
A Complete Guide to NPC Registration for Doctors (2025)

Written by Chelsea
Updated today

If you hold 1,000 or more patient records (electronic and paper records both count toward the threshold), registration is mandatory. Even if you fall below the threshold, voluntary registration is strongly recommended to demonstrate accountability and compliance.


PIC vs. PIP: Understanding Your Role

Personal Information Controller (PIC)

The Doctor remains in control of all patient information stored in SeriousMD, decides why and how it is processed, and is primarily responsible for maintaining the data's accuracy, integrity, and security (e.g., proper access control).

Personal Information Processor (PIP)

SeriousMD acts as the Doctor's third-party PIP, providing the platform and technical means to store and secure the data in its cloud environment, strictly following the instructions of the PIC.

Important: Your role as the PIC means you cannot designate SeriousMD as your DPO. The DPO must be an individual affiliated with your practice (the doctor or a trained staff member like a secretary).


Step-by-Step NPCRS Registration Process

The entire registration process is completed online via the NPCRS portal.

Phase 1: Preparation and Account Creation

  1. Designate Your DPO: Appoint yourself or a qualified staff member (like a secretary) as the Data Protection Officer (DPO).

  2. Create a DPO email address: it should be position-specific (e.g., dpo@yourclinic.com) rather than a personal mailbox, so the contact point survives staff changes.

  3. Gather Documents: Prepare the necessary supporting documents:

    • PRC License or valid government ID.

    • DTI Certificate of Registration (for sole proprietorships).

    • NPC DPO Form: This is auto-generated by the NPCRS. You will need to print, sign, have it notarized, and re-upload it later.

  4. Create NPCRS Account: Go to the official NPCRS website and create an account as an "Individual Professional."

Phase 2: Registration Proper (Data Processing System Details)

You must register at least one Data Processing System (DPS), which is your Patient Record Keeping system (SeriousMD, paper charts, etc.).

Data Processing System (DPS) Name

Patient Record Keeping

Purpose of Processing

To record, manage, and maintain patient medical information for continuity of care and clinical documentation.*

*The example above is only a basic reference.

Description of the category or categories of data subjects

Patients*

*The example above is only a basic reference. You are identifying the groups of people whose data your clinic handles.

Description of data or categories relating to the Data Subject

Medical records - Name, age, sex, contact information, medical history, diagnosis, prescriptions, payment information, etc.*

*The example above is only a basic reference. You are describing what kinds of data you collect from each of those groups.

Recipients or categories of recipients to whom the data might be disclosed

Partner laboratories, diagnostic centers or pharmacies*

*The example above is only a basic reference. This section describes who you share the data with: the individuals, organizations, or systems outside your clinic that may receive or access the data.

Is processing done as the PIC or PIP?

PIC

Is the system outsourced or subcontracted?

Yes

Name of PIP

SeriousMD

Contact number

Clinic contact number

Email address

DPO email

When is the data collected?

During clinic visit, booking an appointment*

* The examples above are only basic references. Please make sure to list or describe every step in your clinic’s workflow that involves data collection.

Retention Period with Reckoning date/time

Data is retained in accordance with applicable healthcare regulations and legal retention periods. The retention period may be based on statutory or regulatory requirements relevant to medical practice.*

*The example above is only a basic reference. State both the period and the point it is counted from (the "reckoning date", e.g., the patient's last consultation).

Disposal/Destruction/Deletion Procedure

Electronic records are deleted through SeriousMD, which carries out deletion on the Doctor's instruction.

Physical records are disposed of by shredding or burning.*

* The examples above are only basic references. Please make sure to describe how you actually dispose of your patients' medical records.

Is the personal data transferred outside the Philippines?

If you answered Yes, that could mean:

  • You use a foreign-based service provider that processes your clinic data.

  • Patient data is shared with international research institutions or foreign partners.

If your answer is No, that means:

  • All personal data collected and stored by your clinic stays within the Philippines.

  • You do not transmit patient or employee data to any foreign organizations, systems, or entities.

Are there any data sharing agreements with other parties?

If you answered Yes, that could mean:

  • Your clinic shares patient test requests and receives results from a partner diagnostic center (e.g., Hi-Precision, The Medical City Diagnostics, etc.).

  • You share data with an HMO or insurance provider for claims processing.

  • You share billing information with a third-party accounting or HR system.

If you answered No, that means:

  • Your clinic does not share any patient or staff data with external organizations beyond internal use.

Who are these data sharing agreements with?

Describe who you share the information with.

Is the system external and/or internal facing?

Yes (External-facing for NowServing bookings; Internal-facing for EMR use.)

Is there any notification regarding any automated decision-making operation and/or profiling?

Leave this blank

Description of Security Measures (Organizational)

Explain who is responsible for data privacy in your clinic and what policies or training are in place.

Tip: Mention your DPO (Data Protection Officer), internal rules, and how your staff handles patient data.

An example would be: "We have designated [Name] as our DPO, implemented access control policies requiring staff to only access records on a need-to-know basis, and conduct annual privacy training"

Description of Security Measures (Physical)

Describe how you protect physical (paper-based) records in your clinic.

Tip: Include where they are stored, who can access them, and what security measures you use to prevent unauthorized access.

An example could be: "Paper records are stored in locked filing cabinets in our secure records room with access limited to authorized personnel. We maintain visitor logs and implement clean desk policies"

Description of Security Measures (Technical)

Describe the technical controls protecting your electronic records. Only list controls that are actually in place, since this section is a declaration of what you do, not of what you plan to do.

An example could be: "We use the SeriousMD EMR system with AES-256 encryption, multi-factor authentication, and automatic session timeout. Our clinic computers are password-protected and run anti-virus software"

Phase 3: Payment and Issuance

  1. Validation: NPC will review your submission and supporting documents. You will be notified of any deficiencies.

    • Review of submission may take around 5-10 business days.

  2. Payment: Once validated, you will receive a prompt for payment.

    • 🚨 IMPORTANT: Make sure to click the "Update Payment" button after settling payment online in your NPCRS account.

  3. Download: After successful payment, you will download your Certificate of Registration (COR) and the NPC Seal of Registration.


Timeline and Costs (Current as of 2025)

Fee Type         | Amount  | Notes
-----------------|---------|-------------------------
Registration Fee | PHP 500 | Applicable to PICs
Renewal Fee      | PHP 350 | Must be renewed annually

Validity of registration is 1 year from the date of issuance. Registration must be renewed within the 30 days before it expires.


How to Display the NPC Seal

Physical Clinic: Must be displayed prominently at the reception area and in the consultation room(s)

Online Clinic: The NPC Seal must be displayed in the doctor's website, doctor profiles, or patient-facing pages


Common Misconceptions when Registering

Misconception: "I need one registration per clinic."
Correction: One registration is sufficient if both clinics are under the same PIC/business entity (the second is considered a "branch"). If they are separate legal entities, register them separately.

Misconception: Mistaking the PIC/PIP roles.
Correction: The Doctor is always the PIC for patient data. You must register as the PIC and list SeriousMD as your PIP.

Misconception: SeriousMD can be appointed as the DPO.
Correction: The DPO must be an individual in your practice (the doctor or staff), not SeriousMD.


Frequently Asked Questions (FAQs):

  1. Do I have to register every year?

    • Yes. The registration is valid for one year and must be renewed via the NPCRS within the 30 days before its expiration date.

  2. Who provides the Seal of Registration?

    • The NPC provides the downloadable Seal and Certificate of Registration once your application is completed, paid for, and validated in the NPCRS.

  3. Who prepares the Privacy Impact Assessment (PIA)?

    • You (the PIC) are responsible for your own PIA. Your PIA covers your clinic processes (e.g., how you collect paper forms, staff training). SeriousMD's PIA covers the platform's internal systems, not your practice's operations.

  4. What official email can I use for the registration form?
