CompuGroup Medical
Synchronizing Healthcare


POPI. Think Privacy.

The deadline for enforcement of the POPI Act is around the corner. From 01 July 2021, every business and healthcare practice in South Africa must comply with the regulations of the Protection of Personal Information Act ("POPIA" for short).

POPIA aims to protect your, your practice’s, your staff’s and your patients’ Personal Information by establishing a framework around the processing of Personal Information – including collecting, amending, sorting, storing, sharing, deleting and further processing it.

Further processing is when you use the Personal Information for a purpose other than that for which it was originally collected – so you can’t share your diabetic patients’ contact details with someone who wants to set up a Diabetic Support Group, for example, unless you have obtained the prior express consent of each of those patients to do so.


There is no checklist of do's and don’ts when it comes to the implementation of POPIA requirements. We have created some resources for you to help you get your practice POPIA aligned.

Your questions answered

1. What does POPIA stand for?

Protection of Personal Information Act 4 of 2013

2. When does the Act become enforceable?

The POPI Act came into effect on 1 July 2020, but gave a 12-month grace period for businesses to prepare. Your practice must be compliant from 01 July 2021 with the requirements of POPIA.

3. What Personal Information does POPIA refer to? 

Personal Information means information relating to an identifiable, living, natural person (human), or an identifiable, existing juristic person (organisation). The person or organisation that the Personal Information belongs to is known as the Data Subject.

Personal Information includes, but is not limited to: 

Physical address / correspondence / marital status / disability / preferences / race / gender / age / language / employment history / criminal record / biometrics / phone number / pregnancy / health status / date of birth / nationality / identity number / education / e-mail address / opinions / others' opinions about you / name

Special Personal Information is a sub-set of Personal Information which is particularly sensitive, and can have serious consequences if shared inappropriately. All Personal Information relating to your Patients’ health qualifies as Special Personal Information.

Special Personal Information includes, but is not limited to:

Health information / philosophical beliefs / sex life / race / religious beliefs / ethnic origin / criminal behaviour / trade union membership / political persuasion.

4. Who is allowed to process Health Information?

Section 26 of POPIA sets down a blanket ban on the processing of Special Personal Information, unless the person processing the information is specially authorised to do so. Section 32 of POPIA sets down who is specially authorised to process health information, and for what purposes they are allowed to process it. For your purposes, these include: 

  • Medical professionals like you, healthcare institutions and facilities, and social services for the proper treatment or care of a Data Subject, and for the administration of a medical practice.
  • Insurance companies, medical schemes, administrators, managed care organisations for the assessment of risk, performing in terms of an agreement with the Data Subject, enforcing contractual rights, or supporting the provision of proper treatment or care in the interests of the Data Subject’s health. CGM falls into this category. 

The information can only be processed subject to an obligation of confidentiality imposed by the Responsible Party’s office, employment, profession, legal obligation, or written contract.

Special Personal Information must always be treated as confidential. In particular, Personal Information regarding inherited characteristics can’t be processed unless a serious medical interest prevails or the processing is necessary for historical, statistical or research activity.

5. Who is responsible for implementing privacy in my medical practice?

In any organisation, the head of the organisation is ultimately the registered Information Officer and is responsible for privacy, but he/she can appoint a Deputy Information Officer (a so-called Privacy Officer) or another suitably qualified person to oversee implementation.

6. How can I certify my practice for POPIA?

There is no such thing as a POPIA certificate at this stage. The regulator has not put a certification system in place which means no one can provide a certificate. At this stage, organisations and practices can only become POPIA ready. 

POPIA is principle-based legislation, not rules-based legislation. Practices need to strive to adhere to the principles enshrined in the Act – namely the intrinsic right to privacy (including the right to be forgotten), the data subject’s ownership of their Personal Information, and the obligations of any Responsible Party or Operator to act as responsible custodians of Personal Information when they are processing it for any authorised reason.

7. Can CGM provide customers with POPIA compliant document templates?

Yes, although CGM is not a legal firm or provider of legal advice. CGM will provide you with a draft Data Processing Agreement to use with your staff, and with a draft Patient Consent document. 

8. As a CGM customer, do I need to sign a Data Processing Agreement with CGM?

Yes. CGM will be sending you a Data Processing Agreement to formalise the rights and obligations between your practice and CGM in relation to processing Personal Information.

9. Will each medical practice need an Information Officer?

Yes. Go to https://www.justice.gov.za/inforeg/portal.html and register as Information Officer online. 

You will find more information about the duties of the Information Officer on the following page: https://justice.gov.za/inforeg/docs.html

10. As the only person in the practice must I register as an information officer?

Yes. All businesses need to register, so you will have to register too.

11. Is communicating with patients through WhatsApp advisable?

If it is their only available means of communication, and the communication is in their interests, then yes. But rather choose a more secure form of communication when Personal Information, and in particular health information is being shared.

Ensure you use secure platforms like our CLICKDOC Telehealth platform embedded in CGM MEDEDI and MEDISTAR to do video consultations, rather than open platforms which cannot guarantee security safeguards.

12. Are CGM's switching services POPIA compliant?

Yes, but again refer to the earlier question regarding "compliance". In effect, no compliance rules have been published, but CGM has ensured that the switching services are aligned and POPIA ready.

13. Is GDPR Europe also considered POPIA?

GDPR is the European Union’s equivalent of South Africa’s POPIA. There is about an 85% overlap between the legislation, with one of the most significant differences being that POPIA protects not just the right of individual people to privacy, but also the right of organisations (juristic persons) to privacy. It will be interesting to see how this plays out in practice.

14. If a patient requests a copy of his / her medical file, am I obliged to hand it over?

The patient is the owner of their health information. Practices are not the owner of the data. Practices are obliged to hand it over unless there is a very specific reason (in the patient’s interest) not to – for example, if the patient is suicidal and the information in the file would push them over the edge. As a healthcare practitioner, you need to apply your mind to whether the information contained in the records is appropriate to hand over.

15. Can I hand over a patient account to an attorney?

Yes, but you can only hand over information to do with the bill and contact details. If possible, block out the fields which show the diagnosis, medication names, etc., if they appear on the bill.

16. What information can I share on sick leave notes?

Best not to include specifics. Just stick to the fact that the person is booked off for X number of days, unless the patient gives you explicit permission to share their diagnosis with their employer.

17. What information can I share with life insurance policies (Sanlam etc.) who request medical history about patients?

They must send you proof that the patient has consented to the sharing of this information. Many people, when they initially sign up for life insurance, give a general consent to such enquiries in the initial form they fill out with the insurance company. However, POPIA requires you to check before releasing such information.

18. When an anaesthetist contacts me for my Dr's ICD-10 code, will I be able to give the code to them?

Yes, you will. You are sharing this information specifically for the benefit of the patient being treated.

19. Will it be possible for CGM to send us a detailed email as to all the measures they will be implementing with regards to POPIA?

CGM’s products and services were designed from the start to protect Personal Information. At this stage, CGM is putting a couple of formalities in place (like Data Processing Agreements with all our customers, for example) to confirm that suitable protections are in place.

20. What would be the safest method to send patient reports via email i.e. encryption or password?

It is important to secure all information especially clinical information. This includes referral letters and prescriptions. CGM has functionality that integrates with third-party applications ensuring that shared information is secured.

21. How important and what guidelines do we need to follow for a password, soft data access, and backup of software databases? The act is still very light on cyber guidelines!

Everyone in the practice needs to have and use their own password, which they do not share. This password must have sufficient complexity: It should be at least ten characters long, should include upper- and lower-case letters, numbers, and special characters. And don’t write it down on a sticky note which you pop on your screen or into your desk!

Your operating system and software must be up to date enough to still receive security patches. Your IT provider should advise you in this regard. Not being willing to spend money on a computer upgrade is a poor reason for jeopardising the future of your practice. One significant Personal Information security breach is sufficient to wipe out a practice.

If your practice’s data is backed up to the cloud, then your provider handles the back-ups. If you do not use a cloud-based service, then you need to make at least 2 daily back-ups, one of which must be stored off-site. Your back-ups must be checked regularly to ensure that they work and are not corrupted.

22. Will your systems include MFA (Multi-Factor Authentication)?

MFA is available on our Telehealth solution CLICKDOC. It requires activation. Although MEDEDI, PMO and Practice Perfect already include the functionality to support complex password protection, we will introduce further product updates to meet and exceed industry standards for password strength enforcement. This will ensure that all users of our applications within your practices will need to use their unique password. The updates will enable users to reset passwords securely.  

23. When sending scripts or replying to a patient's email, should this be encrypted?

Yes.

24. If a medical specialist sends back a report of a patient to the general practitioner, do I need to send the report as a PDF that is password protected?

Yes.

25. With COVID some patients prefer filling in their intake forms online and they email the form back to reception. Does this need to be sent back to us password protected? If a patient doesn't know how to do that, what can we do to assist those patients to complete their forms online?

You could send them a guide on how to encrypt the document. Otherwise, if the technical requirements present a severe obstacle, you can ask the patient to send the information to you and then, once you have it, make sure you save it in a more secure format and delete the mail from your inbox.

26. What is the suggested combination of elements for a secure password?

Most corporate companies would suggest using a complex password made up of at least one of each of the following: a capital letter, a lower-case letter, a number and a special character, with a length of at least 8 characters, for example: P@ssw0rd123

However, make your password memorable, or use a phrase which you will remember, such as AsIwalkthroughthevalley or As1walkthr0ughtthev@ll3y. Each of these passwords would take more than 1000 centuries for an average computer to crack.

Test your passwords on https://password.kaspersky.com/
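One way to check passwords against the rules stated in questions 21 and 26 (example code added here, not CGM's own; the word list and the substitution table are constructed for the example): it applies the ten-character complexity rule from question 21, flags passwords like P@ssw0rd123 whose symbol substitutions hide a dictionary word, and adds a crude length-based strength estimate so that the passphrases from question 26 can be judged against the same policy.

```python
"""Password policy check for the practice rules above: at least ten characters
(question 21) with upper- and lower-case letters, digits and special characters,
plus a check that letter-for-symbol substitutions do not hide a dictionary word
(the P@ssw0rd123 pattern from question 26). Added example; not CGM's code."""
import math
import re
import string

MIN_LENGTH = 10  # the length stated in question 21

# Constructed mini word list for the example. A real deployment would check
# against a breached-password list instead of a handful of words.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "practice"}

# Substitutions people commonly use to satisfy "digit and special character" rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, drop a trailing digit/symbol suffix (the '123'), undo leet."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def complexity_failures(password: str) -> list[str]:
    """Return the question-21 rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def entropy_bits(password: str) -> float:
    """Crude strength estimate: length x log2(size of the character pool used).
    It overstates strength for dictionary words, which is why the leet check
    exists alongside it."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str) -> dict:
    """Combine the checks into one verdict for the practice's password policy."""
    base = normalise(password)
    dictionary_base = base if base in COMMON_BASE_WORDS else None
    failures = complexity_failures(password)
    return {
        "meets_complexity_rules": not failures,
        "acceptable": not failures and dictionary_base is None,
        "failures": failures,
        "dictionary_base": dictionary_base,
        "entropy_bits": round(entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "AsIwalkthroughthevalley",
                      "As1walkthr0ughtthev@ll3y"):
        print(candidate, assess(candidate))
```

Note that P@ssw0rd123 satisfies every character-class rule yet is flagged, while the plain passphrase scores far higher on the length estimate but fails the digit and special-character rules, which is the gap between complexity rules and actual strength.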

27. Is Microsoft 365 backup as secure as a hosted solution? And in general, can it be used for backups? How secure are backups in Microsoft?

As with any solution for the security and safety of data, it depends on how the solution is deployed and configured, which in turn depends on the policies, procedures and the people implementing the solution.

Microsoft 365 backups refer to the Microsoft productivity suite’s backup for e-mails, OneDrive, SharePoint and so on. If your Data Loss Protection rules and policies are properly implemented and monitored, the basic functionality of Microsoft 365 will suffice to protect your data in terms of recovery, but not in terms of protection against a data breach.

Microsoft Azure offers a service called Azure Recovery Services. The service can be implemented to back up a local on-premises server or desktop environment, as well as existing hosted applications, regardless of whether they are in the Azure environment. This service, when implemented correctly, can offer both fast data recovery and Disaster Recovery for your environments.

28. Where can I find information from the HPCSA regarding Patient Consent and Data Privacy?

HPCSA published the "Ethical guidelines for good practice in the health care professions". You can find them here.

Booklet 4 speaks about "Seeking patients’ informed consent: The ethical considerations" and booklet 9 about "Guidelines on Patient Records".

29. Please advise where I can get a PAIA manual

While all Public entities must have a PAIA manual, Private entities only need one if they have 50 employees or more. So, most of our customers don’t need one at all. The government provides a template. We can provide you a copy of this template if needed. You can also find many examples on the internet. For example, CGM’s can be found at https://www.cgm.com/zaf_en/about-cgm/paia-manual.html. Most large companies have theirs on their websites.

30. Must my practice have a website to publish a PAIA manual?

No. You must just have a copy at your practice or headquarters available for members of the public to view. This can therefore be in a hard-copy format or soft-copy, but needs to be made available to a requesting party, if applicable to your organisation.

31. When CGM staff connects remotely to my practice system, what guarantee do I have that your staff are a) authorised to access my and my patient's data? b) what recourse do I have if something goes wrong?

All of CGM’s staff have signed confidentiality and data security agreements as part of their employment terms. They will only get access to your system when you actively grant them access, and their access will automatically time out after a period of inactivity. If a CGM employee committed a data breach, they could be reported to the Information Regulator.

32. Can you include a POPIA consent form on your Medme solution?

Yes. This is in progress and we will inform you once released.

33. Can you advise regarding storing data on google drive? Is it safe?

If the server is in the US, then possibly not. It is best to choose storage solutions that are either inside South Africa, or else that comply with GDPR – which is the European Union’s equivalent of POPIA.

34. When patients have provided consent to process their data already, e.g. for Discovery ID, must they give consent again?

That consent was only for Discovery ID. It did not give your practice the right to process the patient’s personal information, or for you to share that patient’s information with any other company (for example CGM) to provide them with integrated digital healthcare or switch their claims.

35. What documents must a practice have in place to ensure POPIA compliance?

To be aligned to POPIA, a practice should have a POPIA Policy, Data Processing Agreements with staff and all third parties it deals with, and consent documents from all patients, as a minimum. Additional policies could be drawn up by your practice such as data storage, data retention, and data description policies, amongst others. 

36. Is there a written checklist of everything we need to make sure our practice is compliant?

There is no definitive checklist, as POPIA is principle-based legislation rather than rule-based legislation. It is more about really understanding the value of private information, doing your best to put policies and procedures in place to protect it, and then adhering to them.

37. What type of documents must I send to the Information Regulator?

You don’t need to send them any documents unless they contact you specifically and ask you to do so. You just need to register with the Information Regulator as an Information Officer for your practice.

38. Does a practice need a POPIA agreement with CGM going forward?

CGM has created a plain-language Data Processing Agreement which it is busy sending out to all practices for signature. Please look out for it, and contact us if you have not received a request to sign one yet.

39. Is a hosted cloud solution not expensive? I cannot afford to add more costs to my practice.

A hosted cloud solution is more expensive than a locally installed solution. However, the small monthly cost of the cloud solution may prove a small price to pay relative to the bother of making 2 database back-ups per day yourself and regularly testing them, the cost of hardware to host your on-premises systems, and the potentially catastrophic consequences for your practice in the event of a data breach. However, if you are in an area with poor internet connectivity, a cloud solution might not be appropriate for your practice.

40. Do I need to physically sign a POPIA third-party agreement? Or is it okay for me to accept with a tickbox or accept via email?

No physical signature is needed: it is sufficient for you to accept a POPIA third-party agreement with a tickbox or via email.

41. We are a Paediatric practice and as POPIA requires, we ask the patients to sign consent for us to retain their (and their child’s) personal and medical information. But the act also states that a subject may withdraw consent. Where do we stand if the HPCSA guidelines state that we must keep records until the child turns 21? Are we obliged to destroy the medical information if a parent were to withdraw consent – this appears to conflict with the HPCSA guidelines?

It is our opinion that your legal obligations as a doctor and in terms of HPCSA guidelines trump a patient’s demand for you to destroy their records in such a situation. As long as your reason for keeping the data would stand up to the legal challenge, you can keep it – as long as you keep it securely and do not share it without legal permission.

42. Could you share a Privacy Policy sample template to attach to our emails or letters or is it not necessary?

Once your practice has taken the necessary steps to put proper data security in place, to create a Privacy Policy, to register an Information Officer, train its staff, and ensure that its processes are POPIA aligned, then it can’t hurt to add a little note to the practice signature saying that ‘This practice takes the protection of information seriously’ with a link to your Privacy Policy.

43. Do you have a template of a poster / sign to be displayed in our reception area to show we are POPIA aligned or could we just display a copy of the Registration certificate?

There is no certificate that you can put up in your practice to show that you are POPIA aligned. Hanging up a copy of your Information Officer registration form will also not make a difference. CGM does have POPIA posters available for customers to use in their practices; simply CLICK HERE to complete a request form and we will contact you.

However, it wouldn’t hurt for you to print out a sign for your reception area stating that ‘This practice is serious about the protection of personal information. Our Information Officer is [fill in name and phone number and email address here].’

44. Is it necessary for patient consent forms to be signed by all patients above 18 years of age or only the main member of file?

Ideally anyone over 18 should complete their own consent form for the practice. 

45. Who would be considered 3rd Party operators?

Third party operators can be medical schemes, medical facilities, insurers, administrators, other medical practitioners, pharmacies, and electronic service providers – like CGM. In order for CGM to switch medical claims to medical schemes on behalf of your practice, the personal information recorded on the claims (for example your practice details, the patient’s name and medical aid number, their diagnosis and ICD-10 codes) will ‘pass through CGM’s hands’ via CGM’s electronic switch. The information is encrypted during this totally automated process, and CGM does not open and look at any of the content. Besides which, all of CGM’s staff have signed confidentiality and data security agreements as part of their employment conditions. So even if you contacted our call centre with a query about a particular claim and showed it to our staff, they are bound to treat the information with absolute confidentiality.

46. If the practice (on the patient's behalf) does not grant permission to share information, what are the consequences?

In CGM’s case, we would not be able to switch patient claims to medical schemes on your behalf, as the personal information on the claims would not be allowed to pass through our hands. In the case of medical schemes, if you do not send them the ICD-10 codes for your patient’s claims, they will not pay out for these claims. In the case of insurers, if you do not allow them access to the patients’ medical history when they are applying for insurance, the individual will not be able to obtain insurance. So some degree of careful and responsible sharing is essential in order to provide integrated medical care for your patients in their own interest.

47. What will be done with the information once it is in a third party's (e.g. an insurer's) hands?

Each third party will only be entitled to process the information according to the specific mandate they have for collecting it. So this will differ from third party to third party. For example, CGM would process the personal information of patients by switching the claims containing it to medical schemes, or by switching lab results from pathology labs back to practices, or by transmitting e-scripts from practices to pharmacies. An insurer would have received an application from an individual to take out life cover. In the application the individual will have needed to consent to the insurer collecting health information about that individual for the purpose of assessing the risk of granting them the insurance policy. So the insurer would then apply to healthcare providers, like yourself, for copies of that individual’s health records. On receipt, the insurer would assess the health records to decide whether or not they were willing to take the individual on as a life-assurance client.

48. To prepare your practice for POPIA, you will need to:
  1. Register your principal as Information Officer for the practice with the Information Regulator. Find the link to the online registration form on the Information Regulator’s website.
  2. Draft and implement a Privacy Policy in your practice.
  3. Sign Data Processing agreements with all staff and third parties.
  4. Get all patients to sign Consent agreements.
  5. Ensure that all your practice’s hardware and software is sufficiently up to date to receive all the latest security patches, and that you have sufficient cybersecurity protection, and possibly insurance as well.
  6. Ensure that everyone at the practice has their own sufficiently complex password which they use all the time and do not share.
  7. Ensure that all paper and electronic records are safely stored and transmitted.
  8. Ensure that all staff are trained in POPIA aligned handling of personal information – for example, no more calling out to a patient across the waiting room to confirm their phone number or address.
  9. Ensure that your practice’s database is being backed up daily, and that if you do not use a cloud service, there are at least 2 copies of the back-up at all times, one of which is stored off-site.

Preparing your practice for POPI

Practice Resources

POPIA Draft Agreements

Please note that these templates are guidelines only and are not offered as a substitute for official legal advice.

Get your own POPIA Awareness Kit

Please note that the POPI Awareness Kit is a guideline only and is not offered as a substitute for official legal advice.