CompuGroup Medical
Synchronizing Healthcare

Learn all about the vision, mission as well as the people who shape CompuGroup Medical worldwide.

About us
Career
Magazine

POPI. Think Privacy.

The deadline for enforcement of the POPI Act is around the corner. From 01 July 2021, every business and healthcare practice in South Africa must comply with the regulations of the Protection of Personal Information Act ("POPIA" for short).

POPIA aims to protect yours, your practice’s, your staff’s, and your patient's Personal Information by establishing a framework around processing of Personal Information – including collecting, amending, sorting, storing, sharing, deleting, and further processing it. 

Further processing is when you use the Personal Information for a purpose other than that for which it was originally collected – so you can’t share your diabetic patients’ contact details with someone who wants to set up a Diabetic Support Group, for example, unless you have obtained the prior express consent of each of those patients to do so.

 

There is no checklist of do's and don’ts when it comes to the implementation of POPIA requirements. We have created some resources for you to help you get your practice POPIA aligned.

Your questions answered

1. What does POPIA stand for?

Protection of Personal Information Act 4 of 2013

2. When does the Act become enforceable?

The POPI Act came into effect on 1 July 2020, but gave a 12-month grace period for businesses to prepare. Your practice must be compliant from 01 July 2021 with the requirements of POPIA.

3. What Personal Information does POPIA refer to? 

Personal Information means information relating to an identifiable, living, natural person (human), or an identifiable, existing juristic person (organisation). The person or organisation that the Personal Information belongs to is known as the Data Subject.

Personal Information includes, but is not limited to: 

Physical address / correspondence / marital status / disability / preferences / race/ gender / age / language / employment history / criminal record/ biometrics; phone number / pregnancy / health status / date of birth / nationality / correspondence / identity number / biometrics / education / e-mail address / opinions / others' opinions about you / name

Special Personal Information is a sub-set of Personal Information which is particularly sensitive, and can have serious consequences if shared inappropriately. All Personal Information relating to your Patients’ health qualifies as Special Personal Information.

Special Personal Information includes, but is not limited to:

Health information / philosophical beliefs / sex life / race / religious beliefs / ethnic origin / criminal behaviour / trade union membership / political persuasion.

4. Who is allowed to process Health Information?

Section 26 of POPIA sets down a blanket ban on the processing of Special Personal Information, unless the person processing the information is specially authorised to do so. Section 32 of POPIA sets down who is specially authorised to process health information, and for what purposes they are allowed to process it. For your purposes, these include: 

  • Medical professionals like you, healthcare institutions and facilities, and social services for the proper treatment or care of a Data Subject, and for the administration of a medical practice.
  • Insurance companies, medical schemes, administrators, managed care organisations for the assessment of risk, performing in terms of an agreement with the Data Subject, enforcing contractual rights, or supporting the provision of proper treatment or care in the interests of the Data Subject’s health. CGM falls into this category. 

The information can only be processed subject to an obligation of confidentiality imposed by the Responsible Party’s office, employment, profession, legal obligation, or written contract.

The Special Personal information must always be treated as confidential. In particular, Personal Information regarding inherited characteristics can’t be processed unless a serious medical interest prevails or the processing is necessary for historical, statistical or research activity.

5. Who is responsible for implementing privacy in my medical practice?

In any organisation, ultimately the head of the organisation is the registered Information Officer, and is responsible for privacy, but he/she can appoint a Deputy Information Officer or so-called Privacy Officer or suitably qualified person to oversee implementation.

6. How can I certify my practice for POPIA?

There is no such thing as a POPIA certificate at this stage. The regulator has not put a certification system in place which means no one can provide a certificate. At this stage, organisations and practices can only become POPIA ready. 

POPIA is principle-based legislation, not rules-based legislation. Practices need to strive to adhere to the principles enshrined in the Act – namely the intrinsic right to privacy (including the right to be forgotten), the data subject’s ownership of their Personal Information, and the obligations of any Responsible Party or Operator to act as responsible custodians of Personal Information when they are processing it for any authorised reason.

7. Can CGM provide customers with POPIA compliant document templates?

Yes, although CGM is not a legal firm or provider of legal advice. CGM will provide you with a draft Data Processing Agreement to use with your staff, and with a draft Patient Consent document. 

8. As a CGM customer, do I need to sign a Data Processing Agreement with CGM?

Yes. CGM will be sending you a Data Processing Agreement to formalise the rights and obligations between your practice and CGM in relation to processing Personal Information.

9. Will each medical practice need an Information Officer?

Yes. Go to https://www.justice.gov.za/inforeg/portal.html and register as Information Officer online. 

You will find more information about the duties of the Information Officer on the following page: https://justice.gov.za/inforeg/docs.html

10. As the only person in the practice must I register as an information officer?

Yes. All businesses will need to register and you will have to therefore register.

11. Is communicating with patients through WhatsApp advisable?

If it is their only available means of communication, and the communication is in their interests, then yes. But rather choose a more secure form of communication when Personal Information, and in particular health information is being shared.

Ensure you use secure platforms like our CLICKDOC Telehealth platform embedded in CGM MEDEDI and MEDISTAR to do video consultations, rather than open platforms which cannot guarantee security safeguards.

12. Are CGM's switching services POPIA compliant?

Yes. but again refer to the earlier question regarding "compliancy". In effect, there are no compliancy rules, etc. published, but CGM has ensured the switching services are aligned and POPIA ready.

13. Is GDPR Europe also considered POPIA?

GDPR is the European Union’s equivalent of South Africa’s POPIA. There is about an 85% overlap between the legislation, with one of the most significant differences being that POPIA protects not just the right of individual people to privacy, but also the right of organisations (juristic persons) to privacy. It will be interesting to see how this plays out in practice.

14. If a patient requests a copy of his / her medical file, am I obliged to hand it over?

The patient is the owner of their health information. Practices are not the owner of the data. Practices are obliged to hand it over unless there is a very specific reason (in the patient’s interest) not to – for example, if the patient is suicidal, and the information in the file would push them over the edge. As a healthcare practitioner, you need to apply yourself if the information contained within the records are appropriate to handover.

15. Can I hand over a patient account to an attorney?

Yes. You can only hand over information to do with the bill and contact details though. If possible, block out the fields which show the diagnosis, medication names, etc, if they appear on the bill.

16. What information can I share on sick leave notes?

Best to not include specifics. Just stick to the fact that the person is booked off for X number of days, unless the patient gives you explicit permission to share their diagnosis with their employer.

17. What information can I share with life insurance policies (Sanlam etc.) who request medical history about patients?

They must send you proof that the patient has consented to the sharing of this information. Many people, when they initially sign up for life insurance, give a general consent to such enquiries in the initial form they fill out with the insurance company. However, POPIA requires you to check before releasing such information.

18. When an anaesthetist contacts me for my Drs ICD10 code, will I be able to give the code to them?

Yes, you will. You are sharing this information specifically for the benefit of the patient being treated.

19. Will it be possible for CGM to send us a detailed email as to all the measures they will be implementing with regards to POPIA?

CGM’s products and services were designed from the start to protect Personal Information. At this stage, CGM is putting a couple of formalities in place (like Data Processing Agreements with all our customers, for example) to confirm that suitable protections are in place.

20. What would be the safest method to send patient reports via email i.e. encryption or password?

It is important to secure all information especially clinical information. This includes referral letters and prescriptions. CGM has functionality that integrates with third-party applications ensuring that shared information is secured.

21. How important and what guidelines do we need to follow for a password, soft data access, and backup of software databases? The act is still very light on cyber guidelines!

Everyone in the practice needs to have and use their own password, which they do not share. This password must have sufficient complexity: It should be at least ten characters long, should include upper- and lower-case letters, numbers, and special characters. And don’t write it down on a sticky note which you pop on your screen or into your desk!

Your operating system and software must be up to date enough to still receive security patches. Your IT provider should advise you in this regard. Not being willing to spend money on a computer upgrade is a poor reason for jeopardising the future of your practice. One significant Personal Information security breach is sufficient to wipe out a practice.

If your practice’s data is backed up to the cloud, then your provider handles the back-ups. If you do not use a cloud-based service, then you need to make at least 2 daily back-ups, one of which must be stored off-site. Your back-ups must be checked regularly to ensure that they work and are not corrupted.

22. Will your systems include MFA (Multiple Factor Authentication)?

MFA is available on our Telehealth solution CLICKDOC. It requires activation. Although MEDEDI, PMO and Practice Perfect already include the functionality to support complex password protection, we will introduce further product updates to meet and exceed industry standards for password strength enforcement. This will ensure that all users of our applications within your practices will need to use their unique password. The updates will enable users to reset passwords securely.  

23. When sending scripts or replying to a patient's email, should this be encrypted?

Yes.

24. If a medical specialist sends back a report of a patient to the general practitioner, do I need to send the report as a PDF that is password protected?

Yes.

25. With COVID some patients prefer filling in their intake forms online and they email the form back to reception. Does this need to be sent back to us password protected? If a patient doesn't know how to do that, what can we do to assist those patients to complete their forms online?

You could send them a guide on how to encrypt the document. Otherwise, if the technological requirements will provide a severe obstacle, you can ask the patient to send the information to you, and then once you have it, make sure you save it in a more secure format, and then delete the mail from your inbox.

26. What is the suggested combination of elements for a secure password?

Most corporate companies would suggest using a complex password made up with one of each of the following: Capital, lower-case, numerical and special Character with at least 8 characters in length such as: [email protected]

However, make your password memorable, or a phrase which you will remember such as AsIwalkthroughthevalley or [email protected] each of these passwords would take more than a 1000 centuries for an average computer to crack.

Test your passwords on https://password.kaspersky.com/

27. Is Microsoft 365 backup as secure as a hosted solution? And in general, can it be used for backups? How secure are backups in Microsoft?

As with any solution for security and safety of data it depends on how the solution is deployed and how it is configured, this depends on the policies, procedures and the group of people or person implementing the solution.

Microsoft 365 backups refer to the Microsoft productivity suite’s backup for E-mails, OneDrive, SharePoint and so on. If your Data Lose Protection rules and policies are properly implemented and monitored the basic functionality from Microsoft 365 will suffice in protecting your data in terms of recovery but not in terms of Data breach.

Microsoft Azure offers a service called Azure Recovery Services. The service can be implemented to backup a local on-premises Server or desktop environment, as well as existing Hosted applications regardless of it being in the Azure environment. This service, when implemented correctly can offer both fast data recovery and Disaster Recover for your environments.

28. Where can I find information from the HPCSA regarding Patient Consent and Data Privacy?

HPCSA published the "Ethical guidelines for good practice in the health care professions". You can find them here.

Booklet 4 speaks about "Seeking patients’ informed consent: The ethical considerations" and booklet 9 about "Guidelines on Patient Records".

29. Please advise where I can get a PAIA manual

While all Public entities must have a PAIA manual, Private entities only need one if they have 50 employees or more. So, most of our customers don’t need one at all. The government provides a template. We can provide you a copy of this template if needed. You can also find many examples on the internet. For example, CGM’s can be found at https://www.cgm.com/zaf_en/about-cgm/paia-manual.html. Most large companies have theirs on their websites.

30. Must my practice have a website to publish a PAIA manual?

No. You must just have a copy at your practice or headquarters available for members of the public to view. This can therefore be in a hard-copy format or soft-copy, but needs to be made available to a requesting party, if applicable to your organisation.

31. When CGM staff connects remotely to my practice system, what guarantee do I have that your staff are a) authorised to access my and my patient's data? b) what recourse do I have if something goes wrong?

All of CGM’s staff have signed confidentiality and data security agreements as part of their employment terms. They will only get access to your system when you actively grant them access, and their access will automatically time out if there is no activity for any length of time. If a CGM employee committed a data breach, they could be reported to the Information Regulator.

32. Can you include a POPIA consent form on your Medme solution?

Yes. This is in progress and we will inform you once released.

33. Can you advise regarding storing data on google drive? Is it safe?

If the server is in the US, then possibly not. It is best to choose storage solutions that are either inside South Africa, or else that comply with GDPR – which is the European Union’s equivalent of POPIA.

34. When patients have provided consent to process their data already, e.g. for Discovery ID, must they give consent again?

That consent was only for Discovery ID. It did not give your practice the right to process the patient’s personal information, or for you to share that patient’s information with any other company (for example CGM) to provide them with integrated digital healthcare or switch their claims.

35. What documents must a practice have in place to ensure POPIA compliance?

To be aligned to POPIA, a practice should have a POPIA Policy, Data Processing Agreements with staff and all third parties it deals with, and consent documents from all patients, as a minimum. Additional policies could be drawn up by your practice such as data storage, data retention, and data description policies, amongst others. 

36. Is there a written checklist of everything we need to make sure our practice is compliant?

There is no definitive checklist, as POPIA is principle-based legislation rather than rule-based legislation. It is more about really understanding the value of private information and doing your best to put it in place and then adhere to policies and procedures to protect private information

37. What type of documents must I send to the Information Regulator?

You don’t need to send them any documents unless they contact you specifically and ask you to do so. You just need to register with the Information Regulator as an Information Officer for your practice.

38. Does a practice need a POPIA agreement with CGM going forward?

CGM has created a plain language Data Processing Agreement which it is busy sending out to all practices for signature. Please lookout for it. Please contact us if you have not received a request to sign one yet.

39. Is a hosted cloud solution not expensive? I can not afford to add more costs to my practice.

A hosted cloud solution is more expensive than a locally installed solution. However, the small monthly cost for the cloud solution may prove a small price to pay relative to the bother of having to make 2 daily database back-ups per day yourself, regularly testing your back-ups, no need for expensive hardware to host your on-premises systems, and the potentially catastrophic consequences for your practice in the event of a data breach. However, if you are in an area with poor internet connectivity, a cloud solution might not be appropriate for your practice.

40. Do I need to physically sign a POPIA third-party agreement? Or is it okay for me to accept with a tickbox or accept via email?

Yes, it is sufficient for you to accept a POPIA third-party agreement with a tickbox or via email.

41. We are a Paediatric practice and as POPIA requires, we ask the patients to sign consent for us to retain their (and their child’s) personal and medical information. But the act also states that a subject may withdraw consent. Where do we stand if the HPCSA guidelines state that we must keep records until the child turns 21? Are we obliged to destroy the medical information if a parent were to withdraw consent – this appears to conflict with the HPCSA guidelines?

It is our opinion that your legal obligations as a doctor and in terms of HPCSA guidelines trump a patient’s demand for you to destroy their records in such a situation. As long as your reason for keeping the data would stand up to the legal challenge, you can keep it – as long as you keep it securely and do not share it without legal permission.

42. Could you share a Privacy Policy sample template to attach to our emails or letters or is it not necessary?

Once your practice has taken the necessary steps to put proper data security in place, to create a Privacy Policy, to register an Information Officer, train its staff, and ensure that its processes are POPIA aligned, then it can’t hurt to add a little note to the practice signature saying that ‘This practice takes the protection of information seriously’ with a link to your Privacy Policy.

43. Do you have a template of a poster / sign to be displayed in our reception area to show we are POPIA aligned or could we just display a copy of the Registration certificate?

There is no certificate that you can put up in your practice to show that you are POPIA aligned. Hanging up a copy of your Information Officer registration form will also not make a difference. CGM does have POPIA posters available for customers to use in your practice simply  CLICK HERE to complete a request form and we will contact you. 

However, it wouldn’t hurt for you to print out a sign for your reception area stating that ‘This practice is serious about the protection of personal information. Our Information Officer is [fill in name and phone number and email address here].

44. Is it necessary for patient consent forms to be signed by all patients above 18 years of age or only the main member of file?

Ideally anyone over 18 should complete their own consent form for the practice. 

45. Who would be considered 3rd Party operators?

Third party operators can be medical schemes, medical facilities, insurers, administrators, other medical practitioners, pharmacies, and electronic service providers – like CGM. In order for CGM to switch medical claims to medical schemes on behalf of your practice, the personal information recorded on the claims (for example your practice details, the patient’s name and medical aid number, their diagnosis and ICD-10 codes) will ‘pass through CGM’s hands’ via CGM’s electronic switch. The information is encrypted during this totally automated process, and CGM does not open and look at any of the content. Besides which, all of CGM’s staff have signed confidentiality and data security agreements as part of their employment conditions. So even if you contacted our call centre with a query about a particular claim and showed it to our staff, they are bound to treat the information with absolute confidentiality.

46. If the practice (on the patient's behalf) does not grant permission to share information, what are the consequences?

In CGM’s case, we would not be able to switch patient claims to medical schemes on your behalf, as the personal information on the claims would not be allowed to pass through our hands. In the case of medical schemes, if you do not send them the ICD-10 codes for your patient’s claims, they will not pay out for these claims. In the case of insurers, if you do not allow them access to the patients’ medical history when they are applying for insurance, the individual will not be able to obtain insurance. So some degree of careful and responsible sharing is essential in order to provide integrated medical care for your patients in their own interest.

47. What will be done with the information in the e.g. (Insurers hands)?

Each third party will only be entitled to process the information according to the specific mandate they have for collecting it. So this will differ from third party to third party. For example, CGM would process the personal information of patients by switching the claims containing it to medical schemes, or by switching lab results from pathology labs back to practices, or by transmitting e-scripts from practices to pharmacies. An insurer would have received an application from an individual to take out life cover. In the application the individual will have needed to consent to the insurer collecting health information about that individual for the purpose of assessing the risk of granting them the insurance policy. So the insurer would then apply to healthcare providers, like yourself, for copies of that individual’s health records. On receipt, the insurer would assess the health records to decide whether or not they were willing to take the individual on as a life-assurance client.

48. To prepare your practice for POPIA, you will need to:
  1. Register your principal as Information Officer for the practice with the Information Regulator. Find the link to the online registration form on the Information Regulator’s website.
  2. Draft and implement a Privacy Policy in your practice.
  3. Sign Data Processing agreements with all staff and third parties.
  4. Get all patients to sign Consent agreements.
  5. Ensure that all your practice’s hardware and software is sufficiently up to date to receive all the latest security patches, and that you have sufficient cybersecurity protection, and possibly insurance as well.
  6. Ensure that everyone at the practice has their own sufficiently complex password which they use all the time and do not share.
  7. Ensure that all paper and electronic records are safely stored and transmitted.
  8. Ensure that all staff are trained in POPIA aligned handling of personal information – for example, no more calling out to a patient across the waiting room to confirm their phone number or address.
  9. Ensure that your practice’s database is being backed-up daily, and that if you do not use a cloud service, that there are at least 2 copies of the back-up all the time, one of which is stored off-site.

By loading the video, you agree to transmitting data to YouTube and that you have read our privacy policy.

Accept
Preparing your practice for POPI

Practice Resources

POPIA Draft Agreements

Please note that these templates are a guidelines only and are not offered as a substitute for official legal advice.

Get your own POPIA Awareness Kit

          Please note that the POPI Awareness Kit is a guideline only and is                        not offered as a substitute for official legal advice.