Protection of Personal Information (PoPI) Act compliance expert at Pétanque Consultancy, Tania May, highlights the top priorities for healthcare organisations to prepare for PoPI.

The PoPI Act protects our constitutional right of privacy and applies to all public and private institutions, including medical professionals in private and public practice.

While the Act does not have a section specifically addressing the medical industry, the industry finds itself in a complex situation when it comes to PoPI compliance due to the extent of the personal information it processes.

Once the PoPI Act is implemented healthcare organisations will be required to create their own privacy policies and practices in order to protect personal information of data subjects –the patients, otherwise you’ll be subjected to fines.

Ensuring PoPI compliance from your IT system supplier

In order for your healthcare organisation to become PoPI compliant, you need to ensure your IT system supplier is PoPI complaint. This can be done by following three important steps:

  • Information security is all about confidentiality, integrity and availability of data. Ask your IT system supplier what controls are in place to ensure these and what they are doing to continually ensure the appropriate management of risks.
  • Secondly, find out how your IT system supplier is ensuring the security of unstructured data. This is important because effectively securing the personal information of patients goes much wider than the IT department; most breaches occur when staff and other suppliers process personal information using unstructured data processing method. This includes unsecure email; file shares; call centres; unsecure printing; and using mobile devices which are not encrypted.
  • Thirdly, ask your procurement, legal and operational departments how they ensure third party organisations who deal with your patients’ personal information are compliant with the PoPI. It is important to ensure that you have contracts in place with all third parties who process patients’ personal information on your behalf and that they align to your organisation’s Privacy Policy and Information Security Policy.

If you have outsourced processing of personal information to outsourced service providers, like radiography, and the outsourced service provider has a PoPI breach, your organisation, as the responsible party, will be held responsible by the regulator and will have to pay any penalties and bear the reputational risk.

Patient responsibility

While the PoPI Act doesn’t deal with an individual’s responsibility to protect their own data, it does deal with their rights to have their personal data protected by any organisation to whom they have entrusted it for the provision of a service. This includes your healthcare organisation when providing medical treatment.

At the point of collecting the personal information, your organisation must ensure that only information required to complete the service is collected. On top of this, the collected information may only be kept for the period for which it is required to fulfil the purpose, after which it must be safely destroyed. This requirement must be aligned to other regulation in terms of retention of medical records; privacy regulation is subordinate to other regulation in this regard.

Consent for the processing of the personal information must be obtained in writing and must be explicit, informed and voluntary. If at some future stage it becomes necessary to share the patients personal information with additional parties not covered by the original consent, additional consent must be obtained from the patient to do so.

Developing your PoPI strategy

For IT Managers and CIOs, we recommend implementing ISO 27001:2013, which deals not only with personal information but the full spectrum of information security.

While both information security and PoPI has a large IT component, your whole organisation needs to be involved and on board. With the implementation of PoPI comes a culture change, so everyone dealing with personal information must understand their responsibilities and the risks that they are exposed to.

If implementing ISO 27001 is too daunting, then we recommend following a risk-based approached where you analyse all your processes and systems that deal with personal information, assess the risks you are exposed to and create a risk treatment plan that is revised and updated frequently.

It’s also important to prioritise according to the risk exposure scores. The high level phases would be: define the scope; assess the risks; create the risk treatment plan; execute the risk treatment plan; and then follow the cycle again. This must be done annually or more frequently depending on the complexities you deal with.

Don’t underestimate PoPI compliance, either in terms of its requirements or the time needed to get your compliance plan implemented.

To find out more about how PoPI will affect your healthcare organisation, you can download the Pétanque PoPI Medical Industry Report here.

For more information contact, like us on Facebook or tweet us @eHealthNewsZA.