As accredited healthcare professionals, you owe it to your patients to protect their data.
The Protection of Personal Information Act (POPIA), which became fully enforceable on 1 July 2021, puts a spotlight on how South African organisations collect, process, and store personal information.
The Act holds both individuals and entities accountable should personal information be abused or compromised in any way.
POPIA and the Healthcare Sector
Healthcare data, as some of the most sensitive and sought-after data, must be protected by every healthcare practice and practitioner. The practitioner/patient relationship is based on confidentiality, and POPIA looks to further safeguard that information and close gaps in how it was previously protected.
Adele Pretorius, Training Specialist for Altron HealthTech, a division of Altron, recently hosted a workshop entitled ‘A Simplified Guide to POPIA Practices’. In the presentation, she explained that POPIA brings a new facet to record keeping. “POPIA codifies personal information and access to it. Security, consent, data breaches and alignment to POPIA and the Promotion of Access to Information Act (PAIA) are essential in this regard.”
POPIA defines three roles that between them account for the flow of personal information in the healthcare sector:
- The responsible party: The practice and its practitioners are responsible for the patient’s personal information. They determine the purpose of, and the means for, processing personal information (PI).
- The data subject: The patient is the data subject, as the information collected relates to them.
- The operator: Anyone who processes personal information on the responsible party’s behalf in terms of a contract or mandate, without coming under its direct authority (for example, a billing bureau or a software vendor that hosts practice data). The responsible party remains accountable for what the operator does with the information.
Processing of Personal Information (PI)
The acronym PI (personal information) is used throughout POPIA. Processing covers anything done with PI: collection (via paper or online forms), storage (in yellow patient files or in electronic health record systems), modification, sharing (for instance with other medical professionals), destruction, and so on.
Personal information may only be processed if at least one of the following grounds (set out in section 11 of the Act) applies:
- Data subject consent has been given.
- It is necessary for the performance of a contract in which the data subject is a party.
- Processing complies with an obligation imposed on the responsible party by law.
- Processing protects a legitimate interest of the data subject.
- Processing is necessary for pursuing the legitimate interests of the responsible party, or of a third party to whom the PI is supplied.
- It is necessary for the performance of a public law duty by a public body.
But the question must be asked: “How does this differ from, and affect, the Hippocratic oath that all Health Professions Council of South Africa (HPCSA) members swear to?”
Medical professionals have always been governed by their own set of moral principles to protect their patients’ privacy. Informed consent, probity, and confidentiality guide the healthcare industry as we know it, and this remains the case.
The most pertinent point to note is that POPIA (sections 26 to 33) classifies information about a data subject’s health or sex life as special personal information. Processing such information is prohibited in general (section 26), but section 32 specifically authorises medical professionals, healthcare institutions and facilities to process it where this is necessary for the proper treatment and care of the data subject or for the administration of the practice. It is therefore not an exemption from the Act: the information may be processed, but it must be treated as confidential, unless the party is required by law to disclose it to other parties.
How to Get Consent When Collecting Personal Data
In line with POPIA, both new and existing patients must sign a consent form. Consent must be voluntary, specific and informed.
Where the patient cannot give consent themselves, it may be given on their behalf by a person who is educated, trained and qualified to do so. Consent must be informed: the person consenting must have enough knowledge of the treatment and an understanding of the risks involved, and must be aware of, and act in accordance with, the HPCSA’s rules and regulations on consent.
In a medical emergency, treatment may proceed without consent where this is necessary to save a life.
Finally, section 34 prohibits the processing of personal information concerning a child unless the processing is authorised under section 35, for example with the prior consent of a competent person (someone legally competent to consent on the child’s behalf, typically a parent or guardian), where the child has deliberately made the information public with that person’s consent, or where it is for historical, statistical or research purposes that meet certain criteria.
Securing, Storing, and Destroying of Data
Information must be kept confidential and protected against loss, unauthorised access and unauthorised destruction (section 19). Risk assessments must be carried out and documented regularly, regardless of the size of the practice, and the safeguards must be updated as new risks are identified.
Any operator that contracts to your practice, including the likes of Altron HealthTech, must comply with POPIA, and section 21 requires that the relationship be governed by a written contract obliging the operator to maintain the section 19 security measures. A practice’s staff should sign written confidentiality agreements and be encouraged to attend POPIA seminars.
How Altron HealthTech Processes Your Data
Altron HealthTech’s security safeguards for its healthcare products are as follows:
Online products (Elixir Live, HEALTHOne, MediSwitch):
- All personal information in these products is encrypted in transit and at rest.
- Only authorised staff have access to these systems and the data they contain.
- Organisational security controls are in place to prevent unauthorised access to information (e.g., physical access controls, firewalls, username/password logins, backups, and disaster recovery processes).
MedeMass Plus (ME+) and Elixir Classic
- We do not have access to the data in these systems. Physical access to the data and encryption at rest are the responsibility of the practice.
- Access to the data in these systems during a support call-out is always subject to the practice’s permission.
- Data in transit to the MediSwitch SwitchOn service is encrypted.