Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data
The DOH-PhilHealth Joint Memorandum Circular No. 2021-0001 outlines guidelines for processing and submitting health-related data as mandated by the Universal Health Care Act (RA 11223). It aims to improve data quality and timeliness through a unified data management framework, the establishment of a National Health Data Repository (NHDR), and clear data access mechanisms between the Department of Health (DOH) and the Philippine Health Insurance Corporation (PhilHealth). The circular applies to all health care providers and entities involved in health data submission and emphasizes compliance with data protection laws. It also details the roles and responsibilities of the DOH, PhilHealth, and other stakeholders in ensuring effective data governance and protection. The memorandum is set to take effect 15 days after publication and will guide the management of health data across the Philippines.
Quick Answers
- What type of law is DOH-PhilHealth Joint Memorandum Circular No. 2021-0001?
- Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data (DOH-PhilHealth Joint Memorandum Circular No. 2021-0001) is a Philippine Other Rules and Procedures enacted by the Congress of the Philippines.
- When was Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data enacted?
- Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data (DOH-PhilHealth Joint Memorandum Circular No. 2021-0001) was enacted on May 21, 2021.
- What is the citation for Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data?
- Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data, DOH-PhilHealth Joint Memorandum Circular No. 2021-0001, May 21, 2021 (Philippines)
Law Information
- Reference Number
- DOH-PhilHealth Joint Memorandum Circular No. 2021-0001
- Date Enacted
- Category
- Other Rules and Procedures
- Subcategory
- Department of Health
- Jurisdiction
- Philippines
- Enacting Body
- Congress of the Philippines
Full Law Text
May 21, 2021
DOH-PHILHEALTH JOINT MEMORANDUM CIRCULAR NO. 2021-0001
| SUBJECT | : | Implementing Guidelines of Section 31 of the Republic Act No. 11223, Otherwise Known as the "Universal Health Care (UHC) Act," on the Processing and Submission of Health and Health-related Data |
I. RATIONALE
Under Sections 31.1 and 31.2 of the Implementing Rules and Regulations (IRR) of Republic Act (RA) 11223, otherwise known as the "Universal Health Care Act," one critical strategy identified to address the recurring issues and problems on poor quality and untimely generation and reporting of health and health-related data is through the adoption of an integrated approach to processing and submission of health and health-related data for evidence-informed sectoral policy and planning. This shall be achieved through (1) the implementation of a unified data management and governance framework on health and health-related data; (2) the establishment and maintenance of a National Health Data Repository (NHDR); and (3) the institutionalization of appropriate data access mechanisms between and within the Philippine Health Insurance Corporation (PhilHealth) and the Department of Health (DOH).
Accordingly, this Circular aims to ensure that quality health and health-related data and reports are readily available and made accessible to every stakeholder in the right way, and processed in a lawful, ethical, secure, consistent and efficient manner at all levels of health care utilization.
II. OBJECTIVES
The objectives of this Joint Memorandum Circular are as follows:
General Objective: Set the guidelines and mechanisms in the processing, submission, and access of health and health-related data in accordance with the rules set forth under the UHC Act.
Specific Objectives:
A. Provide the unified health and health-related data management and governance framework;
B. Define the guidelines and mechanisms in the establishment and maintenance of a National Health Data Repository; and
C. Set the data access mechanisms between and within the PhilHealth and the DOH.
III. SCOPE OF APPLICATION
This JMC shall apply to all public and private, national and local health care providers, insurers, and health-related entities involved in the provision of health services, and/or processing and submission of health and health-related data; all national, regional, local and branch offices under the DOH and PhilHealth; and all others concerned.
In the case of Bangsamoro Autonomous Region for Muslim Mindanao (BARMM), the processing and submission of health and health-related data shall be in accordance with Article IX, Section 22 of RA 11054, otherwise known as the "Organic Law for the BARMM" and subsequent laws and issuances. Likewise, in the adoption by the Ministry of Health-BARMM of its own implementing guidelines, the same shall be consistent with the provisions of this JMC and other subsequent issuances, and in coordination with the PhilHealth and DOH.
IV. DEFINITION OF TERMS
A. Data Access shall refer to either of the following:
1. Data Release refers to disclosure of health and health-related data of public interest available as open to the public. Only public data shall be allowed for data release to the public; or
2. Data Sharing refers to the sharing, disclosure, or transfer to a third-party of health and health-related data under the custody of a data controller to one or more other data controllers. All data sharing of private or restricted data shall require the execution of a data sharing agreement (DSA) or its equivalent.
B. Data Controller refers to a juridical entity that controls the processing and submission of health and health-related data, whether submitted to PhilHealth, DOH, or a public health authority, or provided to a data recipient or not, and instructs another to process and submit health and health-related data on its behalf. Among its roles are (1) a personal information controller (PIC) of all personal data under its control; and (2) a data custodian who is responsible for the health business processes and all associated health and health-related data with it, including the data architecture, technical environment and database structure.
C. Data Governance refers to the exercise of authority, control and shared decision making (i.e., planning, oversight, monitoring, and enforcement) over the management of health and health-related data assets and related resources.
D. Data Protection refers to the process of protecting the health and health-related data by implementing strong, appropriate and reasonable privacy and security measures in the processing of health and health-related data, and upholding the data privacy rights of every data subject, and confidentiality/non-disclosure rules of the data controller in accordance with the existing and applicable laws, rules, and policies.
E. Data Steward refers to the concerned organizational unit within the agency that is responsible for the accuracy, integrity, and data protection of all health and health-related data it processes, including all primary data sources it manages. Likewise, they shall be accountable for the standardization of these health and health-related data, the determination of their data classification as to restricted, private, or public, approval and disapproval of data access requests, and compliance with all legal, regulatory, and policy requirements in relation to the processing of health and health-related data, among others.
F. Health and Health-Related Data collectively refers to a set of specific variables or parameters that relates to an individual and population health and well-being, including, but not limited to administrative and investment planning in health, public health, medical, pharmaceutical, and health financing data.
G. Health-Related Entities refer to academic and research institutions, civil society organizations, medical societies, health professional associations, non-government organizations, donor or funding agencies, development partners, local and international information and communications technologies (ICT) service providers, national and local government agencies, and other stakeholders involved in the provision of health services, and/or processing and submission of health and health-related data, and those identified by the DOH and PhilHealth.
H. Insurers refer to local health insurance offices of PhilHealth, health maintenance organizations and private health insurance companies issued certificates of authority by the Insurance Commission, and those identified by DOH and PhilHealth.
I. Personal data refers to all types of personal information such as follows:
1. Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
2. Sensitive personal information refers to personal information:
a. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
b. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
d. Specifically established by an Executive Order (EO) or an act of Congress to be kept classified.
J. Private Data refers to restricted sensitive health and health-related data that can be disclosed internally among organizational units of the data controller, but can pose a medium risk if disclosed outside the Department. This includes, among others, personal health/medical records, or personal data, and other matters as deemed private by the data controller.
K. Processing refers to any operation or any set of operations performed upon the health and health-related data including, but not limited to, the collection, recording, organization, storage, updating or modification, sharing, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the health and health-related data are contained or are intended to be contained in a filing system.
L. Public Data refers to non-sensitive or unclassified health and health-related data that can be disclosed without restriction. This includes, among others, open data or publicly available information including those from informational websites, terminology systems, and standards.
M. Restricted Data refers to confidential health and health-related data that are highly sensitive with high institutional risk from disclosure. This includes, among others, political documents dealing with matters of international health cooperation/negotiation, technical matters of national health security value, internal audit data, privileged communication, and other related agreements concerning health matters deemed as highly confidential.
V. GENERAL GUIDELINES
A. The processing and submission of health and health-related data to PhilHealth through the NHDR shall be an integral component of the health care system. Its implementation shall promote better performance in the health system, while ensuring data protection at all levels of data processing at all times.
B. The processing and submission of health and health-related data to PhilHealth through the NHDR, including the provision of access to DOH, shall be to the extent necessary for the following purposes:
1. To have a single point-of-submission and authoritative repository of the country's health and health-related data as the basis of health policy and standards, decision-making, health program planning and implementation, health systems strengthening, and performance monitoring and evaluation.
2. To enable equitable access to quality and affordable health care goods and services, health education, social health insurance, and better provision of technical assistance.
C. The PhilHealth and DOH shall implement a unified data architecture to ensure an integrated approach to processing, submission, data management, and governance of health and health-related data, including seamless data sharing and exchange between them, and ease of data access by various stakeholders. They also shall develop unified operational guidelines that:
1. Conform to the data management and governance principles indicated under item V.C of this policy;
2. Define the specific procedures and quality standards in the processing of health and health-related data, including for data access; and
3. Set the specific accountabilities of all those involved in the processing of health and health-related data, including those for data protection.
D. The PhilHealth shall establish and maintain the NHDR for all health and health-related data submitted by health care providers, insurers, and health-related entities. It shall be considered as the overall Data Controller insofar as it controls the processing of health and health-related data through the NHDR. It shall assume full responsibility in complying with existing and applicable laws, rules, and other relevant issuances relating to the processing and submission of all health and health-related data through the NHDR, including data protection.
Appropriate operational guidelines shall be developed by PhilHealth in the establishment and maintenance of the NHDR, in coordination with DOH and other relevant agencies, subject to the approval of the NeHSC-TWG.
E. The PhilHealth shall provide DOH access to all health and health-related data submitted through the NHDR. A service/operational level agreement or its equivalent shall be executed by PhilHealth and DOH for this purpose, subject to existing and applicable laws, rules, and policies relating to access of health and health-related data.
VI. SPECIFIC GUIDELINES
A. Implementation of a Unified Data Management and Governance Framework on Health and Health-related Data
1. The processing of health and health-related data by PhilHealth and/or DOH shall be governed by the following principles:
a. Health and health-related data shall be:
i. Collected only when known and documented use and value exist.
ii. Processed for a specified, legitimate, and documented purpose. Likewise, the processing shall involve only the minimum extent of health and health-related data necessary to the declared and specified purpose at the time of collection.
iii. Processed following the data lifecycle from its creation/collection to its archival and destruction at the end of its life.
iv. Standardized and defined consistently across all organizational units and in all data processing systems. Standardization of health and health-related data shall be in accordance with the DOH and PhilHealth Joint Administrative Order (JAO) on the Mandatory Adoption and Use of National Health Data Standards for Interoperability and other subsequent issuances.
v. Classified as to restricted, private, or public by the Data Steward to determine the appropriate level of data protection and degree of access restrictions to be instituted.
vi. Recorded as accurately and completely as possible, at the primary data source, as close as possible to their point of creation, and in an electronic and usable form at the earliest opportunity for both input and output.
vii. Maintained solely in the primary data source by the concerned Data Steward. Any change in the primary data source shall be reflected immediately in secondary data sources without modification.
viii. Reused across all organizational units wherever possible. Data duplication shall be discouraged. For integrity, data shall be entered only once, and any duplication of the collection and processing shall require approval of the Data Steward.
ix. Readily accessible to inform decision-making, and made available to those with a legitimate business need.
b. The processing of health and health-related data shall be:
i. Automated, wherever possible.
ii. Standardized and uniform across all organizational units of the agency, including for all data processing systems being managed. This also applies to the processes that introduce and/or update metadata structures.
iii. Recorded and managed over time in an auditable and traceable manner.
iv. Secured and protected from any unauthorized processing, modification, and disclosure.
c. All data processing systems of the PhilHealth and DOH shall be integrated and interoperable among each other, and mandatorily adopt and use the approved national health data standards for interoperability. No data processing system shall be implemented as a stand-alone system.
2. The interagency National eHealth Steering Committee and Technical Working Group (NeHSC-TWG) shall be responsible for evaluating, directing, monitoring, aligning, planning, and organizing the policy directions and activities relating to the processing, submission, data management, and governance of health and health-related data. This body shall serve as the intermediary among the Data Controller, the Data Stewards, and other relevant stakeholders (e.g., standards development organizations [SDOs], and standards setting bodies). An appropriate personnel order shall be issued for this purpose.
3. The PhilHealth and DOH, as represented by their Heads, shall be the overall Data Controller of all health and health-related data that their respective organization is processing. As a Data Controller, they shall assume full responsibility as data custodians and personal information controllers. They shall also oversee and ensure that all Data Stewards within their organization comply with existing and applicable laws, rules, and other relevant issuances relating to the processing of health and health-related data, including those for data protection.
4. All organizational units of PhilHealth and DOH, who will be responsible for the specific health business processes/services that they are mandated to perform, and all health and health-related data associated with it, including all corresponding primary data sources being implemented, shall act as Data Stewards.
5. The PhilHealth and DOH, including all their organizational units, shall implement strong, reasonable, and appropriate organizational, physical, and technical security measures for data protection as set by the National Privacy Commission (NPC) and the Department of Information and Communications Technology (DICT) in the processing of health and health-related data, and shall uphold and protect the data protection rights of all data subjects and the data controller at all times.
B. Establishment and Maintenance of a National Health Data Repository
1. The NHDR shall be established as the single point-of-submission system and authoritative repository of the country's health and health-related data in a central database system with the following components, namely: (1) a dataset submission (DSS) system, (2) an open data (OD) platform, (3) a business intelligence and analytics (BIA) platform, and (4) a data access request (DAR) platform.
2. All health and health-related data that will be submitted and processed through the NHDR shall conform to the standards and rules set forth under this policy, the DOH and PhilHealth JAO 2021-0002 on the Mandatory Adoption and Use of National Health Data Standards for Interoperability, and other subsequent issuances.
3. All health and health-related data that will be submitted and processed through the NHDR shall be classified as restricted, private, and public to determine the appropriate level of data protection and degree of access restrictions to be implemented by PhilHealth. Determination of data classification shall be released as a separate issuance.
4. All health and health-related data — whether restricted, private, or public — shall be integrated, processed, and analyzed for insights to support the operational, tactical, and strategic planning of the DOH and/or PhilHealth. A separate issuance shall be released by DOH and PhilHealth regarding unified data analysis and report generation in the BIA platform of the NHDR.
5. All health care providers, insurers, and health-related entities shall process and submit health and health-related data for local and national health data reporting to PhilHealth through the NHDR, or DOH using their integrated health information system (iHIS), or any equivalent reporting mechanism as necessary, provided that health and health-related data collected from other reporting mechanisms shall also be submitted to NHDR as a single source of truth for health. A separate issuance shall be released by DOH and PhilHealth for this purpose.
6. This JMC shall serve as the data protection notice of PhilHealth in the processing of health and health-related data through the NHDR, including the provision of access to DOH.
C. Implementation of Data Access Mechanisms
1. All data access requests for health and health-related data from the NHDR shall be governed by the following rules:
a. Determine if there is a legitimate basis for the data access request.
b. Once the legitimate basis has been established, determine the data classification of health and health-related data being requested.
i. If the health and health-related data being requested contains personal data, the processing of the data access request shall follow NPC Circular 2020-003 on "DSA."
ii. If the health and health-related data being requested contains only non-personal data but are considered as private data, the processing of the data access request shall be based on the concerned Data Steward's policy on data access of this type of data.
iii. If the health and health-related data being requested contains only public data that are not readily available in the NHDR OD Platform, the processing of the data access request shall follow Executive Order No. 2, s. 2016 on "Operationalizing in the Executive Branch the People's Constitutional Right to Information and the State Policies of Full Public Disclosure and Transparency in the Public Service and Providing Guidelines Therefor," in coordination with the concerned agency's Freedom of Information (FOI) Unit.
iv. If the health and health-related data being requested contains only public data that are readily available in the NHDR OD Platform, the requesting party shall be directed to the NHDR OD Platform.
v. If the health and health-related data being requested contains restricted data, the data access request shall be automatically disapproved.
2. Approval and disapproval of data access requests shall be a shared responsibility between the DOH and PhilHealth, particularly among the concerned Data Stewards. Accordingly, they shall develop guidelines in the receiving, evaluating, and managing data access requests for health and health-related data that they control, in accordance with the standards set forth in this JMC and other relevant policies issued by the NeHSC-TWG.
VII. ROLES AND RESPONSIBILITIES
A. Department of Health shall:
1. Provide policy directions and oversight, together with the interagency NeHSC-TWG and other relevant stakeholders, in the processing, submission, data management and governance of health and health-related data.
2. Activate the interagency NeHSC-TWG.
3. Act as data controller of all health and health-related data it processes within its Department.
4. Act as receiver of all health and health-related data submitted through the NHDR as provided by PhilHealth, and make available the infrastructure and related platform to receive the shared health and health-related data.
5. Lead the standardization of health and health-related data, in coordination with PhilHealth and other relevant stakeholders.
6. Develop and implement operational guidelines in the processing of health and health-related data under its control, including those for data access and data protection.
7. Implement strong, appropriate and reasonable data protection measures at all levels of data processing.
8. Provide technical assistance to PhilHealth in the management of the NHDR.
9. Build capacity and provide technical assistance to all health care providers, insurers, and health-related entities to ensure compliance with the standards on the processing and submission of health and health-related data set forth under this JMC and other related issuances.
B. Philippine Health Insurance Corporation shall:
1. Provide policy directions and oversight, together with the interagency NeHSC-TWG and other relevant stakeholders, in the processing, submission, data management and governance of health and health-related data.
2. Act as data controller of all health and health-related data it processes within the Corporation.
3. Establish and maintain the NHDR, and act as its data controller.
4. Provide access to DOH on all health and health-related data submitted through the NHDR.
5. Co-lead the standardization of health and health-related data with DOH, in coordination with relevant stakeholders.
6. Develop and implement corporate operational guidelines in the processing of health and health-related data under its control, including those for data access and data protection.
7. Implement strong and reasonable data protection measures at all levels of data processing.
C. Health Care Providers, Insurers, and Health-Related Entities shall process and submit health and health-related data for local and national health data reporting to PhilHealth through the NHDR, and/or DOH using their iHIS, or any equivalent reporting mechanism as necessary, following the standards set forth in this JMC and other related issuances.
VIII. BUDGET REQUIREMENTS
The DOH and PhilHealth shall separately allocate funds and provide counterpart resources necessary and appropriate to the overall and regularly funded functions of each agency for the proper implementation of this JMC, subject to the usual government accounting and auditing rules and regulations.
Each agency shall secure the Commission on Audit's Post Audit review over any and all transactions related hereto.
IX. TRANSITORY PROVISION
Within one (1) year from the effectivity of this policy, all responsible DOH and PhilHealth offices shall release new or supplemental issuances, and operationalize the provisions of this JMC.
X. SEPARABILITY CLAUSE
In the event that any provision or part of this JMC is declared unauthorized or rendered invalid by any Court of Law or competent authority, those provisions not affected by such declaration shall remain valid and in force.
XI. EFFECTIVITY
This JMC shall take effect after fifteen (15) days following its complete publication in a newspaper of general circulation and upon filing three (3) certified copies to the University of the Philippines Law Center.
| (SGD.) FRANCISCO T. DUQUE III, MD, MSc | (SGD.) ATTY. DANTE A. GIERRAN, CPA |
| Secretary | President and Chief Executive Officer |
| Department of Health | Philippine Health Insurance Corporation |
Cite This Law
Implementing Guidelines of Section 31 of the Republic Act No. 11223 on the Processing and Submission of Health and Health-related Data, DOH-PhilHealth Joint Memorandum Circular No. 2021-0001 (Phil. 2021)