As accredited healthcare professionals, you owe it to your patients to protect their data.
The Protection of Personal Information Act (POPIA), which came into effect on July 01, 2021, puts a spotlight on how South African organisations collect, process, and store data.
The Act holds both individuals and entities accountable should information be abused or compromised in any way.
Healthcare data – as some of the most sensitive and sought-after data – must be protected at all costs by every healthcare practice and practitioner. The practitioner/patient relationship is based on confidentiality, and the POPI Act looks to further safeguard data and address previous vulnerabilities.
Adele Pretorius, Training Specialist for Altron HealthTech, a division of Altron, recently hosted a workshop entitled ‘A Simplified Guide to POPIA Practices’. In the presentation, she explained that POPIA brings a new facet to record keeping. “POPIA codifies personal information and access to it. Security, consent, data breaches and alignment to POPIA and Promotion of Access to Information Act (PAIA) are essential in this regard.”
The acronym PI (personal information) is often used in connection with POPIA. In the healthcare sector, processing refers to anything done with PI. This includes collection (via paper or online forms), storage (in yellow files or electronic health record systems), modification, sharing (for instance with other medical professionals), destruction, etc.
But the question must be asked: “How does this differ and affect the Hippocratic oath that all Health Professionals Council of South Africa (HPCSA) members swear to?”
Medical professionals have always been governed by their own set of moral principles to protect their patients’ privacy. Informed consent, probity, and confidentiality guide the healthcare industry as we know it, and this remains the case.
The most pertinent point to note is that POPIA (Sections 26 – 33) exempts the healthcare sector from the prohibition on collecting data relating to a data subject’s health or sex life. Sensitive information such as this can be processed, but it must be treated as confidential unless the party is required by law to disclose it to other parties.
In line with POPIA, both new and existing patients must sign a consent form. This must be informed and voluntary.
In a case where consent cannot be obtained, the task may be delegated to a person educated, trained, and qualified to give consent. The patient must have enough knowledge of the treatment and an understanding of the risks involved. They must also be aware of the HPCSA’s rules and regulations related to consent and must act in accordance.
Where consent cannot be given, treatment can continue without consent in the case of a medical emergency and to save a life.
Finally, Section 34 prohibits the processing of information concerning a child unless there is authorisation to do so in terms of Section 35. The prohibition also does not apply where the information is made publicly available by the child with the consent of a competent person, or where it is for historical, statistical, or research purposes that meet certain criteria.
Information must be kept confidential and protected against loss, unauthorised access or unauthorised destruction. Risk assessments must also be carried out and documented – regularly – regardless of the size of the practice.
Any operators that contract to your business, including the likes of Altron HealthTech, must align with the tenets of POPIA. A practice’s staff should sign written agreements and be encouraged to attend POPIA seminars.
Altron HealthTech’s security and safeguarding solutions for the healthcare sector are as follows:
To conclude, Altron HealthTech is guided by Altron’s PAIA and privacy policy in compliance with South African legislation. As responsible and ethical corporate citizens, we respect all our customers and value your information, and strictly comply with POPIA in all aspects of our business – including our call centre and direct marketing communications.