Information about a person's health and health care is generally considered to be highly sensitive and personal, therefore deserving of the strongest protection under the law. This is according to Simone Gill, Director in the Technology, Media and Telecommunications (TMT) practice at Cliffe Dekker Hofmeyr business law firm.
Gill says that South African healthcare legislation and codes of conduct do account for this protection but that the Protection of Personal Information Bill, (PoPI Bill) will have a significant impact on data privacy, including in respect of personal healthcare information when it is promulgated.
“Non-compliance with the provisions of the PoPI Bill could result in either a fine or imprisonment,” Gill notes.
Mariska van Zweel, Associate in the TMT practice explains, “Even though the right to privacy is not absolute and may be disclosed under certain restrictive circumstances, personal health information contained in medical records is protected in South African healthcare legislation and the Constitution.
“The Health Professions Act (HPA) imposes guidelines and prescribes standards of competence on healthcare providers, including via the mandatory guidelines imposed by the Health Professions Council of South Africa (HPCSA) (a body established pursuant to the HPA), in terms of which medical practitioners may only disclose patient information with the express consent of a patient or when required:
- in terms of statutory provisions;
- at the instruction of a court or law; or
- where justified in the public interest.
“The HPCSA also imposes guidelines relating to storage, confidentiality and protection of patient information. In addition, the National Health Act, No 61 of 2003 (Health Act) specifically protects the privacy and confidentiality of patient records (which includes information pertaining to a patient's health status, treatment or stay in a health establishment) and provides, in particular, that such information may only be disclosed if the patient consents to disclosure in writing, or a court order or law justifies such disclosure, or where non-disclosure of such information represents a serious threat to public health,” says van Zweel.
She says that the current draft of the PoPI Bill defines 'personal information' widely and specifically includes information relating to the 'medical history of a person'. In addition, 'special personal information' as contemplated in the current draft of the Bill includes information concerning a person's 'health'.
Gill explains that the PoPI Bill prohibits the processing of special personal information.
“A limited number of exemptions do exist, including, without limitation, where the data subject has consented to the processing of health-related information and, specifically with regard to special personal information concerning a person's health, the processing of personal information by certain prescribed data processors, including (without limitation) medical professionals, healthcare institutions or social services (if such information is required for the proper treatment and care of a person), insurance companies, medical aid schemes, medical aid scheme administrators and managed healthcare organisations, who may process health care information if it is necessary for assessing risk to be insured or covered by a medical aid scheme, the performance of an insurance or medical aid agreement, or the enforcement of any contractual rights and obligations.
“Such data processors/responsible parties will however need to follow and comply with the processing conditions imposed by the Bill, including concerning patient consent, security of information and data subjects' rights to have access to and request correction of personal information,” Gill explains.
Health care information may only be processed where the processing is subject to an obligation of confidentiality by virtue of office, employment, profession, legal provision or as may be established by a written agreement between the responsible party and the person to whom the health care information relates. In terms of the Bill, any security breach resulting in the unauthorised disclosure of health information will have to be reported to the data subject in accordance with the provisions of the Bill.
“Although the Bill is not yet promulgated, its core principles are unlikely to change significantly. Although the Bill does provide for a one year compliance period, participants in the healthcare industry will, if they have not already done so, need to revisit and consider their processes and procedures to ensure that they are able to comply with the Bill.
“It is essential for organisations to implement awareness campaigns to ensure that staff and managers have a good understanding of their obligations under the Bill and applicable laws. It is to be noted that non-compliance with the provisions of the Bill may result in a civil damages claim or criminal prosecution resulting in a fine or imprisonment,” Gill adds.