Are you interested in privacy in healthcare? Are you wondering how the Protection of Personal Information Act (POPI Act or POPIA) will affect your organisation or the healthcare industry? Are you trying to determine what laws are relevant and how you can practice good governance?

The POPI Act (together with the Consumer Protection Act) is going to have an impact on doctors, healthcare professionals, medical aids, insurance companies, pathologists, administrators and hospitals. It is also going to have an impact on organisations that need to protect employee personal health data (like a mine or manufacturer). When can you process personal information about a person’s health? This becomes all the more urgent and important in the context of the coronavirus.

In this article we share some insights about privacy, the protection of personal information and confidentiality as it relates to the healthcare industry. We include the actual relevant sections of the laws. This article does not deal with privacy generally, only privacy as it relates to healthcare. If you find this article useful, you might want to join our programme and work through the data protection in healthcare lens.

Why is privacy in healthcare important?

There is significant harm that people can suffer if organisations do not protect their personal health data. People can have their money stolen, suffer bodily harm (for example, receive the wrong treatment or commit suicide after receiving the wrong test result), or be discriminated against (for example, after a community finds out what disease they have).

All over the world, people are particularly concerned about their privacy when it comes to health-related personal information. They want it to be confidential. Thinking of myself, for example, Discovery Health knows everything about me: how many push-ups I can do, how short my hamstrings are, how many times and how often I fly, and what groceries I buy. It is important to me that I trust Discovery Health to look after that information that is very personal to me. If they do not protect my personal information and lose my trust, I will seriously consider moving to an organisation that I do trust.

The risks of non-compliance for organisations and individuals related to privacy are significant. They apply equally to the healthcare industry. One good example is the nurse.

Examples of failing to protect personal health data

A US healthcare provider publicly displayed the HIV status of thousands of people by using envelopes with a window that was too big, which enabled anyone to see the HIV status of the recipient of the letter.

Another example is the Ashley Madison hack. Ashley Madison is a website where people could have an affair. It is a dating site for people wanting to cheat on their spouse. The tagline was “life is short, have an affair”. Hacktivists (hackers who are activists) didn’t like the website, so they hacked it, got the database and published it. They provided a search facility so that people could go and check whether their spouse or partner had been cheating on them. As you can imagine, it had very serious consequences: many marriages broke up or ended, and various people committed suicide.

There are many other examples.

The most important laws that relate to data protection in healthcare

  1. Constitution
  2. Common law obligation of confidentiality
  3. The Promotion of Access to Information Act (PAIA) – for example, a requester might be able to request access to the HIV status of another person
  4. Various medical laws or codes relevant to patient information (like the National Health Act, HPCSA Ethical guidelines for good practice in the health care professions and the Ethical Charter, specifically Rule 2.3.8, Rule 5.4 and Rule 13 respectively. See also Confidentiality: Protecting and Providing Information)
  5. The POPI Act or POPIA
  6. Rules for the processing of health information or sex life

These are not all of the laws, just some of the more important ones. It is important to look at all relevant laws when considering how they apply to a particular issue. In this article, we are just going to look at two laws and how they interact. You can also read more about information security legal requirements in different healthcare laws.

Which law prevails?

Whichever provides the patient with greater protection or rights (the more extensive provisions) prevails. This often means that healthcare law (like the National Health Act) prevails over data protection law (POPIA). For this reason, it is very important to create a matrix of all applicable laws to help you work out which one prevails in a particular case.

National Health Act (NHA)

A patient’s information is confidential and a person may only disclose it in certain circumstances

All information concerning a user (including information relating to his or her health status, treatment or stay in a health establishment) is confidential (section 14). No person may disclose any information unless:

  • the user consents to that disclosure in writing;
  • a court order or any law (like PAIA or section 15 of the NHA) requires that disclosure; or
  • non-disclosure of the information represents a serious threat to public health.

A health worker may disclose for a legitimate purpose in the interests of a patient

“A health worker … that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user.” (section 15)

A healthcare provider may access health records

A healthcare provider may examine a user’s health records for the purposes of:

  • treatment with the authorisation of the user; and
  • study, teaching or research with the authorisation of the user, the head of the health establishment concerned and the relevant health research ethics committee (section 16).

A health establishment must protect health records

The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which they keep those records (section 17). Section 17 also says that anyone who fails to do so commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year, or to both a fine and imprisonment. The person in charge of a health establishment, such as a hospital or doctor’s practice, therefore needs information security controls to prevent unauthorised access to a user’s health records.

Stem cell data is confidential

Section 10 of regulation R183 of the National Health Act says that an authorised stem cell bank must ensure that all data (including genetic information, collated within the scope of this regulation) remain confidential at all times, including ensuring that:

  • data security measures are in place as well as safeguards against any unauthorised data additions, deletions or modifications to donor files or deferral records and transfer of information;
  • procedures are in place to resolve data discrepancies;
  • no unauthorised disclosure of information occurs, whilst guaranteeing the traceability of donations; and
  • anonymity and privacy of donors are protected.

The POPI Act and healthcare

The definition of personal information includes:

  • “information relating to the … physical or mental health, well-being, disability … of the person”, and
  • “information relating to the … medical … history of the person”.

Special personal information includes “information concerning the … health … of a data subject”. A person’s current coronavirus status is definitely special personal information. Sometime after that, it might become the medical history of the person and therefore only personal information.

There is an interesting distinction here. Medical history is about the past, whereas health is about the present. Therefore, different rules apply to those two different kinds of personal information. This seems strange and could have some interesting practical consequences. When it comes to a person’s medical history, the normal conditions under Part A of POPIA apply. But when it comes to health, the authorisations for special personal information apply. Section 26 of POPIA prohibits the processing of personal information concerning a person’s health. But then (under section 32(1)) the prohibition does not apply to processing by various people or institutions, such as:

  • medical professionals, healthcare institutions or facilities or social services,
  • insurance companies, medical aid scheme administrators and managed healthcare organisations,
  • schools, and
  • any public or private body managing the care of a child.

But that is not the end of the story. Many people will stop reading there and think that they have carte blanche. That is not the case. There are conditions and rules that need to be followed in each case. You need to read section 32 carefully. Section 32 also confirms the common law duty of confidentiality, or creates it where it does not exist.

You can process personal information concerning a person’s health if authorised

No need to panic

So, in a nutshell, you can process personal information concerning a person’s health if you:

  1. follow the conditions and rules in section 32 of POPIA;
  2. keep the personal information confidential; and
  3. comply with the rest of the conditions in POPIA.

You can also process a person’s medical history if you comply with points 2 and 3.