Editor’s Note (December 2025): This article has been completely rewritten to reflect the current NPC Registration System (NPCRS) and 2025 requirements. The original 2018 version covered processes that no longer exist. The old “eRehistro” system, physical document submission, and SMS access codes have all been replaced by a fully online registration portal.
If you’re a doctor in the Philippines, you’ve probably heard about NPC registration by now. Maybe a colleague mentioned it, or you saw something about “data privacy compliance” in a medical group chat.
Here’s the reality in 2025: the National Privacy Commission is no longer just educating; it is actively enforcing. In 2024, NPC conducted unannounced inspections at malls and business establishments, issuing immediate Show Cause Orders to 65 establishments found non-compliant.
At SeriousMD, we’ve been helping doctors navigate this since 2018. A lot has changed since then, so we’ve updated this guide to reflect exactly what you need to know and do in 2025.
Do You Need to Register with NPC?
Short answer: yes. If you have 1,000 or more patient records, whether digital or paper, you must register.
Most active medical practices hit this threshold quickly. Think about it: 1,000 patients is roughly 3-4 patients per day for one year. If you’ve been practicing for more than a year, you probably qualify.
You must register if ANY of these apply:
- You have 1,000+ patient records (including paper charts!)
- You employ 250+ people
- You use automated decision-making systems
- You’re a government health facility
Common misconception: “I only use paper records, so NPC doesn’t apply to me.”
Reality: The Data Privacy Act covers ALL personal data processing, digital or paper. A filing cabinet full of patient charts is a “data processing system” just like an EMR.
The Critical Concept: You Are the PIC
Before we get into the how-to, you need to understand this fundamental concept:
| Role | Who | What It Means |
|---|---|---|
| PIC (Personal Information Controller) | You, the doctor | You decide what patient data to collect, why, and how to use it. You’re ultimately responsible for compliance. |
| PIP (Personal Information Processor) | SeriousMD, labs, billing companies | Third parties that process data on your behalf, following your instructions. |
What this means for SeriousMD users: Using our platform doesn’t exempt you from registration. We’re registered as a PIP, but you still need to register as a PIC for your own patient data.
Think of it like this: You own the patient data. We just provide the secure vault to store it in.
What Happens If You Don’t Register?
The NPC has moved from pure education to active enforcement, especially for organizations that ignore their obligations or mishandle sensitive data. Here is what may be imposed in serious or repeated cases:
- Administrative fines: The NPC may impose fines ranging roughly from ₱50,000 up to ₱5,000,000 per violation, depending on the severity and impact of the breach.
- Orders to correct or stop processing: The NPC can issue orders to suspend or limit certain data‑processing activities until issues are fixed, which can disrupt clinic operations if problems are not addressed.
- Possible criminal liability: For serious, willful, or malicious violations, the Data Privacy Act allows imprisonment (in years) plus fines, especially when sensitive health information is involved.
- Certificate suspension or revocation: A registration may be suspended or revoked if an entity repeatedly fails to comply with legal and NPC requirements.
- Reputational impact: NPC decisions and enforcement actions can be made public, which may affect a clinic’s or doctor’s professional reputation.
Registration Process Overview (2025)
The entire registration process is now 100% online through the NPC Registration System (NPCRS) at npcregistration.privacy.gov.ph.
Here’s the high-level flow:
Step 1: Prepare (1-2 weeks)
- Designate yourself (or a qualified staff member) as your Data Protection Officer (DPO)
- Create a position-specific email (e.g., dpo@email.com)
- Gather supporting documents (PRC license, DTI certificate if applicable)
Step 2: Register Online (2-4 hours)
- Create an NPCRS account as an “Individual Professional”
- Enter your organization and DPO details
- Register your Data Processing Systems (your EMR, paper records, etc.)
- Download, sign, notarize, and upload the system-generated DPO form
Step 3: Wait for Validation (5-10 business days)
- NPC reviews your submission
- You’ll be notified of any deficiencies (you get 5 days to correct them)
Step 4: Pay and Download (same day once approved)
- Pay the registration fee online
- Critical: Click “Update Payment” in your NPCRS account after paying online
- Download your Certificate of Registration and NPC Seal
Registration Fees (Current as of 2025)
| Fee Type | Amount |
|---|---|
| Initial Registration | ₱500 |
| Annual Renewal | ₱350 |
Your registration is valid for 1 year and must be renewed 30 days before expiration.
For Complete Step-by-Step Instructions
We’ve created a comprehensive guide with screenshots, exact form field answers, and troubleshooting tips:
👉 Complete NPC Registration Guide for Doctors (2025)
This guide includes:
- Exact answers for each registration field
- What to put for “Purpose of Processing”
- How to describe security measures
- Common mistakes to avoid
- Screenshots of every step
After Registration: Your Ongoing Obligations
Getting registered is just the beginning. Here’s what you remain responsible for on an ongoing basis:
Display Your NPC Seal
- Physical clinic: Main entrance, reception desk, or most visible area
- Website: Embedded or linked from your privacy notice
- All branches: Every location where you process patient data
👉 See our NPC Seal Display Requirements guide
Annual Requirements
| Requirement | Deadline | Where |
|---|---|---|
| Registration Renewal | 30 days before expiration | NPCRS |
| Annual Security Incident Report (ASIR) | March 31 every year | DBNMS (separate system!) |
Important: You must submit ASIR even if you had zero security incidents. Just report “0” in the relevant fields.
If a Breach Occurs
- Report to NPC within 72 hours of discovery
- Notify affected patients if the breach poses real risk
- Document everything
What Documents You Need (And Don’t Need) to Submit
This confuses a lot of doctors, so let’s be clear:
Submit to NPC:
✅ Registration application (via NPCRS)
✅ Annual Security Incident Report (via DBNMS)
✅ Breach reports within 72 hours (if applicable)
✅ Registration amendments when things change
Keep Internally (NPC may inspect during audits):
📁 Privacy Impact Assessment (PIA)
📁 Privacy Management Program
📁 Privacy notices (display these publicly, but don’t submit)
📁 Security documentation
📁 Training records
📁 Data processing inventory
Note: NPC provides a template for the Privacy Impact Assessment (PIA). For everything else (Privacy Management Program, privacy notices, policies), you create the documents yourself or use templates like the ones we provide to SeriousMD users.
How SeriousMD Helps With Compliance
We’ve been registered with NPC since the beginning. Here’s what we handle as your PIP:
Security measures we implement:
- AES-256 encryption for data at rest
- TLS encryption for data in transit
- Multi-factor authentication
- Role-based access controls
- Comprehensive audit logging
- Regular backups
- Automatic session timeout
What this means for your registration: When filling out the NPCRS form about security measures, you can reference that you use “SeriousMD EMR system with AES-256 encryption, multi-factor authentication, and automatic session timeout.”
What you still need to do:
We’re your partner in compliance, but you remain the controller of your patient data.
Frequently Asked Questions
Q: I’m just starting my practice. Do I need to register now?
A: You have 20 days from when you start operations to register. Even if you don’t hit 1,000 patients yet, registering early demonstrates accountability. Better to be compliant from day one.
Q: I have two clinics. Do I register twice?
A: If both clinics are under the same legal entity (your name or your corporation), one registration is sufficient; the second clinic is considered a “branch.” If they’re separate legal entities, register each separately.
Q: Can my secretary be the DPO?
A: Yes, if they’re familiar with data privacy regulations and have received formal training. The DPO must be an individual affiliated with your practice, not SeriousMD or any external party.
Q: What if I only have paper records?
A: You still need to register. Paper-based patient charts are a “data processing system” under the Data Privacy Act. The same rules apply.
Q: I’m retiring soon. Do I still need to register?
A: If you’re still seeing patients and have 1,000+ records, yes. You also need a plan for transferring or archiving patient records when you close. Medical records are generally expected to be retained for at least 10–15 years from the date of last entry or patient contact under DOH guidance, but doctors should check their hospital or clinic’s specific retention policy and any newer DOH issuances to be sure.
The Bottom Line
The days of “wait and see” are over. The Commission is actively enforcing, conducting unannounced inspections, and issuing immediate penalties.
The good news: compliance isn’t that complicated once you understand the process. And the cost of registration (₱500 initial, ₱350/year) is nothing compared to the cost of a violation.
Ready to get started?
👉 Complete NPC Registration Guide with Screenshots
👉 NPC Seal Display Requirements
Need Help?
If you’re a SeriousMD user and have questions about compliance, reach out to our support team. We’re here to help you navigate this because protecting patient data is something we care about deeply.
Not using SeriousMD yet? See how we help doctors stay compliant while making practice management easier.
This article was last updated in December 2025. NPC requirements can change; always verify current requirements at privacy.gov.ph.
Share this guide with other doctors who might find it helpful. Compliance is easier when we help each other.
