Medical practitioners now have increased legal duties when processing patients’ personal information, both within their practice and between practitioners, writes Thabiso Mthiyane from MacRobert Attorneys.
He says the Protection of Personal Information Act 4 of 2013 (POPI), introduced to oversee the processing and transmission of personal information by all private and public entities that may, for whatever reason, possess a person’s personal information, becomes extremely relevant in industries handling sensitive personal information, for example healthcare.
He writes:
"Section 19 of the Act provides that:
(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent: (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.
(2) To give effect to subsection (1), the responsible party must take reasonable
measures to:
(a) identify all reasonably foreseeable internal and external risks to personal
information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure the safeguards are continually updated in response to new risks
or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
The Act does not provide any specificity on the exact technical and organisational measures medical practitioners are expected to implement within their practices.
What would be deemed “appropriate” and “reasonable” presumably depends on the circumstances/underlying intention of Section 19. Ultimately, a medical practitioner needs to engage in a risk-based approach and consider the risks when processing the personal information, the nature of the information as well as the cost of implementing the measures.
A medical practitioner can implement various security measures within their practice to safeguard patients’ personal information and include:
1) Physical measures – securing filing cabinets and access control at offices;
2) Operational measures – ensuring staff sign confidentiality agreements, training them on the importance of protecting personal information and introducing
multi-level authorisation protocols;
3) Technological measures, e.g. installing firewalls/anti-virus programmes,
using passwords and encrypting removable devices; and
4) Developing an information security policy for privacy, addressing all the above.
The main benefit of these security measures is that it standardises processes and provides clear direction on procedures and rules to be followed to protect the practice against threats to data confidentiality and integrity.
Irrespective of the combination of measures a medical practitioner may decide to implement, they should ensure all parties involved in the chain are always able to provide tangible evidence of the steps they have taken to safeguard and safely transmit a patient’s personal information.
The Act also places a duty on any employee/agent processing personal information on behalf of a medical practitioner, to ensure they process this only with the knowledge or authorisation of said medical practitioner. They are also required to treat all personal information as confidential and not to disclose it, unless required to do so by law or in the course of the proper performance of their duties. The employee/agent is required to notify the medical practitioner immediately where there are reasonable grounds to believe a patient’s personal information has been accessed/acquired by an unauthorised person.
From the above, it appears evident the Act expects medical practitioners to monitor, control and regulate all aspects and parties involved in the chain of processing the inward/outward flow of patients’ personal information.
The transmission of this to another practitioner raises different security concerns. There are different ways to transmit this information to another medical practitioner during the referral process, all of which pose their own risks. Transmitting personal information via email poses less of a risk than if hand delivered by a third-party agent or via post.
Provided the information is processed in a reasonable manner that does not infringe on privacy rights and the medical practitioner has taken reasonable steps to ensure the patient is aware of the purpose for which their personal information is being collected (and the possibility of it being processed further), sending it via email will not be deemed to be contrary to the Act’s provisions.
Security measures implemented by a practitioner to prevent a data leak when transmitting patients' personal information are and diverse, most of which are IT related. It is therefore advisable for medical practitioners to consult qualified IT personnel when they intend to regularly transmit information electronically, as appropriate software and hardware must be in place to ensure compliance with Section 19 of the Act.
The Act essentially provides an extra layer of protection for patients, as practitioners are obliged to keep their personal information confidential not only under the regulatory guidelines of the profession but now also in terms of POPI.
This dual obligation serves to regulate the internal and external processing of personal information as well as potential breaches by unauthorised third parties. It is worth noting that the Act does not aim to replace or amend any of the regulations or guidelines set by the HPCSA, but requires medical practitioners to process the personal information of patients in a way that satisfies the Act’s requirements as well as those of the HPCSA guidelines and regulations.
Unlike the regulatory guidelines of the medical profession, which are more concerned with the professional conduct of medical practitioners, a breach of confidentiality by any person in terms of the Act is considered a criminal offence. On conviction, a person will be liable to a fine or imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment."
* Thabiso Mthiyane was assisted by Jayashree Naidoo.
POPIA is coming into force – are you ready?
DA and DoH clash over request for medical scheme member data
US Congress grills Facebook over patients’ health data privacy breach
US patients' new electronic access to records hits snags