A Practical Legal and Governance Guide for Clinics

Important Notice: This article provides a practical and legally careful overview of the PIC role in Malaysia. It is intended for professional education and general guidance and should not be treated as legal advice. Specific legal questions should be assessed with qualified counsel.
Why the role deserves serious attention
In Malaysia, the title Person in Charge, commonly referred to as PIC, is often misunderstood. Many assume it is simply an administrative requirement for licensing purposes. In reality, the role carries meaningful operational and regulatory weight.
A PIC sits at the centre of clinic governance. The role helps ensure that a private medical or dental establishment is not only clinically functional, but also lawfully and responsibly run. For that reason, accepting the PIC role should never be treated casually. It brings together professional accountability, patient safety, documentation discipline, and regulatory oversight.
In practical terms, the PIC is often the person through whom a clinic's systems are expected to hold together when examined by regulators, patients, insurers, or the courts.
My interest in this subject grew from practical experience. Through my work at DoctorShield, and from seeing claims in which the PIC was specifically named, I became increasingly curious about how the law, regulation, and insurance framework actually treat the PIC role in Malaysia.
The PIC sits at the intersection of facility law and practitioner law
The legal position of a PIC in Malaysia is best understood through two overlapping frameworks.
The first is facility regulation. Private medical and dental clinics are principally governed by the Private Healthcare Facilities and Services Act 1998, commonly known as Act 586. This Act places private healthcare facilities within a formal regulatory structure and requires such facilities to be maintained or operated by a person in charge. It also addresses the qualifications and prescribed responsibilities of the PIC, as well as related matters such as notification of any change in PIC, patient-facing policy statements, grievance mechanisms, and emergency readiness.
The second is practitioner regulation. Doctors are governed by the Medical Act 1971, which regulates registration, annual practising certification, and lawful medical practice. Dental practice operates under the regulatory framework of the Dental Act 2018, which came into force on 1 January 2022 and replaced the Dental Act 1971, administered by the Malaysian Dental Council.
"The clinic itself may be regulated under Act 586, but the practitioner serving as PIC must also remain lawfully entitled to practise."
This distinction matters. A clinic may appear compliant at the facility level yet still face exposure if the practitioner acting as PIC has an issue with registration, practising certification, place of practice, or scope of practice. The PIC role therefore cannot be separated from the practitioner's own legal standing.

What the law actually says about the PIC
A careful reading of Act 586 shows that the PIC is part of the statutory operating structure of a private healthcare facility, but the law does not place every clinic duty on the PIC personally in one single section.
Under the Act, the duty to ensure that the facility is maintained or operated by a PIC falls first on the licensee or holder of the certificate of registration. The Act then provides that the PIC must possess the prescribed qualifications, training, and experience, and must carry out the prescribed duties and responsibilities. The law also requires the Director General to be notified within 14 days of any change in the PIC, together with the incoming PIC's credentials.
This framework is important because it shows that the PIC is not merely a name inserted into an application form. The law assumes the role has real substance. The PIC is expected to be a competent and accountable operational figure within the clinic's governance structure.
Why the PIC role goes beyond clinical treatment

A common mistake is to think that a PIC's responsibility begins and ends with seeing patients. That is too narrow.
Act 586 requires private healthcare facilities to have governance features such as a policy statement made available to patients, a grievance mechanism, and the capability to institute essential life-saving measures and emergency procedures at all times. While the Act itself does not spell out every operational detail of clinic management, it makes clear that a private healthcare facility must function as a properly organised and safe establishment, not just as a place where consultations happen.
In practice, that means a PIC should have working knowledge of the clinic's systems for patient registration, staffing oversight, documentation, complaints handling, escalation, and emergency response. It also means ensuring that the clinic's internal arrangements are not merely informal habits, but systems that can withstand scrutiny when a complaint, inspection, or adverse event arises.
The PIC is often the person who translates regulatory expectations into daily practice. That includes checking whether the clinic is run by appropriately qualified personnel, whether records are maintained properly, whether emergency procedures are workable, and whether patient complaints are handled in a credible and traceable manner.
This is also why the PIC role becomes highly visible when things go wrong. In many healthcare disputes, the issue is not only what treatment was given, but whether the clinic had proper systems, clear accountability, and adequate records. Missing logs, weak oversight, poor complaint handling, or unclear protocols can become as significant as the clinical event itself.

Practitioner-side compliance remains critical
For medical clinics, the Medical Act 1971 remains central. It governs who may lawfully practise and under what practising certification framework. A doctor acting as PIC must therefore not only be clinically competent, but also properly registered and in possession of a valid current Annual Practising Certificate.
The practitioner side has also become more structured. For medical practitioners, professional indemnity cover and continuing professional development (CPD) have become important parts of the practising certificate renewal framework. Under the Medical (Amendment) Act 2012, Section 20(1) now explicitly requires evidence of professional indemnity cover as a prerequisite for APC renewal. For dental practitioners, the current framework under the Dental Act 2018 and the Malaysian Dental Council similarly ties practising eligibility to current regulatory requirements, including professional indemnity and CPD obligations within the practising certificate structure.
The practical lesson is straightforward. A PIC must not assume that clinic level approval alone is enough. If the practitioner side is not in order, the clinic can still be exposed.
Key point: professional indemnity now matters more than ever
Professional indemnity is no longer something that should be treated as a secondary administrative matter.

Where professional indemnity is part of the statutory framework for renewal or maintenance of practising status, a lapse in such cover may affect the practitioner's compliance standing regardless of the clinic's facility-level registration. For a PIC, that is a serious point. The clinic may appear operationally sound, but if the practitioner's underlying compliance position is compromised, the exposure can quickly widen.
A practical insurance point PICs should not overlook
A doctor’s personal professional indemnity insurance is generally intended to protect the doctor against liability arising from his or her own clinical acts, errors, or omissions in professional practice. It does not usually provide automatic protection for liabilities arising from the doctor’s separate role as the PIC of a clinic. In many cases, protection for PIC related lapses would need to be specifically provided either through an extension to the individual indemnity policy or under the clinic’s own indemnity coverage.
Patient rights and complaint systems are central to lawful clinic management
One of the clearest lessons from Act 586 is that private healthcare is not regulated solely around treatment. It is also regulated around the patient’s experience of the healthcare institution.
The Act requires the facility to make its policy statement available to patients and to maintain a grievance mechanism. That signals an important principle. A clinic must be able to explain how it operates and how patients may raise concerns when something goes wrong.
For a PIC, complaint handling should not be treated as a nuisance or a customer service afterthought. It is part of clinic governance and part of patient protection. A clinic that lacks a credible complaint structure is not merely inefficient. It may be exposing itself to regulatory criticism and future legal complications, especially if a complaint later develops into a disciplinary matter or negligence claim.
Emergency readiness is a legal expectation
Act 586 also makes clear that private healthcare facilities must be capable of instituting essential life-saving measures and emergency procedures at all times.
This does not mean every clinic must function like a hospital. It does mean, however, that emergency preparedness is not optional. From a governance standpoint, the PIC should be asking whether staff know what to do when a patient suddenly deteriorates, whether essential equipment is ready, whether escalation pathways are clear, and whether incidents are documented properly.
These questions are operational, but they are also legal in effect, because the law expects the clinic to maintain a minimum level of readiness appropriate to its function.

Data privacy is now part of the PIC conversation
No modern discussion of clinic governance is complete without addressing patient data.
Malaysia’s Personal Data Protection Act 2010, or PDPA, regulates the processing of personal data in commercial transactions. Health information is treated as sensitive personal data, which means it is subject to stricter handling requirements than ordinary personal information.
Strictly speaking, the PDPA is directed mainly at the data controller (the term adopted by the Personal Data Protection (Amendment) Act 2024, replacing the earlier “data user”), rather than the title of PIC. In most private clinic settings, that means the clinic entity is the primary legal addressee. Even so, the PIC will often be the person through whom privacy compliance is implemented on the ground.
In practical terms, this means overseeing whether patient data is collected properly, stored securely, accessed only by authorised personnel, and handled in a way that is consistent with consent, confidentiality, and lawful retention practices. It also means ensuring that staff behaviour, messaging practices, software systems, and third-party vendors do not create avoidable privacy risk.
A legally careful way to state the position is this: sensitive personal data will generally require express consent for processing unless a statutory exception applies. A clinic that is casual about privacy notices, access control, retention, or vendor management may be exposing itself to regulatory, reputational, and operational consequences.
The PDPA amendment has raised the compliance bar
The recent amendment to Malaysia's personal data protection framework has materially raised expectations around governance.
The compliance conversation is no longer limited to basic privacy notices and confidentiality. It now includes stronger accountability, breach response, and internal governance expectations. Clinics handling sensitive health data should therefore assess, with care, whether they fall within the current requirements relating to data breach notification and data protection officer arrangements under the amended framework and related guidance.
In practical terms, the key changes are significant. From 1 June 2025, data controllers and data processors must appoint at least one Data Protection Officer. The guideline threshold for mandatory appointment includes organisations processing sensitive personal data exceeding 10,000 data subjects, which means many established clinics handling health records may need to assess their position carefully. Data controllers must also notify the Personal Data Protection Commissioner of any personal data breach as soon as practicable, and no later than 72 hours after becoming aware of the breach. Where the breach is likely to cause significant harm, affected individuals must be notified within seven days. The maximum penalty for breaches of the Personal Data Protection Principles has been raised from RM300,000 to RM1,000,000, and the maximum imprisonment term from two to three years. Specific applicability to any particular clinic should of course be confirmed with qualified counsel.
For a PIC, this means privacy can no longer be viewed as an administrative side issue. It has become part of responsible clinic leadership.
Cyber risk can no longer be ignored
Cyber risk is also becoming part of the broader healthcare compliance landscape in Malaysia.
The Cyber Security Act 2024 reflects the growing seriousness with which Malaysia treats cyber resilience and critical digital infrastructure. The Act (Act 854) was gazetted on 26 June 2024 and came into operation on 26 August 2024. Healthcare is designated as one of the 11 National Critical Information Infrastructure sectors under the Act, which places it squarely within the wider national conversation on critical information systems and digital vulnerability.
That does not mean every ordinary private clinic PIC is automatically subject to direct day-to-day duties under the Cyber Security Act. The Act is aimed at cyber governance and critical infrastructure regulation. Even so, the policy direction is clear. Healthcare systems, patient records, ransomware exposure, and cyber preparedness are now serious institutional concerns.
A prudent PIC should therefore regard cyber hygiene, system resilience, basic access controls, phishing awareness, and incident response planning as part of modern clinic governance.

Where risk tends to crystallise
The legal and practical exposure associated with the PIC role usually arises in four areas.
The first is regulatory exposure. If the clinic cannot demonstrate that it is operating with proper governance, complaints handling, emergency preparedness, or an appropriately qualified PIC, the regulator may intervene under the Act 586 framework.
The second is practitioner exposure. If the doctor or dentist acting as PIC has issues relating to practising status, scope, place of practice, or professional indemnity, those issues may affect not only the practitioner but also the clinic’s standing.
The third is civil exposure. In medical negligence claims, inadequate documentation, poor supervision, unclear emergency arrangements, and weak complaint handling can become evidence of deficient governance. Act 586 does not replace the general law of negligence, but it may influence how a clinic’s operational standards are judged.
The fourth is information governance exposure. Mishandling health data can trigger privacy complaints, regulatory attention, breach response obligations, and reputational damage. Under the amended PDPA, financial penalties for non-compliance have increased materially, with exposure reaching up to RM1,000,000 in certain circumstances. In healthcare, trust loss often spreads faster than formal litigation.
A practical compliance checklist for PICs
The following is not exhaustive, but it is a useful starting point for any PIC who wants to assess whether the clinic is properly anchored.

The most useful way to think about the PIC role
The best way to understand the PIC role is not to ask whether the PIC is personally responsible for every single thing that happens in a clinic. That question is too simplistic.
A better question is this: is the PIC one of the central people through whom a clinic proves that it is competently, safely, and lawfully run?
The answer is clearly yes.
The PIC sits where practitioner law, facility law, patient protection, privacy, and operational discipline meet. The law may not place every duty on the PIC personally in one neat section, but the PIC remains one of the most important people in showing that the clinic is properly governed.
Conclusion
The PIC role in Malaysia should be approached with seriousness. It is not merely an administrative label attached to a licence application. It is a role that sits where patient care, clinic governance, professional regulation, privacy, and accountability meet.
For medical and dental establishments alike, the central lesson is the same. Good clinical care is essential, but it is not enough on its own. A well-run clinic also depends on sound systems, lawful practice, proper documentation, patient protection, and disciplined leadership.
In that wider structure, the PIC remains one of the most important figures in the clinic.
Japhire Gopi Kannan Founder & CEO, DoctorShield
References
- Ministry of Health Malaysia. Private Healthcare Facilities and Services Act 1998 (Act 586).
- Ministry of Health Malaysia. Medical Act 1971 (Act 50). Official MOH legislation PDF.
- Ministry of Health Malaysia. Akta Kesihatan portal. Official health legislation listing page.
- Malaysian Dental Council. Legislation / Acts. Official MDC page listing the Dental Act 2018, Dental Regulations 2021, and related legislation.
- Malaysian Dental Council. Regulating the Profession. Official MDC guidance page describing the implications of the Dental Act 2018, including mandatory CPD and professional indemnity cover.
- Department of Personal Data Protection. FAQ. Official PDPA FAQ on scope, sensitive personal data, and compliance principles.
- National Cyber Security Agency, Malaysia. Act 854. Official NACSA page on the Cyber Security Act 2024.
- National Cyber Security Agency, Malaysia. Legal. Official NACSA legal resources page.
- Personal Data Protection (Amendment) Act 2024. Amendments to the Personal Data Protection Act 2010, including mandatory DPO appointment, data breach notification, data portability, and revised penalties. In force from January to June 2025.
- Malaysian Medical Council. Registration and APC requirements including professional indemnity and CPD under the Medical (Amendment) Act 2012, Section 20(1).
- Telemedicine Act 1997 (Act 564). Ministry of Health Malaysia.