Last Updated: May 20, 2026

Data Privacy Management Department
The Medical City
Ortigas Avenue, Pasig City
Telephone No.: (02) 8988-1000 local 2294
Email: dpo@themedicalcity.com
I. BACKGROUND
Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), seeks to protect the fundamental human right of privacy while ensuring the free flow of information to promote innovation and growth. The DPA requires organizations processing personal data to implement appropriate organizational, physical, and technical safeguards to protect personal information under their custody or control.
As a healthcare institution, The Medical City (“TMC” or the “Hospital”) recognizes the confidential and sensitive nature of medical and health information entrusted to it by patients, employees, physicians, students, trainees, and other stakeholders. The Medical City is committed to protecting patient privacy and ensuring the responsible processing of personal and health information.
II. POLICY STATEMENT
The Medical City is committed to protecting the privacy, confidentiality, integrity, and security of patient information. This Policy establishes the standards governing the lawful collection, use, processing, disclosure, storage, retention, transfer, and disposal of personal and health information by The Medical City.
The Medical City adopts privacy-by-design and privacy-by-default principles in developing and maintaining systems, technologies, procedures, and operational processes involving personal and health information.
The Hospital shall process personal and health information only when permitted by law and only for legitimate, specific, and lawful purposes related to healthcare delivery, hospital operations, public health obligations, medical education, research, legal compliance, and related institutional functions.
This Policy applies to all employees, officers, physicians, consultants, residents, fellows, trainees, students, volunteers, contractors, service providers, and other persons who process personal and health information under the authority of The Medical City.
III. OUR COMMITMENT TO PATIENT PRIVACY
The Medical City understands that information about you and your health is personal and confidential. Information obtained during your consultation, admission, treatment, diagnosis, testing, procedures, or confinement shall form part of your medical record and shall be treated with appropriate confidentiality and security safeguards.
The Hospital shall implement reasonable and appropriate organizational, physical, and technical security measures to protect personal and health information against unauthorized access, accidental or unlawful destruction, alteration, disclosure, misuse, loss, or any unlawful processing.
Access to patient records shall be limited only to authorized personnel with a legitimate work-related need and in accordance with the principle of least privilege or minimum necessary access.
All personnel of The Medical City, including physicians, consultants, trainees, and service providers, are required to observe confidentiality obligations and comply with applicable privacy and information security policies.
Hospital personnel shall undergo periodic privacy, confidentiality, cybersecurity, and information security awareness training.
IV. LEGAL BASES FOR PROCESSING
The Medical City may process personal and health information pursuant to one or more lawful criteria recognized under applicable laws, including:
1. Consent of the data subject;
2. Protection of life and health;
3. Medical treatment and healthcare purposes;
4. Compliance with legal obligations;
5. Performance of contractual obligations;
6. Public health and public authority functions;
7. Legitimate interests of the Hospital consistent with applicable laws;
8. Establishment, exercise, or defense of legal claims; and
9. Other lawful criteria recognized under the Data Privacy Act and related regulations.
Certain processing activities necessary for medical treatment, patient safety, legal compliance, public health reporting, hospital operations, or emergency response may be undertaken without separate consent when authorized or required by law.
V. DEFINITION OF TERMS
For purposes of this Policy:
a. “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
b. “Data sharing” refers to the disclosure or transfer to a third party of personal or sensitive personal data under the possession and custody of The Medical City.
c. “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed.
d. “Personal information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
e. “Sensitive personal information” refers to personal information:
(i) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(ii) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(iii) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
(iv) Specifically established by an executive order or an act of Congress to be kept classified; and
(v) Other information classified as sensitive under applicable laws.
f. “Protected Health Information” or “PHI” refers to any information relating to the past, present, or future physical or mental health condition of a patient, provision of healthcare services, or payment for healthcare services, which identifies or can reasonably identify the patient.
g. “Privileged information” refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
h. “Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
i. “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed.
j. “Security incident” refers to an event or occurrence that affects or tends to affect data protection or compromises the confidentiality, integrity, or availability of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
VI. SCOPE AND APPLICABILITY
This Policy applies to all personal and health information processed by The Medical City in physical, paper-based, verbal, electronic, digital, or automated form.
This Policy covers:
• Patients;
• Former patients;
• Patient representatives and guardians;
• Employees and medical staff acting within the course of healthcare operations;
• Students, residents, fellows, and trainees;
• Third-party service providers and business associates;
• Electronic medical records and information systems;
• Telemedicine and electronic communication platforms;
• Research and academic activities involving personal data.
Departments and units within The Medical City may adopt additional privacy safeguards and operational procedures consistent with this Policy.
VII. COLLECTION, USE, AND DISCLOSURE OF INFORMATION
A. Collection of Personal and Health Information
The Medical City may collect personal and health information directly from patients, authorized representatives, healthcare providers, payors, laboratories, government agencies, and other lawful sources.
The Hospital shall collect only information necessary and proportionate to legitimate healthcare, operational, legal, regulatory, research, training, security, and administrative purposes.
Information collected may include:
• Name, address, contact details, and demographic information;
• Date of birth, age, sex, nationality, and civil status;
• Government-issued identifiers and insurance information;
• Medical history, diagnoses, medications, allergies, and treatment records;
• Diagnostic, laboratory, radiologic, and imaging results;
• Billing, financial, and payment information;
• Audio, visual, biometric, and CCTV recordings where authorized by law;
• Emergency contact and next-of-kin information;
• Information obtained through telemedicine, electronic consultations, or digital healthcare systems.
The Hospital may also collect information through:
• Admission and registration forms;
• Consent forms;
• Electronic medical record systems;
• Patient portals and mobile applications;
• Telephone calls and electronic communications;
• Security and access control systems;
• Surveys, feedback forms, and patient experience programs.
B. Use and Disclosure for Treatment and Healthcare Services
Personal and health information may be used and disclosed for purposes directly related to patient care and healthcare delivery.
Your information may be shared among physicians, nurses, pharmacists, therapists, laboratory personnel, consultants, trainees, allied health professionals, and other authorized personnel involved in your treatment, diagnosis, referral, rehabilitation, or continuity of care.
The Hospital may disclose information to:
• Referral physicians and healthcare providers;
• Receiving hospitals and medical facilities;
• Diagnostic and laboratory facilities;
• Pharmacies and medication providers;
• Ambulance and emergency response providers;
• Home healthcare providers;
• Telemedicine service providers;
• Other healthcare institutions involved in your care.
Disclosures shall be limited to information reasonably necessary for healthcare purposes.
C. Electronic Communications and Digital Health Systems
The Medical City may utilize electronic communication systems and digital technologies to facilitate healthcare operations, continuity of care, and patient engagement.
Authorized systems may include:
• Electronic medical records;
• Hospital information systems;
• Secure email systems;
• SMS notifications;
• Patient portals;
• Telemedicine platforms;
• Secure messaging systems;
• Mobile healthcare applications;
• Cloud-based healthcare technologies.
The Hospital shall implement reasonable and appropriate safeguards including:
• Role-based access controls;
• Password management policies;
• Encryption measures where practicable;
• Multifactor authentication where applicable;
• Secure transmission protocols;
• Audit logs and monitoring systems;
• User authentication procedures.
Hospital personnel shall use only authorized communication channels for the transmission of sensitive medical information whenever practicable.
Patients acknowledge that electronic communication systems involve inherent cybersecurity and privacy risks despite reasonable safeguards.
D. Appointment Reminders and Patient Communications
The Hospital may use contact information provided by patients to communicate:
• Appointment reminders;
• Follow-up consultations;
• Test result notifications;
• Patient care instructions;
• Billing and payment reminders;
• Health advisories;
• Patient satisfaction surveys;
• Service announcements;
• Telemedicine instructions;
• Other legitimate healthcare-related communications.
Patients may request reasonable limitations on certain communications subject to operational and legal considerations.
E. Use and Disclosure for Billing, Payment, and Collection
The Hospital may use and disclose personal and health information to:
• Process payments;
• Verify insurance coverage;
• Facilitate PhilHealth claims;
• Coordinate with HMOs and insurers;
• Conduct utilization review;
• Verify eligibility and benefits;
• Process reimbursements;
• Conduct lawful collection activities.
Information may be disclosed to:
• PhilHealth;
• Insurance companies;
• HMOs;
• Government healthcare programs;
• Financial institutions;
• Billing providers;
• Auditors;
• Legal counsel;
• Collection service providers.
Only limited and necessary information shall be disclosed for payment and collection purposes.
F. Use and Disclosure for Healthcare Operations
The Hospital may process personal and health information for legitimate healthcare operational purposes including:
• Quality assurance and quality improvement;
• Patient safety activities;
• Accreditation and certification;
• Infection prevention and control;
• Risk management;
• Compliance and regulatory reporting;
• Information technology management;
• Clinical audits and peer review;
• Staff training and competency programs;
• Strategic planning and administration;
• Internal investigations;
• Legal and regulatory compliance.
Where practicable, data used for analytics, statistical reporting, operational review, or institutional studies shall be anonymized, masked, encrypted, aggregated, or de-identified.
G. Third-Party Service Providers and Business Associates
The Hospital may engage third-party service providers, contractors, consultants, auditors, accreditation bodies, cloud service providers, and other business associates to support hospital operations.
Such third parties may process personal information only pursuant to lawful purposes and written agreements requiring:
• Confidentiality obligations;
• Appropriate security measures;
• Data protection compliance;
• Breach reporting obligations;
• Restrictions on unauthorized disclosure or use;
• Proper return or disposal of information upon termination of services.
The Hospital shall undertake reasonable vendor risk assessment and due diligence procedures where appropriate.
H. Legal Compliance and Public Health Activities
The Hospital may disclose personal and health information where required or authorized by law, including disclosures to:
• Department of Health;
• National Privacy Commission;
• PhilHealth;
• Courts and tribunals;
• Law enforcement agencies;
• Public health authorities;
• Regulatory agencies;
• Licensing and accreditation bodies;
• Other government agencies exercising lawful authority.
The Hospital may disclose information for:
• Reporting communicable diseases;
• Public health surveillance;
• Reporting births and deaths;
• Mandatory disease reporting;
• Reporting abuse, neglect, or violence;
• Compliance with subpoenas and lawful court orders;
• Emergency response and disaster management;
• Protection of life, health, and public safety;
• Prevention of serious threats to health or safety.
Disclosures shall be limited to information necessary for the lawful purpose.
I. Research, Education, and Training
As a teaching and training institution, The Medical City may use and disclose personal and health information for legitimate educational, training, academic, and research purposes.
Medical students, residents, fellows, trainees, faculty members, and allied health trainees may access information necessary for training and educational activities subject to confidentiality obligations.
Research involving identifiable patient information shall generally require appropriate consent unless otherwise authorized by law.
Research activities involving personal information shall be subject to review and approval by the appropriate Institutional Review Board (IRB) or Ethics Review Committee.
Where practicable, information used for research shall be anonymized, masked, encrypted, aggregated, or de-identified.
J. Telemedicine and Remote Healthcare Services
The Medical City may provide telemedicine and remote healthcare services through authorized platforms and communication systems.
Patients participating in telemedicine services are encouraged to:
• Use secure internet connections;
• Protect devices and login credentials;
• Participate in consultations in private environments;
• Avoid unauthorized recording or sharing of consultations.
Recording of telemedicine consultations without authorization may be prohibited except where permitted by law.
The Hospital shall implement reasonable safeguards for telemedicine platforms consistent with operational and technological capabilities.
K. Artificial Intelligence and Automated Systems
The Hospital may utilize artificial intelligence systems, automated technologies, analytics tools, and digital healthcare innovations to support healthcare operations, diagnostics, scheduling, quality improvement, patient engagement, cybersecurity, and administrative functions.
Such technologies shall be subject to reasonable safeguards, human oversight, and applicable legal and ethical standards.
L. CCTV, Security Monitoring, and Biometrics
Hospital premises may utilize CCTV systems, visitor management systems, access control systems, biometrics, and related security monitoring technologies for:
• Security and safety;
• Access management;
• Protection of patients, employees, visitors, and property;
• Incident investigation;
• Operational management;
• Crime prevention and detection.
Security recordings and biometric information shall be accessed only by authorized personnel and retained only for legitimate and reasonable periods consistent with operational, security, and legal requirements.
M. Cross-Border Processing and Cloud Services
Certain systems, technologies, cloud-based services, and communication platforms utilized by the Hospital may involve the processing or storage of information outside the Philippines.
Where cross-border processing occurs, the Hospital shall implement reasonable safeguards and contractual protections consistent with applicable laws and regulations.
VIII. STORAGE, SECURITY, RETENTION, AND DISPOSAL
The Medical City shall implement appropriate organizational, physical, and technical safeguards to protect personal and health information against accidental or unlawful destruction, alteration, disclosure, loss, misuse, or unauthorized access.
Security measures may include:
• Role-based access controls;
• Password management and authentication protocols;
• Encryption and secure transmission measures;
• Audit trails and system monitoring;
• Physical access restrictions;
• Secure storage facilities;
• Cybersecurity protections;
• Backup and disaster recovery systems;
• Confidentiality agreements;
• Information security awareness training;
• Secure disposal and destruction procedures.
Electronic systems may maintain audit logs and monitoring mechanisms to detect unauthorized access, alteration, disclosure, or misuse of information.
Medical records shall be retained in accordance with applicable laws, accreditation standards, operational requirements, and Hospital retention schedules.
Hard copies of medical records more than five (5) years old may be transferred to secure off-site storage facilities subject to appropriate safeguards.
After the applicable retention period, records shall be securely disposed of through shredding, pulping, melting, secure deletion, destruction, or other methods reasonably designed to prevent unauthorized access or reconstruction.
Electronic records shall be securely archived and destroyed using appropriate technical disposal procedures.
IX. DATA BREACH MANAGEMENT
The Medical City shall maintain policies and procedures for detecting, reporting, assessing, containing, investigating, documenting, and responding to security incidents and personal data breaches.
Personnel are required to immediately report suspected privacy incidents, unauthorized disclosures, cybersecurity events, or security breaches through established reporting channels.
In the event of a personal data breach, the Hospital may:
• Conduct prompt assessment and containment measures;
• Implement mitigation and recovery procedures;
• Notify affected individuals where required by law;
• Notify the National Privacy Commission and other authorities where required;
• Conduct investigations and corrective actions;
• Review and strengthen safeguards and controls.
X. RIGHTS OF DATA SUBJECTS
Patients and data subjects have the following rights subject to applicable laws and reasonable limitations:
1. Right to be informed;
2. Right to access;
3. Right to object;
4. Right to rectification or correction;
5. Right to erasure or blocking where applicable;
6. Right to data portability where applicable;
7. Right to damages;
8. Right to lodge complaints before the National Privacy Commission.
Parents, guardians, authorized representatives, executors, or lawful representatives may exercise applicable rights on behalf of minors, incapacitated patients, or deceased patients subject to verification requirements.
A. Right to be Informed
You have the right to be informed regarding the collection, use, disclosure, storage, retention, and disposal of your personal and health information.
B. Right to Access Medical Records
You may request access to or copies of certain medical records and health information subject to verification procedures, reasonable limitations, legal restrictions, and applicable fees.
Available records may include:
• Clinical abstract or discharge summary;
• Laboratory and diagnostic results;
• Consent forms;
• Operative and delivery records;
• Medical certificates;
• Certificates of confinement;
• Other records permitted by law and Hospital policy.
Requests may be submitted through the Health Informatics Management Department or via authorized electronic request systems.
C. Right to Rectification
If you believe your personal information is inaccurate, incomplete, outdated, or misleading, you may request correction or updating of such information.
The Hospital may deny requests that are unsupported, inaccurate, unlawful, inconsistent with medical record integrity requirements, or otherwise prohibited by law.
D. Right to Restrict or Object to Processing
You may request reasonable restrictions or object to certain uses or disclosures of your information where permitted by law.
The Hospital may deny requests that:
• Affect emergency treatment;
• Impair lawful healthcare operations;
• Prevent legal compliance;
• Compromise patient safety;
• Conflict with professional or regulatory obligations.
E. Procedures for Requests
Requests involving privacy rights may require:
• Written request forms;
• Verification of identity;
• Supporting documentation;
• Proof of authority for representatives.
The Hospital may impose reasonable processing periods and lawful fees consistent with operational and regulatory requirements.
XI. RESPONSIBILITIES OF PATIENTS
Patients and authorized representatives are encouraged to:
• Provide accurate and updated information;
• Protect login credentials and patient portal access;
• Inform the Hospital of changes in contact information;
• Avoid unauthorized recording or disclosure of confidential information;
• Respect the privacy rights of other patients, visitors, and Hospital personnel.
XII. CONFIDENTIALITY OBLIGATIONS AND SANCTIONS
All employees, officers, physicians, consultants, residents, fellows, trainees, contractors, volunteers, and service providers of The Medical City are required to maintain the confidentiality of personal and health information.
Unauthorized access, disclosure, sharing, misuse, alteration, destruction, or processing of patient information may result in:
• Administrative sanctions;
• Disciplinary action;
• Contractual penalties;
• Suspension or termination;
• Civil liability;
• Criminal liability;
• Other legal remedies available under applicable laws.
XIII. INQUIRIES, REQUESTS, AND COMPLAINTS
For questions, requests, concerns, or complaints relating to privacy, confidentiality, or the processing of personal information, you may contact:
Data Protection Officer
Data Privacy Management Department
The Medical City
Ortigas Avenue, Pasig City
Email: dpo@themedicalcity.com
Data subjects may likewise lodge complaints before the National Privacy Commission if they believe their privacy rights have been violated.
XIV. POLICY REVIEW AND AMENDMENTS
The Medical City may periodically review, revise, amend, or update this Policy to ensure consistency with applicable laws, regulations, accreditation standards, operational requirements, technological developments, and best practices.
Updated versions of this Policy may be posted through the Hospital website, patient portals, admission areas, or other appropriate communication channels.
XV. EFFECTIVITY
This Policy shall take effect on 20 May 2026 and shall remain in force unless amended, revised, or repealed by The Medical City.