy rights have been violated, you may file a written complaint with our Data Privacy Officer.
ED respects the right of every individual to lodge a complaint before the National Privacy Commission provided that they first exhaust administrative remedies by filing a request with the proper offices or a complaint with the proper Data Protection Officer (DPO) regarding the processing of information or the handling of requests for access, correction, blocking of the processing of personal data, and other complaints.
All measures shall be exhausted to resolve complaints amicably between Eyecare Deluxe and the patient. If such dispute cannot be amicably settled within thirty (30) days from receipt by one party of notice sent by the other party, then such dispute shall be finally settled by arbitration conducted in accordance with Republic Act No. 876, otherwise known as the Arbitration Law, in conjunction with Republic Act No. 9285, otherwise known as the Alternative Dispute Resolution Act of 2004. The costs and expenses for the arbitration, including the arbitrator’s fees, shall be allocated to the party determined to have been at fault or in breach of this agreement or otherwise responsible for the cause of the dispute. The venue of arbitration shall be in the PDRCI office in Davao City, Philippines, to the exclusion of all other venues.