Etienne Dreyer and Leanne Mandim investigate the impact of the Protection of Personal Information Act on medical schemes
The Protection of Personal Information Act 4 of 2013 (POPI Act) was signed into law by the President on 26 November 2013. The President is yet to appoint a regulator and announce the commencement date of the Act, following which entities will have one year to become compliant.
The promulgation of the POPI Act requires all stakeholders in the healthcare industry to become compliant. This entails addressing the impacts on the processing of personal health information for all responsible parties, which include the medical scheme, administrator, managed care entities and third-party service providers, and, importantly, for the data subject, who is the end-user of the healthcare services.
In South Africa there are numerous Acts that each touch on the roles and responsibilities for the protection, collection, usage, storage and processing of personal health information. Some of these Acts are:
• The Medical Schemes Act 131 of 1998
• The National Health Act 61 of 2003
• The Health Professions Act 56 of 1974 and regulations and ethical guidelines of the Health Professions Council of South Africa (HPCSA)
• The Electronic Communications and Transactions Act 25 of 2002
• The Children’s Act 38 of 2005
• The Mental Health Act 17 of 2002
• The Constitution of the Republic of South Africa 108 of 1996
• The Promotion of Access to Information Act 2 of 2000
Some commonalities across these Acts address issues such as:
• Who is accountable for the protection of personal information?
• What are the ethical considerations of healthcare practitioners and personnel in healthcare settings?
• What are the considerations for sharing of health information and what is the purpose of doing so?
• What are the processes for consenting to information-sharing?
• Why do we need to be sensitive to personal health information, and what is the role of de-identification and anonymisation of personal information?
• How can the collection of information be used for research purposes?
• What are the roles and responsibilities of key stakeholders in the process?
POPI needs to be considered in parallel with the above legislation as it does not supersede any existing laws.
WHAT IS THE IMPACT?
The impact of POPI across South African industries has to be considered within each industry’s unique and special circumstances. There are, however, commonalities across industries, for example:
• The need to understand how the processing of personal information affects the ways in which people interact with each other
• Sharing of information in call centre environments
• The completion of required documentation (for example when opening a new transacting account)
• Signing in at a company’s security gate
In the medical scheme industry, identified stakeholders, to mention but a few, include:
• The medical scheme itself
• The Regulator
• Managed care organisations
• Healthcare service providers
• Brokers
• Call centre healthcare consultants
• Data management companies
• Pharmacy management systems, and
• Practices
The ways in which personal health information is processed in this environment are intricate and require attention to its safeguarding, review of existing security measures, ethical considerations, education for all role-players, compliance, process review, risk assessment, and understanding of the implications of possible data breaches. The impact of a possible data leakage on the reputation of a healthcare service provider should not be underestimated in the context of POPI.
The diagram below highlights the various points of data flow in a typical third-party open medical scheme environment.
One of the key considerations when viewing this diagram is to conceptualise the requirements of POPI for the processing of this health information, for example:
• From the point of gaining consent for membership
• Getting pre-authorisation for a needed treatment
• Sharing information for the benefit of the management of the healthcare condition
• The treatment of the condition
• Claiming for the medical procedure
• Online application for further medical benefits needed
• Safe and secure storage of the data collected
• The use of the collected data for predictive modelling
Evaluating the relevance and requirements of collecting, processing, storing and securing personal health information at each point of interaction is the responsibility of each stakeholder in the healthcare system.
PRACTICAL CONSIDERATIONS
We include the following three areas to consider when assessing the impact of adhering to the conditions for the processing of personal health information.
While health information can be processed under the provisions of the Act, there are adherence criteria which each healthcare stakeholder needs to consider and abide by. Should there be any reported incident of leaking of personal health information, or use of information without the consent of the member, the onus is on the medical scheme to show what efforts were made to prevent this from occurring.
Websites
The ways in which healthcare services are accessed in South Africa can range from paper-based access, face-to-face interactions, and telephonic consultations to online platforms such as the use of online registration for various medical scheme benefits, access to statements, updating member information through smartphone applications, and using online tools to monitor health improvements.
Whilst most medical schemes and administrators of schemes have controlled access platforms for information, the confidentiality of the dependant’s information is often overlooked and divulged to main members regardless of the dependant’s age (for example viewing a child dependant’s information versus that of a divorced spouse still registered as a dependant). In addition, the dependants will need to consent to allow the main member access to their information.
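The dependant-access gap described above comes down to an authorisation rule that the portal must apply on every request. The following is an added example (not from the article or any scheme's system) of such a rule: a main member may view a child dependant's statement, but an adult dependant's statement only with that dependant's recorded consent, and every decision is written to an audit trail so the scheme can later show what it did to prevent disclosure. The age threshold of 18, the consent flag and the sample records are all assumptions constructed for the example.

```python
"""Consent-gated access to a dependant's records (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ADULT_AGE = 18  # assumed threshold; the article does not state one


@dataclass
class Dependant:
    dependant_id: str
    age: int
    consents_to_main_member_view: bool = False  # assumed: consent stored as a flag


@dataclass
class Membership:
    main_member_id: str
    dependants: Dict[str, Dependant] = field(default_factory=dict)
    statements: Dict[str, List[str]] = field(default_factory=dict)  # health detail, not just codes
    audit: List[Tuple[str, str, bool, str]] = field(default_factory=list)


def decide(m: Membership, requester_id: str, dependant_id: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for requester viewing the dependant's statement."""
    dep = m.dependants.get(dependant_id)
    if dep is None:
        return False, "unknown dependant"
    if requester_id == dependant_id:
        return True, "data subject viewing own record"
    if requester_id != m.main_member_id:
        return False, "requester is not the main member"
    if dep.age < ADULT_AGE:
        return True, "child dependant: main member may view"
    if dep.consents_to_main_member_view:
        return True, "adult dependant has consented"
    return False, "adult dependant has not consented"  # the divorced-spouse case


def view_statement(m: Membership, requester_id: str, dependant_id: str) -> Optional[List[str]]:
    """Apply the rule, record the decision (allowed or denied), return data only if allowed."""
    allowed, reason = decide(m, requester_id, dependant_id)
    m.audit.append((requester_id, dependant_id, allowed, reason))
    return m.statements.get(dependant_id, []) if allowed else None


def demo() -> Membership:
    """Constructed sample membership: one child dependant, one adult ex-spouse still registered."""
    m = Membership("M001")
    m.dependants["D-child"] = Dependant("D-child", 9)
    m.dependants["D-spouse"] = Dependant("D-spouse", 41)
    m.statements = {"D-child": ["2023-05-01 consult: tonsillitis"],
                    "D-spouse": ["2023-06-12 consult: counselling session"]}
    return m
```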
Communication
The communication processes followed by medical schemes are pivotal for keeping members informed, updated, and engaged with the management of their personal health. Some examples to consider within communication streams include debt collection, distributing statements of accounts with descriptions of health events and not just the required coding, medical files left on a desk unguarded, personal health information waiting for collection on a printer, and so on. In all of these situations, the use, purpose and quality of that communication should be in alignment with the legislation defined by the POPI Act.
Internal policies
To ensure good governance of data privacy and protection, the scheme needs to be supported by up-to-date policies that guide all aspects relating to people, processes and technologies toward compliance. Consideration, review and revision of policies may be needed in the following areas (listed as examples):
• Data security policy
• Data warehousing back-up facilities
• Off-site data storage
• Contracted third-party service providers’ data security measures
• Access controls for healthcare personnel
A simple example of how revised policies can assist organisations, healthcare practitioners and individuals (such as the personal assistant of the broker) is when a computer is left unattended for a short period of time. For instance, in the process of capturing personal health information, a person may momentarily leave their workstation, giving another person a view of this sensitive and private information. The security controls in place, as advocated by policy, can go a long way to ensuring effective compliance with the prescribed conditions for processing information. The installation of security-controlled screensavers, consent-required log-in to personal machines, encrypted laptops, and defined levels of access to information should all be considered in an effort to ensure compliance, integrity and confidentiality. In addition, the policies should also cover disciplinary action for a data breach and align with the practice guidelines set out in the POPI Act.
CONCLUSION
We believe that it is in the interests of schemes to perform a comprehensive POPI risk assessment, identifying the intricate dependencies between:
• The people that access, process and manage personal health information
• The systems and technologies that enable the “engine” of healthcare management
• The processes that support the optimisation of points of data flow, and
• The structures in the organisation that ensure that health-related personal information is managed with absolute integrity and in alignment with South African law.
Consideration should also be given to privacy services such as personal information inventories and data warehousing, privacy change management and plans, privacy programme manuals, forensic breach analysis, vulnerability assessments, and third-party inventory, assurance and due diligence.
Authors: Etienne Dreyer CA(SA) is an associate director and Leanne Mandim CA(SA) is a senior manager at PwC