Are you wondering how the Protection of Personal Information Act (POPI) will affect your organisation or the healthcare industry? Are you trying to determine what laws are relevant and how you can practice good governance? POPI (together with the Consumer Protection Act) is going to have an impact on doctors, healthcare professionals, medical aids, insurance companies, administrators and hospitals. Are you going to be able to continue processing personal information about a person’s health?
I recently gave a presentation at a healthcare summit on privacy, the protection of personal information and confidentiality as it relates to the healthcare industry. I thought I would share with you some of my insights to help you to get to grips with the issues. I also raise some questions to which I do not have the answers. I will also include the actual relevant sections of the laws.
This article does not deal with privacy generally, only privacy as it relates to healthcare.
You can read about the top risks related to privacy in a previous article. They apply equally to the healthcare industry. One example is the nurse. All over the world, people are particularly concerned about their privacy when it comes to health-related personal information. They want it to be confidential. Thinking of myself for example, Discovery Health knows everything about me. How many push-ups I can do, how short my hamstrings are, how many times and how often I fly, and what groceries I buy. It is important to me that I trust Discovery Health to look after that information that is very personal to me. If they do not protect my personal information and lose my trust, I will seriously consider moving to an organisation that I do trust.
The most important laws that relate to privacy and healthcare
- Common law obligation of confidentiality
- The Promotion of Access to Information Act (PAIA) – for example, a requester might be able to request access to the HIV status of another person
- Various medical laws or codes relevant to patient information (like the National Health Act, the Guidelines and the Ethical Charter, specifically Rule 2.3.8, Rule 5.4 and Rule 13 respectively. See also Confidentiality: Protecting and Providing Information)
These are not all of the laws, just some of the more important ones. It is important to look at all relevant laws when considering how they apply to an issue.
National Health Act
Section 11 of the National Health Act says the following:
1) A stem cell establishment shall ensure that all data, including genetic information, collated within the scope of these regulations and to which third parties have access remain confidential at all times.
2) For the purposes of subregulation (1), stem cell establishment shall ensure that:
a) data security measures are in place, as well as safeguards against any unauthorised data additions, deletions or modifications to donor files or referral records and transfer of information;
b) procedures are in place to resolve data discrepancies; and
c) no unauthorised disclosure of information occurs, whilst guaranteeing the traceability of donations.
Section 14 of the National Health Act says the following:
1) All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment, is confidential.
2) Subject to section 15, no person may disclose any information contemplated in … unless-
a) the user consents to that disclosure in writing;
b) a court order or any law requires that disclosure; or
c) non-disclosure of the information represents a serious threat to public health.
Section 15 of the National Health Act says the following:
15 (1) A health worker … that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user;
POPI and healthcare
The definition of personal information includes:
- “information relating to the … physical or mental health, well-being, disability … of the person”, and
- “information relating to the … medical … history of the person”.
Special personal information includes “information concerning the … health … of a data subject”.
There is an interesting distinction here. Medical history is about the past whereas health is about the present. Therefore, different rules apply to those two different kinds of personal information. This seems strange and could result in some interesting practical applications. When it comes to a person’s medical history the normal conditions under Part A of POPI apply.
Section 26 of POPI prohibits the processing of personal information concerning a person’s health. But then (under section 32(1)) the prohibition does not apply to the processing by various people or institutions, such as:
- medical professionals, healthcare institutions or facilities or social services,
- insurance companies, medical aid scheme administrators and managed healthcare organisations,
- schools, and
- any public or private body managing the care of a child
But that is not the end of the story. Many people will stop reading there and think that they have carte blanche. That is not the case. There are conditions and rules that need to be followed in each case. You need to read section 32 carefully. Section 32 also confirms the common law duty of confidentiality or creates it where it does not exist.
No need to panic
So, in a nutshell you can process personal information concerning a person’s health if:
- you follow the conditions and rules in section 32;
- you keep the personal information confidential; and
- you comply with the rest of the conditions in POPI.
You can also process a person’s medical history if you comply with POPI, especially the conditions for lawful processing under Part A of Chapter Three of POPI.
Some people even argue that POPI actually allows for greater processing of health personal information than has previously been the case. More organisations are permitted to do it and to a greater extent. Maybe healthcare institutions are better off under POPI? Maybe there is an opportunity to start processing health-related personal information more effectively to provide better care for patients.