Most other
countries contain extensive data-protection legislation in an era where data
has become a commodity and personal information a valuable tool in marketing
strategies, planning and research. South Africa has no data-protection
legislation that could regulate the collection, storage, use and transmittal of
personal information. Information legislation in existence aims to regulate
requests for information, rather than the compilation and use of information.
With this in mind, medical practitioners have to be extremely careful how they
use, and have others use patient information.
Doctor-patient
confidentiality is one of the cornerstones of the medical profession. Sections
12 and 14 of the South African Constitution protect this right as well. Section
12 relates to freedom and security of the person (the right to have control
over one’s body and information about oneself) and section 14 entrenches the
right to privacy and confidentiality. Inferences drawn from personal
information such as names etc. as to the race or any other characteristic of
the patient may amount to claims of unfair discrimination under section 9 of
the Constitution, especially as persons also have the right to self-identify. The National Health Bill, in its current version,
states that every health care user (i.e. patient) is entitled to
confidentiality of all information concerning him/herself, their health status,
treatment or stay in a health establishment. It also states that a health care
provider may examine the records of a patient for purposes of study, teaching
or research with the authorisation of the patient, the head of the
establishment and the ethics committee.
Other relevant
documents supporting the sanctity of this principle is Ethical Rule 20 of the Rules
specifying the Acts or Omissions in respect of which the Council may take
Disciplinary Steps promulgated in terms of the Health Professions Act of 1974
and the SAMA Code of Conduct. The new proposed World Medical Association Policy
on Health Databases includes strict provisions in relation to the protection of
privacy. This proposed policy is to be discussed by SAMA’s Human Rights, Law
and Ethics Committee. One of the most recent proposals of the Medical and Dental
Professions Board on patient records on CD includes reference to “effective
safeguards against the unauthorised use or retransmission of confidential
patient information”. In the international context, the OECD Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data entrenches the
following principles: openness, limitation of collection and use, purpose
specification, data quality, individual participation, security safeguards and
accountablity.
This means
that a medical practitioner, or any other person or institution dealing with
patient information, has to be authorised by law or court order to hand over or
sell such information to a third party or has to obtain the informed consent of
the patient. One such law is the Medical Schemes Act and Regulations that
authorise certain patient information to be given to the patient’s fund. This
however does not mean that where an intermediary handles accounts, such
intermediary can sell that information to any other institution. Such information
has been obtained for the purposes of submitting it to a specified medical aid
fund and may only use it for that purpose, as authorised by relevant
legislation. In all other cases it is advisable that the medical practitioner
obtain the permission of his or her patients if the information is to be part
of another database or information system, especially if that information is to
be sold for profit purposes or provided to third parties. Where a practitioner
want to use the information for bona fide
business planning purposes, it is submitted that they are not prohibited from
using patient data. However, one should be careful where that information,
however de-identified it may be, goes out to any person or group of persons
that is not part of the immediate health care arrangement between the patient
and medical practitioner.
It is often
stated that the information is de-identified (i.e. there is no name attached to
the information) and therefore can be utilised for any purpose. This is not
true, as there may be other aspects involved. One is the fact that the patient
owns the information (the establishment or practitioner may own the record,
i.e. the file), another is the fact that a patient may have objections to
his/her information being sold or given to, for example, a certain facility,
organisation or business. Where a third party requests certain aspects of
patient information from a medical practitioner in private practice, it is
suggested that such application should be done in terms of the Promotion of
Access to Information Act, in terms of which the unreasonable disclosure of personal information is prohibited. It
is better left to the requester to proof in a court of law that the information
that they are requesting does not amount to an unreasonable disclosure than the
medical practitioner running the risk of violating patient rights.
Elsabé Klinck
Human Rights, Law and Ethics Unit
SAMA
These
documents do not constitute official SAMA policy.
It is, however, the
opinion of the legal department
and is provided
without prejudice.