When implemented, the Protection of Personal Information (POPI) Act will fundamentally change the way personal data is managed. Corporate South Africa, including medical aid schemes, insurance brokers, financial advisors, marketers and even brands, needs to start preparing now for its impact.
"A patient’s medical information and history are particularly sensitive," says Gerhard van Emmenis, principal officer of Bonitas Medical Fund. "Which means the entire service chain, from medical practitioners to pharmacists, administrators and scheme, involved in receiving and storing this information will be required to meet the stringent POPI requirements."
Essentially POPI, based on European legislation, outlines eight general conditions and three specific conditions, which will ensure businesses and organisations take responsibility for the way they share personal information, how that data is used and stored and who has access to it. Many countries have similar legislation in place to protect information and this also governs the transfer and sharing of data internationally.
Why the introduction of POPI?
We live in an information-driven world with easy access to data and personal information via the internet, emails, Facebook, Instagram, LinkedIn and more, as well as traditional faxes and written correspondence. With an increase in cyber threats and information being leaked and shared, POPI is making sure businesses – and even individuals – are more careful with personal information and take responsibility for this data.
The message to the public is that the new Act should be taken very seriously. "Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10m in fines, and could even result in jail sentences (in some instances of up to 10 years), depending on the seriousness of the breach or non-compliance."
According to Van Emmenis, compliance with POPI is of the utmost importance for all medical funds. "This applies to both members, their brokers and those in the medical fraternity," he says. "We are ready for its implementation and have taken great care to ensure data protection is a key priority."
Storing patient information
According to the Health Professions Council of South Africa (HPCSA) recommendations, the most important factor is for stringent precautions to be taken to safeguard patient information. For this reason, when the Council for Medical Schemes (CMS) requested information for the Central Beneficiary Register last year, the majority of medical schemes did not comply, mainly due to concerns about how the information would be stored and used.
The concern is that, although the Department of Health's rationale for wanting a Beneficiary Registry is to negate fraud and recover payment for treatment at state facilities, there is still uncertainty around how this information will be stored and used.
The CMS has since clarified that no actual medical data is required and that an Industry Technical Advisory Group task team has been established, with representatives from medical schemes and administrators, to deal with security issues and POPI compliance. Medical aids continue to engage with the CMS to find a workable solution regarding their directive for member information.
Holistic approach to healthcare
"In order to take a holistic approach to medical aid members’ care and preventing duplication of medical tests, we embarked on a campaign in 2016 to obtain members consent to share their personal data with specific healthcare providers," explains Van Emmenis. "When all co-morbidities are taken into account it ensures that healthcare providers work together in the patient’s best interest."
Member data and healthcare providers
All healthcare providers who interact with patients are generally permitted to have access to their information to a certain extent. However, to conform to POPI regulations, medical schemes need to ensure that claims, medical conditions and treatment are shared only if the member chooses to share them.
Regarding the implementation of POPI, Van Emmenis says, "We have processes in place to securely store the data we have and are ready for the implementation of POPI and will conform 100% with the final conditions outlined in the Act. Protecting the personal and medical records of our members is a key priority."