CompuGroup Medical

POPIA misconceptions exposed

May 10, 2021

The impending deadline for enforcement of the Protection of Personal Information Act (POPIA) on 1 July 2021 has given rise to many misconceptions around the requirements for healthcare practitioners to be POPIA ready. Healthcare practitioners, among others, are under huge pressure to ensure that their practices and patients have ticked all the boxes.

Below, some of the common misconceptions around this topic are debunked, with healthcare professionals in mind.

Misconception no. 1: After July 1st 2021 you should only deal with organisations that are POPIA certified.

There is no such thing as a POPIA compliance certificate. The Act does not provide for the Information Regulator to issue certificates proving that an organisation is POPIA compliant. POPIA is principle-based legislation rather than rules-based legislation. It provides a set of guidelines to which organisations must strive to align themselves on an ongoing basis.

An organisation may be considered POPIA aligned if:

1. It has designated an appropriate person (typically the head of the organisation) to serve as Information Officer.

2. It has drawn up appropriate policies to govern the processing of personal information, and has shared this policy internally and externally with those who interact with the organisation.

3. It has instituted sufficient security measures (physical and cyber security) to protect personal information in its hands and which it processes.

4. It has eliminated all unnecessary caches of personal information, whether in physical or electronic form.

5. It can clearly explain why it holds or processes any piece of personal information, and can confirm that the particular person within the organisation dealing with it is authorised to do so.

6. It has implemented documented procedures for the secure processing of personal information within its organisation, and has safeguards in place to ensure that these procedures are followed.

7. It has procedures in place to detect, report on, mitigate, and halt any data breach, unlawful destruction or unlawful processing that does occur.


Misconception no. 2: POPIA is complete and covers everything.

1. In reality, the Act is a general document, and over time, the Information Regulator will release more detailed guidelines in relation to areas of special application – for example, the healthcare sector.

2. It is not clear from the Act whether, for example, the main member of a medical scheme will have the right to see the diagnosis and other healthcare information of his/her dependants.

3. POPIA does not trump any of the HPCSA regulations. For example, the HPCSA confidentiality policy still applies, even now that POPIA is in the picture.

4. Over time, as the Information Regulator and the courts deal with cases of breaches of the Act, details of the Act will be fleshed out and will become clearer.


Misconception no. 3: POPIA means you must destroy patient records once you stop seeing the patient.

1. POPIA requires all records to be held by a responsible party (for example, a doctor) only for as long as they are needed to perform the function for which they were obtained.

2. However, the Act states that a responsible party may hold personal information records for longer if required to do so by any law or regulation.

3. So in the case of medical records, healthcare practitioners must still keep patient records for at least six years after the record becomes dormant, until a minor patient turns 21, or, in the case of a mentally handicapped individual, until their death.


Misconception no. 4: POPIA only applies to electronic records.

1. POPIA applies equally to paper-based records.

2. Healthcare practitioners will need to be able to prove that any physical patient files are stored securely, and that individuals will only have access to specific patient information relevant to their functions within the practice.


Misconception no. 5: Organisations can outsource responsibility for POPIA to their IT providers or software vendors.

1. Overall responsibility for POPIA alignment cannot be outsourced.

2. The Information Officer of an organisation can delegate certain duties to other people within their organisation, or to contracted outside parties, but in the end, the organisation’s Information Officer will be the first in line to go to jail if an organisation breaches POPIA.

These are just a few of the common misconceptions currently doing the rounds, causing confusion and panic.

As one of the leaders in the medical technology industry, CompuGroup Medical South Africa is committed to supporting our customers through the process of becoming POPIA ready.
