DPA & HIPAA Compliance

Last updated: February 2026. This document describes how the EMR platform supports compliance with the Philippine Data Privacy Act of 2012 (RA 10173) and, where relevant, HIPAA-style safeguards for electronic health information. It is intended for healthcare providers, clinic administrators, and compliance officers.
1. Philippine Data Privacy Act (RA 10173)

The Data Privacy Act of 2012 and its Implementing Rules and Regulations (IRR) govern the processing of personal data in the Philippines. Health information is classified as sensitive personal information under the law. As a healthcare provider or clinic using the EMR platform, you typically act as the data controller; EMR acts as a data processor when we process patient and clinical data on your behalf.

1.1 General principles (Section 11, RA 10173)

Processing must be done fairly and lawfully; collected for specified, legitimate purposes; adequate and not excessive; accurate and kept up to date; retained only as necessary; and protected with appropriate organizational and technical measures. EMR is designed to support these principles by giving you control over what data you collect and store, how long it is retained, and who has access. We process data only in accordance with your instructions and our contractual and legal obligations.

1.2 Lawful basis and consent

Under the DPA, processing of sensitive personal information generally requires consent or another lawful basis (e.g. necessity for medical treatment, protection of lawful rights, or as required by law). You are responsible for obtaining and documenting consent or establishing the appropriate lawful basis before collecting and processing patient data in the EMR. The platform provides fields and workflows to record consent and access decisions where you choose to use them.

1.3 Rights of data subjects (Sections 16–21, RA 10173)

Data subjects (e.g. patients) have the right to be informed, to object, to access, to correct, to erasure or blocking, to damages, and to file a complaint with the National Privacy Commission (NPC). We provide tools and processes to help you respond to access, correction, and deletion requests (e.g. export of data, correction of records, and support for deletion where technically and legally feasible). Requests should be handled within the timeframes required by the DPA and NPC guidelines.

1.4 Data breach notification

The DPA and NPC advisories require notification of the NPC and affected data subjects in case of a personal data breach that is likely to cause real harm. We maintain incident response procedures to assess and contain breaches, and we will notify you and, where required by law, the NPC and affected individuals in accordance with our obligations as a processor and applicable regulations.

2. HIPAA-style safeguards (health information)

The Health Insurance Portability and Accountability Act (HIPAA) and its Privacy and Security Rules apply to covered entities and business associates in the United States. EMR is built primarily for Philippine clinics and may not be a HIPAA “business associate” in all contexts; however, we apply security and privacy practices that align with common expectations for protecting electronic protected health information (ePHI) and that support compliance in jurisdictions with similar requirements.

2.1 Administrative safeguards

  • Security management process: We maintain risk assessment and mitigation processes and security policies.
  • Workforce security and training: Access to systems and data is limited to authorized personnel; we provide training on security and privacy.
  • Access management: We implement role-based access, unique user identification, and procedures for authorization and clearance.
  • Evaluation: We periodically evaluate our security and compliance posture.
  • Business Associate Agreements (BAA): Where we act as a business associate under HIPAA, we can enter into a BAA or equivalent terms upon request. Contact compliance@emrdocs.ph.

2.2 Physical safeguards

We use cloud infrastructure providers that maintain physical security controls (e.g. data center access controls, environmental controls). We do not maintain our own physical data centers; our providers are selected and monitored in accordance with our vendor management program.

2.3 Technical safeguards

See Section 3 below for a description of our technical measures (access control, audit controls, integrity, transmission security).

3. Technical and organizational measures

We implement measures intended to ensure the confidentiality, integrity, and availability of personal and sensitive personal information processed through the Service:

  • Encryption in transit: All data transmitted between your devices and our services is protected using TLS (e.g. TLS 1.2 or higher).
  • Encryption at rest: Data at rest is encrypted using industry-standard encryption (e.g. AES-256) where supported by our infrastructure.
  • Access control: Access to systems and data is restricted to authorized personnel on a need-to-know basis. We use strong authentication (passwords meeting complexity requirements; multi-factor authentication where available), role-based access, and the principle of least privilege.
  • Audit logging: We maintain logs of access and significant actions (e.g. login, access to sensitive data, configuration changes) to support security monitoring, incident response, and compliance reviews. Logs are retained in accordance with our retention policy.
  • Integrity and availability: We use redundant infrastructure, backups, and monitoring to support availability and recovery. We have procedures for secure development (e.g. code review, vulnerability management) to protect the integrity of the platform.
  • Subprocessor and vendor management: We select subprocessors that handle personal or health data only where necessary and require them to meet appropriate security and confidentiality commitments. We assess and monitor their compliance. A list of key subprocessors can be provided upon request.

We periodically review and update these measures in light of risk and changes in technology and regulation.

4. Your responsibilities as data controller

As the healthcare provider or clinic, you remain the data controller (or equivalent under applicable law) for patient and other personal data you collect and process through the EMR. You are responsible for:

  • Determining the lawful basis for processing and obtaining any required consent or authorization.
  • Ensuring that your use of the Service complies with the DPA, HIPAA (if applicable), and other applicable healthcare and data protection laws.
  • Configuring users, roles, and permissions appropriately so that only authorized personnel access patient and clinical data.
  • Responding to data subject rights requests (access, correction, deletion, etc.) within the timeframes required by law.
  • Notifying the NPC (and, where applicable, data subjects) of personal data breaches where you are required to do so as the controller.

We act as a processor with respect to the data you store and process through the Service. Our processing is governed by our Terms of Use, our Privacy Policy, and any Data Processing Agreement or BAA we have in place with you.

5. Inquiries, DPAs, and BAAs

For compliance questions, requests for a Data Processing Agreement (DPA), Business Associate Agreement (BAA), or subprocessor list: contact us at compliance@emrdocs.ph or through our Contact page. We will work with you to provide the documentation and assurances appropriate to your use case and jurisdiction.