PoPI reinforces systems already in place in the healthcare industry
The National Health Act
For at least the past decade and a half, the National Health Act, 2003 (NHA) has been the primary piece of legislation dealing with personal health information. Chapter 2 of the NHA sets out the rights and duties of users and healthcare personnel and contains specific provisions dealing with:
- Confidentiality;
- Access to health records; and
- Consent to disclosure of health information pertaining to patients.
These provisions are echoed in the Health Professions Act, 1974 (HPA) and in the Health Professions Council of South Africa (HPCSA) Guidelines for Good Practice, Booklet 5 of which deals with confidentiality. The HPCSA guidance is aimed at healthcare practitioners who are registered in terms of the HPA.
Sections 13 to 17 of the NHA deal with access to, and the protection of, health records. These provisions proceed from the premise that confidentiality is fundamental to the doctor-patient relationship: sections 14 and 15 place a statutory obligation on practitioners to treat all information concerning a health user (patient) as confidential and regulate when it may be disclosed.
Section 14 expressly provides that no one may disclose any information pertaining to a user's health status, treatment or stay in a health establishment (such as a hospital) unless the user has consented thereto in writing. The only circumstances in which a practitioner may disclose such information without consent are where a court order or any law requires the disclosure (as in the case of communicable diseases that must be reported by law), or where non-disclosure would pose a serious threat to public health.
Section 15 permits the flow of information necessary for rendering healthcare services to patients: a health worker or provider with access to a user's records may disclose them to another person, provider or establishment where this is necessary for a legitimate purpose within the ordinary course and scope of their duties and the disclosure is in the interests of the user.
Section 17 obligates persons in charge of health establishments to set up control measures to prevent unauthorised access to health records and storage systems containing those records. It also creates various offences for tampering with, stealing or unlawfully accessing patient health records.
PoPI
PoPI establishes minimum standards for the processing of personal information. It sets out eight conditions for lawful processing, all of which must be met in order to protect a data subject's right to privacy as enshrined in the Constitution.
Some relevant provisions of PoPI for healthcare are the following:
- Processing of information must be lawful, reasonable and limited to what is adequate, relevant and not excessive for its purpose. Only relevant data should therefore be captured, used or retained. The gold standard for lawful processing remains the consent of the data subject, but there are instances where processing without consent is justifiable, and indeed desirable, in terms of the new law. Processing is justified, for example, where it is necessary:
  - To carry out actions for the conclusion or performance of a contract to which the data subject is a party;
  - To comply with an obligation imposed by law on the responsible party;
  - To protect a legitimate interest of the data subject;
  - For the proper performance of a public law duty by a public body; or
  - To pursue the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- Collection must be purpose-specific. Information may be collected only for a specific, explicitly defined and lawful purpose of which the data subject is made aware, and records may not be retained for longer than is necessary to achieve that purpose, subject to any retention period that legislation imposes and to the prescription period for potential legal claims. If one intends to keep or process information beyond the purpose for which it was obtained or created, that further use must be explained to the data subject upfront. Information received in one context may therefore not be used in another without complying with the provisions of PoPI.
Under PoPI, personal health information is a category of special personal information, and the personal information of children is subject to a comparable default prohibition on processing. Both therefore require a higher standard of care than ordinary personal information such as financial information, and may be processed only where an exception in PoPI applies or the Information Regulator authorises it.
Healthcare institutions are authorised by PoPI to access, examine and disclose personal health information for the proper treatment and care of patients or the administration of a health institution. For this, consent is not specifically required in terms of PoPI.
Case managers and hospital billing staff therefore do not require a patient's consent to collect and process updated personal health information in the course of case management or medical scheme billing submissions. As responsible party, a hospital or its medical staff may use that information to perform the doctor-patient or hospital admission contract, and medical schemes, their administrators and insurers enjoy a parallel exception allowing them to process it to assess risk and to perform the scheme or insurance agreement.
One is also allowed to disclose personal information where the law requires it, for example where a requester lodges a valid request in terms of the Promotion of Access to Information Act, 2000 or when responding to a regulator such as the Information Regulator or the Office of Health Standards Compliance.
Remember, too, that where a third party processes personal information on another party's behalf (an operator, in PoPI's terms), the responsible party must, by written contract, ensure that the operator establishes and maintains the security measures PoPI requires, and the operator must notify the responsible party immediately if it has reasonable grounds to believe the information has been accessed or acquired by an unauthorised person. This is relevant where medical scheme administrators ask hospitals and providers to collect or provide information concerning their members.
Clinical documentation and hospital admission contracts therefore need to be carefully worded to delineate the various uses of information and the parties who will have access to it. Where consent is needed to process information, make sure that it is sought in clear, plain language, since PoPI requires consent to be a voluntary, specific and informed expression of will. Some concepts may also need to be explained to the patient, or to the next of kin who provides information where the patient is a child or has limited contractual capacity.
Healthcare providers are already under a legal and professional duty to maintain the confidentiality of patient health information in terms of the NHA and HPA. PoPI continues this requirement, while strengthening the legislative framework for data privacy and protection in South Africa.
Most health institutions already have adequate systems in place to protect data in their possession, including personal information, but a thorough review of current systems and security measures is worthwhile given the strict penalties and enforcement actions that apply under PoPI. PoPI itself frames what such a review should cover: the responsible party must identify all reasonably foreseeable internal and external risks to the personal information it holds, establish and maintain appropriate safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update them in response to deficiencies or new risks. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the Information Regulator and the affected data subjects must also be notified.
The Information Regulator is currently gearing up to publish codes of conduct applicable to the various industries under its oversight, which may well include guidelines for the healthcare industry. As and when these codes of conduct materialise, they will provide added comfort to healthcare professionals and patients alike in protecting and preserving the integrity and privacy of personal health information.