Health data must be protected against hacking
RECENTLY it was reported that personal data belonging to about 4.5 million health-care patients in the US was exposed due to the Heartbleed bug.
The hacking event was reported widely in the media and has led to a greater focus on what is done, or not as the case may be, to protect personal information within the sector.
Obviously, health-care information, as a category of personal information, is the most sensitive as it carries the potential to cause a person embarrassment, and expose them to ridicule or even social stigma.
Handing over one’s personal information to a trusted health-care provider is a daily activity for millions of people around the world, including South Africa.
The laws concerning data protection and the manner in which personal information is handled vary from jurisdiction to jurisdiction.
In South Africa, the Protection of Personal Information Act (the Information Act) introduces an entirely new regime for the protection of personal information, particularly health-care information.
While we are awaiting a date for the coming into effect of the Information Act, by proclamation by the president, measures are being effected in order to ensure that health-care providers are able to comply with the rigours of the Information Act insofar as protecting personal health-care information is concerned.
The Health Professions Council of South Africa (HPCSA), pursuant to powers under the Health Professions Act (HPA), has set out principles that should be followed by health-care providers, registered in terms of the HPA, when dealing with a patient’s personal information and how to protect that information once it is in the possession of the health-care provider.
However, the HPCSA’s rules do not bind every member of the health-care sector insofar as the rules apply only to those persons registered in terms of the HPA, such as general practitioners, dentists and psychologists.
This leaves an entire area of the sector without any particular rules, including allied health practitioners, African traditional practitioners and health establishments ranging from clinics and hospitals to service providers assisting with the storage of stem cells and sperm banks.
The Information Act identifies certain special personal information.
The category of “special personal information” includes the sub-categories of a data subject’s health, sex life or biometric information.
Accordingly, a great deal of attention is paid by the Information Act to the manner in which information concerning a person’s health, sex life or biometric information (collectively referred to as health information) is processed – bearing in mind that the term “processing” is defined as broadly as possible in the Information Act. Any handling of information concerning health information by any other person will fall within the provisions of the act.
Fundamentally, a data subject or patient must consent to any processing of his or her health information or the processing must fall into one of the exclusion categories in the Information Act.
A great deal of attention is paid to the processing of health information in the act. While it does endeavour to allow for the processing of health information by medical professionals, health-care institutions or facilities or social services, a number of conditions must be met in order for that processing to occur lawfully.
First, the processing must be necessary “for the proper treatment and care of the data subject”, or, second, for the administration of the institution or the provision of a professional practice. Third, the information must be subject to an obligation of confidentiality by virtue of “office, profession or legal provision”.
A separate section of the act is dedicated to the processing of information concerning “inherited characteristics”.
An outright prohibition exists in respect of the processing of such information unless there is a serious medical interest that prevails or the processing is necessary “for historical, statistical or research activities”.
That being said, while there may be relaxed rules in the Information Act concerning the processing of health information, the Information Act does not alleviate the obligation on persons processing such information to keep health information secure or to advise patients when compromises of their health information have occurred due to events such as hacking or any negligent exposure of the information to third parties.
In this regard, the Information Act is careful in imposing security safeguards that must be adopted by all processors of information in order to ensure that personal information is not lost, damaged, destroyed without authorisation, or susceptible to unlawful access or processing.
Therefore, the act imposes particular obligations on people processing information to implement measures to:
- “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.”
In addition, the Information Act requires particular steps to be taken to ensure that information is secure. These include written contracts between the health-care practitioner and an operator, being the party who processes information for or on behalf of the health-care practitioner, and requirements that health-care practitioners must notify patients where information is compromised or unlawfully released.
Such notifications must either be sent directly to the patient or published in the news media or prominently on the website of the health-care practitioner.
The Information Act prescribes the content of a notice of a security compromise as follows:
- “a description of the possible consequences of the security compromise;
- a description of the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.”
In the context of health information, the possible consequences of health information leaking into the public domain are sometimes extremely severe for a patient. One must assess carefully how to describe to a patient the consequences of his or her information leaking into the public domain.
The potential exposure of the health-care practitioner to the consequences suffered by a patient is severe, especially insofar as our courts have previously handed out damages for health-care providers compromising patients’ confidentiality in respect of a patient’s HIV status.
While the act deals generally with information and its processing and control in South Africa, the processing of health data requires particular attention simply because of its sensitive nature and the consequences for patients if it falls into the wrong hands.
Simply by considering how one would feel if one’s health information did fall into the wrong hands or became publicly available, one understands the need for the rigorous obligations to be fulfilled by health-care providers in order to ensure that they are able to meet the requirements of the act.
It is hoped that once the Information Act becomes law in South Africa, health-care information will be properly and lawfully protected and data subjects will have lawful remedies in cases where information is hacked, even by sophisticated bugs like Heartbleed.
Neil Kirby is director: health care and life sciences law at Werksmans Attorneys.