Healthcare Information Security: HIPAA and the Philippines’ Data Privacy Act

Rey Palmares
April 30, 2019

The Health Insurance Portability and Accountability Act (HIPAA) is only regulated in the United States which makes it challenging for the healthcare industry to outsource work. Because of reduced oversight it is difficult to have overseas companies understand and communicate the need for identifying and reporting data breaches. Even India, a frequent outsourcing location, has no law on data privacy.

In the Philippines, the legislature has adopted the HIPAA model and passed the Data Privacy Act (DPA), RA 10173 , in 2012. While patterned loosely after HIPAA, there are some prominent features in the Philippines’ DPA.

The DPA “protects individuals from unauthorized processing of personal information that is (1) private, not publicly available; and (2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information.” From these two important qualifiers, the DPA attempts to cover the entirety of data privacy – not just healthcare information. It limits its scope to what is considered private information that is identifiable with the person of the individual and protects agencies handling information from frivolous suits.

“Personal information must be collected for reasons that are specified, legitimate, and reasonable…. [individuals] must opt in for their data to be used for specific reasons that are transparent and legal.” This approach to information protection actively involves the individual who owns the information and agencies cannot act without their express approval. Any agencies that break this rule are liable for damages and jail time.

Compounding on the type of protected information, the law specifies the level of diligence required for managing it: “These agencies must be active in ensuring that other, unauthorized parties do not have access to their customers’ information.” Similarly to HIPAA, DPA compliance is continuously enacted and monitored. It is not a one-time registration procedure and the law mandates:

1. The appointment of a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure

The DPA also provides for security for disposal of all information. “Personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties.” Methods may vary, and agencies have the freedom to decide based on a guarantee of the most secure disposal.


Writing should be one part informative and one part entertaining. It's what differentiates a generic piece of text from a well-written article. Rey Palmares dedicates much of his time to fine-tune that craft, juggling the joys and frustrations of writing with those of his law school life outside of the office. He's making it work so far.