Published 17 April 2020, The Daily Tribune

In my previous article, I posed the following questions: Can the employer disclose to other employees the name of its employee who tested positive for COVID-19 for purposes of contact tracing? Is the employer required to inform the Department of Health (DOH) if any of its employees tests positive for COVID-19?

The answers to these questions are contained in the National Privacy Commission Public Health Emergency Bulletin No. 3 which states that “if an employee/PUI has been proven to be positive of COVID-19, the employer may not freely disclose the identity of the said employee to everyone, even if within the company only.”

If the purpose is to inform those who may have had contact with the said employee so they can be tested and monitored as well, the employer may instead make the necessary notices internally without disclosing the identity of the person who is COVID-19 positive. Employers should only disclose such personal information as may be necessary to enable other employees to assess their health and potential exposure. Revealing the identity of the COVID-19 patient offers no benefit to the patient nor any advantage to other employees in assessing their exposure. If an employee tests positive, the protocols and guidelines for PUMs/PUIs would apply and, generally, would cover everyone.

The proper authority that does contact tracing is the DOH. It follows that the disclosure of the identity of the patient shall be limited to DOH personnel only, following the PUM/PUI protocol. Announcements relating to an employee who is COVID-19 positive should come from the DOH or other appropriate government agencies. Thus, anyone, including employers, with relevant information, should immediately relay it to the DOH for proper handling.

The DOH is empowered to require mandatory reporting of “emerging infectious diseases” as well as perform quarantine and isolation under the Republic Act 11332 or the “Law on Reporting of Communicable Diseases” to effectively centralize the processing of reported Covid-19 cases in the country.

RA 11332 was signed into law by the President in April 2019. Section 9 of the law prohibits (1) the unauthorized disclosure of private and confidential information pertaining to a patient’s medical condition or treatment; (2) tampering of records or intentionally providing misinformation; (3) non-operation of the disease surveillance and response systems; (4) non-cooperation of persons and entities that should report and/or respond to notifiable diseases or health events of public concern; and (5) non-cooperation of the person or entities identified as having the notifiable disease or affected by the health event of public concern.

Section 10 of the law provides that any person or entity found to have violated Section 9 of this Act shall be penalized with a fine of not less than P20,000 but not more than fifty thousand pesos (50,000) or imprisonment of not less than one month but not more than six months, or both such fine and imprisonment, at the discretion of the proper court.

If the offense is committed by a public or private health facility, institution, agency, corporation, school, or other juridical entity duly organized in accordance with law, the chief executive officer, president, general manager, or such other officer in charge shall be held liable. In addition, the business permit and license to operate of the concerned facility, institution, agency, corporation, school, or legal entity shall be canceled.

Another privacy issue in this time of COVID-19 is the sharing of sensitive personal data of persons who tested positive for COVID-19 or are considered PUI. In this State of National Calamity, the DOH seems to be willing to overlook privacy implications in an effort to save lives. However, the sensitive data that’s being collected is not exclusive to public health organizations. The DOH has issued guidelines which now allow private companies and learning institutions (who are working on a possible vaccine or more affordable testing kits) to have access to the date that a coronavirus patient was infected, along with his or her nationality, gender, age and the locations they visited.

Under ordinary circumstances, sensitive patient-linked medical records can and should be kept private. Unauthorized disclosure is a punishable offense under the Data Privacy Act. Exposing them to private companies, even in the interest of public health, is a source of concern because these records hold significant commercial value. They could, for instance, provide advertising agencies with valuable targeting data for healthcare and pharmaceutical companies. They could also help inform decision-making by health insurers seeking to verify medical histories when processing new policies and claims. While we do not want to put a hurdle on current joint efforts between the government and private entities, it is prudent that safety measures be set in place so that these privacy issues may be addressed.

For comments and questions, please send an email to cabdo@divinalaw.com.