Access to Medical Records in the Philippines: Patient Rights and Certified Copies

This article is for general information and is not a substitute for professional legal advice.

1) Why medical records matter—and why access can be complicated

A “medical record” (often called a chart, patient record, or clinical record) is more than a doctor’s notes. It is the official, chronological documentation of a patient’s health history and care: symptoms, findings, diagnoses, test results, procedures, medications, consent forms, discharge instructions, and sometimes billing-related clinical documentation. These records matter for:

  • continuity of care (second opinions, referrals, transfers)
  • insurance, PhilHealth claims, and reimbursements
  • employment/fitness determinations (when validly authorized)
  • disability and benefits applications
  • complaints, malpractice claims, and other legal proceedings
  • personal health management and informed decision-making

In the Philippines, access to medical records sits at the intersection of two strong principles: (a) patient rights to information and autonomy, and (b) confidentiality and data privacy.

2) Core legal framework in the Philippine context

A. Constitutional and general legal principles

Even without a single “Medical Records Access Act,” several foundational principles shape access:

  • Right to privacy: Medical information is among the most sensitive personal information.
  • Due process and fair dealing: Hospitals and clinics providing services are expected to adopt clear procedures, act in good faith, and avoid arbitrary refusals.
  • Patient autonomy and informed consent: A patient’s right to make decisions about their body presupposes meaningful access to information about their condition and care.

B. Data Privacy Act of 2012 (Republic Act No. 10173)

The Data Privacy Act (DPA) is the most important modern statute governing access, because medical records contain personal information and typically sensitive personal information (health data). In broad terms:

  • Hospitals, clinics, laboratories, HMOs, and sometimes individual practitioners can be treated as personal information controllers (PICs) when they decide what data is collected and how it is used.
  • The DPA grants data subject rights that include the right to access personal data held by a controller, subject to lawful limitations and verification of identity/authority.
  • The DPA also imposes duties on controllers: lawful processing, proportionality, security, and confidentiality.

Practically, the DPA supports a patient’s right to obtain copies of their medical records, while also allowing providers to require safeguards (ID checks, authorization documents, redaction of third-party information, etc.).

C. Government service standards (for public hospitals and facilities)

Where the records are held by a government hospital or a facility under a government unit, request processing may also be influenced by:

  • Ease of Doing Business and Efficient Government Service Delivery Act (RA 11032) and its “Citizen’s Charter” approach to service timeframes and procedures for transactions with government offices.
  • Freedom of Information (FOI) policies for the Executive branch (noting that FOI requests are subject to privacy exceptions; medical records are generally protected, and access is usually anchored on the patient’s own rights and consent rather than “public information” principles).

D. Professional ethics and confidentiality duties

Even aside from statutes, medical professionals are bound by ethical standards emphasizing confidentiality. In practice, hospitals and doctors treat medical records as confidential by default and release them only with a valid legal basis (consent, lawful order, statutory duty, etc.).

E. Special confidentiality regimes (selected examples)

Some categories of health information carry heightened confidentiality rules. Common examples include:

  • HIV-related information (under the Philippine HIV and AIDS policy framework): disclosures are tightly controlled, typically requiring specific consent or lawful authority.
  • Mental health records: confidentiality is strongly protected, with access often carefully managed to protect the patient’s welfare and privacy.
  • Minors’ reproductive/sexual health-related records: providers frequently apply stricter release controls due to privacy, consent, and child protection considerations.

These special regimes do not necessarily eliminate patient access, but they often add procedural safeguards and may narrow who can receive information and under what conditions.

3) What counts as a “medical record” for access purposes

Requests often fail or get delayed because the patient asks generally for “my record,” while the custodian needs specifics. Typical components include:

  • Physician notes (history, physical exam, progress notes, orders)
  • Nursing notes and monitoring sheets
  • Operative reports, anesthesia records
  • Laboratory results (CBC, chemistry, pathology)
  • Imaging reports (X-ray, CT, MRI, ultrasound) and sometimes the image files themselves
  • ECG strips, other diagnostic outputs
  • Medication administration records
  • Consent forms, waivers, advance directives
  • Discharge summary, medical certificate (if issued), instructions
  • Referral letters (incoming/outgoing)
  • Billing/charge summaries (may be separate but often related)

A patient can request specific documents (e.g., “operative report + anesthesia record + discharge summary + complete labs during confinement”).

4) Ownership vs. access: who “owns” the chart?

A practical distinction is widely recognized in healthcare administration:

  • The physical chart (paper file, hospital system record) is typically maintained by the hospital/clinic as the custodian.
  • The information in the record pertains to the patient and is protected as personal and sensitive personal information. The patient has strong rights to access that information.

So, while providers often refuse to release the original file, they ordinarily provide inspection and copies (including certified true copies) when properly requested.

5) Patient rights: the substance of access in the Philippines

A. Right to obtain copies (not just a summary)

Many facilities first offer a medical certificate or a discharge summary. Those are useful but may be incomplete. As a matter of access rights (and data privacy principles), a patient may request the actual underlying records, not merely a narrative summary—subject to lawful limits and redactions.

B. Right to access in a usable form (including electronic copies when available)

If records exist in an electronic medical record (EMR) system, access may be provided via printed copies, PDFs, or other formats. The DPA’s concepts also support providing data in a manner that is reasonably intelligible and usable, with appropriate security controls.

C. Right to know certain processing details

In a data privacy framing, access commonly includes not only the record content but also basic information such as:

  • what personal data is being processed
  • the purpose/s for which it is used
  • who it may have been shared with (where applicable and lawful)
  • how long it is retained (as stated in policy)

Facilities typically respond through their Data Protection Officer (DPO) or Medical Records Section when requests are formal.

D. Right to correction—handled carefully in medical documentation

Patients may seek corrections for errors (wrong date of birth, wrong address, wrong medication list, etc.). Healthcare providers generally must preserve the integrity of the clinical record, so corrections often take the form of:

  • an addendum or clarificatory note, rather than deleting original entries
  • correction of demographic fields with audit trails in EMRs
  • documentation of disputes (“patient states…”)

This balances accuracy rights with medico-legal integrity.

6) Certified copies: what they are and why they matter

A. “Plain copy” vs. “Certified True Copy”

  • Plain copy: Photocopy or printout without official certification. Useful for personal reference or informal use.
  • Certified True Copy (CTC): A copy that the records custodian certifies as a faithful reproduction of the original on file. Often required for: insurance claims, government benefits, school requirements, overseas processing, or court proceedings.

B. Who may certify

Certification is typically made by the custodian of records (e.g., Medical Records Officer/Health Information Management staff) or an authorized hospital officer. For records kept in a private clinic, the physician or the clinic’s authorized records custodian may certify.

C. What a proper certification commonly includes

While formats vary, a robust certification typically contains:

  • statement that the document is a “Certified True Copy” of the record on file
  • patient name and identifying details (or reference number), with privacy-safe handling
  • dates covered (e.g., confinement dates)
  • signature over printed name and position of certifying officer
  • facility name, address, contact details
  • date of certification
  • official stamp/seal (if used by the facility)
  • page numbering or marking to prevent substitution (common in practice)

Some institutions also issue a cover certification page listing the documents included.

D. Certification vs. notarization

Notarization is different. A certified true copy is an internal certification by the custodian. A notarization is a notary public’s act (usually acknowledging a person’s signature). Many agencies accept CTC without notarization; some require notarized request/authorization, not the record itself.

E. Court use: certification helps, but rules of evidence still matter

In litigation, medical records may be treated as documentary evidence subject to authentication and hearsay rules, although records made in the regular course of business are often admissible under established evidentiary principles when properly supported. A CTC can strengthen authenticity, and courts may still require testimony or an appropriate certification depending on the proceeding and the form (paper vs. electronic).

7) Who may request records (and what proof is typically needed)

A. The patient (adult, competent)

Usually required:

  • written request form/letter
  • government-issued ID (and sometimes a second ID)
  • details of the record requested (dates, department, physician, admission number)

B. Authorized representative

Common requirements:

  • authorization letter or special power of attorney (depending on the institution’s policy and purpose)
  • IDs of both patient and representative
  • patient’s signature specimen or verification
  • specific scope of authority (what records, what purpose)

C. Minors

Generally, parents/guardians request on the minor’s behalf, with:

  • proof of relationship (birth certificate, guardianship papers)
  • parent/guardian ID
  • sometimes additional restrictions for sensitive services depending on facility policy and applicable laws

D. Incapacitated patients

A legal guardian, attorney-in-fact, or duly authorized representative may request, supported by appropriate legal documents.

E. Deceased patients

Although the DPA primarily protects living individuals, confidentiality obligations do not simply vanish upon death. Hospitals commonly release records of deceased patients only upon presentation of documents showing legitimate interest and authority, such as:

  • proof of relationship (for heirs/next of kin)
  • death certificate
  • letters of administration, authority from executor/administrator, or court authority (depending on context)
  • clear statement of purpose (e.g., estate settlement, insurance claim)

Policies vary widely; disputes often arise here.

8) How to request medical records in practice (Philippine setting)

Step 1: Identify the custodian

  • For confinement: Medical Records Section / Health Information Management Department
  • For labs: Laboratory Records/Results Releasing
  • For imaging: Radiology Department (reports and image files)
  • For outpatient consult notes: clinic records unit or the attending physician’s clinic (if not integrated)

Step 2: Make a precise written request

A well-scoped request reduces delays. Example scope phrases:

  • “Complete inpatient chart for admission dated ___ to ___, including…”
  • “Discharge summary + ER record + triage notes + doctor’s orders”
  • “All lab results during confinement period”
  • “Radiology report and copy of CT images in digital format”

Step 3: Prove identity and authority

Expect strict checks. This protects patients from unauthorized disclosures.

Step 4: Pay lawful and reasonable fees

Facilities often charge:

  • photocopy/printing cost per page
  • CD/USB cost for imaging files (if provided)
  • certification fee (for CTC) Government facilities may have posted fees in their Citizen’s Charter.

Step 5: Observe processing timelines

Time depends on:

  • whether records are archived
  • completeness of request
  • volume of documents
  • whether a physician review is required under facility policy (common when requests are broad)

Public hospitals may align timelines with their Citizen’s Charter classification of transactions.

Step 6: Receive records securely

Reputable facilities release in sealed envelopes, require signature logs, and may provide redactions where appropriate.

9) When facilities may lawfully refuse, delay, or limit access

A refusal is not automatically unlawful. Common lawful grounds include:

  • Failure to verify identity/authority
  • Overbroad requests that can be reasonably narrowed for practicality and safety
  • Records containing third-party information (e.g., another patient’s details) requiring redaction
  • Legal holds or active investigations where release may be restricted by lawful order
  • Requests from employers/insurers without proper patient authorization
  • Sensitive categories with heightened confidentiality (e.g., HIV-related information) where the law/policy requires specific consent formalities
  • Information that is not actually held by the facility (e.g., consult notes kept solely in a private clinic)

In some clinical contexts, facilities may manage access through controlled release processes to protect patient welfare, but broad blanket denials (especially to the patient) should be well-justified and documented.

10) Confidentiality and lawful disclosures (beyond patient-initiated requests)

Medical records may be disclosed without the patient’s direct request only when there is a valid legal basis, commonly including:

  • Patient consent (written and informed, often specific in scope)
  • Court orders and compulsory process (subpoena, lawful orders), subject to objections and privilege considerations
  • Public health reporting required by law and regulation
  • Insurance and billing processes where authorization exists and disclosures are proportionate
  • Emergencies where disclosure is necessary to protect life or health (narrowly applied)

Healthcare institutions should limit disclosures to what is necessary and maintain disclosure logs and data-sharing controls.

11) Record retention, integrity, and why “delete my record” is rarely granted

Patients sometimes ask hospitals to delete records. Healthcare providers usually retain records for substantial periods due to:

  • continuity of care
  • legal and regulatory compliance
  • claims processing and audits
  • medico-legal defense

Even when privacy principles recognize erasure/blocking in some contexts, medical documentation is typically preserved with safeguards, and corrections are handled through addenda and audit trails rather than deletion.

Retention periods vary by institution and by the type of record; certain records (e.g., operative, obstetric, pediatric) are often retained longer. Facilities should have written retention and disposal policies consistent with applicable regulations and data privacy standards.

12) Remedies when access is wrongfully denied or mishandled

When a patient believes a facility unreasonably refused access or improperly disclosed records, available avenues may include:

  • Internal grievance/complaint mechanisms (medical records office, patient relations, hospital administration, Data Protection Officer)
  • National Privacy Commission (NPC) complaints for potential Data Privacy Act violations (unauthorized disclosure, unreasonable denial of access, inadequate safeguards, etc.)
  • Administrative complaints with relevant regulators depending on the provider and circumstances
  • Professional accountability routes where unethical conduct is involved
  • Civil actions for damages when legally supported by facts and causation
  • Judicial remedies in appropriate cases involving privacy rights and protection of personal data (including remedies relating to information held about a person)

The appropriate remedy depends heavily on facts: who holds the record, what was requested, what was released/denied, and the facility’s stated legal basis.

13) Practical templates (commonly accepted formats)

A. Simple patient request (outline)

  • Date
  • Medical Records Section / Hospital Administrator
  • Patient full name, DOB, address, contact number
  • Admission/clinic number (if known), dates of confinement/consult
  • Specific documents requested
  • Purpose (optional but often helpful)
  • Preferred format (paper/PDF) and whether Certified True Copies are needed
  • Patient signature + attached ID copy

B. Authorization for representative (outline)

  • Patient details and signature
  • Representative details and signature
  • Specific authority granted (what records, what dates, what purpose)
  • IDs of both parties
  • If abroad: consularization/apostille may be required depending on the institution and intended use

(Institutions often require their own forms; aligning with their form reduces delays.)

Conclusion

In the Philippines, access to medical records is anchored on patient autonomy and reinforced by data privacy principles: patients are entitled to obtain copies of their health information, while healthcare providers have a legal and ethical duty to protect confidentiality and secure sensitive data. The most efficient path is a precise written request, strict identity/authority verification, and—when needed—obtaining properly executed certified true copies from the lawful custodian of records.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login