MedAsia Philippines, in the course of its business operations, is committed to maintaining the privacy of data. In keeping with our compliance with data privacy requirements, we recognize that the personal information and sensitive personal information that we gather from data subjects are managed according to the minimum standards set by Republic Act No. 10173 (Data Privacy Act of 2012, or DPA).
As a business client or customer who provides personal information and sensitive personal information to MedAsia Philippines, you authorize and consent to the collection, use, processing and transfer of that data to regulatory parties or government agencies, allowing MedAsia Philippines to meet its obligations under applicable laws and principles, as well as predetermined obligations. We may collect or release necessary information from our subsidiaries and affiliates or other organizations authorized by law.
MedAsia Philippines also guarantees to maintain the integrity, availability and discretion of your “information” against any breaches, while safeguarding the data subject’s fundamental right to data privacy.
Any data transfer, data sharing or processing of your “information” will be carried out by MedAsia Philippines in compliance with the Data Privacy Act.
Availment Purpose – the data subject, also known as the “patient/member”, whose record is stored in the Company’s Members Database, requests a guarantee from the Company against his/her Consultation, Laboratory and In-Patient benefits.
The current health records of the patient are forwarded to the Company in the form of Hospital, Doctors and Clinic SOA billings, with clinical abstract reference, for processing of:
Billings to the insurance companies
Payments to the Hospitals, Doctors and Clinics
As business (IMAS) transactions are gathered, this same information is used for proper verification of every availment record.
To manage the healthcare of individual patients and to guarantee the continuity of care.
To restructure levels of delivery of healthcare service.
To administer the management of hospital and healthcare service delivery.
To keep track of healthcare costs (consultations per Specialist, Room and Board and other “costs”) that fall under the hospital bills category.
For the proper information dissemination of the healthcare system policy.
To guarantee the continued reliability and consistency of high quality patient care.
Collected personal information of the data subject is processed for availment purposes:
Out-Patient availments – include consultations and laboratory procedures for guarantee.
ER availments – include life-threatening availment requests for guarantee.
In-Patient availments – include hospital confinements of the data subject for guarantee through the processing of the schedule of benefit limits.
Approved Availment – approved guarantees for the hospital bills, doctors’ professional fees and clinic charges (including dental), which are received and processed by the Claims & Processing Dept for billing to the insurance companies and payment to the concerned hospitals, doctors, dentists & dental clinics, and ambulatory clinics.
Billings to the Insurance Companies are processed based on the collected personal information of the data subject, including all hospital miscellaneous transactions related to the guaranteed availment, but not limited to the individual cost, which must be stated clearly on the Billing SOAs received for payment processing.
MedAsia Philippines guarantees the protection of the personal information and sensitive personal information of our customers and clients. As you share information with us while using our services, we are committed to protecting your privacy. However, MedAsia Philippines shall never be subject to any obligations of confidentiality concerning submitted information, other than those specifically agreed by MedAsia Philippines directly with the clients or customers, under applicable government law.
Personal data may be collected through the following methods:
The data subject provides personal data in the availment process, in assistance and participation, and in the purchase of the Company’s products and services.
The data subject participates in the Company’s meetings, forums, surveys and feedback on the Company’s website.
The data subject’s request for information on the Company’s products or services, to receive such information along with any marketing and promotional activities.
The data subject’s communication regarding the Company’s services.
The interactions of the data subject with the Company’s personnel or employees.
The data subject has submitted a resume, filled in any electronic forms and provided personal information for recruitment purposes.
The data subject has clearly given consent to the disclosure of personal information.
The disclosure is necessary for the performance of a contract to which the data subject is involved.
If there is a statutory or legal obligation to disclose the data.
The disclosure is needed to protect the important interest of the data subject.
The disclosure is within the legitimate interests of the Company/MedAsia Philippines, or of a third party to which the data are to be disclosed, and does not prejudice the rights, freedoms and legal interests of the data subject.
A Privacy Notice is a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. It is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.
Data Subject Rights:
Right of Access - It is only fair that a client has access to the information that is processed, the manner in which the information is processed, the origins of the personal data, the contacts involved and the reasons for the release of such personal data to recipients.
Right to Rectification - The client or the data subject can dispute identified errors in the processed personal data and demand immediate and appropriate correction. Both the retracted and the corrected information will be furnished or made accessible to the data subject for clarity and transparency.
Right to Erasure or Right to be Forgotten - The client or the data subject has the right to be indemnified for identified damages that he or she sustained because of inaccurate, incomplete, outdated, false, illegal or unauthorized use of personal data, which violated his or her rights and freedoms as a data subject.
Right to Restriction of Processing - The client or the data subject has the right to suspend, withdraw and order the blocking, removal or destruction of his or her personal data from MedAsia Philippines’ filing references, under the provisions of the applicable Data Privacy law.
Right to be Informed - The client or the data subject has a right to be informed of the processing of his or her personal data. The client is notified by MedAsia Philippines upon enrollment, as his or her account is being entered into the IMAS processing system for the Members’ Database.
Right to Data Portability - The client or the data subject is allowed to secure and reprocess his or her personal data, so that it can also serve specific purposes in other services. The personal data can be copied or transferred easily from one company to another in the most secure manner, without affecting its data quality and usability.
Right to Object - The client or the data subject has the right to say no to personal data processing. It is acceptable for a client to object, so as to stop or discontinue the processing of personal data, because of factors affecting safety with respect to data privacy.
Right not to be Subject to a Decision Based Solely on Automated Processing - The client or the data subject cannot be endangered or convicted based primarily on automated processing, especially profiling, which results in the client’s exposure to legal difficulties that affect the client at considerable cost.
Subject to applicable requirements of the Data Privacy Act and its Implementing Rules and Regulations, personal data cannot be retained by the Company for a period longer than necessary for the purposes for which such data was collected.
The DPO shall be responsible for developing measures to determine the applicable data retention schedules, as well as to safeguard the destruction and disposal of such personal data in accordance with the DPA and its implementing rules and regulations.
Benefits:
Improve the overall utilization of resources.
Control the growth of records volume.
Demonstrate compliance with regulatory record-keeping requirements.
Enforce the consistent implementation of record keeping policies.
Improve ability to locate and retrieve records when required.
Reduce litigation risks.
Determinations:
Organize information so it can be searched and accessed at a later date.
Dispose of information that is no longer needed.
Know the exact location where the data is stored, for instance the medium where the data resides and the links among similar information.
Proper data classification as to label, including the required validity period/retention requirements, according to the demands of the business.
The Company invests in professional security camera systems with state-of-the-art viewing capabilities.
Access to personal information or data and its applications is restricted by the Company.
The Company is to conduct “risk assessments” and, if possible, all data files must be encrypted.
The Company will assign a Specialist, a private, juridical individual who has a degree pertaining to business technologies, responsible in particular for updating the Company’s operating systems (OS) and system software.
The Company will create a Written Security Policy covering the following:
Statements regarding the removal or transfer of Company properties and devices from one location to another.
Individual “password policy” for employees per desktop PC.
A written “security policy” for accessing Company data from remote locations, especially on non-corporate devices.
A security policy on how to handle reports of lost or stolen personal and Company devices/I.T. infrastructure.
A security policy for the use of “third party” cloud or file sync devices.
Data Theft - Data Theft is the act of stealing information stored on computers, servers, or other devices from an unknowing victim with the intent to compromise privacy or obtain confidential information.
Security Incident –
Concerned personnel received some spam emails and misleading messages from unknown email addresses.
Quitting or resigning employees intend to delete data files or steal information before leaving the company using their personal.
Intentional stealing of the Company’s information, especially physical documents, e.g. service agreements, contracts and printed financial information.
Espionage - Espionage or spying is the act of obtaining secret or confidential information or divulging of the same without the permission of the holder of the personal information.
Security Incident –
A malicious individual accesses the Company’s website under the pretense of verifying or checking the latest updates, etc., posing as one of the Company’s clients by inquiring by phone and checking the Company’s information portals.
Mobile phone tracking – a person’s messages, personal videos, pictures and the mobile applications he or she is using are eavesdropped on via the internet. Any and all personal information, including sensitive personal information, can be extracted from an individual’s private social media account.
Data Loss - Data loss is an error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing.
Security Incident –
Unreliable IT infrastructure for data servers and storage backup.
When a power failure occurs, some of the business transactions or data are not instantaneously saved to the data servers, resulting in data storage failures.
During system failures, data records are not saved but are instead corrupted. The occurrence of system glitches must be monitored, and the factors that cause them must be specifically dealt with. Accidental deletion of records can be expected from system glitches.
Fire - A conflagration is a large and destructive fire that threatens human life, animal life, health, and/or properties. It may also be described simply, as a blaze or a (large) fire. Example: Australian bushfires.
Security Incident –
In the occurrence of fortuitous events such as an earthquake, fire may follow. Stored data records, printed and on computer media, will be charred to dust, resulting in loss of data from the blaze.
In the process of fighting the “fire”, data records or documents that are not burnt or charred will be drenched with the water used to stop the fire from spreading to nearby structures, also resulting in inevitable data loss caused by water.
Flooding - A flood is an overflow of water that submerges land that is usually dry. In the sense of "flowing water", the word may also be applied to the inflow of the tide. Flooding can also mean an influx of connection requests to the server.
Security Incident –
Data records will be lost due to “flood water”, or in events when water becomes uncontrollably harmful. This is especially true when electrical wiring is engulfed by flood or simply by too much water spillage.
Flood attacks occur when a network or service becomes so congested with packets initiating incomplete connection requests that it can no longer process requests. By “flooding” a server or host with connections that cannot be completed, the flood attack eventually fills the host’s memory buffer.
SW Malfunction – A Software Malfunction is a failure that occurs when the user perceives that the software has ceased to deliver the expected result with respect to the specification input values.
Security Incident –
Very recently, email messages could not reach the intended recipients, because the email version is outdated and is no longer compatible with the applications used.
Interruptions or glitches in the computer systems will eventually lead to unrecorded data or data loss, from and to the intended data files.
HW Malfunction – A desktop shows an error message like “Hardware Malfunction - memory parity error”. This malfunction usually happens while the PC is working, after which the screen goes blank and another error is displayed: “Hardware Malfunction - Call your hardware vendor for support – The system has halted”. These are indications of malfunctioning hardware.
Security Incident –
Hardware Malfunctions are sometimes demonstrated clearly by prompt messages or warnings like: “PC issues should be resolved”.
Some computer hardware shows clear and outright signs of wear and disrepair. These hardware parts are replaced after thorough validation.
Earthquake – An earthquake is the result of a sudden release of stored energy in the Earth's crust that creates seismic waves. An earthquake is caused by tectonic plates getting stuck and putting a strain on the ground. The strain becomes so great that rocks give way by breaking and sliding along fault planes.
Security Incident –
There were frequent occurrences of earthquakes in the last six months of 2019 in the provinces, but not as many in Metro Manila. Certainly there must have been countless incidents of data loss, together with damage and loss to property.
Fortuitous events such as earthquakes are precursors of fire, and of flood when a tsunami occurs. They bring tremendous loss of private data and, most importantly, of business, due to countless incidents of security breaches, considering privacy risks.
Phishing - Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
Security Incident –
Spam messages have been reported as received by different departments. To avoid phishing-related data breaches, the DPO will conduct email monitoring using the Company’s GSuite Monitoring process. To counter phishing, an interview is conducted with the email account user to properly analyze the affected email messages received.