If you have 1,000 or more patient records (this includes both electronic and paper records), registration is required. Even if you fall below the threshold, voluntary registration is highly recommended to demonstrate accountability and compliance.

PIC vs. PIP: Understanding Your Role

Personal Information Controller (PIC)	The Doctor retains ownership of all patient information stored in SeriousMD and is mainly responsible for maintaining the data’s accuracy, integrity, and security (e.g., proper access control).
Personal Information Processor (PIP)	SeriousMD acts as the third-party PIP for the Doctor, providing the platform and technical means to store and secure the data in its cloud platform, strictly following the instructions of the PIC.

Important: Your role as the PIC means you cannot designate SeriousMD as your DPO. The DPO must be an individual affiliated with your practice (the doctor or a trained staff member like a secretary).

What makes a secretary or trained staff member a DPO?

A secretary or trained staff member may be designated as the clinic’s DPO if they are familiar with data privacy regulations and have received formal training in privacy and security practices to effectively oversee compliance with the Data Privacy Act.

Step-by-Step NPCRS Registration Process

The entire registration process is completed online via the NPCRS portal.

Phase 1: Preparation and Account Creation

Designate Your DPO: Appoint yourself or a qualified staff member (like a secretary) as the Data Protection Officer (DPO).
Create DPO email address: Must be position-specific (e.g., dpo@yourclinic.com, dpo.clinicname@gmail.com). Best to not use a personal email.
Gather Documents: Prepare the necessary supporting documents (just in case!):
- PRC License or valid government ID.
- DTI Certificate of Registration (for sole proprietorships).
- NPC DPO Form: This is auto-generated by the NPCRS. You will need to print, sign, have it notarized.
Create NPCRS Account:
- You will receive an email to complete registration. Click the one-time login button
- Go to the official NPCRS website and create an account as an "Individual Professional."

IMPORTANT: Please note that once registration is completed, the NPCRS system will automatically display the DPO’s name as the PIC (Person-in-Charge) on your account. You can see this on the upper right corner of the screen after logging in.

Because of this, make sure to enter the correct DPO name during registration. If you list your secretary’s name as the DPO, it will also appear as the PIC in the system.

Note: You'll see this prompt before proceeding. If you have 1000+ patient records already, kindly leave the box blank them click Continue.

You will have to upload a notarized Attestation of Exemption of Registration

If you will not be going for exemption, you will then fill out the details about your Data Processing System (DPS)

Phase 2: Registration Proper (Data Processing System Details)

You must register at least one Data Processing System (DPS), which is your Patient Record Keeping system (SeriousMD, paper charts, etc.).

Data Processing System (DPS) Name	Patient Record Keeping
Basis of Processing Information	✔︎ The data subject has given his/her consent ✔︎ The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract ✔︎ The processing is necessary for compliance with a legal obligation to which the personal information controller is subject ✔︎ The processing is necessary to protect vitally important interests of the data subject, including life and health ✔︎ The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate ✔︎ The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution
Purpose of Processing	To record, manage, and maintain patient medical information for continuity of care and proper clinical documentation, in accordance with Sections 12 and 13 of the Data Privacy Act of 2012 (RA 10173) and Rule IV, Section 18(a) of its IRR, which permit the lawful processing of sensitive personal information necessary for medical treatment and healthcare management by medical practitioners or health institutions bound by professional confidentiality.* *The example above is only a basic reference.
Basis of Processing Sensitive Personal Information	✔︎ The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing ✔︎ The processing of the same is provided for by existing laws and regulations. Provided, that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information. Provided, further, that the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information ✔︎ The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing ✔︎ The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations. Provided, that such processing is only confined and related to the bona fide members of these organizations or their associations. Provided, further, that the sensitive personal information are not transferred to third parties. Provided, finally, that consent of the data subject was obtained prior to processing ✔︎ The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured ✔︎ The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or in the establishment, exercise of defense of legal claims, or when provided to government or public authority
Description of the category or categories of data subjects	Patients* *The examples above is only a basic reference. You’re identifying the groups of people whose data your clinic handles.
Description of data or categories relating to the Data Subject	Medical records - Name, age, sex, contact information, medical history, diagnosis, prescriptions, payment information, etc.* *The examples above is only a basic reference. You're describing what kinds of data you collect from each of those groups
Recipients or categories of recipients to whom the data might be disclosed	Partner laboratories, diagnostic centers or pharmacies* *The examples above are only basic references. This section described who you share the data with. Whether individuals, organizations, or systems outside your clinic that may receive or access the data.
Is processing done as the PIC or PIP?	PIC
Is the system outsourced or subcontracted?	Yes
Name of PIP	SeriousMD
Contact number	You may leave this blank
PIP Email Address	privacy@seriousmd.com
When is the data collected?	During clinic visit, booking an appointment* * The examples above are only basic references. Please make sure to list or describe every step in your clinic’s workflow that involves data collection.
Retention Period with Reckoning date/time	Medical Records Retention Policy: Inpatient records: 10 years from date of last discharge Outpatient records: 7 years from date of last consultation Medico-legal cases: Lifetime (permanent retention) Basis: Department of Health Department Circular No. 2021-0226
Disposal/Destruction/Deletion Procedure	You may enter whichever applies to you SeriousMD helps delete records saved electronically Patient records stored in locked filing cabinets with access restricted to authorized medical staff* Access log maintained showing who accessed physical files and when* Visitor logbook at reception* Clean desk policy requiring all patient documents to be secured when not in use* Physical files disposed via cross-cut shredding* *The examples above are only basic references. Please make sure to describe how you remove your patient's medical records.
Is the personal data transferred outside the Philippines?	If you answered Yes, that could mean: You use a foreign-based service provider that processes your clinic data. Patient data is shared with international research institutions or foreign partners. If your answer is No, that means: All personal data collected and stored by your clinic stays within the Philippines. You do not transmit patient or employee data to any foreign organizations, systems, or entities.
Is there any data sharing agreements with other parties?	If you answered Yes, that could mean: Your clinic shares patient test requests and receives results from a partner diagnostic center (e.g., Hi-Precision, The Medical City Diagnostics, etc.). You share data with an HMO or insurance provider for claims processing. You share billing information with a third-party accounting or HR system. If you answered No, that means: Your clinic does not share any patient or staff data with external organizations beyond internal use.
Who are these data sharing agreements with?	Describe who you share the information with.
Is the system external and/or internal facing?	Yes (External-facing for NowServing bookings; Internal-facing for EMR use.)
Is there any notification regarding any automated decision-making operation and/or profiling?	Leave this blank
Description of Security Measures (Organizational)	Explain who is responsible for data privacy in your clinic and what policies or training are in place. Tip: Mention your DPO (Data Protection Officer), internal rules, and how your staff handles patient data. An example would be: "We have designated [Name] as our DPO, implemented access control policies requiring staff to only access records on a need-to-know basis, and conduct annual privacy training"
Description of Security Measures (Physical)	Describe how you protect physical (paper-based) records in your clinic. Tip: Include where they are stored, who can access them, and what security measures you use to prevent unauthorized access. An example could be: "Paper records are stored in locked filing cabinets in our secure records room with access limited to authorized personnel. We maintain visitor logs and implement clean desk policies"
Description of Security Measures (Technical)	We use SeriousMD EMR system with AES-256 encryption, multi-factor authentication, and automatic session timeout. Our computers have password protection and anti-virus software

Phase 3: Payment and Issuance

Validation: NPC will review your submission and supporting documents. You will be notified of any deficiencies.
- Review of submission may take around 5-10 business days.
Payment: Once validated, you will receive a prompt for payment.
- 🚨 IMPORTANT: Make sure to click the "Update Payment" button after settling payment online in your NPCRS account.
Download: After successful payment, you will download your Certificate of Registration (COR) and the NPC Seal of Registration.

Timeline and Costs (Current as of 2025)

Fee Type	Amount	Notes
Registration Fee	500	Applicable to PICs
Renewal Fee	350	Must be renewed annually

Validity of registration is 1 year from the date of issuance. Registration must be renewed 30 days before expiration.

How to Display the NPC Seal

Physical Clinic: Seal should be displayed at

Main entrance
Reception desk
Most conspicuous place where patients first arrive

Online Clinic: The NPC Seal must be displayed in the doctor's website, doctor profiles, or patient-facing pages

Common Misconceptions when Registering

Misconception	Correction
One Registration per Clinic	One registration is sufficient if both clinics are under the same PIC/business entity (the second is considered a "branch"). If they are separate legal entities, register them separately.
Mistaking PIC/PIP Roles	The Doctor is always the PIC for patient data. You must register as the PIC and list SeriousMD as your PIP.
DPO Appointment	The DPO must be an individual in your practice (the doctor or staff), not SeriousMD.

Frequently Asked Questions (FAQs):

Do I have to register every year?
- The registration is valid for one year and requires renewal within the 30-day period before its expiration date via the NPCRS.
Who provides the Seal of Registration?
- The NPC provides the downloadable Seal and Certificate of Registration once your application is completed, paid for, and validated in the NPCRS.
Who prepares the Privacy Impact Assessment (PIA)?
- You (the PIC) are responsible for your own PIA. Your PIA covers your clinic processes (e.g., how you collect paper forms, staff training). SeriousMD's PIA covers the platform's internal systems, not your practice's operations.
What official email can I use for the registration form?
- You will have to create your own email (e.g., dpo@yourclinic.com)
I do not have DTI registration. Do I have to be registered with DTI before registering with the NPC?
- No, not always.
  The requirement for DTI registration before registering with the NPC depends on how your business or practice is formally registered and operated:
  - Individual Professionals (Operating under your personal name): If you are operating perating solely under your given name (e.g., "Dr. Juan Dela Cruz Clinic"), you typically do not need DTI registration to register with the NPC.
    When you register with the NPC, select the "Individual Professional" option.
    This applies as long as all your clinics, offices, or places of business are under your personal name.
  - Sole Proprietorships (With a Business Name): If you are operating a Sole Proprietorship under a fictitious or business name (e.g., "Bright Smile Dental Clinic"), you must be registered with the DTI first, as the DTI registers business names for sole proprietorships. This DTI registration would then be a requirement for your NPC registration.

NPC Registration Process Flowchart.pdf

How do you handle security for my data?

SeriousMD is HIPAA-compliant. What does that mean?

Do you have a primer on how to answer the Phase 2 for the Data Privacy Act/National Privacy Commission registration?

Is SeriousMD registered with the NPC? Complies with the Data Privacy Act?

NPC Privacy Seal Display Requirements

A Complete Guide to NPC Registration for Doctors (2025)