By Reon Janse van Rensburg
Careless handling of patient information at a medical practice, is not only unethical but can also result in sanctions at the Health Practitioners Council of South Africa (HPCSA) and violating of a private dispute can in extreme cases result in fines or even imprisonment.
Health practitioners and their administrative staff receive personal information from their patients on a daily basis in various ways, for example when a file is opened or when patients disclose confidential medical history to a doctor. According to the Act this information is regarded as the personal information of a patient with the sole purpose that this information be disclosed for a specific reason.
The main purpose of the POPI Act is to protect the processing of personal information by public and private bodies. The balance of the right to privacy against the reasonable right to access of information is very important, especially in an era that supports both free access to information and personal exposure on social media and other digital platforms. This Act is important to every South African because it protects the distribution of information and the misuse of personal information by individuals as well as corporations.
Obtaining patients’ personal information is not necessarily illegal provided that it meets the requirements to maintain and protect the confidentiality of the patient’s information.
If there is access to published information from a personal electronic device (i.e. a smartphone or personal computer), digital storing systems such as Dropbox or external hard drives or other capturing of data available and it is distributed unlawfully it can lead to personal damage or defamation. In such a case the initial person who obtained the information (in this case the health practitioner or staff member) also known as the primary responsible party will be directly blamed if the information is published or distributed unlawfully.
Therefore, the spreading of information (by accident or on purpose) is not only unlawful but it also places the responsibility on the responsible party to ensure that this information is protected.
When can a health practitioner be held accountable?
The responsible party is guilty when:
- information was obtained without permission;
- information was obtained or published by an unlawful party;
- some damage was made to the subject;
- the responsible party failed to take reasonable steps to prevent access to the information; or
- the responsible party failed to report a violation to the subject or information regulator. The punishment for violating privacy is connected to the seriousness of the damage that is caused. It may include termination of services, sanctions by the HPCSA (including the termination of practitioners), awarding of monetary remuneration to the involved person (up to R10 million) and a maximum of ten years imprisonment.