Gill says that South African healthcare legislation and codes of conduct do account for this protection but that the Protection of Personal Information Bill, (PoPI) will have a significant impact on data privacy, including in respect of personal healthcare information when it is promulgated. "Non-compliance with the provisions of the PoPI Bill could result in either a fine or imprisonment," Gill notes.
Mariska van Zweel, associate in the TMT practice explains, "Even though the right to privacy is not absolute and may be disclosed under certain restrictive circumstances, personal health information contained in medical records is protected in South African healthcare legislation and the Constitution.
"The Health Professions Act (HPA), imposes guidelines and prescribes standards of competence on healthcare providers, including via the mandatory guidelines imposed by the Health Professions Council of South Africa (HPCSA) in terms of which medical practitioners may only disclose patient information with the express consent of a patient or when required:
"The HPCSA also imposes guidelines relating to storage, confidentiality and protection of patient information. In addition, the National Health Act specifically protects the privacy and confidentiality of patient records and provides, in particular, that such information may only be disclosed if the patient consents to disclosure in writing, or a court order or law justifies such disclosure, or where non-disclosure of such information represents a serious threat to public health," says Van Zweel.
She says that the current draft of the PoPI Bill defines 'personal information' widely and specifically includes information relating to the medical history of a person. In addition, special personal information as contemplated in the current draft of the Bill includes information concerning a person's health. The PoPI Bill prohibits the processing of special personal information.
"A limited number of exemptions do exist, including where the data subject has consented to the processing of health related information and, specifically with regard to special personal information concerning a person's health, the processing of personal information by certain prescribed data processors, including medical professionals, healthcare institutions or social services, insurance companies, medical aid schemes, medical aid scheme administrators and managed healthcare organisations, who may process health care information if it is necessary for assessing risk to be insured or covered by a medical aid scheme; the performance of an insurance or medical aid agreement or enforcement of any contractual rights and obligations," Gill explains.
Health care information may only be processed where the processing is subject to an obligation of confidentiality by virtue of office, employment, profession, legal provision or as may be established by a written agreement between the responsible party and the person to whom the health care information relates. Notice of any breach of the security resulting in unauthorised disclosure of health information will, in terms of the Bill, have to be reported to the data subject in accordance with the provisions of the Bill.
"It is essential for organisations to implement awareness campaigns to ensure that staff and managers have a good understanding of their obligations under the Bill and applicable laws. It is to be noted that non-compliance with the provisions of the Bill may result in a civil damages claim or criminal prosecution resulting in a fine or imprisonment," Gill adds.
