Digital Healthcare 2023 Comparisons

Last Updated June 29, 2023

Contributed By Quisumbing Torres

Law and Practice

Authors



Quisumbing Torres has 60 years of experience assisting domestic and international clients in a full range of legal services. Clients benefit from the insight and foresight of the team of more than 50 seasoned Philippine lawyers, working together across practice areas, industry sectors, and geographic borders as a member firm of Baker McKenzie International, a Swiss association. The convergence of technology and health continues to transform the life sciences sector, as digitalisation and software enhance and change the delivery of healthcare, R&D products and processes, and overall patient care. As trusted advisers to the world’s largest healthcare and technology companies, Quisumbing Torres is well positioned to support clients and help address various business issues. The firm’s expertise spans healthcare regulation, technology, public procurement, intellectual property, antitrust, compliance and investigations, data privacy, and M&A. Quisumbing Torres leverages its global network to bring holistic, practical advice on complex issues at the intersection of healthcare, data, and technology.

The terms digital healthcare, digital medicine, and digital therapeutics are used interchangeably by healthcare providers and patients in the Philippines to refer to digital solutions in the healthcare sector.

From a regulatory perspective, “digital healthcare” is not specifically defined under Philippine law. However, “telemedicine” is defined under the Guidelines on the Implementation of Telemedicine in the Delivery of Individual-Based Health Services (Joint Guidelines), issued jointly by the Department of Health (DOH), the Department of Interior and Local Government (DILG), and the Philippine Health Insurance Corporation (PHIC) as “the delivery of healthcare services, where distance is a factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment, and prevention of disease and injuries and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”

Digital therapeutics is not specifically defined under Philippine law. However, instruments, software, and technology for digital therapeutics can be regulated if they fall within the definition of a medical device.

A “medical device” is defined under regulations of the Philippine Food and Drug Administration (FDA) as “any instrument, apparatus, implement, machine, appliance, implant, in-vitro reagent or calibrator, software, material, or other similar or related article intended by the manufacturer to be used alone, or in combination, for human beings for one or more of the specific purpose(s) of:

  • diagnosis, prevention, monitoring, treatment, or alleviation of disease;
  • diagnosis, monitoring, treatment, alleviation of, or compensation for an injury;
  • investigation, replacement, modification, or support of the anatomy or of a physiological process;
  • supporting or sustaining life;
  • preventing infection;
  • control of conception;
  • disinfection of medical devices; and/or
  • providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body.”

FDA regulations further provide that a medical device does not achieve its primary intended action in or on the human body by pharmacological, immunological, or metabolic means, but may be assisted in intended function by such means.

The Philippines continues to witness the development of digital healthcare technologies, including those for digital medicine and digital therapeutics. There has been an increase in telemedicine platforms, use of electronic prescriptions, digital storage of medical records, and use of wearable technology and other gadgets to monitor and identify health concerns.

Specifically and by way of example, the ICanServe Foundation has partnered with cities in Metro Manila to develop the Circle of Life Data and Digital Infrastructure project (Circle of Life). The Circle of Life supports the breast cancer control programme of the ICanServe Foundation by generating analytics that can help identify gaps in cancer care and enhance monitoring and evaluation.

“Digital healthcare” is not specifically defined under Philippine law.

On the other hand, “telemedicine” is defined under the Joint Guidelines as “the delivery of healthcare services, where distance is a factor, by all healthcare professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment, and prevention of disease and injuries and evaluation, and for the continuing education of healthcare providers, all in the interests of advancing the health of individuals and their communities.”

The Joint Guidelines provide for the governing principles in the practice of telemedicine by licensed physicians. They cover electronic consultations, including the requirement that electronic consultation documents comprise the digital signature, name, licence number, and professional tax receipt number, if applicable, of the issuing licensed physician. The Guidelines also provide information on the issuance of electronic prescriptions which should include the name of the patient to whom the medicines or drugs are prescribed, the names of the medicines and/or drugs prescribed, the dosage, and all other pertinent details similarly contained in a written prescription.

The Joint Guidelines include provisions for the further development of telemedicine regulations, including the mandate to develop a code of ethics and clinical practice guidelines for telemedicine, implementation of a certification programme on good clinical practice of telemedicine for licensed physicians based on the approved code of ethics and clinical practice guidelines and other regulations, and a system to allow verification of the licences and credentials of healthcare providers.

There is no specific definition for digital healthcare under Philippine law. Digital healthcare is often referred to as encompassing digital medicine or telemedicine.

Telemedicine platforms and their development and expansion to cover a wider range of services continue to be a key area of technology in improving healthcare in the Philippines. Telemedicine platforms allow healthcare services to reach remote areas. The location and lack of infrastructure had previously served as a barrier to access to healthcare services for residents in such remote locations.

Software allowing the collection of data and generation of analytics has also resulted in increased awareness of certain diseases, and allowed data driven action by physicians, patients, and the Philippine government. As an example, data from such digital platforms has been used to evaluate and support funding requests at the local and national levels of the Philippine government.

Data security and privacy are among the key emerging issues in digital health. Telemedicine/digital health significantly involves the collection, analysis, and application of personal data, specifically health data. Since a person’s health data is considered sensitive personal information under the Philippine Data Privacy Act, compliance with the relevant privacy requirements is of paramount importance. This includes adherence to the general data privacy principles of transparency, proportionality, and legitimate purpose, implementation of reasonable and appropriate security measures, and observance of the data subjects’ rights.

The adoption of digital healthcare in the Philippines was accelerated by the COVID-19 pandemic. Prior to the spread of COVID-19, accessing healthcare services through digital infrastructure was not very common.

Because of the restrictions on movement within the Philippines, and to be able to access healthcare services required, Filipinos resorted to telemedicine. The use of digital platforms to allow for the purchase and delivery of medicines also increased.

In the area of research, platforms have been used to collect, store, and generate data on cases of COVID-19 (ie, positivity rate, and percentage of hospital beds devoted to COVID-19 cases). Platforms have also been used for forecasting and analytics, and to enable the Philippine government to impose restrictions based on applicable alert levels.

The Universal Healthcare Act (UHA) was issued in 2018. Under UHA, the Department of Health (DOH), the Department of Interior and Local Government (DILG), the Philippine Health Insurance Corporation (PHIC), and the local government units shall endeavour to integrate health systems into province-wide and city-wide health systems to ensure effective and efficient delivery of population-based and individual-based health services, and health systems’ operations. The implementing rules and regulations of the UHA (UHA IRR) provide for remote access and delivery of individual-based health services through the use of digital technologies for health.

In light of the increased use of telemedicine platforms, the DOH and the University of the Philippines issued a joint memorandum circular which provides guidelines on the practice of telemedicine (Telemedicine Guidelines). The DOH and the National Privacy Commission (NPC) had also issued guidelines on the use of telemedicine in the COVID-19 response (COVID Telemedicine Guidelines). The Telemedicine Guidelines and the COVID Telemedicine Guidelines were superseded by the Joint Guidelines.

As discussed, the Joint Guidelines provide for the governing principles in the practice of telemedicine by licensed physicians. They cover electronic consultations, including the requirement that electronic consultation documents comprise the digital signature, name, licence number, and professional tax receipt number, if applicable, of the issuing licensed physician. They also provide guidelines on the issuance of electronic prescriptions which should include the name of the patient to whom the medicines or drugs are prescribed, the names of the medicines and/or drugs prescribed, the dosage, and all other pertinent details similarly contained in a written prescription.

The Joint Guidelines do not provide for a reporting mechanism for telemedicine consultations, and instead provide that the practice of telemedicine shall follow the standards of the practice of medicine under the Medical Act and its implementing rules and regulations, the Philippine Medical Association Code of Ethics, and other applicable policies.

With regard to software, wearables, and other digital devices, Republic Act No 9711, as amended, or the Food and Drug Administration Act of 2009 (FDA Act), governs the manufacture, importation, sale, offering for sale, promotion, advertising, and sponsorship of any health product in the Philippines. A “health product” includes devices, in addition to food, drugs, cosmetics, biologicals, vaccines, in vitro diagnostic reagents, and household/urban hazardous substances or a combination or derivative thereof, and other products that can affect health that require regulation, as determined by the Food and Drug Administration (FDA).

Instruments, machines, software, and other articles used in connection with digital healthcare may be classified as medical devices, depending on their intended use and product claims.

An entity that intends to engage in the importation, marketing, sale, and distribution of medical device products must obtain a licence to operate (LTO) for this purpose from the FDA.

In addition, medical device companies may not import, export, manufacture, market, or distribute their medical devices in the Philippines unless these are notified to, or registered with, the FDA, depending on the risk classification of the device.

With the rise in the use of telemedicine platforms, regulations have been issued to set the parameters for local government units, private healthcare providers, and stakeholders in the adoption and use of telemedicine. Current regulations appear to encourage stricter regulation of telemedicine by mandating the development of a Code of Ethics and clinical practice guidelines for telemedicine, a certification programme on good clinical practice of telemedicine by licensed physicians, and development of a system which will allow the verification of the licences and credentials of healthcare providers.

The firm has yet to see enforcement actions in relation to violations of the provisions of the Joint Guidelines. While the Joint Guidelines do not provide specific penalties for violation, a breach of the provisions is punishable under the Medical Act of 1969, FDA Act, Pharmacy Act, Data Privacy Act, Civil Code of the Philippines, and the Revised Penal Code.

The authors are aware, however, of compliance checks being carried out by the Philippine National Privacy Commission against companies belonging to the healthcare sector. The main purpose of these compliance checks, whether in the form of privacy sweeps, document submission, or on-site visits, is to protect individuals and their personal data and to check if a culture of privacy exists in organisations, both public and private. During the course of a compliance check, the NPC would request privacy documentation from the entity subject to the check, such as, but not limited to, privacy impact assessments, a privacy manual, a privacy management programme, and security incident response policies. The NPC can also interview the company’s personnel who are engaged in the processing of personal data, for purposes of assessing compliance. Depending on the results of the compliance check, the company may be given the opportunity to remediate any deficiency to avoid the issuance of any administrative penalty from the NPC.

Digital healthcare technologies may be subject to non-healthcare-specific regulations, such as telecommunications regulations and data privacy regulations.

Telecommunications Regulations

Digital healthcare technologies can be considered as a value-added service (VAS) under Philippine telecommunications regulations, as the term is broadly defined to cover “enhanced services” that add “features or value not ordinarily provided by a public telecommunications entity, such as format, media, conversion, encryption, enhanced security features, computer processing, and the like”. Note that entities which provide VAS are generally required to register with the National Telecommunications Commission.

Data Privacy Regulations

The National Privacy Commission (NPC) is the primary agency that is tasked to administer and implement Philippine data privacy regulations, and to monitor and ensure compliance of the country with international standards set for data protection.

Philippine law does not expressly include definitions for “preventative care” and “diagnostic care.”

However, the UHA expressly provides that the state shall adopt a healthcare model that provides all Filipinos with access to a comprehensive set of quality and cost-effective, promotive, preventive, curative, rehabilitative, and palliative health services without causing financial hardship, and prioritises the needs of the populations who cannot afford such services. The UHA also states that every Filipino shall be granted immediate eligibility and access to preventive, promotive, curative, rehabilitative, and palliative care for medical, dental, mental, and emergency health services, delivered either as population-based or individual-based health services.

In view of the foregoing, the Philippine framework appears to lean towards a comprehensive and cohesive system, which does not make distinctions between preventative and diagnostic care.

See 4.1 Preventative Versus Diagnostic Healthcare.

The UHA also adopts a general policy that ensures that Filipinos are health literate.

In view of such mandates under the UHA, healthcare in the Philippines has expanded the concept of traditional diagnostic healthcare to move towards a more holistic approach covering preventative healthcare.

To the extent that wellness and fitness data amount to personal information (including sensitive personal details), the requirements under Philippine data privacy regulations apply.

Under the Joint Guidelines (on the practice of telemedicine), proper informed consent must be obtained from the patient prior to the collection of personal data and the offering of any telemedicine service. Consent shall be evidenced by written, electronic, or recorded means and shall include the features of the telemedicine consultation.

The Joint Guidelines also provide that the right to privacy of health information shall be protected at all times. The principle of privileged communication between the licensed physician and the patient shall be observed at all times.

In line with the UHA and its mandate to move towards primary care, the DOH has established the Disease Prevention and Control Bureau (DPCB).

The DPCB (through its director) shall operationalise integrated primary care for reproductive, maternal, and child health, nutrition, oral health, the national immunisation programme, the national tuberculosis programme, the national AIDS programme, and the STI prevention and control programme. The DPCB is also mandated to develop the disease prevention and control policies and strategic framework integrating all components of the health system coverage, health service delivery, health financing, governance, and performance accountability.

New technologies may be classified as medical devices in the Philippines, depending on how they are used in healthcare.

The DOH and FDA have aligned their regulations with the ASEAN Medical Device Directive (AMDD). The DOH has issued guidelines that govern the notification and registration of medical devices with the FDA prior to importation, exportation, marketing, manufacture, and distribution in the Philippines.

In view of this, non-healthcare companies will initially have to determine whether the product will be classified as a medical device and subject to licensing and notification requirements of the FDA.

An entity that intends to engage in the importation, marketing, sale, and distribution of medical device products must obtain a licence to operate (LTO) for this purpose from the FDA. The application for an LTO must include information on the qualified person of the establishment, who is defined as “an organic or full-time employee of the establishment who possesses technical competence related to the establishment’s activities and health products by virtue of his profession, training, or experience.” A qualified person is responsible for complying with the technical requirements of the FDA, discussing or clarifying matters with the FDA when submitting technical requirements, and engaging the FDA officials when conducting inspection or post-market surveillance activities.

The licensing requirements of the FDA, and specifically the need to engage/hire the qualified person before actual importation of medical devices and other health products, have often been regarded as a cause of delay in the timeline for establishment of the business and for importation of medical devices and health products of new market entrants, especially non-healthcare companies (who would not otherwise have engaged such qualified persons).

According to the official website of the International Trade Administration (ITA), demand for medical devices in the Philippines is driven by large hospital groups. The ITA cites Ken Research which states that hospitals contribute to 70% of the total medical device revenue while clinics and diagnostic labs contributed 22.5%. 7.5% was attributed to other healthcare institutions.

Based on Open Gov Asia, in its article “The Internet of Medical Things Transforming Healthcare in the Philippines”, healthcare institutions have been deploying smart technologies to improve hospital design and sanitation, such as germ-killing UV light-emitting devices, thermal scanners, and contact tracing apps. The said article also recognised the benefits of new technologies that make it easier to capture medical data, and allow accurate, contactless diagnoses.

The firm is not aware of recent regulatory action in the field of digital healthcare.

While the FDA has issued advisories against the use of unregistered health products or those not covered by the proper notification, we are not aware of any decisions relating to adverse health outcomes resulting from the use of digital medicine or digital health products.

Whenever people use the internet of medical things, such as wearables, it would typically involve the collection and further processing of large amounts of personal data, including health data. This generally leads to a higher risk of harm to the affected data subjects in case of a breach involving such data. It is for this reason that Philippine data privacy regulations require personal information controllers to implement reasonable and appropriate organisational, technical, and physical security measures to maintain the confidentiality, integrity, and availability of the personal data in their possession. Note, however, that the law does not specifically require certain types of measures to be in place.

Wearables, implants, and digestible healthcare technology may be classified as medical devices depending on their intended use. If the wearable, implant, or digestible is intended to be used for:

  • diagnosis, prevention, monitoring, treatment, or alleviation of disease;
  • diagnosis, monitoring, treatment, alleviation of, or compensation for an injury;
  • investigation, replacement, modification, or support of the anatomy or of a physiological process;
  • supporting or sustaining life;
  • preventing infection;
  • control of conception;
  • disinfection of medical devices; and/or
  • providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body,

it may be classified as a medical device and subject to regulation by the Philippine FDA.

An entity that intends to engage in the importation, marketing, sale, and distribution of medical device products must obtain a licence to operate (LTO) for this purpose from the FDA. Depending on the classification of the medical device, it may be subject to notification or product registration with the FDA.

At the time of writing, the authors are not aware of proposed regulations specifically dealing with the internet of medical things and other forms of connected devices.

Republic Act No 9711, as amended, or the FDA Act, governs the manufacture, importation, sale, offering for sale, promotion, advertising, and sponsorship of any health product in the Philippines. A “health product” includes devices, in addition to food, drugs, cosmetics, biologicals, vaccines, in vitro diagnostic reagents and household/urban hazardous substances or a combination or derivative thereof, and other products that can affect health that require regulation, as determined by the FDA.

Instruments, machines, software, and other articles used in connection with digital healthcare may be classified as medical devices, depending on their intended use and product claims.

An entity that intends to engage in the importation, marketing, sale, and distribution of medical device products must obtain a licence to operate (LTO) for this purpose from the FDA.

Medical device companies may not import, export, manufacture, market, or distribute their medical devices in the Philippines unless these are notified to or registered with the FDA, depending on the risk classification of the device.

In this regard, any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material, or other similar or related article which satisfies the following is considered to be a medical device:

  • the device must be intended for human beings;
  • the manufacturer intends it to be used for any of the following:
    1. diagnosis, prevention, monitoring, treatment, or alleviation of disease;
    2. diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury;
    3. supporting or sustaining life;
    4. preventing infection;
    5. control of conception;
    6. disinfection of medical devices; or
    7. providing information for medical or diagnostic purposes by means of in vitro examination of specimens derived from the human body.

To align the regulations in the Philippines with the ASEAN Medical Device Directive (AMDD), the DOH has issued guidelines that govern the notification or registration of medical devices with the FDA prior to importation, exportation, marketing, manufacture, and distribution in the Philippines. DOH Administrative Order No 2018-0002 entitled “Guidelines Governing the Issuance of an Authorisation for a Medical Device based on the ASEAN Harmonised Technical Requirements” (“MD Guidelines”) adopts a classification system for medical devices according to their level of risk. Under the MD Guidelines, all medical devices under class A (low risk) must be notified to the FDA, while all medical devices under classes B to D (low to moderate, moderate to high, and high) must be registered with the FDA. The FDA will issue (i) a Certificate of Medical Device Notification (CMDN) upon successful notification of a class A medical device, and (ii) a Certificate of Medical Device Registration (CMDR) upon successful registration of a class B/C/D medical device.

The UHA, and its rules and regulations, recognises the use of digital technologies for remote access and delivery of individual-based health services.

In response to the increased use of telemedicine during the COVID-19 pandemic, the Philippine government has issued various regulations on telemedicine. Currently in effect are the Joint Guidelines, which provide for the implementation of telemedicine in the delivery of individual-based health services.

See 1.2 Regulatory Definition for details of how “telemedicine” is described under the Guidelines.

Under the Joint Guidelines, only licensed physicians are allowed to practise telemedicine. Moreover, the practice of telemedicine shall follow the standards of the practice of medicine as defined under the Medical Act and its rules and regulations, the Philippine Medical Association’s (PMA’s) Code of Ethics, and other applicable policies. Further, physicians shall observe the same standards of care as in face-to-face consultations but with the intrinsic limitations of telemedicine.

Under the Philippine Constitution and unless otherwise provided by law, the practice of all professions, including the medical profession, is limited to Filipino citizens.

Corporate practice of a profession is also prohibited and against public policy. In a decided case, the Philippine Supreme Court held that “a hospital, as a juridical entity, cannot practice medicine.” In an opinion, the Securities and Exchange Commission (SEC) opined that personal qualifications for the practice of a profession cannot be possessed by a corporation, and in view of the distinct and separate personality of the corporation from the individual members or stockholders, a corporation could not have the power to perform an act requiring a licence which only individuals could obtain. Thus, while a corporation can hire a professional for their services, the corporation itself cannot hire professionals for the purpose of carrying on the business of practising a profession.

However, under the Medical Act, a person shall be considered as engaged in the practice of medicine as a profession if:

  • they shall, for compensation, fee, salary, or reward in any form paid to them directly or through another, or even without the same, physically examine any person and diagnose, treat, operate, or prescribe any remedy for human disease, injury, deformity, physical, mental, psychical condition, or any ailment, real or imaginary, regardless of the nature of the remedy or treatment administered, prescribed, or recommended;
  • they shall by means of signs, cards, advertisements, written, or printed matter, or through the radio, television, or any other means of communication, either offer or undertake by any means or method to diagnose, treat, operate, or prescribe any remedy for any human disease, injury, deformity, physical, mental, or psychical condition; or
  • they shall use the initials “MD” after their name.

The Medical Act also provides that any person found guilty of “illegal practice of medicine” shall be punished by:

  • a fine of not less than PHP1,000 and not more than PHP10,000, with subsidiary imprisonment in case of insolvency;
  • imprisonment of not less than one year and not more than five years; or
  • both a fine and imprisonment, at the discretion of the court.

Depending on the operational arrangements of the telemedicine platform and the entities offering digital technologies in the Philippines, they could be deemed to be engaged in the practice of medicine as a profession, in violation of the Medical Act and the Philippine Constitution.

With the increase in the use of telemedicine platforms, regulations were issued by the DOH, in conjunction with the NPC and the University of the Philippines. However, these regulations were superseded by the Joint Guidelines.

The Joint Guidelines recognise and provide for electronic consultation documents, such as clinical abstracts, consultation summaries, prescriptions, and referral back forms. The Joint Guidelines also specify the requirements for electronic prescriptions.

The Joint Guidelines address privacy and confidentiality issues in remote consultations. They also ensure the authenticity and preservation of medical records used to facilitate telemedicine.

The firm is not aware of specific regulations applicable to online platforms used for telemedicine such as Zoom or Microsoft Teams.

Digital payment technologies have gained increasing importance with the use of new tele-health services. Patients can now pay for hospital services using e-payment systems with a credit or debit card, and other e-wallets at a hospital or clinic’s terminal or through a payment link or payment portal.

Operators of payment systems are required to register with the Bangko Sentral ng Pilipinas (the Philippine Central Bank).

While AI, 5G, and other similar technologies have contributed to the growth of the internet of medical things (IoMT), the authors note that the use of IoMT products is still not very common in the Philippines and, therefore, the information on this is currently limited, especially in provinces located outside of the country’s capital.

Considering that the transmission speed of 5G networks is significantly faster, the authors expect that the use of 5G will further hasten the development of digital healthcare in the Philippines.

The health data of an individual is considered sensitive personal information under the Data Privacy Act of 2012 (DPA). Therefore, the processing of such data, among other types of personal data, is subject to the requirements under Philippine data privacy regulations.

Philippine Data Privacy Regulations

As a rule, personal information controllers are required to comply with the general privacy principles of transparency, legitimate purpose, and proportionality whenever they are processing personal data, including health data. They must also ensure that they have a lawful basis for processing whenever they process (which includes disclosure, sharing, and transfer) such data. In most cases, the most appropriate basis would be the consent of the data subject, which must, in advance, be expressed, specific, informed, time-bound, and freely given in order to be valid. In cases where consent is relied upon, it must be evidenced by written, electronic, or recorded means.

Also, since there is no data localisation requirement imposed by Philippine data privacy regulations, personal information controllers are free to transfer personal data to third parties located outside the Philippines, provided that they use contractual or other reasonable means to ensure a comparable level of protection while the information is being processed by a third party.

Anonymised Information

As a rule, Philippine data privacy regulations do not apply to anonymised data. Similar to the GDPR, data will only be considered as personal data if the person holding the data can relate it to an identified or identifiable person using reasonable means. Conversely, data is considered anonymised where identification is practically impossible because it requires efforts prohibited by law or reasonably disproportionate to any interest in that identification, such that the person in possession of the data would not be expected to take any such means.

Liability Risks

In the absence of a legal basis to process sensitive personal information, the responsible person/s may be held liable for the offence of Unauthorised Processing of Sensitive Personal Information under the DPA, which is punishable with imprisonment of up to six years and a fine of up to PHP4 million (approx USD80,000). These penalties are imposable on the responsible officers who participated in, or, by their gross negligence, allowed the commission of the offence. In addition, the affected data subjects may also recover damages by way of civil indemnity from the entity.

The NPC may also impose administrative penalties such as compliance/cease-and-desist orders, and permanent/temporary bans on data processing. Further, the NPC may charge an administrative fine of 0.5% to 3% of the entity’s annual gross income of the immediately preceding year of the violation, but not exceeding PHP5 million (approx USD100,000) for a single act constituting the violation.

At present, there is no AI-specific regulation in the Philippines.

At the time of writing, the authors are not aware of any proposed regulation or enacted legislation that addresses the use of AI and machine learning data in healthcare.

The increased use of digital technologies, including wearables and telemedicine platforms, may give rise to regulatory and licensing issues.

In the Philippine setting, only licensed professionals may engage in telemedicine. With the rise of telemedicine platforms, access to offshore healthcare services has been made possible. In this regard, a foreign healthcare provider (who is not licensed to practice medicine in the Philippines) may be deemed to be engaged in the practice of medicine in the Philippines in violation of Philippine laws and regulations.

Similarly, the foregoing issues may be present when telemedicine platforms in the Philippines allow access to healthcare services in other jurisdictions which have similar restrictions on the practice of medicine.

Further, digital technologies that are considered as medical devices are subject to regulation by the FDA. For software and other technologies that provide access to patient conditions and health remotely, enforcement of such regulatory requirements may pose challenges for the FDA.

Moreover, companies that make technologies available in the Philippines through the internet may be considered as doing business in the Philippines and required to establish a business presence and obtain a licence from the Philippine SEC.

The authors are not aware of any specific upgrade or feature in the IT infrastructure of healthcare institutions that is currently required under Philippine law. Nonetheless, healthcare institutions, as personal information controllers, are required to implement reasonable and appropriate organisational, physical, and technical security measures intended for the protection of personal data against any accidental or unlawful destruction, alteration or disclosure, or natural or human dangers, as well as any other unlawful processing.

At the time of writing, the authors are not aware of any proposed regulation or enacted legislation regarding the implementation of IT upgrades.

Since there is no law, rule, or regulation that specifically applies to the protection of IP rights in the field of digital healthcare, the general principles under the Intellectual Property Code (IP Code) on patents, copyrights, and trade secrets, which are the common IP rights involved in digital healthcare, will apply.

Digital healthcare-related devices or methods can be protected by a patent, provided that they meet the requirements for patentability under the IP Code. This means that they must be new, involve an inventive step, and be industrially applicable.

In case the owner of the digital healthcare-related devices or methods does not want to obtain a patent over the same, it may nevertheless protect them as a trade secret. However, not all information can qualify as a trade secret, since the information must be commercially valuable and be known to a limited group of persons, and the owner should take reasonable steps to keep the information secret, including the use of confidentiality agreements for business partners and employees.

In tandem with such digital healthcare-related devices is the software used alongside them, which, by its nature, is not patentable. However, the software may be protected by copyright at the moment of creation.

Obtaining a patent over an invention accords the owner with exclusive rights over the same, subject to certain limitations provided for by law. It is also worth noting that to secure a patent, an application must be filed with the IPO, and must thereafter be maintained through the payment of annuities during its 20-year term, which is non-extendible. Moreover, the claims and details of the invention are published and accessible to the public.

Conversely, in the case of trade secrets, no application is required to be filed with the IPO and the protection can subsist for as long as the information remains a secret. This notwithstanding, trade secrets are more difficult to enforce and commercialise due to their secret nature.

Finally, the owner of a copyright is entitled to exercise exclusive economic rights over the work of authorship, subject to certain limitations provided for by law, such as fair use. Note that for copyright to vest, no registration is required, since the work will be protected from the moment of its creation.

Generally, IP licensing contracts can take many forms since there are no formalities that must be observed for their validity. As an exception, however, IP licensing agreements that involve the transfer of systematic knowledge will fall under the definition of a technology transfer arrangement (TTA).

For a TTA to be enforceable, the IP Code requires that certain prohibited clauses be excluded, and certain mandatory clauses be included. Non-compliance with the requirement on prohibited and mandatory clauses will automatically render the TTA unenforceable. However, there are exceptional cases where exemptions from the prohibited and/or mandatory clauses may be allowed by the IPO on a case-by-case basis.

Finally, a TTA that conforms to the IP Code need not be registered with the IPO. However, there are practical benefits for registering a compliant TTA, such as the fact that registration will serve as evidence that the agreement is compliant with the IP Code and enforceable in this respect.

Under the IP Code, inventions and works of authorship created by an employee are owned by such employee, even if he/she uses the time, facilities, and materials of his/her employer, provided that the inventions and works of authorship created are not part of, or a result of, the performance of the employee’s regular duties.

Insofar as inventions created pursuant to a commission, the patent is owned by the person who commissioned the work, unless otherwise provided in the contract. On the other hand, in the case of works of authorship, the copyright shall remain with the creator, while the work itself will be owned by the person who commissioned the work, unless there is a written stipulation to the contrary.

The foregoing rules apply in the case of inventions and works of authorship created in the university and healthcare sectors.

Since the IP Code prohibits a joint owner of an invention or work of authorship from granting a licence without the consent of the other owner(s), it would be difficult to supersede such requirement through a contractual arrangement. It is for this reason that co-owned IP rights are generally more difficult to commercialise, when compared with IP rights owned by a single person or entity. Therefore, it is considered best practice to assign inventions and works of authorship that are jointly owned to a single entity.

The authors are not aware of decisions that have been recently issued in connection with digital health technologies in the Philippines. Also, currently, the firm is not aware of decisions that could possibly predict the Supreme Court’s approach or legal biases/presumptions on AI, machine learning, and software as medical devices.

Nonetheless, in addition to the possible sanctions under regulatory or penal laws (eg, FDA Act and DPA), another potential source of liability under Philippine laws includes quasi-delicts and general principles of human relations (ie, Articles 19 to 21 of the Civil Code). Plaintiffs (eg, patients) can manage to recover damages on the basis of theories of liability on grounds of fault or negligence if there is no pre-existing contract, or of fraud, gross negligence, wilful injury, or intentional damage to another.

For example, suppliers of digital health technologies can be subjected to legal actions or claims for damages for risks and injuries caused by the use of health technologies or devices that are released to the public, if found to be at fault or negligent by courts.

In practice, limitations of liability can be accomplished through the inclusion of indemnity clauses in contracts governing the use of medical devices or the execution of waivers. Note that under the law, the clause or relevant waivers shall be invalid and unenforceable if any of the following are present:

  • future fraud;
  • wilful injury to a person or property;
  • future unlawful acts;
  • gross negligence;
  • intentional misconduct; and
  • acts of bad faith.

Generally, liabilities for injuries caused by third-party vendors’ products or services (eg, leading to cybersecurity attacks) are imposed on the vendor or supplier of the said services. Thus, regulatory or penal laws (eg, the Cybercrime Prevention Act of the Philippines (“Cybercrime Law”), the FDA Act, and the DPA) shall be applied to the actor who has directly caused the injury. Unless there is actual violation by a healthcare institution of the provisions of the Cybercrime Law (eg, illegal access, illegal interception, and misuse of devices), then only the third-party vendor shall be liable.

Nevertheless, it shall be noted that under Philippine laws, healthcare institutions can be held liable for damages based on negligence caused by their own employees (ie, vicarious liability under Article 2180 in relation to Article 2176 of the Civil Code) or caused by agents who have apparent authority (ie, agency by estoppel). For apparent authority to be considered, the hospital or its agent must have acted in a manner that would lead a reasonable person to conclude that the individual who was alleged to be negligent was an employee or agent of the hospital or that it has knowledge without opposition regarding the said act.

If either vicarious liability or apparent authority attaches to the healthcare institution, then plaintiffs (eg, patients) can manage to recover damages on the basis of theories of liability on grounds of fault, negligence, fraud, gross negligence, wilful injury, or intentional damage. The plaintiff must prove that the institution or its agent has failed to observe the standard of care and vigilance under the circumstances, as required when it administered services or offered products coming from third-party vendors.

Healthcare institutions or their agents can also be made liable for administrative and penal violations associated with their acts.

Quisumbing Torres

16th Floor
One | NEO Building
26th Street corner 3rd Avenue
Crescent Park West
Bonifacio Global City
Taguig City
1634
Philippines

+63 2 8819 4700

+63 2 8819 0083

QTInfodesk@quisumbingtorres.com www.quisumbingtorres.com