This is a true story.
Mike Michaels* needed to lose weight and the process was frustrating. He asked his doctor to prescribe a drug called Glucophage, to see if it would speed up the weight loss. While the drug is usually prescribed for diabetics, research has shown promise for its use as a weight loss aid. After a trial period, however, Mike discontinued the treatment, as it proved ineffective in his case.
The story does not, however, end there.
Completely unrelated to the weight loss experiment, he contacted his insurance company to arrange an increase in his personal insurance cover. The insurer came back with a request that he be tested for diabetes before the policy would be approved. Confused, Mike wanted to know why. The insurer informed him that they had records showing that he had been prescribed Glucophage by Dr X, that the prescription had been filled on the 28th of October at XYZ pharmacy, and that Mike had paid cash for it. Based on that, they were concerned that he might be at risk of diabetes, since the drug is usually prescribed to diabetics.
Where did the insurance company get this information from? More importantly, who gave permission for it to be shared? Mike Michaels was very sure that he had never given permission for his sensitive personal information to be shared across industries.
This is not an isolated incident.
(*alias used to protect privacy)
The healthcare industry arguably processes more personal information, and more sensitive personal information, than any other industry.
Every year millions of patient health data records are processed in the Healthcare Industry in South Africa.
The question is this:
have patients given informed consent for the processing of their information by all the role-players in the health data record ecosystem? And furthermore, do healthcare providers know and understand what happens to their patients' confidential data once it has been submitted for payment?
Guarding patient confidentiality is nothing new to the healthcare profession, yet the existing processes are no longer sufficient when it comes to the Protection of Personal Information Act (the PoPI Act). In fact, there are significant shortcomings.
See how current patient health data processes fare when compared to the requirements of the PoPI Act.
South Africa has been lagging globally when it comes to the protection of personal information, but there is a benefit in that.
We can learn from others.
That is exactly what we’ve found in the Philippines, where we’ve participated in and observed the process of developing their National Privacy Legislation for the past few years. Their winning formula is the fostering of open dialogue and taking note of where the world has moved to.
We bring that learning to everything that we do in the health industry.
“Privacy by design advances the view that data privacy cannot be assured solely by compliance with regulatory frameworks. Privacy assurance must be an organisation’s default mode of operation. Its initiatives must be proactive, not reactive; preventative, not remedial. It should be considered even before a breach.”
Dr Boying Lallana, of the National Privacy Commission of the Philippines, December 2016
For the latest discussions around privacy, the implementation of PoPI, and what we can learn from around the world.
How far does the average health care practice fall short of the requirements of the PoPI Act?
Based on our work with a number of clients, the most common issues were found to revolve around:
- Staff practices
- Contracts
- Third-party suppliers
- Internal systems
- Patient consent
Each of these areas constitutes a notable risk when it comes to compliance with the PoPI Act. The complexity of structures and affiliations further increases these risks.
What you need to do
A few basic steps will get you on the road to privacy compliance.
- Understand the requirements of the PoPI Act and how it applies to your situation.
- Determine how far you fall short.
- Implement remedial actions to narrow the gap, making sure you keep records of all processes as required by the PoPI Act.
Interpreting the PoPI Act - given your particular situation - is key to the process, since this law is principle-based, which differs substantially from the usual rule-based regulation.
Learn more about this here.
How we can help
We bring insider knowledge from both the legislative and the healthcare practice sides to facilitate and simplify the implementation of compliance projects in the healthcare industry.
Because we understand the time constraints that practitioners work under, we’ve created packages to streamline
- what needs to be done,
- how to do it, and
- what it needs to look like.
Our MediPoPI suite of products is custom-built, with a range of packages to accommodate differing complexities.
The place to start
Understanding where you are right now determines how far you need to go.
Do you currently have an AAA rating, or are you closer to junk status?
Our proprietary rating system provides a clear assessment of your current situation, from which you can make informed decisions about how to proceed.
This rating isn’t just an internal compliance barometer. It can also form a key component of your patient relationship management strategy, assuring patients of your commitment to the protection of their privacy.
R12,750 for the initial rating
R2,500 per subsequent annual review
Once you are clear on the task ahead, choose one of our custom packages.
- How-to guides
- Case studies
- Do-it-yourself style
R15,000 (excl. VAT)

- How-to guides
- Case studies
- Personal hands-on guidance
R15,000 (excl. VAT) + fees
R1,565/bed (excl. VAT)
R14,500/employed health professional (excl. VAT) + fees