HEALTH MAINTENANCE ORGANIZATIONS SECTOR
Frequently Asked Questions
1. Corporate coverage plans are usually procured by employers as part of their employee benefits package. The enrollment procedure is usually just a submission of an e-data by the employer containing the employees’ personal information. Would an undertaking by the employer that it has secured the consent of the employee to have his/her information shared, disclosed, and processed by the Health Maintenance Organization (HMO) be sufficient? Do we also need to keep physical copies of consents of all of our members?
An HMO is considered a Personal Information Controller (PIC) relative to all personal data it processes, regardless of the situs of collection. A PIC, as defined under Section 3(h) of the Data Privacy Act, refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. There is control if the natural/juridical person or any other body decides on what information is collected, or on the purpose or extent of its processing.
Considering this definition, an HMO would still be considered a PIC with respect to the personal data procured from its corporate client (through the latter’s HR department), provided it exercises control over its processing. As a PIC, the HMO is expected to comply with all the requirements laid out in the DPA, its IRR, and all other relevant issuances of the NPC. This includes the provisions on consent. It is therefore recommended that the HMO develop and maintain an internal process for securing the consent of its members relative to the specific purpose advanced by the HMO.
2. Several of our clients want to know what should be mentioned in a consent form. How will they know if their consent form is commensurate to the data that we will be sharing to third-party providers?
There is no set format required for how a consent form must be formulated or what a consent should contain. It is only required that consent be obtained prior to the collection and processing of personal data, and that it be time-bound in relation to the declared, specified and legitimate purpose of the PIC (or the HMO in this case). Moreover, the data subject (the client) needs only to be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, processing for direct marketing, and data sharing (See Section 19, DPA IRR).
What a consent must contain if personal information would be shared with third parties is found in Section 4 of NPC Circular 16-02. Although said circular pertains to data sharing agreements involving government agencies, it may be utilized as guidance when taking up data sharing agreements in the private sector. As such, prior to sharing of data with third-party providers, the data subject must be provided the following information:
3. Several of our clients are asking if electronic consent is acceptable. If yes, should logs/proof of electronic acceptance be kept? What details are required for those logs?
Yes, electronic consent is acceptable. The DPA provides that:
“Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.” (Sec. 3(b) of the DPA, and Section 3(d) of the DPA IRR)
Therefore, consent may be in any of the above-cited formats, as long as it is freely given, specific, and an informed indication of will.
When consent is the lawful basis for processing, the PIC must be able to demonstrate how and when it was obtained. (See Sec. 19 of the DPA IRR). It may be impractical to document each individual consent as part of your record of processing activities, but it can serve as a good business practice. This can help to maintain an effective audit trail that can enable you to quickly locate and provide evidence of consent if challenged (also refer to Arts. 6(1)(a) and 7(1), and Recital 42 of the GDPR).
4. What happens if the data subject does not give consent? Can we deny him/her our services?
When consent is the basis for processing of personal information, the same must be a freely-given, specific, and informed indication of the data subject’s wishes. Also, consent given may be withdrawn (Sec. 3(b) of the DPA, and Section 3(d) of the DPA IRR). The GDPR essentially explains that consent is freely-given when the data subject is given genuine choice and control over how you use their data. If the data subject has no real choice, consent is not freely-given, and it will be invalid. The GDPR also states that people must be able to refuse and withdraw consent without being penalized, otherwise, consent is not freely-given.
Taking these into account, a data subject should be allowed to withdraw his or her consent without fear of negative consequences. In such situation, the data subject’s consent would be freely-given because he/she is given the option to say “Yes,” or “No.” Consequently, denial of service may be justified provided that no detriment falls upon the data subject for withdrawing his/her consent.
5. HMO coverage is usually effective for one year only. For renewal, a notice is sent to client-member to the effect that the contract shall automatically be renewed under the same terms and conditions upon payment of the renewal fees. In such cases, is the HMO still required to have the consent of the data subject anew to collect, process, and store his/her personal data?
The DPA IRR provides that “[w]hen consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose” (Sec. 19(a)(1)). When a data subject gives his/her consent to HMO coverage for a period of one year as stated on the contract, it is presumed that the consent covers the processing contemplated on the contract for that one-year period only. If your processing operations or purposes change or evolve, the original consent obtained may no longer be specific or informed enough, and automatic renewal would not be a valid form of re-obtaining consent. It is therefore recommended that consent be obtained anew for such renewal. The periods or intervals for refreshing consent may be assessed on a case-to-case basis.
6. If a client-member appoints someone in writing (agent, broker, or HR manager, as the case may be) as his/her HMO benefits manager, thereby granting the latter the authority to transact on his/her behalf, would such authority be enough to allow disclosure and/or sharing of personal information in compliance with the DPA?
The DPA and its IRR provide that consent may be given on behalf of the data subject by an agent or representative specifically authorized by the data subject to do so (Sec. 3(b), DPA and Sec. 3(c), IRR). Therefore, if the client-member appoints an agent to consent to the processing of the former’s personal information, the same may be allowed, provided that the instrument evidencing the agency complies with the requirements of the DPA, its IRR and issuances regarding consent and data privacy and protection (Please refer to Sec. 19 of the IRR).
7. HMOs usually perform an Annual Physical Examination (APE) on their client-members. Would an HMO be allowed to disclose sensitive personal information to the employer (through its HR department) without the employee’s consent if it has found out that the latter has a communicable disease and may pose a health risk to his co-employees?
Advisory Opinion No. 2017-025 issued by the Commission on the 22nd of June 2017 can serve as a guide on this query. In summary, the Commission stated that for the company to have access to the health information of an employee/client-member, which is classified as sensitive personal information, it may obtain the consent of the data subject/employee for such purpose. In ensuring that an employee does not have a contagious or communicable disease or any other illness that could put at risk other employees, the company may implement alternatives to requesting information directly from HMOs. For instance, the company may require that an employee provide a medical certificate showing that he or she is “fit to work” before allowing the said employee to return to work. Nothing prohibits the company from securing a valid consent from the employee to access their health information. The company cannot, however, compel an HMO to disclose medical information without authorization from the data subject, or without other legal basis for processing.
8. It is industry practice that our clients engage brokers. These brokers regularly provide reports to our mutual clients. Can we share unidentifiable/masked/anonymized personal information to brokers?
Yes. Personal information under the DPA refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Sec. 3(g), DPA).
On the other hand, anonymous information is information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (Recital 26, General Data Protection Regulation). Both Regulation (EU) 2016/679 and the 1995 EU Directive it repeals, upon which the DPA is based, recognize that “the principles of data protection should not apply to anonymous information.” Since anonymized data in its truest sense is not personal information, the DPA would not be applicable. (Please refer to Advisory Opinion No. 2017-027 for guidance on anonymized data)
9. In relation to Q8, can we share information to the broker without a Data Sharing Agreement (DSA) since the information we are sharing is unidentifiable?
Yes. The DPA requires a DSA only when there is a disclosure or transfer to a third party of personal data under the custody of a PIC or PIP. Since anonymized data refers to data or information that may not be traced back to a definite individual, it does not constitute personal data, and consequently, no data sharing agreement would be necessary. Emphasis must however be made that the data shared must be anonymized and not merely pseudonymized, because the latter is still considered personal data and would therefore require a DSA.
10. Is it safe to assume that a data sharing agreement (DSA) is required from all our affiliated physicians, dentists, other health care professionals, hospitals, or clinics?
Yes. A DSA is a contract, joint issuance, or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties, provided, that only personal information controllers shall be made parties to a data sharing agreement (Sec. 3(E), NPC Circular 16-02). Data sharing, on the other hand, refers to the disclosure or transfer to a third party of personal data under the control or custody of a personal information controller (Sec. 3(D), NPC Circular 16-02).
An HMO, its affiliated physicians, dentists, other health care professionals, hospitals, and clinics are all to be considered PICs as defined under the law, for they control the collection, holding, processing or use of personal information. There is control if the natural/juridical person or any other body decides on what information is collected, or on the purpose or extent of its processing.
Taking these into consideration, a DSA would be necessary before data may be shared by the HMO to its affiliated doctors, etc. Also, as previously mentioned, although NPC Circular No. 16-02 pertains to data sharing agreements involving government agencies, it may be utilized as guidance when taking up data sharing agreements in the private sector.
11. If there is a signed DSA already, do we still need to sign a GDPR compliance form? Are local companies covered by the GDPR? How different or alike is the GDPR with our local DPA?
The General Data Protection Regulation (GDPR) is the regulation governing data protection and privacy of individuals within the European Union (EU). The DPA is closely patterned after the GDPR but is not the Philippine version thereof. Instead, the DPA is the Philippine implementation of the GDPR – in alignment with Recital 8 of the latter which states that: “States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law” (Mapping the DPA and GDPR by Damian Domingo Mapa, Former NPC Deputy Commissioner).
Moreover, the GDPR aspires to cover all data subjects, regardless of nationality or place of residence, while the DPA covers Philippine citizens primarily, whether located here or abroad. Therefore, local companies need only to comply with the DPA; they need not sign a GDPR compliance form. As Mr. Mapa puts it, any Philippine company that is fully compliant with the DPA and its related issuances is already 90% compliant with the GDPR.
12. What is the stand of the NPC regarding masking/anonymizing/pseudonymizing of data to be shared with a third-party (i.e. Brokers/Agents)?
These methods of masking data are, however, two distinct techniques. The difference lies in whether the data can be re-identified. Pseudonymization consists of replacing one attribute (typically a unique attribute) in a record with another. While pseudonymization lessens the risks, personal data which have undergone pseudonymization remain personal data; hence, consent is still necessary. In anonymization, the data is scrubbed of any information that may identify a data subject. Therefore, anonymized data is not covered by the DPA.
13. As an HMO, we report to several regulatory agencies (BIR, SEC, IC, etc.) Some of them may require data from us as far back as 10 years. How long can we keep data? Some of our clients require us to delete their data after 1 year. Can we insist on keeping their data due to regulatory requirements?
The DPA provides that personal data shall only be retained for as long as necessary for the fulfillment of the purposes for which the data was obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law (Sec. 11(e), DPA). The IRR of the DPA reiterates such requirement under Sec. 19(d) as one of the general principles in collection, processing and retention. From these provisions, it is apparent that the law only sets out the general principles and guidelines and gives no specific retention period.
One of the factors that the HMO may consider in determining retention periods for personal data under their custody is whether the HMO is subject to a legal requirement, such as in this instance when the HMO is required to report to regulatory agencies. The HMO needs only to be mindful of the data privacy principles of transparency, legitimate purpose, and proportionality. This means that the data subject must be informed of the retention periods of the company, and the purpose for retaining the records for such specific period. The company must ensure that only that personal data which is adequate, relevant, suitable and necessary for the purpose will be retained and that retention will not be in perpetuity in consideration of some future use which has not yet been determined.
Note: The answers provided in this FAQ are based on the limited information provided in the questions and may vary based on additional information or when the facts are changed or elaborated. Hence, they may be subject to change at any time without prior notice to the user.