The Lawful Processing of Health Information in honour of World Cancer Day


In honour of World Cancer Day, it is important to shed light on the processing of health information and how this should be conducted correctly, as per the Protection of Personal Information Act 4 of 2013 (POPI). Health information is classified as Special Personal Information in terms of POPI and therefore enjoys a higher level of protection. This means that we need to be aware of what processing is allowed by POPI and what is not. Section 26 of POPI prohibits the processing of any Special Personal Information, subject to section 27 (General authorisation to process special personal information).

Prior to the enactment of POPI, the National Health Act, 2003 (NHA) was the direct piece of legislation dealing with issues pertaining to personal health information. Chapter 2 of the NHA sets out the rights and duties of users and healthcare personnel and has specific provisions dealing with:

· Confidentiality;

· Access to health records; and

· Consent to disclosure of health information pertaining to patients.

Under POPI, personal health information is considered special personal information. This requires a higher standard of care than ordinary forms of personal information. Healthcare institutions are authorised by POPI to access, examine and disclose personal health information for the proper treatment and care of patients or the administration of a health institution. For this, consent is not specifically required in terms of POPI.


Section 32 of POPI makes provision for the authorisation of processing a data subject’s health information. Directly from the Act are the below provisions:

(1) The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by—

(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;

(b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for—

(i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;

(ii) the performance of an insurance or medical scheme agreement; or

(iii) the enforcement of any contractual rights and obligations;

(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;

(d) any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;

(e) any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or

(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—

(i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or

(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.

(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

(3) A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).

(4) The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.

(5) Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—

(a) a serious medical interest prevails; or

(b) the processing is necessary for historical, statistical or research activity.

(6) More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).



Healthcare practitioners are under a legal and professional duty to maintain the confidentiality of patient health information in terms of the National Health Act and the Health Professions Act. POPI continues this requirement, while strengthening the legislative framework for data privacy and protection in South Africa.



Furthermore, healthcare institutions may disclose personal information if required by law, for example, where access to information is requested by a valid requestor in terms of the Promotion of Access to Information Act, 2000, or in responding to the Information Regulator or the Office of Health Standards Compliance. Where any third party processes personal information on another party’s behalf, it will also need to establish and maintain security measures as required by POPI, and there needs to be a contract that governs the relationship between the Responsible Party and the third-party operators.

This is relevant where medical scheme administrators ask health institutions and healthcare providers to collect or provide information concerning their members.


A question that naturally arises is when healthcare providers will be found liable. The Health Professions Council of South Africa (HPCSA) sets out basic guidelines on protecting personal information and indicates that unlawful disclosure of personal information largely occurs in the following ways:

· Personal information was obtained without specific consent;

· Personal information was accessed unlawfully and the healthcare professional failed to report the breach to the patient and the Information Regulator;

· The healthcare professional failed to take reasonable steps to prevent unlawful disclosure of personal information;

· Reasonable harm or distress was caused to the patient.


Examples of unlawful processing of information are as follows:

· Taking a photograph with a private mobile device without the patient’s consent;

· Storing personal information of a patient on any data-storage device or cloud without restricted access;

· Storing personal information (hard copy or electronically) for more than 5 (five) years without it having any legal, research, historic or administrative value;

· Deleting metadata that relates to electronic information.

This places an onus on the healthcare professional to ensure that personal information is protected and that the role players are educated on the lawful processing of personal information in order to prevent severe penalties, including monetary compensation of up to R10 million or imprisonment for up to 10 (ten) years.

The following recommendations apply:
· Healthcare professionals should ensure that information is obtained with written consent and used for a specific purpose and that all information is kept confidential.

· Any disclosure of personal information should be minimised, and anonymity should always take preference. The HPCSA and the POPI Act emphasise that clerks and administration staff should be trained in patient confidentiality, retention and disclosure.

· When publishing personal information, healthcare professionals should de-identify personal information.

· Healthcare professionals should not discuss patients or leave patient information in a vulnerable area where unlawful disclosure will be a risk.

· Personal information sent and stored in electronic format may be intercepted; therefore, special precautions should be taken to ensure security of information. Appropriate professional assistance is advised, and should be recorded, to protect personal information before connecting to any network.

· These recommendations should be addressed in a policy and distributed throughout the workplace to everyone who has access to patient files. This is one of the reasonable measures required by POPI.



In terms of Section 60 read with Section 61 of POPI, the Information Regulator may issue codes of conduct that are binding on a specified class of persons (or class of information), and must incorporate all the conditions for the lawful processing of information as well as prescribe how the conditions for the lawful processing of information are to be applied or complied with, given the sector in which the class of persons operates. This may well include guidelines for the healthcare industry. As and when these codes of conduct materialise, they will provide added comfort to both healthcare professionals and patients alike in protecting and preserving the integrity and privacy of personal health information.


In terms of Section 68 of the Act, if a code of conduct is issued in terms of section 60, failure to comply with the code is deemed to be a breach of the conditions for lawful processing of personal information and shall be dealt with in terms of Chapter 10 through Enforcement Committees.
