The appointment of Adv Pansy Tlakula as Chair of the Office of the Information Regulator in September 2016 signals the end of the transition period for compliance with the Protection of Personal Information (PoPI) Act. However, healthcare providers are still largely unclear about what PoPI means for their organisation and what their responsibilities are going forward. Dr Wim Booyse, Lead Healthcare Industry Privacy Protection Specialist at Pétanque International, a consulting firm focusing on PoPI integration into enterprises, discusses what healthcare organisations need to do to keep patient data confidential and shares insights about what the country needs to get right to ensure the PoPI Act is effectively implemented. Dr Booyse has almost three decades of experience in the South African healthcare industry and has participated in the process surrounding the implementation of privacy regulation in the Republic of the Philippines since 2015.
Looking beyond South Africa
As healthcare adopts more and more digital systems globally, developing countries in particular have taken strides towards implementing strategies for the protection of their citizens’ private information. The Philippines is one such country that has successfully prioritised the privacy of its population’s data and can offer other regions, such as South Africa, insights into how to go about developing and implementing privacy legislation.
Unlike in SA, the Philippine Privacy Act was spearheaded by the private sector, investigated and promulgated by the Philippine Senate Committee on Science and Technology and finally jointly submitted into legislation with other Senatorial Committees. The Philippines is one of the largest business process outsourcing countries in the world and therefore deals with customers who are residents of countries with extremely strict privacy laws. The Act originated in the Senate under the ITC Subcommittee and resulted in active participation between privacy advocacy groups, government and the private sector.
In addition, the Philippines has been rolling out universal health coverage (UHC) in the public sector since the 1990s, and its national medical scheme, PhilHealth, has 87 million members to date. The country’s UHC strategy is comparable to the impending National Health Insurance (NHI) in providing basic medical coverage for the population, with different options to “top-up” this cover. This results in more comprehensive cover for its citizens, but also in more complex billing and patient data sharing processes. Since the Philippines has already achieved what South Africa wants to achieve, there are some fundamental lessons to take from its experience as guidance for the local context.
Lessons for implementing PoPI:
The common thread between the Philippines and South Africa is that the Philippine National Privacy Commission was also only appointed four years after the promulgation of the Privacy Act. But despite the gap, the country started disseminating to civil society the first circulars describing what processes would be structured and how within three months of the appointment of the regulator. By the time the Commission formally took up its mandate, the groundwork had already been done by civil society, business and academia to know what to do and how to do it to engage and educate the public and garner popular support. This proactive approach is something we haven’t yet seen in South Africa, but it was fundamental to the Philippines’ success.
What we can learn from this is that, as a first priority, the newly appointed Regulator should proactively communicate with civil society, business, individuals and government about what its function is. Many people don’t fully understand how PoPI applies to them, and this uncertainty needs to be addressed in an inclusive, transparent manner. The Information Regulator needs to start issuing circulars to provide policy direction to everybody in terms of what may or may not be done and to offer clarity to custodians of private information. The next priority is to initiate a public debate on what, how and where the Act applies. In that regard, I am convinced that as a society there are advocacy groups that will emerge – such as academia – that will guide the debate and help the regulator distil the best possible implementation guidelines.
Under PoPI, all eHealth suppliers will be required to tell their customers how they are adhering to international data security standards. Their role in educating providers and users of their services is paramount. For instance, an eHealth software solutions vendor will have to be able to verify to a hospital group that they don’t store or share patient data when they access it and/or send it on to other systems for billing and similar purposes, in accordance with best practices.
Currently in South Africa we have no indication that sharing data with medical schemes for research purposes isn’t happening, for example. A patient gives consent to their doctor to submit ICD-10 codes for claims purposes but does that consent extend to third parties that are able to access that data? At Pétanque, we believe the lack of data protection stems from a business flow process and, as a result, third parties have a vested interest in patient data.
It’s essential that procurers of third-party software solutions thoroughly assess suppliers and systems against PoPI. First and foremost, third-party vendors must be able to verify that, as a company, they comply with PoPI and that when the system receives data, it’s not pooled or provided to anyone else.
Secondly, vendors must be transparent about the nature of their associations with medical scheme administrators, electronic switches, managed care organisations, health data aggregators and accounting bureaus. It’s important for healthcare providers to understand the ecosystem when procuring solutions for their practices. It is imperative that healthcare providers ensure that the software and service suppliers they engage with are PoPI compliant. Failing declared and demonstrated compliance, as reflected in a PoPI Portfolio of Evidence (POE) for example, places healthcare providers at risk: the data of their patients, for which they are the legitimate custodian, is placed at risk and exposed to possible contraventions of the PoPI Act by unknowingly being subjected to additional processing without patient consent.
Lastly, but certainly by far the most important, is consent. Patients own their data, and making them aware of why their data is being shared with other parties is critical. Presently the majority of patients in the private healthcare sector provide consent to their healthcare provider to add confidential data, such as diagnosis and health status, to the invoice which is submitted to Medical Aid Schemes for payment. Patients’ consent therefore in no way whatsoever provides carte blanche to any third party to additionally process the data for whatever reason. From our survey of the South African landscape, we believe that parties that currently have access to patient data did not receive consent to do so, consequently putting the healthcare provider at risk. Unlimited and uncontrolled access to patients’ confidential health data, for which no consent exists, by a myriad of stakeholders in healthcare in South Africa should be addressed as a matter of urgency.
To find out more about how to prepare for PoPI, you can download Pétanque International’s white paper, ‘PoPI and Patient Health Data Privacy: Do Healthcare Providers Fully Understand their Obligations and Risks?’ here.