MPS has fielded many questions on POPIA, South Africa's data privacy legislation which comes into force shortly, and is providing a range of guidance and advice to help healthcare professionals comply with the new rules, writes Dr Tony Behrman, Medicolegal Medical Business Consultant of the Medical Protection Society (MPS).
Dr Behrman writes:
The Protection of Personal Information Act 4 of 2013 (POPIA), is South Africa's data privacy legislation which comes into full force and effect on 1 July 2021.
All healthcare professionals, both private and public, must familiarise themselves with the key concepts of the Act. Special attention must be drawn to their legal responsibilities regarding consent to data collection, privacy and security of such data, and what happens should a data leak occur.
Confidentiality and Consent are nothing new to the medical profession
In the past, you and your staff gathered and generated personal patient information, took consent, stored and processed patient information etc, as directed by the various Health Professions Council of South Africa's Booklets 1,2,5,7 and 9.
POPIA codifies personal information and the access to it, and thus brings a new facet to record keeping. Keep the following essential topics in mind:
• Staff training
• Data breaches
• Alignment of POPIA and Promotion of Access to Information Act (PAIA) manuals.
As with many legal documents, the definitions are important to understand.
• You are the responsible party
• The patient is the data subject
• Anyone who processes information on your behalf, but who is not directly under your authority is referred to as the Operator
• Personal Information is any form of information, which makes an individual identifiable. It includes amongst many other examples their name, email address, ID number, race, sexual orientation, religious beliefs, financial, criminal, medical, and even employment history, etc.
Security and other measures required for protection of personal information data
You will need to conclude contracts with your various practice outsource companies including practice management software companies, billing bureaus, practice accountants etc. to align with the tenets of POPIA. These data operators process your patient's personal information, and contracts with them will go a long way to defending you should they experience a data breach outside of your control.
Staff of your practice
Written agreements must be concluded with your staff, as to the sanctity and security of information. Teaching sessions must explain their responsibilities with respect to POPIA. While tutorials need not be professionally facilitated, the dates and attendances of your various staff should be diligently recorded in case of an inspection or data breach.
Both new and old patients must be asked to sign a voluntary specific and informed consent, granting you permission to process their personal information. The wording of a typical consent is available at an MPS webinar to be held on 18 May 2021.
Medical information exemption (See S26(A) 27 and 32 of POPIA )
Medical and related professions, as well as healthcare facilities, are exempt from the prohibition on collecting and collating information pertaining to a data subject’s health, sex life and biometric data.
Personal medical data must also be destroyed after there is no further use for it, unless there is a cogent medical reason to maintain it on file for future patient care in complicated cases.
Similarly, medical schemes, their administrators and managed care organizations may collect and process data pertaining to applicants to assess the risk of insurance, to fulfil medical scheme agreements, and to enforce any contractual rights and obligations, provided that the data subject has agreed to such processing.
Storage of and access to data
You and your staff have an obligation of confidentiality to your patients in terms of the written agreement (vide supra), and thus qualify to collect and store their personal patient information.
It is your obligation to prevent loss, unauthorized access or unauthorized destruction of personal information or processed information.
The concept of reasonability has relevance here. It would be unreasonable to expect a solo practitioner in a small town to deploy an armed guard to protect his or her files. Contrast this with a large insurance company, medical aid or medical aid organization with thousands of patients, utilising sophisticated access codes, password protection and biometrics on computers, servers and terminals, all of which are regularly changed.
The middle ground would be a one or two doctor practice in an urban setting, which would reasonably be required to have physical access control, a burglar alarm, and have files secured in an area with lockable access, together with secured filing cabinets or devices.
What PAIA implies is that reasonability is important. In any of the above examples, it would be unreasonable to leave a patient's folder, electronic or otherwise, open on a desk or screen, accessible to prying eyes, but equally unreasonable to impose hi-tech security measures on small businesses.
Regular risk assessments must however be carried out and documented no matter the size of the operation.
See paragraphs 19 (1) and (2) of PAIA.
Apart from protecting your data against breaches, you must know what is expected of you when and if – despite best intentions – you experience a data breach.
Data breaches are almost unavoidable, and it is therefore important to be well prepared for a data breach, when and if it happens.
You need a written data breach policy directive, you must educate your employees on the directive, and review it from time to time. Teaching of employees must be documented and staff must sign a register to prove their attendance.
Essential elements of a data breach response policy
This must be a written document, easily accessible by the staff, written in clear and non-technical language, explaining:
• the urgency of the response required to a data breach
• what security was breached and what data was compromised
• the people to whom the breach must be reported internally i.e. to the Information Officer
• whose responsibility it is to report to the regulator
• whose responsibility it is to notify the patients and how the patients will be notified
• who is responsible to ensure that patients receive such notification
• who is responsible to take immediate steps to secure the data
from further compromise
• how the breach will be assessed; and
•what future preventative measures will be implemented.
Response to a data breach
Where there are reasonable grounds to believe that the privacy of personal patient information has been compromised:
1) you must notify the regulator, as soon as possible.
2) Subject to subsection 22.3, notify the patient, unless the identity of the patient is not known.
3) The regulator may direct that you publicize the matter if it is felt that such publicity would protect a compromised party.
Aligning the PAIA manual with POPIA
You must list:
1) the name of your information officer in your PAIA manual
2) the name and details of your information regulator
3) the purpose for which personal information is processed
4) the type of personal information, which will be processed
5) to whom the personal information will be provided for
processing (i.e. the names of the operators)
6) the security measures in your practice
7) whether personal information will be transferred out of South Africa, indicating where it will be sent and what security measures are in place.
A final message
Patient information may only be used for the purpose for which it was originally collected, thereafter it must be destroyed. This depends on the HPCSA recommendations on the length of maintaining records and after considering the patient’s legitimate interests to hold this information for provision of future service.
Written consents must be obtained from all new and returning patients regarding processing of the information.
Staff must be trained in compliance with POPIA.
There is no one size fits all solution or tick-box exercise to bring you into perfect compliance with POPIA.
Each person in charge of a business needs to continually reassess their practice, and the information which they possess, and act responsibly, reasonably and accordingly.
There is nothing unusual about POPIA and it brings RSA’s privacy laws into line with the UK and Europe’s General Data Protection Regulations (GDPR) and the USA’s Health Information Portability and Accountability Act (HIPAA).
As healthcare professionals, you are trusted by your patients on a daily basis to safeguard not only their health, but also their privacy. For the vast majority of healthcare professionals, POPIA should not be a mammoth undertaking, but should merely codify and reinforce the good practice you are already following.
MPS will be hosting a webinar on POPIA on Tuesday 18 May 2021 at 19h00. Register here.
You can also review MPS’s POPIA factsheet.