As the 1 July deadline looms for businesses to become POPIA compliant, we sat down with Managing Director of Elsabé Klinck & Associates, Elsabé Klinck, to discuss what medical practices need to do to become compliant. Elsabé Klinck & Associates is a healthcare consulting service that specialises in law, regulation, & policy in the health sector.
Let’s start by defining two terms we are hearing a lot about lately, POPIA & PAIA.
POPIA, also known as the POPI Act, is the Protection of Personal Information Act of 2013. PAIA is the Promotion of Access to Information Act of 2000. These are two different laws that are essentially two sides of the same coin. POPI Act is about how you protect personal information, & PAIA is about how you legally access information. These laws are not new – what is relatively new is that they are now governed by the Information Regulator – a regulatory authority established to ensure that all businesses, including medical practices, comply with the law.
It’s well-known that POPIA will come into effect on 1 July. Will this be a ‘hard’ start, or is some leniency expected?
It is now, for many, a hard start – mandatory compliance with the POPI Act will come into full effect on 1 July. The POPI Act came into effect last year, & everyone was given a year to get things in order. As mentioned, these laws are not new & medical practices have an ethical & legal obligation to protect personal information. Businesses can expect more rigorous monitoring & consequences in the form of administrative penalties for non-compliance after the 1 July deadline.
What are the minimum requirements medical practices must have in place by the deadline?
There are a couple of requirements that must be in place. The first is that every medical practice must register their Information Officer with the Information Regulator. The Information Officer is an individual at your practice that acts as the custodian of these two laws. They are responsible for compiling & submitting manuals, notices, & reports to the relevant departments, as well as receiving & responding to PAIA requests which we will talk about later. Medical practices are urged to register their Information Officer on the Information Regulator website. It’s a good idea to have some basic information at hand too such as names, ID/passport numbers, addresses & mobile phone numbers.
The second minimum requirement is to have your manuals & record-keeping systems (e.g. when you destroy or archive personal information) ready. There are a number of templates available that are invaluable in preparing your manuals & ensuring they contain the right information. If the templates you are using don’t mention POPIA, they are outdated, & you will need to find a current template to work with. At Elsabé Klinck & Associates we offer templates of the most important documents healthcare professionals need, these can be purchased individually or as a bundle here. There is also a comprehensive training video available here.
Tell us more about the templates & how to use them?
I will mention a few that every practice will need to have in place. First is the POPIA Policy that outlines how you deal with personal information at your practice. It is a comprehensive template that the Information Officer will need to review & customise to the workings of your practice. This then becomes the manual or framework for how you treat personal information.
Secondly, you will need to have an ‘access to information,’ or ‘PAIA’ manual ready which works on the same principle of customising the template to be in line with the information your practice hold, & which could potentially be accessed through a PAIA Request by someone such as a patient or an attorney.
Next, & this is specifically for healthcare, you will need a consent of disclosure document in place. This relates to, for example, getting patient consent to issue a sick note that states the diagnosis. Where & how that record is stored is important & must be documented. On the other hand, you will also need to keep a record of what was disclosed on the sick note that gets stored in a different place to the patient consent to disclose information, should the Information Regulator inspect or require a report on personal information disclosed.
Lastly, you will need a Document Retention, Archiving & Destruction Guide. One of the security assessments, one must meet under the POPI Act, is to have a process in place that stipulates how long personal information is kept, how you prevent unauthorised access, & how you manage the damage or unlawful destruction of health records. Again, using the right templates can help you document this process. Good templates will include the relevant mandatory retention periods for various records in a practice, such as invoices, patient files, employee information, etc.
In terms of time & effort, what can medical practices/practitioners expect in getting ready for the deadline?
There are two areas you need to focus your efforts on ahead of the 1 July deadline. The first is applying some time to identifying what personal information you are keeping, where you are keeping it, who has access to it, etc. For a medical practice, patient records are an obvious store of personal information, but there are other areas to consider. Do you outsource staff payroll to an external organisation? How do you protect the personal information of reps, contractors & other service providers whom you do business with? It’s a good idea to sit down with key members of your staff to brainstorm & identify how personal information is used, stored & shared at your practice.
The other aspect that you need to budget some time & effort for is customising the templates. There are no shortcuts in this regard & it’s a good thing because you have to carefully evaluate what applies to you. It’s not an insurmountable task, but it is worth devoting a few hours to it not only for compliance, but peace-of-mind that you are upholding your ethical & legal obligation to protect personal information. No person who is not working in your practice would be able to do it for you without substantial input from the practice owners and staff.
For paper-based medical practices, record-keeping is still very manual & time-consuming. From your perspective, would you recommend electronic records for healthcare?
I’m highly in favour of electronic medical records (EMRs). They are easier to physically store, to retrieve & control access to, & back-ups are easy. Ensuring that you use software that provides adequate protection, as well as being able to set access levels on your practice software to prevent the unlawful use of personal information, are important considerations. Digital records are the most practical solution for businesses dealing with vast amounts of personal information, far more so than paper records.
You’ve touched on most of the benefits of using digital records, but another benefit is that information is more easily shared. How does POPI apply in this regard?
It’s true that records can be shared & accessed by a treating doctor, pathology lab & a specialist, for example. But here it is important to note that the National Health Act allows for the sharing of patient information where it is in the patient’s best interest & necessary for their care. Each of these parties will have their own policies in place to protect personal information, to prevent for example, a General Practitioner (GP) accessing lab results for individuals who are not their patients. And if all parties are compliant with the Act, this would not be an issue.
Let’s talk about some of the practical ways medical practices communicate with patients & how POPI applies. Can a practice SMS a patient to remind them of upcoming appointments or to come in to get test results?
Every practice should give patients options for receiving information & get their consent before using those channels. Your new patient forms are the best time to ask for consent. We recommend updating them to align with requirements in POPI. Those forms also typically ask for personal information such as next of kin. You must stipulate why that information is required. Is it for debt collecting purposes or for care decisions in the case of an emergency, for example?
If you don’t currently have patient consent to communicate by SMS, you may communicate with them by SMS only once without getting consent to send further SMSs. You must also ensure that patients always have an option to opt out of every electronic communication.
What happens if a patient requests their information?
This is where PAIA comes into effect. Under the Act, everyone is entitled to a copy of any information that pertains to them, regardless of the context. But in the case of a medical practice, the record isn’t solely the patient’s information – the doctor has made notes & those records contain their intellectual property. If the patient requests a copy of their information, there is a process to follow. The patient will need to complete a requester form stating why they want the information. The request will be submitted together with a consent form to be processed if the request comes through another person, such as an attorney.
What can practices expect if they don’t comply?
Realistically, we expect the Information Regulator will act on complaints & tip-offs. If a patient has a problem with how you have managed their personal information, they can lodge a complaint that kicks off an inquiry & potentially an investigation. Enforcing the Act is then a sequence of enforcement notices to address the issue. Their premise, as should all businesses be, is to identify & rectify the issue. But if you continue to ignore notices & do nothing to resolve the problem, you can expect administrative fines of up to R10 million to be levied. In the meantime, commit to being compliant & do the necessary in the time leading up to the deadline (& beyond) to protect personal information.
If you need help getting your medical practice POPIA compliant, the team at Elsabé Klinck & Associates are there to help & you can contact them here. If you have the basics in place & would like to make POPIA compliance even easier with electronic medical records (EMRs), drop your details here & one of our Business Consultants will be in contact to assist.
Disclaimer: The information provided is general in nature & should not be considered sound advice. In all cases, you should consult with professional advisors familiar with your particular situation before making business, legal or any other decisions.
Table of Contents