Understanding POPI Act with regards to Healthcare Providers
TraumaCare follows all HPCSA guidelines and government guidelines regarding the protection of personal information. Should any TraumaCare clients have concerns about their personal information, please contact TraumaCare for clarification.
The universal right to privacy of personal information is soon to be enshrined in law in South Africa, bringing the country in line with existing data protection laws around the world. The Protection of Personal Information (POPI) Bill – soon to be passed as an Act – has implications for all medical practitioners, and this article looks at what the legislation explicitly means to Healthcare workers.
It is important to note that POPI does not replace the HPCSA’s existing guidance on safeguarding confidential patient data. The HPCSA’s Confidentiality: Protecting and Providing Information contains all the key information you need to know about ensuring confidentiality and the various guidelines surrounding disclosure of confidential information in different scenarios.
POPI affects all private and public organisations that process personal information such as names, addresses, email addresses, health information and employment history. It continues to apply when the processing of that data is outsourced to third parties: the organisation remains responsible for it.
The first relevant area concerns the collection of personal information. Under POPI, such information may only be collected for the specific purpose of providing services to a particular data subject (ie, patient). The same applies to a specialist who has received a patient's personal information from another healthcare practitioner: holding that information will only be regarded as in the patient's legitimate interests if the specialist is providing services to that patient.
A specific new obligation created by POPI is that once personal information has been collected from another source, the medical practitioner must take reasonable steps to inform the patient of this, together with the source of the information and the purpose for which it has been collected. This can be relayed to the patient either orally or in writing.
Any personal information you hold must be protected from loss, damage or unauthorised destruction, and unlawful access – you will be expected by law to implement reasonable technical and organisational measures to ensure this protection is in place.
However, POPI does make provision for the resources of an organisation, as well as the nature of the information itself, stating that these will be taken into account when deciding what technical and organisational measures are reasonable.
As a minimum, healthcare workers will be expected to identify all reasonably foreseeable internal and external risks, establish appropriate safeguards, and regularly review these safeguards and update them when new risks emerge. MPS recommends you carry out a risk assessment and draw up a protocol that sets out this information.
Examples of foreseeable risks are:
- Access to information
  - Any employee requiring access to patient information should be identified, and their employment agreements checked to ensure they have agreed in writing to treat all such information as strictly confidential.
  - Each staff member should be given their own login credentials to access the information, and passwords should be changed from time to time. A single generic password shared by all staff is not effective in preventing breaches of confidentiality, and it also makes it impossible to establish afterwards who actually accessed a record.
- Accidental destruction
  - 'Crashing' of hard drives or servers can lead to the destruction of personal information. Suitable backups, taken regularly, kept separately from the live system and tested to confirm they can actually be restored, should be in place to limit or prevent this.
  - Ensure hard copies of patient information are stored securely in locked filing cabinets or rooms. Patient files should never be left unattended on the reception counter of a busy waiting room.
Third party access
Under the terms of POPI, the arrangements around third party access to patient information broadly match the guidelines set out by the HPCSA. This means that patient consent is needed in most situations but is not necessary in others.
Another example of third party access is where an IT service provider has been tasked with installing new software in your practice or hospital. Under POPI such a provider is an "operator", and may only process personal information with the knowledge and authorisation of the responsible party (the practice or hospital), and only if the operator has agreed to treat all personal information it encounters as confidential. The operator must also notify the responsible party immediately if there are reasonable grounds to believe that information has been accessed by an unauthorised party. It is recommended that all of this is agreed in writing before the work begins.
Any suspicion, on reasonable grounds, that personal information has been accessed or acquired by an unauthorised person must be reported to both the affected patient and the Information Regulator.