
ACE MALOLOS DOCTORS DATA PRIVACY POLICY

This policy outlines how ACE Malolos Doctors safeguards patient personal and sensitive personal information, ensuring full compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012. This policy applies to all ACE Malolos Doctors personnel, regardless of employment status, who are involved in the processing of health information within the institution. All personnel must strictly adhere to the terms and provisions set forth in this policy.

Definition of Terms

To ensure clarity, the following terms are defined as they pertain to this policy:

Data Privacy Act of 2012 (Republic Act No. 10173): This refers to the Philippine law that protects individual personal information in information and communications systems in the government and the private sector.

Personal Information: Any information, whether recorded in a tangible form or not, from which the identity of an individual is apparent or can be reasonably and directly determined by the entity holding the information, or when combined with other information, would directly and certainly identify an individual.

Sensitive Personal Information: This category includes specific types of personal information, such as:

  • Data concerning an individual's race, ethnic origin, marital status, age, color, or religious, philosophical, or political affiliations.

  • Information related to an individual’s health, education, genetic or sexual life, or details concerning any offense committed or alleged to have been committed by such person, the outcome of legal proceedings, or any court sentences.

  • Data issued by government agencies specific to an individual, including but not limited to social security numbers, previous or current health records, licenses (or their denials, suspensions, or revocations), and tax returns.

  • Information specifically designated as classified by an executive order or an act of congress.

Processing: Any operation or set of operations performed on Personal Information, including but not limited to its collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction.

Personal Information Controller (PIC): A natural or juridical person or any other entity that controls the processing of personal data or instructs another to process personal data on its behalf.

Data Protection Officer (DPO): An individual appointed by the head of an agency or organization to be accountable for its compliance with the Data Privacy Act, its Implementing Rules and Regulations (IRR), and other issuances from the National Privacy Commission. Unless otherwise allowed by law or the Commission, the DPO must be an organic employee of the entity. An entity may designate more than one DPO.

Confidentiality: The obligation to safeguard personal data against unauthorized disclosure.

Consent: Any freely given, specific, and informed indication of will by which an individual agrees to the collection and processing of their personal information. Consent must be evidenced by written, electronic, or recorded means. It may also be provided on behalf of the individual by a lawful guardian or an authorized agent.

Health Information: This encompasses personal and sensitive personal information related to an individual's past, present, or future physical or mental health condition. This includes demographic data, diagnosis and management details, medication history, health financing records, service costs, and any other information pertaining to an individual’s overall well-being.

National Privacy Commission (NPC): An independent government agency established under the Data Privacy Act to administer and implement the law's provisions, and to monitor and ensure the Philippines' compliance with international data protection standards.

Patient or Client: An individual who avails of medical consultation, diagnostic examinations, treatment, or healthcare services from a healthcare provider.

Privacy: The right of an individual to be free from intrusion or disturbance in their personal and intimate life or affairs. This includes data privacy, which refers to an individual's right not to have their personal data disclosed, encompassing the ability to control what personal data is disclosed, to whom, and for what purpose.

Responsibilities

The National Privacy Commission mandates this policy, and it is applicable to all medical practitioners within ACE Malolos Doctors. This institution is committed to implementing this policy to ensure an adequate level of protection for personal data. When individuals seek consultation for diagnosis and/or treatment, their act of seeking care implies consent for necessary data processing.

Express consent from the data subject is not required for medical treatment purposes or when processing personal data is essential to protect life and health, or when the data subject is not legally able to express consent prior to processing (e.g., in emergencies or public health emergencies).

Accordingly, we collect, analyze, use, share, store, retain, and dispose of personal information as needed, in accordance with applicable laws and regulations.

The Compliance Officers for Privacy and the Data Protection Officer are responsible for ensuring adherence to this Policy. ACE Malolos Doctors respects patient privacy and is accountable for protecting their personal information.

All personnel working for ACE Malolos Doctors are obligated to abide by the provisions of the law.

Obtaining and Disclosing Personal Information and Sensitive Personal Information

We collect personal information primarily for identification and communication purposes, which may include:

  • Name, Age, Sex, Address, Date of Birth, Religion, Telephone Number, Emergency Contact

  • Billing Information

  • Health Information: family clinical history, symptoms, diagnosis, medical history, test results, reports and treatment plans, record of allergies, prescriptions.

Disclosures Authorized by Law and Other Parties:

Patient personal information may be shared to comply with Section 21, Rule 5 of the Implementing Rules and Regulations of the Data Privacy Act, specifically provision D: "the processing is necessary to protect vitally important interests of the data subject, including his or her life and health."

Patient's Right to Object and Withhold Consent:

Patients retain the right to object to and withhold consent for data processing. As per Section 34, Rule 8 of the Implementing Rules and Regulations, "the patient shall have the right to object to the processing of his or her personal data and shall be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject." Consequently, "the patient also has the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system" if the data is no longer necessary for the purpose for which it was collected.

Data Privacy Principles

The processing of personal data is permitted subject to adherence to the principles of transparency, legitimate purpose, and proportionality.

Transparency: The data subject must be fully aware of the nature, purpose, and extent of the processing of their personal data, including associated risks and safeguards. This also covers the identity of the personal information controller, the data subject's rights, and how these rights can be exercised. All information and communication related to personal data processing should be easily accessible and understandable, presented in clear and plain language.

Legitimate Purpose: The processing of information must align with a declared and specified purpose that is not contrary to law, morals, or public policy.

Proportionality: The processing of information must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specified purpose.

Processing of Sensitive Personal Information

The processing of sensitive personal information is generally prohibited, with exceptions in the following cases:

  • The processing is necessary for the purpose of medical treatment: Provided that all processing is carried out by a medical practitioner or ACE Malolos Doctors, and an adequate level of personal data protection is ensured.

  • Consent has been given by the data subject, or by the parties to the exchange prior to the processing of the sensitive personal information, which shall be undertaken for a declared, specified, and legitimate purpose.

  • The processing of sensitive personal information is mandated by existing laws, regulations, or a Court Order. This applies provided that such laws and regulations do not require the consent of the data subject for the processing and guarantee the protection of personal data.

  • The processing is essential to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express their consent prior to the processing.

  • The processing is necessary for the purpose of medical treatment: Provided, that all is carried out by a medical practitioner or ACE Malolos Doctors and an adequate level of protection of personal data is ensured.

ACE Malolos Doctors assures patients that their records are timely and accurate. "The patient has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, that recipients of patients who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request to the data subject." (Section 4, Rule 8 of the Implementing Rules and Regulations).

 

Data Protection

Personal written and electronic data will be retained for ten (10) years for in-patient and seven (7) years for out-patient and emergency case health records, as stipulated under Republic Act 9470, also known as the National Archives Law of the Philippines.

Paper Records: All records are properly maintained and stored in a file Compactor/Shelving System for convenience and ready reference. Appropriate lighting and ventilation are provided to protect the integrity and quality of written and electronically produced documents. Health records are maintained and filed in one established sequence to ensure rapid location and retrieval. Health records are filed and stored using a terminal digit filing system, clearly labeled and properly tracked if transferred to another location.

Electronic Records: User IDs and passwords must not be shared. Only the authorized employees have access. Passwords will be regularly changed at specified intervals. Data backup methods are implemented and periodically tested.

Disposal of Records: Records will be disposed of appropriately in reference to the Disposal and Deletion Procedure of the hospital.

Complaint Process

Should a patient have a complaint regarding the handling and processing of their personal medical information, they may contact the Data Protection Officer through dataprivacyofficer@acemalolosdoctors.com.

 

Accessing Personal Record

Patients have the right to access their records in a timely, reasonable, and legitimate manner. A copy may be provided upon their written request. Patients may submit a written request to their Attending Physician to view their medical record. If a patient wishes to view their original record, upon written request, a staff member will personally assist the patient. In cases where litigation is probable and intended against the healthcare facility or any of its staff, the management may refuse or deny access to the record, even with the patient’s written request, except when mandated by a Court Order. The patient cannot access or may be denied access/copy of their personal record in accordance with Section 22, Rule 5, which states that: “the processing is necessary to protect the life and health of the patient, and the patient is not legally or physically able to express his/her consent prior to the processing.”

Upon Patient Consent, only a Healthcare Provider and authorized entities shall have access to the patient’s health information. Without such consent, a Court Order shall be obtained.

If the requester is not the patient themselves, the following requirements must be met prior to accessing the patient’s health record:

  • If the patient is a minor (below 18 years of age):

    • Either parent or legal guardian shall have access to the child’s health record.

    • An authorization from the parent or legal guardian must be obtained.

  • For the incapacitated:

    • If the patient is unable to sign the authorization due to physical or mental disability, the authorization should be signed by the Next-of-Kin or the legally appointed guardian. Verification of such disability should be obtained from a physician if possible.

    • Where the person requesting access to patient information is incapacitated, a person in whose favor a Special Power of Attorney has been executed shall be allowed access to the records.

  • Authorization for patient who has died:

    • Consent must be signed by the identified Authorized Representative or Next-Of-Kin, or by the Administrator or Executor of the Decedent’s Estate.

  • Medico-Legal Cases:

    • In Medico-Legal cases, information may be disclosed to the authorized personnel in charge upon authorization from the patient or their Authorized Representative (if the patient is deceased).

  • Legal Authorities and/or Government Agencies:

    • Disclosure of health information to any other government agency may only be allowed pursuant to a lawful Order of a court.

    • In cases of emergency where time is critical, disclosure may be made even without a Court Order. This refers to situations such as:

      • Where access is sought by virtue of a SUBPOENA. Consent is not required from the next of kin.

      • For medical or financial assistance requests for abstracts or similar documents, Authorization of the patient is required.

      • For DOH programs and other government agencies providing Financial Public Assistance, said Agency shall disclose de-identified information.

The original health record remains the physical property of the healthcare facility and should not be removed from the hospital, except under a Court Order. Without patient consent, or in its absence, a Court Order, the release of information shall be pursuant to hospital policy; otherwise, patient records shall not be released or disclosed.

© 2024 ALLIED CARE EXPERTS All Rights Reserved.
