Health data warning for SA employers

South African employers have been warned to tighten up their management of staff health and medical records, in the light of new Protection of Personal Information Act (POPIA) regulations, reports BusinessTech.

According to Workforce Healthcare, which provides health and wellness services, some companies face challenges in managing employee medical records, including who owns them, how they are stored, who may access them, how long they must be kept, and how they are destroyed.

“Managing these records and the personal information they contain is a heavily regulated area,” said Dr Robin George from Workforce Healthcare, “but we’ve found that many employers, including some healthcare service providers, are not meeting the legislative requirements.”

Urgency has intensified since the March gazetting of new POPIA regulations that specifically govern the processing of health information by responsible parties such as medical schemes, managed healthcare organisations, and insurers. The new regulations impose binding requirements on the security, confidentiality, and processing of that data.

Workforce Healthcare noted that health data carries the highest level of legal protection under POPIA and the National Health Act, and unauthorised disclosure can have devastating consequences.

POPIA classifies health data as special personal information, which affords it the highest level of protection under South African law.

That means processing, sharing, storing or granting access to the information is prohibited unless it is necessary for treatment, care, or authorised administration by a healthcare professional.

Who owns what

A central problem is who owns the record in occupational healthcare. Ownership can reside with the healthcare provider who created the record or with the employer who paid for the service, but legislation requires this to be formally agreed upon between the service provider and the client before services begin, said George.

However, this conversation rarely happens in practice.

Employers who assume they have access to employees’ medical information may expose themselves to liability – and if they receive physical medical files from their occupational health provider without a formal ownership agreement and compliant storage arrangements in place, they could be unlawfully holding records.

“Once you accept ownership, you accept legal responsibility for storage, access control, retention, and eventual destruction,” warned George, who suggested that occupational healthcare service providers should preferably avoid handing over complete medical files with sensitive personal information to employers “without certainty that those files will be managed in accordance with relevant legislation”.

George added that service-level agreements are also needed for the management of medical records, because there can be strict obligations, including storing physical data in locked, fire- and flood-resistant facilities and also ensuring electronic records are password-protected and encrypted.

Disclosing information in a medical record to a third party requires the patient’s written consent, a court order, or a defined public health justification, and because compliant medical records management is costly, Workforce Healthcare said these should be formally factored into service agreements from the start.

Business Tech article – Massive legal warning for employers in South Africa (Open access)
