As Dirk Hammann, legal adviser to Altron HealthTech, explains, the new POPIA law stands to impact how healthcare practitioners process, capture, store and transmit patient data. Furthermore, healthcare providers are responsible for ensuring compliance.
“The obligation for compliance with POPIA is on the ‘responsible party’, meaning a person or body who, alone or in conjunction with others, determines the purpose of and means for processing personal information.” The healthcare provider is the responsible party in respect of its, his or her patients’ personal information. “If a healthcare practitioner asks another party to process that personal information on their behalf, then they are required to enter into a written contract with the other party, also known as an ‘operator’, to make sure that the information is securely handled,” he adds.
What kind of healthcare data is subject to POPIA?
Essentially all ‘personal information’ relating to “an identifiable, living, natural person or juristic person” processed by a healthcare practitioner is subject to POPIA. According to POPIA, personal information is defined by a non-exhaustive list of identifying characteristics that include, but are not limited to, medical and financial history, marital status, culture and language.
Hammann adds that there is an additional category that relates to ‘special personal information’ as defined by Section 26 of POPIA that healthcare practitioners need to take note of. This prohibits the responsible party from processing personal information concerning:
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information
- The criminal behaviour of a data subject.
“However, in terms of section 27, the prohibition on processing special personal information does not apply in cases where the data subjects have given their consent, where it is legally obligated, where processing is for historical, statistical or research purposes subject to certain conditions, and if the processing is by medical professionals, healthcare institutions or facilities or social services, as long as (such as in the case of the medical professional) there is an obligation of confidentiality. But this does not mean that healthcare providers have free rein to do with the personal information of their patients as they please.” “As ‘responsible parties’, they still have to comply with the eight conditions for lawful processing of personal information under POPIA,” says Hammann.
Failure to comply
Hammann stresses that the penalties for failing to comply by the specified deadline are severe.
The Information Regulator that oversees compliance with POPIA is authorised to stop a practice or institution from processing information if it is found to be non-compliant – essentially shutting down operations. “For the more serious offences, the maximum penalties are a R10 million fine or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment. The practice will also suffer reputational harm and may be sued for civil damages, whether or not there is intent or negligence on the part of the practice or practitioner.”
“With these penalties in mind, we urge healthcare practitioners to review their personal information processing activities and make the changes as needed before 1 July 2021,” says Hammann.
Wayne Botha, Altron HealthTech Head of Technology, echoes Hammann’s recommendation that healthcare practitioners review their current processes to avoid penalties. “The same measures have been implemented internally throughout Altron HealthTech to reassure clients and to be compliant with the new laws ourselves. As a trusted healthcare technology solutions provider, Altron HealthTech has taken every step to ensure that the technology solutions we provide enable our clients to become POPIA compliant,” he says.
Botha explains that while Altron HealthTech cannot guarantee the ‘human element’ of POPIA compliance — i.e., ensure that healthcare practitioners hold up their end of the bargain — Altron HealthTech systems comprise all the sound building blocks that healthcare professionals need to ensure their compliance.
“POPIA stipulates certain conditions on how healthcare data must be handled and protected, and these concerns are addressed by Altron HealthTech’s service offerings including Access Management and Data Security,” he says. “Another important aspect to consider is our Cloud-Based Hosting Solutions. Customers who entrust Altron HealthTech with the secure online storage of their data do not have to take on the challenge of ensuring POPIA compliance in their storage methods. We provide the assurance that the data is stored securely.”
Cutting-edge technology essential to ensure compliance
Bringing the POPIA discussion back to the technology used by Altron HealthTech customers, Botha explains that for healthcare practitioners to ensure that their data is secure, it is essential that they adopt newer technologies. “We are aware of healthcare practitioners who are still using the Windows XP operating system (originally released to the public in 2001) to process their patient data. Microsoft ended support for this system in 2014. These systems are extremely vulnerable to cybersecurity threats, and it would be very difficult to attain POPIA compliance on them.” In keeping with Microsoft’s security updates, Altron HealthTech has been developing its products using newer Microsoft technologies. “Customers who want to run the most recent versions of our products to ensure that their data is securely stored and compliant under POPIA must update their systems.”
Finally, while the journey to POPIA compliance for healthcare practitioners is complex and subject to detailed legal criteria, Botha believes that the best way to start is by understanding the intent of the Act. “Explain to your staff why the Act came about, and how it serves to protect the personal information and privacy of patients. Communication is key to compliance, and once that is understood, POPIA can be viewed as a tool to provide both privacy and security rather than an administrative hassle,” he concludes.