Teaching and research
The National Health Act provides that identifiable information in a patient’s medical records may be used for study, teaching or research only with the authorisation of the patient, the head of the health establishment concerned and the relevant health research ethics committee. The Protection of Personal Information Act adds that no identifiable personal information may be used for study, research or teaching unless the patient has authorised the disclosure for that particular purpose.
Publishing case reports, photographs or other images
The HPCSA says that a patient’s express consent must be obtained before case reports, photographs or other images are published in media that the public can access. This rule applies whether or not the patient can be identified.15
Research and audit
If you are conducting your own clinical audit based on your patients’ personal information, including their medical records, you must obtain their authority to hold and process the information for that purpose. If it is necessary to include information that could be used to identify individual patients, you must always first secure the patient’s express consent.
Management and financial audit
Files relating to administration should be kept separately from the patient’s medical records.
Wherever possible, records used for financial audit by a third party (such as a medical scheme) should be anonymised and provided in accordance with the guidance issued by the HPCSA in its booklet, Confidentiality: Protecting and Providing Information. Disclosure of information should be limited to the relevant parts of the record.16
The National Health Act 61 of 2003 obliges healthcare providers to create and maintain a medical record for each of their patients. It also requires the person in charge of a health establishment to introduce control measures that restrict access to those records, and to the facility or system in which they are stored, to authorised personnel (see Box 8 below).
The Protection of Personal Information Act obliges you to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. Appropriate and reasonable measures include identifying all reasonably foreseeable internal and external risks to personal information in your possession or under your control, establishing and maintaining appropriate safeguards against the risks so identified, regularly verifying that the safeguards have been effectively implemented, and ensuring that the safeguards are continually updated in response to new risks or to deficiencies found in safeguards already in place (see section 19(1) and (2) of the Protection of Personal Information Act 4 of 2013).
The key to safeguarding your patients’ confidential information is a sensible records management policy incorporating strong security controls. The policy should apply to both computerised and manual records and include measures to protect the physical integrity of the records (see Appendix 3).
For comprehensive guidance on all aspects of records security, the ISO standard ISO/IEC 27002:2005 covers everything you need to know (and more) about averting threats to the confidentiality, integrity and availability of your records. It offers a menu of hundreds of suggested controls for a wide range of security issues, such as staff responsibilities and training, premises, business continuity, protocols and procedures, email and internet usage policies, and remote access. This standard has been adopted for use in South Africa as SANS 27002:2008. Note that the 2005 edition has since been revised (ISO/IEC 27002:2013 and ISO/IEC 27002:2022); the later editions reorganise the controls but address the same ground, so check which edition your auditor or medical scheme expects you to follow.
ISO/IEC 27002 covers all manner of threats to records, which can be bewildering for a non-expert. Fortunately, a standard aimed specifically at the health sector and drawing on ISO/IEC 27002 is available: ISO 27799:2008, Health Informatics: Information Security Management in Health, collects the guidance in ISO/IEC 27002 as it applies to healthcare organisations and explains how to apply it to health records. (It has since been revised as ISO 27799:2016.)
Box 8: NHA on protection of health records
Section 17 of the National Health Act makes the following provisions for the protection of health records:
17. (1) The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.
(2) Any person who:
(a) fails to perform a duty imposed on them in terms of subsection (1);
(b) falsifies any record by adding to or deleting or changing any information contained in that record;
(c) creates, changes or destroys a record without authority to do so;
(d) fails to create or change a record when properly required to do so;
(e) provides false information with the intent that it be included in a record;
(f) without authority, copies any part of a record;
(g) without authority connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history;
(h) gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;
(i) without authority, connects any part of a computer or other electronic system on which records are kept to:
- (i) any other computer or other electronic system; or
- (ii) any terminal or other installation connected to or forming part of any other computer or other electronic system; or
(j) without authority, modifies or impairs the operation of:
- (i) any part of the operating system of a computer or other electronic system on which a user’s records are kept; or
- (ii) any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept,
commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment.