Privacy and Confidentiality Standards
Since these principles were written and proposed, various events have coloured both law and politics concerning the right to privacy and data, including the passing of the National Health Bill, the SA Law Commission Issue Paper on Privacy and Data Protection and the controversy relating to the sale of data for commercial purposes, sparked by the alleged Post Office sale of addresses. It is suggested that the Electronic Communications and Transactions Act of 2002 also be considered in more detail, including its provisions on voluntary adherence to data-protection principles.
Moreover, in the health care funding industry health data no longer only relates to "whether to pay or not", but also to "whether to intervene/manage or not". Furthermore, risk calculations may still be bound to health data relating to current and past medical scheme members (within a particular scheme or within a particular group of schemes), requiring access to as comprehensive a health care picture as possible. Proposals in terms of a social health insurance system may affect the basis on which data is collected, from whom it is collected and the purposes for which it is used.
Until data-protection legislation is passed, interim measures have to be instituted in line with applicable legislation and general constitutional principles.
The initial document is retained and some issues are raised for consideration and discussion. It is important that the practical implementation of the various principles is considered, which may prompt further research and investigation. Some principles may be consolidated, and this document may then inform the health sector part of the envisaged Data Protection legislation.
Definitions
"health care role player" refers to medical schemes,
administrators, service providers, intermediaries and their employees,
governing bodies, trustees and Boards of Directors.
"personal- or health information" refers to all information that is
personal or could be re-linked to a particular person or group and that
pertains to the health and/or health care, treatment, diagnosis, tests,
procedures, stay in health care facilities, and any other related health care
information of any person or group. It includes any record that contains these
types of information, irrespective of its format or type.
Principle 1: All parties dealing with patient health
care and personal information have to take into account relevant legislation,
such as the Constitution of the RSA of 1996, the Medical Schemes Act of 1998,
the Promotion of Access to Information Act of 2000, the National Health Bill of
2003 and specific provisions contained in health- and health care legislation.
Principle 1.1: Information may be disclosed by a
service provider to a medical scheme in execution of a managed care agreement
as provided for in the regulations to the Medical Schemes Act of 1998. Where
such disclosure is made to an administrator or any third party on the basis of
a contract between the scheme and such administrator or third party in terms of
this specific regulation, the administrator or third party is bound by the same
provisions as the scheme. Access to patient information is limited in scope by
the exact provisions of the contract between the managed care organisation and
the scheme and the purpose for which the information is provided, e.g.
evaluation of benefits, motivation for pre-authorisation, etc. This information
should not be passed on to any other department within that organisation,
scheme or administrator which does not deal with managed care.
Principle 1.2: Administrators and intermediaries are obliged to keep all information and material in their possession relating to their duties vis-à-vis a medical scheme and/or service provider confidential, and are bound by the same principles governing the conduct of the scheme and/or service provider in relation to patient information confidentiality and disclosure.
Principle 1.3: Any third party request for information
is to be dealt with in terms of the Promotion of Access to Information Act of
2000.
ISSUES UP FOR CONSIDERATION
The National Health Bill provision on confidentiality reads as follows:
14. (1) All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment, is confidential.
(2) Subject to section 15, no person may disclose any information contemplated in subsection (1) unless -
(a) the user consents to that disclosure in writing;
(b) a court order or any law requires that disclosure; or
(c) non-disclosure of the information represents a serious threat to public health.
Specific consideration has to be given as to whether the Medical Schemes Act and regulations provide sufficient authority (in terms of section 14(2)) for the various disclosures that take place during (a) medical scheme membership administration (including dependant administration), (b) health service provision, (c) accounts, payments and billing, and (d) evaluation of member health status, risk analyses and/or managed care. It is also important to note that the Promotion of Access to Information Act of 2000 does not allow health care information to be withheld if a patient requests such information. It may in any event be difficult to withhold a person's health status from him or her where ICD-10 codes appear on an account.
Third party access, if such a third party is a health care provider, is regulated by section 15(1), which states that "a health worker or any health care provider that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user", and section 16, which states that "A health care provider may examine a user's health records for the purposes of- (a) treatment with the authorisation of the user…". The issue is whether medical advisors, case managers, clinical reviewers, etc., in the employ of a funder or managed care organisation, are also covered by these provisions.
Principle 2: For all uses and disclosures of health
information all "health care role players" should remove personal
identifiers consistent with maintaining the usefulness of the information,
unless legislation authorises specific personalised disclosures. Nothing
prevents the compilation and/or manipulation of anonymous information for the
purposes of financial- or other planning, for risk calculation or for statistical
purposes, related to the core business of the entity in possession of the
information. The role player compiling and/or manipulating such information
lawfully owns such information.
ISSUES UP FOR CONSIDERATION
The right to privacy entails "having control over his or her personal information" (SALC par 1.2.1). The sale of data, and the use of such data for purposes other than those to which the person has expressly (or implicitly?) consented (in writing? - see NHB), have to be considered in this context.
Principle 3: Privacy protections should follow the data, irrespective of the number of intermediaries between the patient, as initial provider of the information, and any final destination. This also applies to electronic messaging.
ISSUES UP FOR CONSIDERATION
Section 17 of the National Health Bill places a duty on health establishments to ensure that there is no unauthorised access to records, which implies setting up mechanisms to verify record and data requests, even where these come from funding institutions or data warehouses. Failure to do so constitutes an offence under the Bill.
Principle 4: An individual should have the right to
access his or her own health information, as regulated by the Promotion of
Access to Information Act of 2000 and other relevant legislation, and the right
to supplement such information.
ISSUES UP FOR CONSIDERATION
In terms of the National Health Bill a person's right to know his or her health status may be withheld "in circumstances where there is substantial evidence that the disclosure of the user's health status would be contrary to the best interests of the user" (section 6; possible repercussions are discussed above under Principle 1).
Principle 5: Health care role players should, in
effecting their duties in terms of section 57(4)(i) of the Medical Schemes Act,
establish policies, procedures and review mechanisms regarding the protection
of confidentiality, as well as the collection, use, and disclosure of health
information.
ISSUES UP FOR CONSIDERATION
Section 57(4) relates to the duties of the trustees of medical schemes, who may need guidance from staff and/or administrators. Subsections (4)(g) and (h) could also be applied so as to ensure compliance.
Principle 6: Individuals should be given notice about the (possible) uses, purposes and disclosures of their health information in the chain of health care and health care financing. Individuals have to be informed about their rights with regard to that information. This should be done at the point of potential delivery of health care, as well as at the point of application for medical scheme membership or health insurance.
ISSUES UP FOR CONSIDERATION
In order for members/patients to have control over their information, they should at some point consent to the variety of uses to which their information may be put. In terms of section 52ff of the Electronic Communications and Transactions Act of 2002, some databases may be declared "critical databases", and certain measures then have to be instituted to secure the database and access to it.
Principle 7: Health care role players should
implement security safeguards for the storage, use, and disclosure of health
information, irrespective of the format of such information.
Principle 8: Personally identifiable health information should not be disclosed without patient authorisation, except in circumstances authorised by law or with the patient's specific, full and informed consent.
The National Health Bill requires written consent.
Principle 8.1: Informed consent means that the patient or member should know the reasons why the disclosure is necessary (e.g. for the execution of duties in terms of a specific section of the Medical Schemes Act on, for example, waiting periods, and/or a specific regulation). The patient should also know and understand the implications of such disclosure for him or her in terms of health care delivery and financing. Health care role players are encouraged to formulate the various purposes for which private information is required or should be disclosed, and to state whether each is authorised by legislation or whether specific patient/member consent is required.
Principle 8.2: Existing legal rules in terms of
consent by minors under the age of 14 and persons incapable of consenting to a
disclosure have to be abided by.
Principle 8.3: The same rules of confidentiality and
consent to disclosure apply to dependants and steps have to be taken to ensure
sufficient protection of dependant/ beneficiary confidentiality.
Principle 9: Where financial, ownership or shareholding links exist between a third party and a health care role player (such as a medical scheme, administrator, intermediary or any other health care role player), confidential or personal information obtained by such role player in the course of its business as service provider, managed care organisation, medical scheme, administrator or broker may not be passed on to, used by or utilised in any manner by such third party institution or organisation for the purpose of conducting its business. The same prohibition applies where medical scheme benefits are linked to the conditions of work and/or an employment contract. A contribution made by an employer towards an employee's medical scheme does not entitle that employer to access any personal or health care information held by the scheme or any health care role player.
Principle 10: Health care organisations should use an
objective and balanced process to review the use and disclosure of personally
identifiable health information for research purposes. The provisions of
internationally accepted research documents, such as the Helsinki Declaration
have to be adhered to.
It is important to note that this applies to all research, even where the researcher only uses an existing patient file and has no patient contact at all.
Principle 11: Health care role players should not
disclose personally identifiable health information to law enforcement
officials or any other person acting in a capacity of investigating any alleged
or suspected offence, absent a compulsory legal process, such as a warrant or
court order.
This relates to various constitutional protections found in the SA Constitution and to the general principle that rights may only be limited if authorised by a law of general application that would pass muster under section 36.
Principle 12: Health privacy protections should be implemented in such a way as to enhance, and not undermine, existing laws prohibiting discrimination, such as the Promotion of Equality and Prevention of Unfair Discrimination Act of 2000 and the Employment Equity Act of 1998. This principle also applies to issues such as the profiling of practices and patient groups.
Principle 13: Strong and effective remedies for violations of privacy protections should be established, including employee training and disciplinary measures, and appropriate contractual provisions and penalties in agreements with any party contracting with a health care role player.
Principle 14: All role players that handle health care information should be held accountable for breaches of privacy and confidentiality in respect of information they hold. Aggrieved persons should have access to internal procedures and/or outside institutions at which to lodge complaints.
The National Health Bill creates penalties for health establishments and their staff for violations of privacy/data protection, but similar penalties should exist for other role players in this sector.