Privacy and Confidentiality Standards
Since these principles were written and proposed, various events have coloured both law and politics concerning the right to privacy and data, including the promulgation of the National Health Act, the SA Law Commission Issue Paper on Privacy and Data-protection and the controversy relating to the sale of data for commercial purposes, sparked by the alleged Post Office sale of addresses. It is suggested that the Electronic Communications and Transactions Act of 2002 also be considered in more detail, including the provisions on voluntary adherence to data-protection principles.
Moreover, in the health care funding industry health data no longer
only relates to “whether to pay or not”, but also to “whether to
intervene/manage or not”. Furthermore, risk calculations may still be bound to
health data relating to current and past medical scheme members (within a
particular scheme or within a particular group of schemes), requiring access to
as comprehensive a health care picture as possible. Proposals in terms of a
social health insurance system may affect the basis on which data is collected,
from whom it is collected and the purposes for which it is used.
Until data-legislation is passed, interim measures have to be
instituted in line with applicable legislation and general constitutional
principles.
The initial document is kept and some issues are raised for consideration and discussion. It is important that the practical implementation of the various principles is considered, which may prompt further research and investigation. Some principles may be consolidated, and this may serve as the document that could impact on the health sector part of the envisaged Data Protection legislation.
Definitions
"health care role player" refers to medical schemes,
administrators, managed care organisations, service
providers, intermediaries and their employees, governing bodies, trustees and
Boards of Directors.
"personal or health information" refers to all information that is
personal or could be re-linked to a particular person or group and that
pertains to the health and/or health care, treatment, diagnosis, tests,
procedures, stay in health care facilities, and any other related health care
information of any person or group. It includes any record that contains these
types of information, irrespective of its format or type.
Principle 1: All parties dealing with patient health
care and personal information have to take into account relevant legislation,
such as the Constitution of the RSA of 1996, the Medical Schemes Act of 1998,
the Promotion of Access to Information Act of 2000, the National Health Act
of 2003 and specific provisions contained in health- and health care
legislation.
Principle 1.1: Information may be disclosed by a
service provider to a medical scheme in execution of a managed care agreement
as provided for in the regulations to the Medical Schemes Act of 1998. Where
such disclosure is made to an administrator or any third party on the basis of
a contract between the scheme and such administrator or third party in terms of
this specific regulation, the administrator or third party is bound by the same
provisions as the scheme. Access to patient information is limited in scope by
the exact provisions of the contract between the managed care organisation and
the scheme and the purpose for which
the information is provided, e.g. evaluation of benefits, motivation for
pre-authorisation, etc. This information should not be passed on to any other
department within that organisation, scheme or administrator which does not
deal with managed care. This information should also not be used to
risk-rate a particular patient/member/dependant and/or to reduce benefit levels
that would have been different in the absence of such information.
Personal or health information
may be refused if it is requested for "random audits of practices",
to include on health databases or practice profiling (if the practice profiling
does not focus on affordability and appropriateness of care, or as a risk
management tool in accordance with an agreement entered into in terms of
Regulation 15A of the Medical Schemes Act Regulations, but is required only for
financial benchmarks).
Principle 1.2: Administrators and intermediaries are obliged to keep confidential all information and material in their possession relating to their duties vis-à-vis a medical scheme and/or service provider, and are bound by the same principles governing the conduct of the scheme and/or service provider in relation to patient information confidentiality and disclosure.
Principle 1.3: Any third party request for information
is to be dealt with in terms of the Promotion of Access to Information Act of
2000.
The provisions of Section 15 and 16 of the
National Health Act should also be adhered to.
Principle 1.4: Implementation
of ICD-10 codes on accounts by service providers vis-à-vis
specific aspects of confidentiality falls outside the scope
of these general principles. (meaning unclear)
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
The National Health Bill provision on
confidentiality, reads as follows:
14. (1) All
information concerning a user, including information relating to his or her
health status, treatment or stay in a health establishment, is confidential.
(2) Subject to section 15, no person may disclose
any information contemplated in subsection (1) unless -
(a) the user consents to that disclosure in
writing;
(b) a court order or any law requires that
disclosure; or
(c) non-disclosure of the information represents a
serious threat to public health.
Specific consideration has to be given as to
whether the Medical Schemes Act and regulations provide for sufficient
authority (in terms of section 14(2)) for the various disclosures that take
place during (a) medical scheme membership administration (including dependent
administration) (b) health service provisions (c) accounts, payments and
billing (d) evaluation of member health status, risk analyses and/or managed
care. It is also important to note that the Promotion of Access to Information
Act of 2000 does not allow for health care information to be withheld if a
patient requests such information. It may be difficult to withhold a person’s
health status from him or her if ICD10 coding is used that appears on an
account.
Third party access, if such a third party is a
health care provider, is regulated by section 15(1) that
states that “a health worker or any health care provider that has access to the
health records of a user may disclose such personal information to any other
person, health care provider or health establishment as is necessary for any
legitimate purpose within the ordinary course and scope of his or her duties
where such access or disclosure is in the interests of the user” and section 16
states that “A health care provider may examine a user's health records for the
purposes of- (a) treatment with the authorisation of the user…”. The issue is
whether medical advisors, case managers, clinical reviewers, etc., in the
employ of a funder or managed care organization, are also covered by this
provision.
Principle 2: For all uses and disclosures of health
information all "health care role players" should remove personal
identifiers consistent with maintaining the usefulness of the information,
unless legislation authorises specific personalised disclosures. Nothing
prevents the compilation and/or manipulation of anonymous information for the
purposes of financial or other planning, for risk calculation within the
scope as permitted by legislation or for statistical purposes,
related to the core business of the entity in possession of the information.
The role player compiling and/or manipulating such information lawfully owns
such information.
“Anonymised data” means data
from which the patient cannot be identified by the recipient of the
information. The name, address, and full postal code must be removed, together
with any other information which, in conjunction with other data held by or
disclosed to the recipient, could identify the patient. Patient reference
numbers or other unique numbers may be included only if recipients of the data
do not have access to the 'key' to trace
the identity of the patient using that number.
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
The right to privacy entails “having control over
his or her personal information” (SALC par 1.2.1). The sale of data, and the use of such data
for purposes other than for what the person has expressly (or implicitly?)
consented to (in writing? - see NHB) have to be considered in this context. Consideration should, e.g., be given to whether Section 15(1) authorises health care providers to disclose patient data in order to identify financially costly patients and medical practices/providers.
Principle 3: Privacy protections should follow the
data, irrespective of the number of intermediaries between the patient, as
initial provider of the information, and any final destination. This also applies to electronic messaging.
3.1 Section 17 of the National Health Act places a duty on health establishments to ensure that there is no unauthorised access to records, which implies the setting up of mechanisms to verify record and data requests, even where these are from funding institutions or data warehouses. Failure to do so constitutes an offence under the Act.
3.2 The onus of protecting confidential information vests with the holder thereof. Health care role players should, therefore, implement security safeguards for the storage, use, and disclosure of health information, irrespective of the format of such information. Confidentiality agreements should also be entered into with third parties to whom information is disclosed beyond the extent of the principles herein contained.
3.3 Health information handed over to an attorney or debt collection agent for legal proceedings should initially not include medical records, i.e. only the quantum and cause of action should be disclosed. The nature and extent of treatment would only be raised should there be a dispute to which this information is pertinent and if such is raised by the patient him/herself.
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
Section 17 of the National Health Bill places a
duty on health establishments to ensure that there is no unauthorised access to
records, which implies the setting up of mechanisms to verify record and data
requests, even where these are from funding institutions or data warehouses.
Failure to do so constitutes an offence under the Bill.
Principle 4: An individual should have the right to
access his or her own health information, as regulated by the Promotion of
Access to Information Act of 2000 and other relevant legislation, and the right
to supplement such information.
In terms of the National
Health Act a person’s right to know his
or her health status may be withheld “in circumstances where there
is substantial evidence that the disclosure of the user's health status would
be contrary to the best interests of the user”. This
section gives statutory recognition to the common law doctrine of therapeutic
privilege. (Sithara to investigate the use of a specific
diagnostic code in this regard for ICD-10 purposes)
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
In terms of the National Health Bill a person’s
right to know his or her health status may be withheld “in
circumstances where there is substantial evidence that the disclosure of the
user's health status would be contrary to the best interests of the user”
(section 6 – possible repercussions discussed above under principle 1). This section gives statutory recognition to
the common law doctrine of therapeutic privilege.
Principle 5: Health care role players should, in
effecting their duties in terms of section 57(4)(i) of the Medical Schemes Act,
establish policies, procedures and review mechanisms regarding the protection
of confidentiality, as well as the collection, use, and disclosure of health
information.
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
Section 57(4) relates to the duties of trustees to
medical schemes, who may need guidance from staff and/or administrators.
Subsections (4)(g) and (h) could also be applied so as to ensure compliance.
Principle 6: Individuals should be given notice
about the (possible) uses, purposes and disclosures of their health
information in the chain of health care and health care financing, even
where such information would be anonymised. Individuals have to be
informed about their rights with regard to that information. This should be
done at the point of potential delivery of health care, as well as the point of
application for medical scheme membership or health insurance.
6.1 In order for members/patients to have control over their information, they should at some point consent to the variety of uses to which their information may be put.
6.2 Cognisance should be taken of the provisions of section 52ff of the Electronic Communications and Transactions Act of 2002, whereby some databases may be declared “critical databases” and certain measures have to be instituted to secure the database and access to it.
ISSUES UP FOR CONSIDERATION AND DISCUSSION:
In order for members/patients to have control over
their information, they should at some point consent to the variety of uses to
which their information may be put. In terms of section 52ff to the Electronic
Communications and Transactions Act of 2002, some databases may be declared
“critical databases” and certain measures have to be instituted to secure the
database and access to it.
Principle 7: Health care role players
should implement security safeguards for the storage, use, and disclosure of
health information, irrespective of the format of such information.
Personal
health information on users may be transferred across national borders and
collected, stored, processed, and published for many purposes, including
clinical research and health statistics. Since the extent of the protection
afforded to personal health data varies from country to country, the common and
internationally accepted ISO International Standard, which provides a uniform
set of guidelines acceptable to all health-related organizations in countries
worldwide, whether transmitting to, or receiving personal health data from,
other countries, should be complied with.
Principle 8: Personally identifiable health information should not be disclosed without written patient
authorisation, except in circumstances authorised by law, court order or with the patient's specific, full and
informed consent in writing.
National Health Bill requires written consent.
Principle 8.1: Informed consent means that the patient or member should know the reasons why the disclosure is necessary (e.g. for the execution of duties in terms of a specific section of the Medical Schemes Act on, for example, waiting periods, and/or a specific regulation). The patient should also know and understand the implications of such disclosure for him or her in terms of health care delivery and financing. Health care role players are encouraged to formulate the various purposes for which private information is required or should be disclosed, and whether such are authorised by legislation or whether specific patient/member consent is required.
Principle 8.2: The
provisions of Section 8 of the National Health Act, Section 39 of the Child
Care Act, Section ? of the Mental Health Care Act, the Promotion of Access to
Information Act and other relevant legislation relating to consent and
participation in decisions affecting a user's personal health and treatment
should be taken into account. Existing legal rules in terms
of consent by minors under the age of 14 and persons incapable of consenting to
a disclosure have to be abided by.
Principle 8.3: Where
written patient authorisation is not possible (National Health Act
requires that in writing!), alternative generally
acceptable means of identification may be used (e.g. "biometric
consent"), subject to compliance with relevant legislation.
Principle 8.4: The same rules of confidentiality and consent to disclosure
apply to dependants and steps have to be taken to ensure sufficient protection
of dependant/ beneficiary confidentiality.
Principle 9: Where financial, ownership or shareholding links exist between a third party and a health care role player (such as a medical scheme, administrator, managed care organisation, intermediary or any health care role player), confidential or personal information obtained by such role player in the course of its business as service provider, managed care organisation, medical scheme, administrator or broker may not be sold, passed on to, or used or utilised in any manner by such third party institution or organisation for the purpose of conducting their business. The same prohibition applies where medical scheme benefits are linked to the conditions of work and/or the employment contract. A contribution made by an employer towards an employee's medical scheme does not entitle that employer to access any personal or health care information, including any medical diagnosis, held by the scheme or any health care role player.
Principle 10: Health care organisations should use an
objective and balanced process to review the use and disclosure of personally
identifiable health information for research purposes. The provisions of Sections
11, 15 and 16 of the National Health Act as well as internationally
accepted research documents, such as the Helsinki Declaration have to be
adhered to.
It is important to note that the legislation applies to all research, even where the researcher only uses existing files of patients and has no patient contact at all.
Principle 11: Health care role players should not disclose personally identifiable health information to law enforcement officials or any other person acting in a capacity of investigating any alleged or suspected offence, in the absence of a compulsory legal process, such as a warrant or court order. Only information relevant to the purpose for which the information is to be disclosed may be supplied, as stipulated within the framework of such warrant or court order.
Caution should also be
exercised when information is requested by investigators acting on behalf of
medical schemes. In such cases, written informed consent from the patient is a
pre-requisite prior to any form of disclosure.
This relates to various constitutional protections found in the SA Constitution and the general principle that rights may only be limited if authorised by a law of general application that would pass muster under section 36.
Principle 12: Health privacy protections should be
implemented in such a way as to enhance and not undermine, existing laws
prohibiting discrimination such as the Promotion of Equality and Prevention of
Unfair Discrimination Act of 2000 and the Employment Equity Act of 1998. This
principle also applies to issues such as profiling of practices and patient
groups.
Principle 13: Strong and effective remedies for violations of privacy protections should be established, including employee training and disciplinary measures, appropriate contractual provisions and penalties with respect to any party contracting with a health care role player, etc.
Principle 14: All role players that handle healthcare
information should be held accountable for breaches of privacy and
confidentiality for information in their hold. Aggrieved persons should have
access to internal procedures and/or outside institutions at which to lodge
complaints.
The National Health Act creates penalties for health establishments and their staff in terms of violations of privacy/data protection, but similar penalties should exist for other role players in this sector.
N.B. All Acts and
other documents, as well as resource documents, referred to herein will be
listed in an index to this document.