The Protection of Personal Information (POPI) Act is finally coming into effect and, although implementation might still be down the line, it will fundamentally change the way personal data is managed. Principal Officer of Bonitas Medical Fund, Gerhard van Emmenis, explains why corporate South Africa, including medical aid schemes, insurance brokers, financial advisors, marketers and even brands need to start preparing now for its impact.
A patient’s medical information and history are particularly sensitive, which means the entire service chain involved in receiving and storing this information, from medical practitioners to pharmacists, administrators and schemes, will be required to meet the stringent POPI requirements.
Essentially, POPI, which is based on European legislation, outlines eight general conditions and three specific conditions, which will ensure businesses and organisations take responsibility for the way they share personal information, how that data is used and stored and who has access to it. Many countries have similar legislation in place to protect information and this also governs the transfer and sharing of data internationally.
The introduction of POPI
We live in an information-driven world with easy access to data and personal information via the internet, emails, Facebook, Instagram, LinkedIn and more, as well as traditional faxes and written correspondence. With an increase in cyber threats and information being leaked and shared, POPI is making sure businesses – and even individuals – are more careful with personal information and take responsibility for this data.
The message to the public is that the new Act should be taken very seriously. Unlawful retention, distribution, sharing or unauthorised use of personal information may result in non-compliance with the Act, which will carry onerous penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years), depending on the seriousness of the breach or non-compliance.
Compliance with POPI is of the utmost importance for all medical funds. This applies to members, their brokers and those in the medical fraternity. We are ready for its implementation and have taken great care to ensure data protection is a key priority.
Storing patient information
According to the Health Professions Council of South Africa (HPCSA) recommendations, the most important factor is for stringent precautions to be taken to safeguard patient information. For this reason, when the Council for Medical Schemes (CMS) requested information for the Central Beneficiary Register last year, the majority of medical schemes did not comply, mainly due to concerns about how the information will be stored and used.
The concern is that, although the Department of Health (DoH) has a rationale for wanting a Beneficiary Registry, namely negating fraud and recovering payment for treatment at state facilities, there is still uncertainty around how this information will be stored and used.
The CMS has since clarified that no actual medical data is required and that an Industry Technical Advisory Group task team has been established, with representatives from medical schemes and administrators, to deal with security issues and POPI compliance. Medical aids continue to engage with the CMS to find a workable solution regarding their directive for member information.
Holistic approach to healthcare
In order to take a holistic approach to medical aid members’ care and prevent duplication of medical tests, we embarked on a campaign in 2016 to obtain members’ consent to share their personal data with specific healthcare providers. When all co-morbidities are taken into account, it ensures that healthcare providers work together in the patient’s best interest.
All healthcare providers who interact with patients are generally permitted to have access to their information to a certain extent. However, to conform to POPI regulations, medical schemes need to ensure claims, medical conditions and treatment are shared only if the member has chosen for them to be.
Regarding the implementation of POPI, we have processes in place to securely store the data we have, are ready for its implementation, and will conform 100% to the final conditions outlined in the Act. Protecting the personal and medical records of our members is a key priority.