Compliance Statement

The Medical City Endocrine Diseases Registry is designed and operated in compliance with Philippine laws and institutional policies governing data privacy, health information, and patient care.

Applicable Laws and Regulations

Republic Act No. 10173

Data Privacy Act of 2012

Governs the collection, processing, and protection of personal and sensitive personal information. The Registry operates under the legal bases of consent (Section 12(a)), medical treatment (Section 13(c)), and research with anonymized data (Section 13(d)).

JAO No. 2016-0002

Health Privacy Code

Joint Administrative Order implementing privacy guidelines for the Philippine Health Information Exchange. Defines standards for health data retention (15 years minimum), consent requirements for health data processing, and interoperability standards.

Republic Act No. 11223

Universal Health Care Act

Establishes the framework for universal healthcare in the Philippines. The Registry contributes to the UHC mandate by supporting evidence-based clinical practice, disease surveillance, and health systems research for endocrine disorders, including diabetes and thyroid diseases.

Republic Act No. 10747

Rare Diseases Act of the Philippines

Provides for a comprehensive policy on rare diseases. Several complex endocrine conditions tracked in this registry (e.g., specific pituitary tumors, congenital thyroid disorders) fall under rare disease classifications, making structured data collection essential for policy development and resource allocation.

Technical Compliance Measures

The following organizational, physical, and technical security measures are implemented in accordance with RA 10173, its IRR, and NPC Circular 2016-01 (Security of Personal Data in Government Agencies):

Encryption Standards

  • AES-256 encryption for all sensitive personal information at rest
  • TLS 1.3 for all data in transit
  • Encrypted database backups with separate key management
  • Field-level encryption for patient identifiers

Access Controls

  • Role-based access control (RBAC): physician, department admin, registry admin
  • Physicians restricted to patients under their care
  • Multi-factor authentication via third-party identity provider
  • Session management with automatic timeout

Audit Trails

  • Comprehensive logging of all data access, creation, modification, and deletion events
  • Immutable audit records with timestamps, user IDs, and IP addresses
  • Audit logs retained for the full data retention period
  • Regular audit log review procedures

De-identification

  • No direct identifiers (names, birthdates, government IDs) stored in the registry
  • System-generated registry IDs with no derivable patient information
  • k-anonymity (k=5) applied to all statistics generated for The Medical City
  • Age generalization to 10-year bands; geographic generalization to region level
  • Small-cell suppression for aggregate cells with fewer than 5 individuals
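
The generalization and suppression rules listed above can be sketched as follows. This is an added example, not the Registry's own code; the field names (age, region, dx) and the sample rows are constructed assumptions. It also shows that a group can meet k=5 on age band and region while a diagnosis cell inside it still falls under 5 and must be suppressed.

```python
from collections import Counter

K = 5  # threshold the page states for both k-anonymity and small cells

def age_band(age):
    """Generalize an exact age to a 10-year band, e.g. 47 -> '40-49'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def generalize(record):
    """Quasi-identifiers after generalization; region is assumed region-level."""
    return (age_band(record["age"]), record["region"])

def smallest_class(records):
    """Size of the smallest quasi-identifier group; k-anonymity needs >= K."""
    return min(Counter(generalize(r) for r in records).values())

def aggregate(records, k=K):
    """Counts per (age band, region, diagnosis); cells under k become None."""
    cells = Counter(generalize(r) + (r["dx"],) for r in records)
    return {cell: (n if n >= k else None) for cell, n in cells.items()}

# Constructed sample rows (not registry data); field names are assumptions.
SAMPLE = (
    [{"age": 41 + i, "region": "NCR", "dx": "T2DM"} for i in range(6)]
    + [{"age": 52, "region": "NCR", "dx": "T2DM"}] * 5
    + [{"age": 55, "region": "NCR", "dx": "Graves"}] * 2
    + [{"age": 33, "region": "Region IV-A", "dx": "Acromegaly"}] * 3
)

if __name__ == "__main__":
    for cell, n in sorted(aggregate(SAMPLE).items()):
        print(cell, "<5 (suppressed)" if n is None else n)
    # A result below K means the release is not k-anonymous as it stands.
    print("smallest quasi-identifier group:", smallest_class(SAMPLE))
```

Suppressed cells are returned as None rather than omitted so a report can show that a value was withheld; publishing row or column totals alongside a single suppressed cell would let the withheld count be recovered by subtraction.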

Institutional Review Board (IRB)

The Registry protocol is subject to review by The Medical City Institutional Review Board (TMC-IRB). The current status of IRB review and approval will be posted here upon completion.

IRB Review Status

Pending — Protocol submitted for review

NPC Registration

In accordance with NPC Circular 17-01 (Registration of Personal Data Processing Systems), the Registry will be registered with the National Privacy Commission (NPC) as a personal data processing system handling sensitive personal information.

NPC Registration Status

In progress — Registration application being prepared

Compliance Inquiries

For compliance-related questions or concerns, please contact our Data Protection Officer:

Data Protection Officer

The Medical City Endocrine Diseases Registry

The Medical City

Ortigas Avenue, Pasig City, Metro Manila, Philippines

Email: dpo@themedicalcity.com