DATA PRIVACY ACT

Question 1

What is included in a patient’s clinical record?

Answer 1

● Patient’s medical history
● Results of examinations
● Records of treatment
● Copies of diagnostic examinations
● Notation of all instructions given
● Copies of all prescriptions and notes on refill
authority
● Documentation of informed consent
● Any other pertinent data

Question 2

What are the uses of a patient’s clinical record?

Answer 2

● To provide the best medical care
● To supply statistical information
● To provide legal protection

Question 3

What are the steps to correct a handwritten entry on a record?

Answer 3

● Draw a line through the error
● Insert the correction above or immediately following
the statement
● In the margin, write “CORRECTION”, your initials,
and the date

Question 4

Why should correction fluid or tape not be used on medical records?

Answer 4

“There might be a superimposition on top of another correction.”

Question 5

Who owns hospital records?

Answer 5

“The hospital owns hospital records.”

Question 6

Why does the hospital own the original copy of records?

Answer 6

“The hospital owns it because they paid for the paper the ink, the storage etc.

Question 7

What is privileged communication in medical records?

Answer 7

“It ensures that the privacy of the patient’s record is protected unless waived by the patient or their authorized representative.”

Question 8

How long are hospital records stored?

Answer 8

“Legally there is no specific duration

Question 9

Under what circumstances are medical records admissible in court?

Answer 9

“When the entrant is not available to testify

Question 10

What type of subpoena requires medical records?

Answer 10

“Subpoena duces tecum.”

Question 11

Who has access to medical records?

Answer 11

“The hospital

Question 12

Can a patient possess the original medical records?

Answer 12

“No

Question 13

What are the types of medical records?

Answer 13

“Hospital medical records and physician’s private office records.”

Question 14

What can result from failure to maintain accurate and complete medical records?

Answer 14

“It can constitute medical malpractice.”

Question 15

What is the best evidence rule in documentary evidence?

Answer 15

“The original copy is the most reliable evidence.”

Question 16

What is the Data Privacy Act (RA No. 10173)?

Answer 16

“An act protecting individual personal information in information and communications systems and creating the National Privacy Commission.”

Question 17

What is the right to be informed under RA 10173?

Answer 17

“The right to be informed when personal data is collected

Question 18

What is the right to access under RA 10173?

Answer 18

“The right to know if an organization holds personal data and to obtain reasonable access to it

Question 19

When can you exercise the right to object to data processing?

Answer 19

“When processing is based on consent or legitimate interest unless required by subpoena

Question 20

What is the right to erasure or blocking?

Answer 20

“The right to suspend

Question 21

What is the right to damages under RA 10173?

Answer 21

“The right to claim compensation for damages due to inaccuracies

Question 22

Who can file a complaint with the National Privacy Commission (NPC)?

Answer 22

“Anyone who feels their data privacy rights have been violated

Question 23

What is the right to rectification under RA 10173?

Answer 23

“The right to correct inaccuracies or errors in personal data

Question 24

What is the right to data portability?

Answer 24

“The right to move

Question 25

What is the transmissibility of data subject rights?

Answer 25

“The ability to assign data privacy rights to a legal assignee or heir

Question 26

When do the limitations of data subject rights apply?

Answer 26

“When data is used solely for scientific/statistical research or investigations of criminal

Question 27

What is a Data Subject in the context of the Data Privacy Act?

Answer 27

An individual whose personal information is being processed, such as patients.

Question 28

Who is the Personal Information Controller?

Answer 28

The person or organization who controls the collection, holding, processing, or use of personal information, such as hospitals or physicians.

Question 29

Who is the Personal Information Processor?

Answer 29

A natural or juridical person to whom the Personal Information Controller may outsource data processing, such as third-party apps or EMR systems.

Question 30

What are the three principles of data privacy?

Answer 30

Transparency, Legitimate Purpose, and Proportionality.

Question 31

What is the policy of the State under the Data Privacy Act?

Answer 31

To protect the fundamental human right of privacy of communication while ensuring free flow of information for innovation and growth.

Question 32

What defines Personal Information under the Data Privacy Act?

Answer 32

Information that identifies an individual, such as name, ID numbers, or contact details.

Question 33

What is De-identification in the context of data privacy?

Answer 33

Removing personal information to prevent identification of an individual, such as excluding names and specific geographic data.

Question 34

What are examples of Sensitive Personal Information?

Answer 34

Information about race, ethnicity, marital status, health, education, and government-issued IDs.

Question 35

Does the Data Privacy Act apply to personal information collected for journalistic purposes?

Answer 35

No, it does not apply to personal information processed for journalistic, artistic, literary, or research purposes.

Question 36

What is considered Privileged Information?

Answer 36

Confidential communications, such as between husband and wife, attorney and client, or doctor and patient.

Question 37

What are the requirements for Personal Information collection?

Answer 37

It must be for specified and legitimate purposes, processed fairly and lawfully, and accurate and relevant.

Question 38

How long should personal information be retained?

Answer 38

Only as long as necessary for its purpose or for legal claims, or as provided by law.

Question 39

What is the Right to Privacy as described in the Hippocratic Oath?

Answer 39

The commitment to keep secret anything seen or heard professionally or privately that ought not to be divulged.

Question 40

What is the role of a physician regarding patient data protection?

Answer 40

To ensure privacy and security of patient information and avoid unnecessary disclosure.

Question 41

What should a prescription pad include under the Data Privacy Act?

Answer 41

Physician’s name, specialty, clinic hours, and contact number for clarifications.

Question 42

What is the burden of proof under the Data Privacy Act?

Answer 42

It lies with the data processor or party claiming the act’s non-applicability.

Question 43

What are examples of Personal Information identifiers?

Answer 43

Name, social security number, medical record number, and biometric data.

Question 44

What is the purpose of de-identification in medical records?

Answer 44

To protect patient privacy by removing or anonymizing identifying details.

Question 45

What is the difference between Personal Information and Sensitive Personal Information?

Answer 45

Personal Information identifies an individual, while Sensitive Personal Information includes data like race, health, or government IDs.

Question 46

What is the importance of consent in data collection?

Answer 46

Personal data cannot be collected, processed, or stored without explicit consent unless provided by law.

Question 47

What is the Right to Data Portability?

Answer 47

The right to obtain and securely transfer personal data for further use.

Question 48

What does the principle of Proportionality in data privacy mean?

Answer 48

Data collected should not be excessive and must be adequate for its purpose.

Question 49

Can a patient access their own medical record under the Data Privacy Act?

Answer 49

Yes, but they may only obtain a certified true copy, not the original.

Question 50

What is considered the Best Evidence Rule for personal data?

Answer 50

The original copy of a document is the most reliable evidence.

Question 51

How should errors in medical records be corrected under the Data Privacy Act?

Answer 51

Draw a line through the error, write the correction above, and annotate with ‘Correction,’ your initials, and the date.

Question 52

Does the Data Privacy Act apply to public officials’ employment information?

Answer 52

No, it excludes information related to their position, salary, and responsibilities.

Question 53

What is the penalty for violating patient privacy?

Answer 53

Liability for damages or other penalties depending on the nature of the violation.

Question 54

What is the Right to Erasure or Blocking under the Data Privacy Act?

Answer 54

The right to request removal, blocking, or destruction of incomplete, outdated, or unlawfully obtained data.

Question 55

What is the role of hospitals as Personal Information Controllers?

Answer 55

To collect, use, and store patient data while ensuring compliance with data privacy laws.

Question 56

What are the three General Data Privacy Principles?

Answer 56

Transparency, Legitimate Purpose, and Proportionality.

Question 57

What does Transparency in data privacy entail?

Answer 57

The data subject must be aware of the nature, purpose, and extent of the processing of their personal data, including risks, safeguards, identity of the personal information controller, their rights, and how these can be exercised.

Question 58

What is the principle of Legitimate Purpose?

Answer 58

The processing of information must be compatible with a declared and specified purpose and must not be contrary to law, morals, or public policy.

Question 59

When is consent required for processing personal data?

Answer 59

Consent is required for training purposes, research (in general), publication, disclosure of data to anyone other than the patient, marketing purposes, and sharing data with affiliates or mother companies.

Question 60

When is consent NOT required for processing personal data?

Answer 60

Consent is not required in emergencies, for medical treatment, for generating statistical data, or when reporting is mandated by law or regulation.

Question 61

What is the core idea of the Proportionality principle in data privacy?

Answer 61

The processing of information must be adequate, relevant, suitable, necessary, and not excessive in relation to its purpose.

Question 62

What security measures are essential when processing personal data?

Answer 62

Ensuring physical security, technical measures to protect data confidentiality, maintaining data integrity, and ensuring data is accessible only when needed.

Question 63

What is data processing?

Answer 63

Data processing involves the collection, storage, usage, access, transfer, and even the destruction of data.

Question 64

What must establishments with CCTV do to comply with data privacy laws?

Answer 64

They must display signage informing individuals that they are being recorded in real-time.

Question 65

Why is taking pictures of data records prohibited?

Answer 65

To ensure the confidentiality and security of sensitive information.

Question 66

What penalty did Huping Zhou face for unauthorized access to medical records?

Answer 66

He was sentenced to four months in prison and fined $2,000.

Question 67

What precautions should be taken when posting pictures of patients online?

Answer 67

Obtain explicit consent, explain the purpose, and ensure the patient understands how the photos will be used.

Question 68

How should examination records be properly disposed of?

Answer 68

By shredding them to prevent unauthorized access or misuse.

Question 69

What happened in the medical group fined $140K for improper disposal of health records?

Answer 69

They discarded records of over 67,000 residents in a public dump without shredding or redacting them, exposing sensitive data.

Question 70

What does the Rare Diseases Act (2015) require regarding patient data?

Answer 70

Healthcare practitioners must report diagnosed cases to the Rare Disease Registry while protecting patient privacy as per NIH guidelines.

Question 71

What is the key rule for consent according to data privacy laws?

Answer 71

If it’s not clear, it’s not consent.

Question 72

What is required of a Data Protection Officer (DPO)?

Answer 72

They must have specialized knowledge and demonstrate reliability in privacy policies, data processing operations, and sector-specific practices.

Question 73

Give an example of data processing misuse during storage.

Answer 73

Allowing unauthorized access to records rooms or data centers.

Question 74

What are the penalties for improperly accessing confidential data?

Answer 74

Penalties can include fines and prison sentences, as seen in the case of unauthorized celebrity record access.

Question 75

What principle should guide the collection of personal data?

Answer 75

Collect only what is necessary and ensure the purpose is clear and legitimate.

Question 76

What is the purpose of anonymizing patient data?

Answer 76

To prevent linkage to an individual’s identity by separating data from direct identifiers.

Question 77

What is pseudonymization in data privacy?

Answer 77

The separation of data from direct identifiers so linkage to an identity is not possible without additional information held separately.

Question 78

Why should initials not be used to anonymize patient data?

Answer 78

Initials can still identify a patient’s identity.

Question 79

What should a privacy notice include?

Answer 79

Details on what personal data is collected, why it is processed, how it is handled, who processes it, and the rights of data subjects.

Question 80

What are the key principles of data processing in a privacy notice?

Answer 80

Transparency, Legitimate Purpose, and Proportionality.

Question 81

What should be reviewed in consent forms?

Answer 81

The inclusion of consent for training, research, confidentiality measures, and data use in training institutions.

Question 82

Why is a record of processing activities important?

Answer 82

To document the basis of processing, track processes, and ensure compliance.

Question 83

What is the purpose of a risk assessment cycle?

Answer 83

To identify where data might be lost or leaked and address potential risks.

Question 84

What are the steps in a Privacy Impact Assessment?

Answer 84

Identify data flow, assess privacy risks, evaluate risk impact, and address risks to avoid negligence.

Question 85

Why are Non-Disclosure Agreements (NDAs) important?

Answer 85

To prevent unauthorized disclosure of sensitive information.

Question 86

What is the correct email etiquette for protecting privacy?

Answer 86

Use the BCC field to mask recipients’ email addresses in group messages.

Question 87

What are examples of physical security measures for data privacy?

Answer 87

Ensuring EMR monitors are not visible to unauthorized persons and arranging workspaces to provide privacy.

Question 88

What steps can prevent data theft?

Answer 88

Encrypting data, using strong passwords, and ensuring devices are locked.

Question 89

Why should contracts with service providers be reviewed?

Answer 89

To ensure they include privacy and security measures, address liability, and avoid unauthorized data use or breaches.

Question 90

What should be done in case of a data breach?

Answer 90

Notify the National Privacy Commission and affected data subjects within 72 hours of knowledge or reasonable belief of the breach.

Question 91

What does ‘being a friend of mankind’ imply in the medical profession?

Answer 91

Maintaining an honorable tradition, rapport with patients, and adherence to ethical principles.

Question 92

What penalties are imposed for data privacy violations?

Answer 92

Imprisonment from 6 months to 7 years and fines ranging from ₱500,000 to ₱5 million.

Question 93

What are prohibited acts under data privacy laws?

Answer 93

Unauthorized processing, improper disposal, negligence, breaches, malicious or unauthorized disclosure.

Question 94

What are the top 5 cybercrime complaints in the Philippines?

Answer 94

Identity theft, unauthorized access, data breaches, phishing, and hacking.

Question 95

How should sensitive personal data be protected in a nutshell?

Answer 95

Anonymize if possible, have a privacy notice, review consent forms, keep processing records, do risk assessments, use NDAs, implement privacy guidelines, and prepare for breaches.

Question 96

What is the fine for unauthorized data disclosure?

Answer 96

₱500,000 to ₱2,000,000 and imprisonment of 3 to 5 years.

Question 97

Why should email recipient addresses be placed in BCC?

Answer 97

To protect the privacy of recipients and prevent disclosure of their email addresses.

Question 98

What should be considered when designing physical workspaces for data privacy?

Answer 98

Ensure that monitors and documents are not visible to unauthorized individuals.

Question 99

What is the Canister Scandal of 2008 an example of?

Answer 99

A breach of data privacy that highlights the importance of protecting sensitive information.