The POPI Act and handling of medical information
With personal information becoming more accessible and easier to manipulate, POPI legislation is imperative for the protection of businesses and individuals.
The Information Regulator is making solid progress towards the effective implementation of the Protection of Personal Information Act (POPI Act) and recently published the draft POPI Regulations on which individuals can submit commentary by no later than 7 November 2017. The POPI Act promotes the protection of personal information by all public and private entities.
In principle the draft POPI Regulations are administrative in nature and will not necessarily assist individuals to interpret the POPI Act or make it easier to comply with. There are no clear controls and the relevant party is responsible for applying the conditions to their specific circumstances and working environment.
How will this affect your business?
Since personal information is becoming more accessible and easier to manipulate, duplicate, delete and abuse across multiple platforms, the POPI legislation is imperative for the protection of businesses and individuals. It’s all about safeguarding the personal information entrusted to you by your customers and clients. If you act recklessly with this information, you not only face regulatory sanctions, but also run the risk of damaging business relationships and being held liable for civil damages.
The POPI Act has particular implications for all medical practitioners as it aims to protect special personal information such as HIV status and biometric and medical information of individuals. In this article we take a closer look at medical information.
Who has access to medical information?
Handling medical information is primarily the responsibility of the following individuals:
This includes individuals who work for:
- GP practices
- Medical aid schemes
- Pension funds
- Insurance companies
- Social services
- Policy makers
- Employers, etc.
HPCSA and POPI
It is worth noting that no amendments made to the POPI Act will replace or change the regulations set by the Health Professions Council of South Africa (HPCSA). The confidentiality policy, which ensures the protection of information, will still apply. It is useful to note, however, that regulations governing third party access to information are very similar for both POPI and HPCSA. Permission to disclose confidential information has to be obtained in written or verbal format. The objective of POPI, together with the provisions set by the HPCSA, is to protect personal information from unauthorised modification, destruction or access.
The POPI Act states that when a medical professional obtains personal information from another source, he/she must make a reasonable effort to inform the patient. Firstly the patient must be informed, after which access must be requested from the party dispensing the information. The reason for requiring access to the information must be clearly stated.
Whether your business is a dental practice, a medical aid scheme or within a similar environment, we recommend you talk to your IT supplier to ensure that you are protecting your patients’ information. This is where all information protected by POPI is stored centrally. You need to make sure it is safer than Fort Knox to prevent those with access to the information from using it unethically. However, IT protection is not sufficient. All personal and special personal information on hard copy must also be protected against modification, destruction or undue access.
Health information processors have been invited to comment on the amendments to the POPI Act and to indicate whether there should be prescribed rules for processing health information and what those rules should be. Ensure that your business is compliant and that the privacy of your patients, customers and clients is respected.