HIPAA-equivalent rules for PH clinics: Data Privacy Act in healthcare

How the Data Privacy Act (RA 10173) applies to Philippine clinic websites — what forms, data storage, and disclosures are required, and what happens if you skip them.

Philippine clinics that have a website collect patient data the moment a visitor fills in a contact or appointment form. That data — name, phone number, date of birth, health concern, medication history — is classified as sensitive personal information under the Data Privacy Act (RA 10173). The law applies to your clinic whether you are a solo practitioner in a provincial city or a multi-specialty clinic in Makati. This article explains what compliance looks like in practice for clinic websites.

The short answer

Your clinic website needs a Privacy Policy linked from the footer, a consent checkbox on every form that collects personal data, secure data storage (not a shared Gmail inbox), and a designated Privacy Officer if your clinic meets the NPC’s registration threshold. These are not optional additions — they are legal requirements under RA 10173 that a properly built clinic website should include as standard.

What the Data Privacy Act requires from clinic websites

RA 10173 establishes rights for data subjects (your patients) and obligations for data controllers (your clinic). For a clinic website, the practical obligations break down into four areas:

1. Notice and transparency. Patients must be told what data you collect, why you collect it, how long you keep it, and whether you share it with third parties (HMOs, hospital systems, payment processors). This information goes in your Privacy Policy, which must be easily accessible — typically in the footer and linked from every form.

2. Consent. For sensitive personal information (which health data is), you need freely given, specific, and informed consent. On a website, this means a checkbox on every appointment or contact form that says something like: “I consent to the collection of my personal information for appointment scheduling purposes. See our [Privacy Policy].” Pre-ticked boxes do not satisfy the consent requirement.

3. Security. Patient data must be protected against unauthorized access, alteration, or disclosure. For websites, this means: SSL/HTTPS on all pages, secure form submission, encrypted data storage, limited access to booking system dashboards, and a documented breach-response process. RA 10173 IRR §38 requires notification of the NPC and affected data subjects within 72 hours of becoming aware of a personal data breach involving sensitive personal information that is likely to give rise to a real risk of serious harm — see NPC Circular 16-03 for full procedure.

4. Data subject rights. Patients have the right to access their data, correct it, and request deletion. Your clinic needs a way to respond to these requests. A simple process — a designated email address for privacy requests and a staff member responsible for handling them — satisfies this requirement for most small clinics.

The Privacy Policy: what it must cover

A clinic website’s Privacy Policy is not a generic template you copy from another industry. It needs to be specific to your data practices. Required contents under NPC guidelines:

  • Identity and contact details of the data controller (your clinic)
  • Description of the personal data collected (appointment data, health history, payment information)
  • Purpose of data collection (appointment scheduling, patient records, billing)
  • Data retention period (how long you keep appointment records)
  • Third parties who receive data (HMO providers, laboratory systems, payment processors)
  • Patient rights (access, correction, deletion, objection)
  • How to contact your Privacy Officer or designated representative
  • Date the policy was last updated

Clinics that use third-party booking systems (Calendly, Acuity, etc.) must disclose that data is processed by a third-party service and identify that service by name.

Every form on your clinic website that collects personal data needs a consent mechanism. Specifically:

  • Appointment request forms: consent checkbox linking to Privacy Policy
  • Contact forms: consent checkbox if asking for health-related information
  • Patient intake forms: consent for collection and processing of health data, including any sensitive categories
  • Newsletter or follow-up email signup: separate consent for marketing communications, distinct from clinical appointment consent

The consent checkbox must not be pre-checked. The patient must actively select it before submitting the form.
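As an added example (not code from the original article or from webdesigner.ph), a server-side handler that enforces the consent rules above: the boxes render unchecked, only an affirmative tick counts, marketing consent is recorded separately and never implied, and the consent record keeps the policy version and timestamp alongside a minimised appointment record. The field names and the policy version are assumptions.

```javascript
// Added example, not from the original article: server-side consent enforcement
// for a clinic appointment form under RA 10173. Field names (consent_processing,
// consent_marketing, health_concern) and the policy version are assumptions.

const PRIVACY_POLICY_VERSION = "2024-01-15"; // constructed: "last updated" date of the policy
// Fields the appointment record is allowed to keep (data minimisation).
const APPOINTMENT_FIELDS = ["name", "phone", "preferred_date", "health_concern"];

// Markup for the two consent boxes. Neither carries a `checked` attribute, so a
// box that the patient never ticks is simply absent from the submitted body.
function renderConsentFields() {
  return [
    '<label><input type="checkbox" name="consent_processing" value="yes" required> ',
    "I consent to the collection of my personal information for appointment ",
    'scheduling purposes. See our <a href="/privacy-policy">Privacy Policy</a>.</label>',
    '<label><input type="checkbox" name="consent_marketing" value="yes"> ',
    "I agree to receive clinic newsletters and follow-up emails.</label>",
  ].join("\n");
}

// A box counts as ticked only when the exact value we rendered comes back; the
// browser default "on" (no value attribute) or a missing key is treated as no consent.
function ticked(fields, name) {
  return fields[name] === "yes";
}

// Validate a parsed form body. Returns { ok: true, appointment, consent } or
// { ok: false, error }. Processing consent is mandatory because the form asks
// for a health concern (sensitive personal information under RA 10173);
// marketing consent is recorded separately and never inferred from it.
function validateAppointmentSubmission(fields, now = new Date()) {
  if (!ticked(fields, "consent_processing")) {
    return { ok: false, error: "Consent to processing is required before submitting this form." };
  }
  const appointment = {};
  for (const key of APPOINTMENT_FIELDS) {
    if (typeof fields[key] === "string" && fields[key].trim() !== "") {
      appointment[key] = fields[key].trim();
    }
  }
  const consent = {
    processingConsent: true,
    purpose: "appointment scheduling",
    marketingConsent: ticked(fields, "consent_marketing"),
    policyVersion: PRIVACY_POLICY_VERSION,
    consentedAt: now.toISOString(),
  };
  return { ok: true, appointment, consent };
}
```

The consent record, not the appointment record, is what you would produce if a patient or the NPC later asks when and to what the patient agreed.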

Data storage: what is and is not appropriate

Not appropriate (common but non-compliant):

  • Appointment form submissions forwarded to a shared clinic@gmail.com account with no access controls
  • Patient records in a shared Google Sheet accessible by anyone with the link
  • Booking data stored in a third-party tool without a data processing agreement in place

Appropriate:

  • Booking plugin data stored in an encrypted WordPress database on a server with access controls
  • Third-party booking platform with a signed data processing agreement meeting NPC standards
  • Patient intake data transmitted directly to a practice management system with encryption in transit and at rest

NPC registration and Data Protection Officers

NPC Circular 17-01 lists healthcare providers processing sensitive personal information as a mandatory NPC registration category — which generally applies regardless of headcount. The 250-employee / 1,000-data-subject thresholds are additional triggers. Every clinic that processes health data as a core activity must also appoint a Data Protection Officer (DPO).

For a solo clinic with a website collecting appointment requests, the owner-physician typically serves as the DPO. The key obligation is to be identifiable to patients and to the NPC as the person responsible for data protection compliance.

Budget implications for compliance

A properly built clinic website includes Privacy Policy, consent mechanisms, secure form handling, and SSL as standard deliverables. If you are working from a quote that does not mention any of these, ask specifically. The additional cost for proper compliance infrastructure in a Starter-tier build (₱65,000–₱85,000) is marginal — these should be included by default, not priced as add-ons.

Care Plans starting at ₱4,000/month keep your SSL certificate renewed, your Privacy Policy current as regulations evolve, and your plugins patched against security vulnerabilities.


If you want a clinic website built with proper Data Privacy Act compliance from the ground up, send the project details through the contact page and get a response within one business day.


This article is general guidance, not legal or medical-regulatory advice. RA 10173, NPC Circulars, and DOH guidance evolve. For your clinic’s specific obligations — registration, DPO appointment, breach response, consent forms — consult a Philippine-licensed privacy lawyer.

Frequently asked questions

Is the Data Privacy Act the Philippine equivalent of HIPAA?
Not exactly, but it serves a similar purpose for healthcare data. RA 10173 applies to all personal information processors and controllers in the Philippines, including clinics. While HIPAA is sector-specific to US healthcare, the DPA covers all sectors handling personal data. For clinic websites, the practical requirements are similar: disclose what you collect, secure how you store it, and give patients rights over their data.
Does my clinic website need to register with the NPC?
Likely yes. NPC Circular 17-01 lists healthcare providers processing sensitive personal information as a mandatory registration category — this generally applies regardless of headcount. The 250-employee / 1,000-data-subject thresholds are additional triggers, not the only ones. Most clinics that handle health data as a core function fall in scope. Confirm via the NPC's online registration portal or with a Philippine privacy lawyer.
What is 'sensitive personal information' under the Data Privacy Act?
Health, genetic, and medical data is classified as sensitive personal information under RA 10173. This is a higher protection tier than regular personal information. Processing it requires explicit consent, appropriate security measures, and stricter retention and disclosure rules. Any appointment form, patient intake form, or contact form on your clinic website that asks about health conditions collects sensitive personal information.
Can I store patient appointment data in Google Sheets or a shared Gmail?
Technically, you can use Google services if they are properly configured with appropriate data processing agreements, but many small clinics use shared Gmail accounts without encryption or access controls — which creates compliance risk. A booking plugin hosted on your own secured website server, or a healthcare-specific SaaS with a clear data processing agreement, is the safer path.
What is the penalty for a data breach at a Philippine clinic?
RA 10173 §§25–34 set criminal penalties — fines from ₱100,000 to ₱5,000,000 and imprisonment from 6 months to 7 years depending on the offense (e.g. unauthorized disclosure of sensitive personal information under §29 carries the upper range). The NPC also imposes administrative fines under NPC Circular 2022-01 (up to 3% of annual gross income, capped at ₱5M) and may order cessation of processing. Beyond penalties, a clinic data breach damages patient trust that is very hard to recover. Consult a Philippine privacy lawyer for your specific exposure.

Working with webdesigner.ph

Build a clinic website that books patients?

Send your practice details and you will get a reply within one Philippine business day with a tier recommendation, a timeline, and what your booking flow should look like.
