Privacy policy | The Medical City

Privacy Policy

Last Updated: January 31, 2023


 Data Privacy Management Department
The Medical City
Ortigas Avenue, Pasig City
(02) 988.1000 local 6790

  1. Background

    Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector. It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights

  2. Introduction

    1. Policy Statement

      This Patient Privacy Policy (“Policy”)sets forth the standards of The Medical City governing the privacy and security of patients’ personal information, particularly health information, as well as the controlled release and disclosure of such information, consistent with the Data Privacy Act of 2012 and other applicable laws.

      This Policy describes the manner in which The Medical City (TMC) may collect, hold, use, share, and discard the above-mentioned information. By availing of the services provided by TMC, you signify your acceptance of this policy and terms of service. Your continued availment of the services of TMC following the posting of changes to this policy will be deemed your acceptance of those changes.

    2. Our Commitment to Protect Your Privacy

      We understand that information about you and your health is personal. We are committed to protecting your health information. As a patient of The Medical City and its other related entities, the care and treatment you receive is confidential in nature and will be recorded in a medical record. We use and share this record to provide you with quality care and to comply with certain legal requirements. This record will be available to all health care and allied health professionals who need access as described in this Policy, many of whom will be involved in your treatment.

      As part of our commitment to maintaining the confidentiality of your care, The Medical City will share your information only to the extent necessary to ensure with your treatment, conduct our professional operations, collect payment for the services we provide you, and to comply with the laws that govern health care. While we may need your personal information for other purposes, we will not use or disclose your information without your permission.

    3. Our Patient Privacy Policy

      The Medical City may provide you with a Patient Privacy Policy pamphlet, upon your request, that explains our privacy practices and your rights regarding your personal and health information. Consent to the collection, use, disclosure, and disposition of your personal and health information will be obtained upon admission or consultation or by availing of the various services provided by the institution.

      You may ask for a copy of our current Policy in any of the patient registration areas throughout the hospital, the Data Privacy Management Department as well as with the Center for Patient Experience. You can also view and print a copy of our current Policy by visiting our website at and clicking on Patient Privacy Policy. Likewise, Privacy Notices may be found publicly posted in a number of places.

      The Medical City may, from time to time, review and update this Policy to adapt to changing corporate practices, and to take into account new laws and technology. We reserve the right to make the revised or changed Policy effective for health information we already have about you as well as any information we receive in the future.The use, storage and disclosure of all data held by TMC will be governed by the most recent privacy policy, posted on TMC will notify you of any amendments by posting an updated version of the policy on this website.

  3. Definition of Terms

    1. “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;

    2. “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;

    3. “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of The Medical City.

    4. “Personal data” refers to all types of personal information;

    5. “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

    6. Sensitive personal information refers to personal information:

      1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

      2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

      3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

      4. Specifically established by an executive order or an act of Congress to be kept classified.

    7. “Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

    8. “Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;

    9. “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;

    10. “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;

  4. Scope

    This Policy pertains to all individuals, departments, and units in The Medical City who have access to, use, or disclose protected health information. The Policy is administered by the Data Privacy Management Department. It is intended to serve as a foundation for privacy practices of TMC. Divisions, departments, or units within TMC may impose privacy safeguards in addition to those required by this policy and procedure.

  5. Processing of Health Information

    This section describes ways that The Medical City use and disclose health information. It does not list every possible use or disclosure, but the ways your information may be used and disclosed fall into the following categories:

    • Treatment and Communication
    • Billing and Collection
    • Health Care Processes and Professional Services
    • Legal Compliance and Health-Related Services
    • Research and Training

    1. Collection, Use and Disclosure

      1. Treatment and Communication

        Your health information is used to provide you with medical treatment or services. We may use and share health information about you with physicians, nurses, allied medical personnel, residents, fellows and medical students, or other TMC personnel involved in your care. Different departments of the hospital may also share health information about you to coordinate the services you need, such as pharmacy, dietary, laboratory and other diagnostic centers.

        In special cases, we may also disclose your health information to providers not affiliated with the Hospital to facilitate care or treatment they provide you. These include other physicians outside The Medical City who are involved in your care outside the hospital setting or in case of hospital transfers, to the receiving hospital.

        Electronic exchange of health information helps ensure better coordination of care. The physicians and nurses of The Medical City utilize digital technology in order to facilitate quicker and prompt referrals within the healthcare team. They may use messaging platforms such as SMS, emails, Viber, Telegram, and other similar services in order to communicate with the team. Alternatively, you may access your results through our online platform.

        Upon your request, we may send electronic results of your laboratory and other diagnostic tests to you or your authorized representative. We may also use and disclose health information to contact you as a reminder that you have an appointment for care at The Medical City. We will communicate with you using the information (such as telephone number and email address) that you provide us.

        Unless you notify us to the contrary, we may use the contact information you provide to communicate general information about your care such as appointment location, department, date and time, as well as for patient experience and satisfaction surveys.

      2. Billing and Collection

        We may use and disclose your personal and health information to confirm, bill and receive payment for health care services that we or others provide to you. This includes submission of your health information to receive payment from Philhealth, your health maintenance organization (HMO), insurance company, or other party that pays for some or all of your health care or to verify that your payor will pay for your health care. We may also tell your payor about a treatment you are going to receive to determine whether your payor will cover the treatment. For certain services, if your permission is needed to release health information to obtain payment, you will be asked for permission.

        In cases of non-payment, your personal and health information will be sent to legal services for collection purposes who may conduct credit investigations and send demand letters to collect payment for services rendered to you.

      3. Health Care Processes and Professional Services

        We may use and disclose health information for health care operations. This includes functions necessary to run The Medical City and assure that all patients receive quality care. We may also share your information with affiliated health care providers so that they may jointly perform certain business operations along with TMC. We may combine health information about many of our patients to improve on the services being offered, to determine what services are no longer needed and to assess whether certain treatments are effective.

        We may share information with physicians, nurses, allied medical personnel, residents, fellows and medical students, or other TMC personnel to ensure quality assurance and compliance with standards of care. We may also compare the health information we have with information from other hospitals to see where we can improve the care and services we offer. In these instances, The Medical City will work to anonymize, mask, encrypt or de-identify your personal and health information as much as possible.

        The Hospital contracts with outside entities that perform business services for us, such as the Joint Commission International, government entities, billing companies, management consultants, quality assurance reviewers, accounting or legal firms. In certain circumstances, we may need to share your health information with a business associate so it can perform a service on our behalf. We will have a data sharing agreement or written contract in place with the business associate requiring protection of the privacy and security of your health information.

      4. Legal Compliance and Health-Related Services

        We may disclose your information to the Department of Health and other appropriate government entities for activities authorized by law such as audits, investigations, inspections, and licensure.

        When necessary to prevent a serious threat to your health and safety or the health and safety of others, we may use and disclose certain information about you. Such disclosure will only be to someone able to prevent or respond to the threat, such as law enforcement, or a potential victim.

        We may also use or disclose health information about you when required to do so by laws not specifically mentioned in this Policy.

      5. Research and Training

        As an affiliated hospital for the Ateneo School of Medicine and Public Health (ASMPH), medical students may use and access your health information. We will have a data sharing agreement or written contract in place with ASMPH requiring protection of the privacy and security of your health information.

        Being a training ground for future doctor specialists with over ten accredited residency and fellowship programs, your health information may be used and disclosed in training and education. Daily endorsement rounds, weekly department conferences, audits, morbidity, and mortality conferences are requirements for continued accreditation of our clinical programs and may involve the use of your health information. Limited information about you and your treatment may be used for the purposes of accreditation of our residency and fellowship programs and specialty board certification of our trainees.

        The Medical City has an active research program. We generally ask for your written authorization before asking you to participate, use your health information, or share it with others to conduct research. Under limited circumstances, we may use and disclose your health information without your authorization. In these situations, we will anonymize, mask, encrypt or de-identify data to protect your information and so that no patient is individually identifiable. We will obtain approval through an independent review process to ensure that research conducted without your authorization poses minimal risk to your privacy.

      6. Other uses and disclosures

        The Medical City does not require prior consent or authorization in the disclosure of your health information in the following instances:

        • Public Health Activities

          • To prevent or control disease, injury or disability;
          • To report births and deaths;
          • To report the abuse or neglect of children, elders and dependent adults;
          • To report reactions to medications or problems with products;
          • To notify you of the recall of products you may be using;
          • To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
          • To notify the appropriate government authority if we believe you have been the victim of abuse, neglect or domestic violence; we will only make this disclosure when required or authorized by law;
          • To notify the Department of Health and other appropriate government entities when you seek treatment at The Medical City for certain diseases or conditions required to be reported by law.

        • Disputes and Lawsuits

          To ensure the quality of care you receive while seeking treatment at The Medical City, we may access and disclose your health information if you have concerns or complaints regarding your medical management at The Medical City. We may also access and disclose your health information if you bring a lawsuit against TMC, its officers, nurses, allied medical personnel and other employees, its residents, fellows and physicians.

          If you are involved in a lawsuit, we may disclose health information about you in response to a court or administrative order or in response to a subpoena, legally enforceable discovery request, or other lawful process by someone else involved in the dispute.

    2. Storage, Security, Retention and Destruction

      The Medical City will ensure that personal and health information under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. TMC will implement appropriate security measures in storing collected personal and health information. All health information gathered and kept in medical records shall be retained for as long as the patient regularly seeks treatment at the institution. Hard copies of medical records more than five (5) years old shall be kept at a secure off-site facility. After an inactive period of ten (10) years from the last outpatient consult and fifteen (15) years from the last in-patient confinement, hard copies of medical records shall be brought to an appropriate facility for melting and destruction with secure protocols in place. Electronic copies of medical records shall be retained for a similar period.

  6. Rights Relating to your Health Information

    An important part of The Medical City’s Privacy Policy is this section which explains your data privacy rights regarding your health information. You (or your authorized representative) have the right to:

    • Be informed
    • Reasonable access to your health information
    • Request a correction to your personal information
    • An accounting of hospital disclosures of your health information
    • Request restrictions on certain uses and disclosures of your health information
    • Receive a copy of The Medical City’s Privacy Policy

    1. Information

      You have the right to be informed that your personal and health information will be, are being, or were, collected and processed. You have the right to be informed of the purposes for which they will be, are being, or were processed and the duration for which the information will be kept.

    2. Reasonable Access of your Health Information

      You have the right to obtain a copy of your pertinent health information. The medical information available to you are the following:

      • Clinical Abstract/Discharge Summary
      • Laboratory and other diagnostic results
      • Consent for Admission and Procedure
      • Record of Operation or Delivery
      • Operative Technique
      • Medical Certificate or Certificate of Confinement

      To request for a copy of your medical records, proceed to the Health Information Department and fill out a Request for Medical Information or contact them for the link to the electronic request form. TMC may charge a fee for the cost of providing copies to you.

    3. Request a Correction to your Personal Information

      If you believe that the personal information The Medical City has on file about you is incorrect or incomplete, you may ask us to correct the personal information in your records. If your personal information is accurate and complete, or if the information was not created by the Hospital, we may deny your request. If we deny any part of your request, we will provide you with a written explanation of our reasons for doing so. Requests to make a correction to your records must be in writing and must describe each item that you want changed and the reason you are requesting the change. We may require additional documentation from you or your authorized representative as proof before processing your request.

    4. An Accounting of Hospital Disclosures of your Personal and Health Information

      You have the right to request a list of how your personal information was shared for purposes other than treatment, payment, health care operations and legal compliance. Your health information on the other hand, will never be shared with third parties without your consent.

    5. Request Restrictions on Certain Uses and Disclosures of Your Medical Information

      You have the right to request reasonable restrictions on certain uses or disclosures of your personal and health information. Requests for restrictions must be in writing. In most cases, we are not required to agree to your requested restriction. However, if we do agree, we will comply with your request unless the information is needed to provide you emergency treatment or comply with the law.

      Some examples of restriction requests that the Hospital cannot honor include:

      • Requests to restrict residents from accessing your medical information.
      • Requests restricting the hospital from giving your name to an insurance company that will be asked to pay a portion of your bill.
      • Request restricting the hospital from reporting your identity and condition to an agency or organization where the hospital is required by law to do so.

  7. Inquiries and Complaints

    The confidentiality of your health information is a significant part of the care we provide to you. For matters relating to the processing of your protected health information or if you believe that your privacy rights have been violated, you may file a written complaint with our Data Privacy Management Department via:


    Mail: Data Protection Officer
    Data Privacy Management Department
    The Medical City
    Ortigas Avenue, Pasig City

  8. Effectivity

    The provisions of this Policy are effective this 01 day of March 2018 until amended.