Commitment to Privacy
At Best Care Physiotherapy (BCP) (the “Practice”, “Us” or “We”), our principal concern is, and always will be, the health of patients who visit our practice or whom we visit. A high level of trust and confidentiality is required to ensure the confidence of the patients we serve. We strive to protect your privacy while providing you with the best service and experience we can provide.
2. What is Personal Health Information?
Personal health information means identifying information about an individual relating to their physical or mental health. Personal data as defined in the PDPA refers to data about an individual who can be identified from either that particular data, or from that data and other information which we have or are likely to have access to. Personal data is collected where reasonably necessary for our functions and activities. Personal data that we may hold include the following:
(A) name, address and contact details;
(B) date of birth;
(C) NRIC number, driver’s licence, passport number, or work permit number;
(D) Personal Health Information:
i. current medication or treatments used by the patient;
ii. previous/current medical history, including, where relevant, a family medical history; and
iii. the name of any health service provider or medical specialist to whom the patient is referred;
(E) details of services provided to an individual by us;
(F) details of an individual’s dealings with us, including telephone records, email and online interactions;
(G) credit-related personal information;
(H) photos and CCTV recordings; and
(I) other personal data as may be provided by an individual from time to time.
3. Why We Collect Information
Wherever possible, we will collect personal data directly from you. We will only collect, use and disclose personal data with your consent, your deemed consent or as may be otherwise permitted under the PDPA or other applicable laws such as HIPAA.
In addition to the personal data you provide to us, certain information related to you that is not considered personal data under the PDPA may also be collected. We collect this information to improve our website. Such non-personal data may include information such as your IP address, the internet browser you use, details of your interaction with our website and other types of non-personal data.
3.1. General Purposes
In using our services and providing us with your personal data, you hereby agree that BCP may collect, store, process, disclose, access, review and/or use personal data (including sensitive personal data) about you, whether obtained from you or from other sources, for the purposes set out below and/or any other administrative or operational purposes and/or the purpose of managing your relationship as a patient with the Practice or any other company within our affiliations:
(i) providing medical services to you and meeting your healthcare needs within BCP;
(ii) to avail the services which BCP provides, including, where necessary, the transferring to or sharing of your personal data with third party medical service providers such as specialists, imaging providers, pathology providers, or other allied health professionals such as psychologists;
(iii) where there is a serious and imminent threat to an individual’s life, health, or safety;
(iv) where there is a serious threat to public health or public safety;
(v) resolving complaints and dealing with enquiries made by you;
(vi) maintenance and updating of the data;
(vii) administrative or operational purposes;
(viii) processing credit notes and processing refunds;
(ix) collection of fees, charges and expenses for services provided;
(x) verification and identification purposes;
(xi) filing of medical claims on your behalf with the relevant company, employer or insurance provider;
(xii) collecting payments by credit card, cheque, bank transfers or other means;
(xiii) carrying out billing, accounting, auditing and the maintenance of proper book-keeping for the Practice’s operations and business;
(xiv) the disclosure of the relevant books, documents, records and information (in hard or soft copy) to the auditors for the preparation of financial reports;
(xv) compliance with the applicable laws and regulations.
3.2. Marketing Purposes
Where you have (i) subscribed for our marketing communications (by providing the Practice with your local telephone number or email address and have indicated to us that you consent to receiving marketing communications via these channels) or (ii) previously received our marketing communications, the Practice may contact you from time to time, whether by SMS, email or otherwise, to inform you about our new developments, services and events that we think may be of interest to you.
Should you choose not to receive any marketing communications from us, the Practice will not send you purely marketing messages and will not share your personal data with other unauthorised third parties. Please note that the Practice may still contact you for research or administrative purposes, such as service-related notices.
3.3. Optional Purposes
From time to time, you may register for additional services that the Practice provides. The purposes for which your personal data will be collected, used or disclosed will be notified to you at the time of your registration for these services.
4.1. Consent Required
Your consent is important to us. We will not collect, use or disclose your personal data unless:
(i) you give, or are deemed to give, consent to the collection, use or disclosure of your personal data; or
(ii) the collection, use or disclosure of your personal data without your consent is required or authorized under the PDPA or other written law.
4.2. Provision of Consent
We will not obtain or attempt to obtain your consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of your personal data.
4.3. Consent of Third Parties
If you have provided the Practice with any personal data relating to any other individuals, you warrant that you have obtained the necessary consents of these individuals.
4.4. Withdrawal of Consent
4.4.2. Please be aware that once we receive confirmation that you wish to withdraw your consent to receiving marketing communications, it may take up to thirty (30) working days for your withdrawal to be reflected in our systems. During this period of time you may still receive marketing communications from us.
4.4.3. On receipt of such notice, the Practice will inform you of the likely consequences of withdrawing your consent. Depending on the nature of the withdrawal of consent, we may no longer be in a position to continue providing our services to you. Such a withdrawal may therefore result in the termination of any doctor-patient relationship that you may have with us.
5. Data Quality
We will take reasonable steps to make sure that the personal data we collect, use or disclose is accurate, complete and up to date.
We endeavour to ensure that all decisions involving your personal data are based upon accurate and timely information. While we will do our best to base our decisions on accurate information, we rely on you to disclose all relevant information and to inform us of any significant changes.
While all reasonable efforts will be made to keep your personal data accurate, you are kindly requested to disclose all relevant information, inform us of any change and to ensure that all your personal data that is submitted to us is current, complete, accurate, true and correct.
7. Safeguards: Protecting Your Information
The Practice maintains personal data in the format of electronic files. We will protect your personal data with appropriate safeguards and security measures to prevent misuse, loss and unauthorized access, modification and disclosure.
Access to personal data will be authorised only for the physiotherapists and employees associated with the Practice, other agents who require access in the performance of their duties, and to those otherwise authorised by law. We provide personal data to health care providers acting on your behalf, on the understanding that they are also bound by law and ethics to safeguard your privacy.
Our computer systems are password-secured and constructed in such a way that only authorised individuals can access secure systems and databases.
We will not keep personal data for longer than is necessary and will take reasonable steps to destroy or permanently de-identify personal information if it is no longer required.
8. Access and Correction
You are entitled to have access to the personal data about you that is in the possession or under the control of the Practice and information about the ways in which the personal data has been or may have been used or disclosed within a year before the date of the request. This can be done by you making a written application to the official email (as defined below) requesting any such information. We may charge you a fee (representing our costs in administering your request) for supplying such information and reserve the right to refuse requests which, in our opinion, occur with unreasonable frequency.
We will also, where you have requested that we correct an error or omission in the personal data about you that is kept with us, correct such data as soon as practicable and send the corrected personal data to every organisation to which the personal data was sent before it had been corrected, if applicable, unless that organisation does not need the corrected personal data for any legal or business purpose.
We may however choose not to provide you with access to or correct such information, in accordance with the exceptions under the PDPA. This would include cases where:
(i) We are satisfied on reasonable grounds that the correction should not be made;
(ii) The request for access is frivolous or vexatious or the information requested is trivial;
(iii) The personal data is related to a prosecution and all the proceedings related to the prosecution have not been completed;
(iv) The personal data, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm our competitive position; and
(v) The personal data was collected, used or disclosed for the purposes of an investigation and associated proceedings and appeals have not been completed.
Please also note that we are not required to correct information relating to clinical observations or opinions made in good faith.
10. Retention of Patient Files and Medical Records
At BCP, we store all Patient Files/Medical Records in a Computerised / Electronic format. We reserve the right to store your patient file/medical record for a period of “lifetime +6 years”. In order to meet all current medical and legal requirements in Malaysia, we are not required to delete your patient file/medical record or the contents within the defined retention period.
11. If you have any queries or requests or wish to make any applications concerning your personal information or data, please contact the official email using the details provided below:
Patient File/Medical Records: The patient file/medical record covers all clinical encounters and original inpatient and outpatient records generated at the time of admission, outpatient attendance or home visit.
Retention Period: Retention period refers to the period of time that the medical records should be kept.
Definition of “lifetime” – as BCP may not always be aware of time of death of patients, BCP chooses to substitute “lifetime” with 100 + 6 years based on maximum life expectancy.
Computerised / Electronic Medical Records: Computerised and/or electronic medical records include all records produced by electronic systems and paper medical records which have been digitised into an electronic format.
Governing law and jurisdiction