As the Protection of Personal Information Act (POPI) draws closer to taking effect, it is more important than ever to make sure that your medical practice complies with its requirements. Although the government has not yet announced a specific enforcement date, you can use the interim to get fully acquainted with what the POPI Act means for your medical practice and how to safeguard patients' medical data in accordance with the Act's requirements.
Are you wondering how the Protection of Personal Information Act (POPI) is going to affect your organisation in the health-care industry?
John Giles, managing attorney at Michalsons, spends most of his time explaining complicated worldwide data protection legislation (such as GDPR, PECR and POPIA) to big organisations in a practical way.
The POPI Act (together with the Consumer Protection Act) is going to have a big effect on doctors, health-care personnel, medical-aid funds, insurance companies, administrators and hospitals. Will you be able to continue processing personal information about a person’s health?
Giles explains the POPI Act and healthcare as follows:
The definition of personal information includes:
- information about … physical and mental health, wellbeing, disabilities … of the person; and
- information about the … medical … history of the person.
Special personal information includes information about the … health of the person concerned.
Here we have an interesting distinction. Medical history deals with the past, while health deals with the present. That is why different rules apply to those two different types of personal information. It looks strange and could result in interesting practical applications. As far as the medical history of a person is concerned, the normal conditions in Part A of the POPI Act apply.
Section 26 of the POPI Act prohibits the processing of personal information about a person’s health. In terms of section 32(1) the prohibition does not apply to processing by different people or parties, for example:
- medical funds, healthcare institutions or facilities, or social services;
- insurance companies, administrators of medical schemes and managing healthcare organisations;
- schools; and
- any public or private body managing the care of a child.
However, this is not where it ends. This is where many people will stop reading and think that they now have carte blanche. This is not the case. There are conditions and rules that have to be followed in every case. Section 32 must be read carefully. This also confirms the common-law confidentiality obligation, or creates it where it does not exist.
Therefore, in a nutshell, you may process a person’s health information if you:
- follow the conditions and rules in section 32;
- keep the personal information confidential; and
- comply with the rest of the conditions of the POPI Act.
You may also process a person’s medical history if you comply with the requirements of the POPI Act, especially the conditions for legal processing under Part A of chapter 3 of the POPI Act.
Some people even argue that the POPI Act could make more comprehensive processing of personal health information possible than was previously the case. More health institutions are allowed to do it, and to a larger extent. Perhaps health institutions will be better under the POPI Act? Perhaps this is an opportunity to start processing health-related personal information more efficiently to take better care of patients.
PLEASE NOTE: The POPI Act is not the only act concerned with privacy and health care. It is important to look at all relevant acts if you are contemplating their application to certain issues.