We received a call the other day. Then we received a support ticket. Then we got an email.
Then messages started coming in by the dozens per hour.
“I was told that I need to register with NPC. Am I violating anything by using SeriousMD?”
“I need to register if I have 1000 patients??? That is just half my year. What should I do now?”
“I thought going paperless was easy, now, I have to register with NPC? Makes me want to go back to paper.”
“Should I worry about using an EMR because of the NPC deadline?”
“I got this message from another doctor with these images. What will happen now??”
This Data Privacy Act compliance deadline has caught a lot of doctors off-guard.
Here at SeriousMD, we treat all of you like family and we want to make things as easy as possible for you.
There’s no need to panic. The registration deadline was extended to July 2, 2018 (previously March 8, 2018), and in this article we’ll explain what you need to do. If you have other questions that are not covered here, just let us know and we’ll try our best to answer them.
So, let’s get started.
First of all, doctors are not violating anything by using SeriousMD. Both SeriousMD users and those still using paper records are required by the NPC to register.
You simply need to register with the NPC if you collect or process at least 1000 records.
If you are processing any of the following information, you are required to register:
- information that would likely affect national security, public safety, public order, or public health;
- information required by applicable laws or rules to be confidential;
- vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP;
- automated decision-making or profiling.
There are 2 Phases that you need to know about.
- Phase 1 – A PIC (personal information controller) or PIP (personal information processor), through its DPO (Data Protection Officer), shall accomplish the prescribed application form, and submit the same to the Commission together with all supporting documents. Upon review and validation of the submission, the Commission shall provide the PIC or PIP via email an access code, which shall allow it to proceed to Phase II of the registration process.
In Short: You just have to register.
- Phase 2 – Using the access code provided by the Commission, a PIC or PIP shall proceed to the online registration platform and provide all relevant information regarding its data processing systems. The Commission shall notify the PIC or PIP via email to confirm the latter’s successful completion of the registration process: Provided, that registration may be done in person at the office of the Commission in the event that online access is not available.
In Short: Provide further requirements.
This article will cover Phase 1.
* Disclaimer. This article is for informational purposes only and not for the purpose of providing legal advice.
Phase 1: Registration
Here’s the basic overview of how you can complete Phase 1:
- Fill up their form. They call it the DPO (Data Protection Officer) form.
- Have the DPO form notarized.
- Prepare a notarized Secretary’s Certificate (for corporations).
- Prepare a Certified True Copy of your Certificate of Registration (Get a certified true copy from DTI for a sole proprietor, or SEC Certificate for a corporation. I’ll go through your options below.)
- Submit the above requirements to NPC.
- Wait for email for access to Phase 2.
Here’s a video and an image that you can share with other doctors.
Step 1. Complete the DPO Form
- Download the DPO form by clicking here.
- Print it out.
- Fill up the form.
- Your DPO (What’s a DPO?) can be your secretary or yourself. Essentially, the DPO is the doctor, unless you have another staff member dedicated to handling the safekeeping of all your records, whether digital and/or paper charts.
- Your DPO and Head of Agency (in this case, it’s most likely that you are the head) should sign at the bottom of the form.
- Get it notarized.
Step 2. Prepare the Requirements
Requirements For Private Entities (Sole-Proprietorship)
- Certificate of Registration DTI (Get a Certified True Copy from DTI)
Requirements For Private Entities (Corporation)
- Duly-notarized Secretary’s Certificate authorizing appointment or designation of Data Protection Officer. (Because we love you, here’s a copy that we created that you can use and fill up. Make sure to get it notarized.)
- Certified True Copy of SEC Certificate (Certificate of Registration), AOI, By-Laws
- General Information Sheet
Step 3. Submit All Documents
- Either personally deliver the documents OR…
- Send via registered mail or private courier service (to the National Privacy Commission)
- Note: Before sending the documents, we recommend calling up the NPC directly to check if the address provided is still correct.
- Address: 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines
After they receive the documents and process them, you will receive an email confirmation like this.
That’s actually it for Phase 1.
Frequently Asked Questions for Phase 1:
Q: I am a doctor and I have over a thousand records BUT I do not have a clinic. Should I register?
A: We recommend that you just register. Better to be safe.
Q: I have 900 records. Do I need to register?
A: Their requirement is 1000 but here at SeriousMD, we’d like to keep things simple. Always err on the side of caution. Just register now, it doesn’t hurt to do things in advance.
Q: Is there another address for the NPC?
A: We were told that they will be moving to a new office. There is no official notification yet as to where their new address will be. So for now, it’s still 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines.
Q: Is this just for doctors keeping digital records?
A: No. Whether you are keeping digital records or written records, you are still required to register.
Q: The NPC DPA deadline is still far away, can I register now?
A: Yes, you definitely can.
Q: What’s the difference between registering online and doing it offline? It seems to be the same.
A: We recommend doing it offline since you are STILL submitting the documents manually anyway but if you prefer the online route, here’s what you need to do.
- Go to the NPC website (Click here to go to their website)
- Click on the Register button and Pick an Organization type. (Sole Proprietor, Corporation, etc.)
- Fill up the online DPO form.
- You will see a page at the end (basically telling you to watch out for their email and SMS with the code for your account.)
- Then it will ask you to print it out, sign it and have it notarized.
Technically, it’s the same as the instructions above: the form is generated for you instead of you filling it in by hand, and you get your account code earlier, but you still have to submit the requirements manually.
Q: What’s a DPO?
A: Here’s the official description from NPC. “Data Protection Officer” or “DPO” refers to an individual designated by the head of agency or organization to be accountable for its compliance with the Act, its IRR, and other issuances of the Commission: Provided, that, except where allowed otherwise by law or the Commission, the individual must be an organic employee of the government agency or private entity: Provided further, that a government agency or private entity may have more than one DPO.
In short: A DPO is a person assigned by the entity (the one processing information) to be responsible for everything related to the records, including safekeeping of the records, making sure the entity’s operations are in compliance with the Data Privacy Act or other mandates by the NPC, as well as being the point of contact for the NPC.
The DPO assigned is usually the doctor but in some cases, your secretary can be assigned if they are responsible for safekeeping the records.
TL;DR (Too Long; Didn’t Read)
- The DPA (Data Privacy Act) just requires the “keeper” of the files to be conscious of the privacy concerns of the patients.
- It’s NOT just for EMR or digital data, but also for physical records. As long as doctors keep identifiable information about a person, they are required to register. So, technically, all clinics with over 1000 records should be registered.
- SeriousMD is already registered with NPC for compliance.
- There are 2 phases for NPC registration, Phase 1 and Phase 2. See the description of each phase above.
- You just need to complete Phase 1 before the July 2, 2018 deadline (previously March 8, 2018).
- Once processed by the NPC, you will receive an email.
- Another email and/or SMS will come at least a week after to notify you about Phase 2.
Notes About Phase 2:
- With SeriousMD, we handle the checks on how the data is stored, unlike a one-off system or app, MS Word, or any other software that doesn’t have any such checks at all.
- So, in short, it’s easier and more secure with SeriousMD because we handle the long checklist (Phase 2 of NPC’s requirements) on how to store and protect data. It’s definitely safer than storing files on your computer on your own. Check how we secure your data.
This space is reserved for our article about Phase 2.
The requirements for Phase 2 can be complicated. If you are a SeriousMD user, we will definitely be able to help you out with Phase 2. Link to the article coming soon. If you still aren’t using SeriousMD for your practice, then sign up today!