The Protection of Personal Information Act 4 (POPI) came into operation on 1 July 2020, however, businesses have until 1 July 2021 to become compliant and from this date, the POPI Act will be enforceable. A year was given to ensure compliance in businesses. The only section currently enacted is the establishment of the Information Regulator. This act places an extra responsibility on doctors to monitor and self-report their flow of personal information to help protect patient privacy.
What does it mean for medical professionals?
POPI affects all healthcare service providers in the private and public sectors that process personal information such as names, addresses, email addresses, health information and employment history.
It does not replace the HPCSA’s existing guidance on safeguarding confidential patient data as laid out in Booklet 5 – Confidentiality: Protecting and Providing Information.
One of the guidelines is where a healthcare practitioner may share information with other healthcare practitioners within the health care team without the consent of the patient. It is important to make patients aware of this possibility and that express consent is not needed to disclose the information to other healthcare practitioners (guideline 7). An example of this is where a patient has consented to a GP examining, diagnosing and treating a condition and the GP then refers the patient to a specialist – the information about the patient is relayed to a medical secretary to type a referral letter and the information is then relayed to the specialist. It is important to note that patient confidentiality is always of utmost importance.
Collecting personal information
Under POPI, personal information may only be collected for the specific purpose of providing services to a patient. If another Dr provides you with a patient’s personal information, it will only be in the patient’s legitimate interests for you to hold this information if you are providing your services to the patient too.
Once the personal information has been collected from another source, the medical practitioner must take reasonable steps to inform the patient of this, together with the source of the information and the purpose for which it has been collected. This can be relayed to the patient either orally or in writing.
Preserving personal information
Any personal information you hold must be protected from loss, damage, unauthorised destruction and unlawful access. Your practice should implement reasonable technical and organisational measures to ensure this. The resources of your practice will be considered as well as the nature of the information when determining reasonable measures.
As a minimum, Doctors are expected to identify all reasonably foreseeable internal and external risks, establish appropriate safeguards and regularly review these. Examples of foreseeable risks are:
Access to information
- Employees requiring access to patient information should be identified and should have employment agreements that include a clause to keep the information strictly confidential;
- Employees should have individual passwords to access patient information, which are updated from time to time – generic passwords in a practice are not acceptable.
- Hard drive or server crashes can destroy personal information thus ensure suitable back up is in place to limit or prevent this.
- Ensure hard copies of patient personal information are stored securely in locked filing cabinets or rooms and that files are not left unattended.
Under terms of POPI, the arrangement around third-party access to patient personal information broadly match the guidelines as set out in the HPCSA guidelines which require patient consent in most instances.
All third-party agreements need to be in writing with an undertaking to advise if any information and data breaches have been experienced. Patients are to be made aware of third parties e.g. if data is stored off-site.
Any suspicion on reasonable grounds that personal information has been accessed or acquired by an unauthorised person must be reported to both the patient and the Information Regulator. Notification must be in writing and must provide sufficient information to allow the patient to understand:
- The possible consequences of the unauthorised disclosure for him/her
- A description of the measures that you intend to take to protect his/her interests
- The identity of the individual who made the unauthorised access, if this is known
It is important that the responsible party, i.e. the healthcare practitioner, can show that all reasonable steps were taken to protect the data of the patient. It is suggested that:
- Risk assessments are done in the practice
- POPI training is provided to staff, and proof of training is kept
- IT specialists are used to assist the practice in safeguarding information
Failure to comply with POPI
Failure to comply with the provisions of POPI can potentially lead to:
- A complaint lodged with the Information Regulator
- A civil claim for payment of damages
- Criminal prosecution with a fine of up to R10million or prison sentence or even both.
For more information, see Confidentiality – General principles.