Types of data we collect

• Data that identifies you
• Health, biometric, biological, and medical information
• Financial Information relevant to the settlement of your bills (e.g., insurance details)
• Contact details
• Other sensitive personal information that may affect our delivery of healthcare services

How we use your data

• To provide you with medical care
• To communicate with you
• For billing and payments
• To comply with legal requirements
• To coordinate with your healthcare professionals
To send you marketing messages
• To improve our services

Third parties who process your data

• Health and Medical Services: Medical Consultants, Metro Pacific Health Corporation
• Payments: PhilHealth, HMOs, Payment Channels
• Others: Sekhmet Technologies Private Limited

DATA YOU GIVE	DATA WE COLLECT
✔	✔	Through the Admissions Department
✔	✔	If admitted, in the course of your care, through our in-patient services
✔	✔	In an emergency, through the Emergency Department
✔	✔	When you avail of any of our out-patient services, through the relevant department (e.g., laboratory services, diagnostic imaging services, etc.)

Know your rights

• Access and/or correct the information we hold on you
• Complain about us
• Other rights as specified in the Data Privacy Act

Last updated on May 17, 2024

Our role in your privacy
If you are a client or patient of COMMONWEALTH HOSPITAL AND MEDICAL CENTER this policy applies to you. It is only natural to want assurance that your data will be in safe hands. We consider your privacy extremely important; through this policy, we will explain which of your data we process and how we handle these data.
Our responsibilities We act as the ‘personal information controller’ of your personal data processed for the provision of healthcare and healthcare services.
We are registered as a personal information controller with the National Privacy Commission under registration number PIC-003-258-2023 effective until August 31, 2024.
Alan Joel L. Restubog is our data protection officer. You can reach him via dpo.chmc@commonwealthmed.com.ph or 8930-000 loc 192.
Your responsibilities

• Read this Privacy Policy
• If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorize us to process it on your behalf in accordance with this Privacy Policy.

Your name, age and birthdate, marital status, PhilHealth number, SSS or GSIS number, the details of your valid government identification card, etc.

• Your height, weight, blood type, current symptoms, medical history (including family medical history), information about your lifestyle (e.g., consumption of alcohol or tobacco products), vital signs (temperature, blood pressure, heart rate, etc.), diagnostic information, treatment information (details of surgeries, medications prescribed, doses, administration times, and other treatments). If you have been admitted to the hospital we will also collect information on your medical condition and changes in your condition, treatment responses and outcomes, discharge status, and follow-up care instructions.

• Credit/debit card details, details of your employer, etc.

• Your contact number, email address, and home address, as well as the contact details of your next of kin or emergency contact

• Your religion, race and ethnic origin, CCTV footage (please refer to our separate CCTV Surveillance Notice)

We process data about all patients at our hospital. By ‘process’, we mean, for example, that we will save or add to your data, or that we will share them with your healthcare providers (e.g., your physicians), and delete them at a later date. If you receive treatment at our hospital, we will process your health and medical information in your patient record. Under no circumstances will we process more data than needed to provide you with the appropriate care.

• To provide you with medical care
  Legal basis: Necessary for medical treatment, Necessary for the protection of life and health
  Your personal information helps us understand your health history and current health needs to provide you with appropriate medical treatment and services. This includes everything from diagnosing your condition to planning your care and treatment. Your information may be used and accessed by our employees and medical consultants (i.e., your physicians or the healthcare professionals involved in the interpretation of your test results) who are involved in or who have a supporting role in your care and treatment to ensure that you receive the best possible care. These employees and consultants have a statutory duty and/or ethical and professional duties of confidentiality.
  We may share your information with other affiliated clinics or hospitals if you are referred to them. But, we will only share your information after you have consented to it.
• To communicate with you
  Legal basis: Necessary for medical treatment, Necessary for the protection of life and health
  We may use your contact information to communicate important information about your appointments, test results, and health status.
• For billing and payments
  Legal basis: Necessary for medical treatment, necessary for compliance with a legal obligation
  We will process your relevant financial information (such as your credit card information or other information relevant to your mode of payment), insurance or HMO details, and PhilHealth details to ensure that you are properly billed, that your health insurance benefits under PhilHealth and your insurance or HMO are deducted from your bills, and for the payment and settlement of your bills.
• To comply with legal requirements
  Legal basis: Necessary for compliance with a legal obligation
  We are required under various regulations to share health information to the Department of Health, PhilHealth, etc. For instance, we are required to report to the DOH selected non-communicable diseases, communicable, infectious and other notifiable diseases, including those that pose a serious health and security threat to the public. We are also required to share information on your diagnosis and treatment to PhilHealth to accord you the benefits that may be due to you under the National Health Insurance.
To coordinate your care with your healthcare professionals
Legal basis: Necessary for medical treatment, Necessary for the protection of life and health Your medical doctors practice in our institution as consultants. Therefore, they are considered as third parties with whom we must necessarily share your information to provide the medical care you need.
To send you marketing messages
Legal basis: Legitimate Interest
We may send you messages to provide health education content, information about our hospital and the services we offer, information and tools that may help you make informed decisions about your health, feedback forms to assess the quality of our services, etc.
• To improve our operations and services
  Legal basis: Legitimate interest, vitally important interest, and necessary for purposes of medical treatment
  We will process your personal information to standardize your information in the hospital, allowing us, ultimately to improve our operations and services. By standardizing your information, we mean that we will reformat and re-organize your information (including those that we are already keeping) so that your information will follow a standardized format thereby allowing us to clean up our records and enhance patient safety and coordination of care.
  We will process your name (First, Middle, and Last), date of birth, address, gender, information on your government-issued ID (e.g., PhilHealth number), and phone number to unify our records and create a unique patient ID for each of our patients. This will help us understand our patients’ care lifecycle and improve patient safety by ensuring that our healthcare professionals have the latest information available to make informed treatment decisions. The unique patient ID will be the hospital’s foundation for unifying its disparate patient records and for cleaning up and updating its patients’ records.
• Other uses that are exempt from the coverage of the Data Privacy Act
  In the interest of full transparency, we also use your information for purposes that are exempt from the Data Privacy Act:
  - For scientific and research studies,
  - For teaching and training our future doctors-specialist, healthcare professionals, and students in the medical and other healthcare fields, and
  - For purposes of our business operations and financial performance reporting, statistical analysis, etc.
  In all of these cases, we will anonymize or aggregate your information. Otherwise, we will seek your consent prior to using or sharing your information for the above purposes.
To know more about what these legal bases mean, please read the information on the last page of this Notice.

DATA YOU GIVE	DATA WE COLLECT
✔	✔	Through the Admissions Department	Upon your arrival at the hospital for admission or surgery your detailed personal and medical information will be collected by our Admissions Department. If you are referred to admissions by our Emergency Department, the information necessary for your admission may have already been collected at the Emergency Department.
✔	✔	If admitted, in the course of your care, through our in-patient services	If you are admitted for treatment in our institution, our staff will collect and use your information (such as your diagnostic information, medical condition, dietary information, medication, etc.) for your medical care.
✔	✔	In an emergency, through the Emergency Department	In emergency situations, the Emergency Department, and the Triage will quickly collect your information (such as your brief medical history, reason for the visit, and insurance information if readily available) to render timely and adequate medical care.
✔	✔	When you avail of any of our out-patient services, through the relevant department (e.g., laboratory services, diagnostic imaging services, etc.)	When you avail of our various out-patient services (such as imaging, diagnostics, consultations in our out-patient or primary care centers), we collect and/or update your information to reflect any changes since your last visit. For laboratory, diagnostics, and imaging, we verify and collect your information to ensure that the tests and the results are accurately matched and recorded to the right patient.

You have the right to access the information we hold about you
This includes the right to inquire upon:

• The contents of your personal information that we process,
• Where we obtained your personal information,
• Names and addresses of those who received your personal information,
• Manner by which we process or processed your personal information,
• Any automated process we employ where your data will or likely be made as the sole basis for decisions affecting, or that may affect, you, etc.

For more information on the matters for which you may demand access, please refer to the Data Privacy Act of 2012 and its implementing rules. You have the right to make us correct any inaccurate information about you You have the right to lodge a complaint regarding our use of your data Please tell us first, so we have a chance to address your concerns. If we fail to do this, you may lodge your complaint with the National Privacy Commission. Please note that you have other rights under the Data Privacy Act of 2012, in addition to those which we have listed in this Notice.

Third Party	Data Collected or Shared	Purpose	Place of Processing
Medical Consultants	Personal identifiers of patients and their medical and clinical information	To provide medical care and coordinate your medical care with your healthcare professionals	Philippines

Third Party	Data Collected or Shared	Purpose	Place of Processing
PhilHealth	Full Name, Period of Confinement, Patient Disposition, Type of Accommodation (if in-patient), Admission Diagnosis, Discharge Diagnosis, and Treatment Information	For the reimbursement of claims pursuant to the National Health Insurance Act and its implementing regulations.	Philippines
HMOs (You may request the list of our accredited HMOs from our Admissions Department or you may view the list in our website)	Full Name, Employer, Age, HMO account number, and Diagnosis	To process your claims against your insurance provider.	Philippines
Payment Partners (Maya, Gcash, Bank POS Terminals)	For Maya and Gcash: Transaction Type, Batch Number, Reference Number, Approval Code, Date and Time of Transaction, Network Reference Number, and Amount Bank POS Terminals: Credit or Debit Card Information, Amount, and Cardholder Signature	To process and verify the payment of your bills.	Philippines

Third Party	Data Collected or Shared	Purpose	Place of Processing
Sekhmet Technologies Private Limited	First name, Last name, Middle name, Date of Birth, Gender, Address, Phone Number, and Government ID	To create a unique patient ID for existing patients.	Singapore (The third-party is contractually bound to comply with the requirements of the DPA.)

• No data transmission is guaranteed to be 100% secure.
• If you believe your privacy has been breached, please contact us immediately at dpo.chmc@commonwealthmed.com.ph

We store physical copies of your data in our Medical Records Department. We also store electronic copies of your information in our Hospital Information System (HIS) that has an on-site server.

We will retain your information for as long as necessary to serve the purposes for which they were obtained. Please know, however, that the periods for the retention of medical records are likewise governed by Philippine laws, rules, and regulations, including DOH Department Circular No. 70-1996 (which provides for the retention period of various health records), DOH Department Circular No. 2021-0226, and DOH Administrative Order No. 2022-007 (which provides for retention periods of documents, records, slides and specimens in clinical laboratories). We will, therefore, also retain your information for as long as necessary to comply with our obligations under said laws, rules, and regulations.

We may change or update our Notice to comply with regulatory requirements, adapt to new protocols, align with industry practices, and for other legitimate purposes. We will let you know should we implement any such changes at the earliest opportunity. If necessary, we will also obtain your updated consent.