Notice on Patient Privacy

Introduction

Netcare acknowledges the rights of patients to privacy and dignity. This includes the right to protection of private information. The inherent right to privacy is protected in the Constitution of Republic of South Africa.

All patient information must be protected from unauthorised access, loss or damage and respected as confidential by all users of the Netcare Doctor’s portal.
Failing to show due care for patient confidentiality may result in breach of patient rights and legal consequences.

Personal information is valuable to the Netcare Group.  Collection, storage and use of personal information through daily undertakings form part of normal business activities. In order to treat this information with the highest standard of confidentiality and privacy, it is important that all stakeholders comply with the requirements of this document. Key aspects relating to patient care is extracted for ease of reference below.

Ownership of Information

Any and all information that is processed by Netcare, its employees and/or stakeholders on Netcare electronic equipment, in hard copy format and/or soft copy, or on any storage or transmission system is the property of Netcare and is deemed to be owned by Netcare.

Consent

No personal information may be disclosed or processed in any way that is incompatible with the consent provided, unless subsequent consent has been obtained in the course of conducting business.

Notice

Notice should be provided to the patient at time of collection describing the purpose for which personal information is collected, whether or not the supply of personal information is voluntary or mandatory, the consequences of failure to provide the information and how personal information will be used.

Information security

All reasonable steps must be taken, including physical, administrative and technical safeguards, to protect personal information from loss, misuse, unauthorised access, disclosure, alterations and destruction.

Awareness and education

Stakeholders should ensure that privacy issues are discussed to ensure that all users understand the importance of this pertinent issue and has the means to deal with this in an appropriate manner.

Incidents

All information privacy related incidents must be reported to Netcare Legal for investigation and resolution.

Confidentiality

A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. The duty of care is embodied in the legislative framework of the law and in professional code of conducts of various health care providers. Patient entrust us with and allow us to gather sensitive information relating to their health and other matters as part of their seeking treatment. Their expectation to privacy and confidentiality is legitimate. No disclosure of patient identifiable information can be done without the express consent of the individual involved. The only override is where it is in the public’s interest to do so.

Legal Framework
  • The Constitution South Africa Act No 108 of 1996 (s14) deals pertinently with the right to privacy and confidentiality.
  • The Children’s Act No 38 of 2005 (13) states that each child has the right to confidentiality regarding his health status except when maintaining such confidentiality is not in the best interest of the child.
  • The Electronic Communications and Transactions Act No 25 of 2002 applies in respect of electronic transactions or data messages and state that data controller should have the express written permission of the data subject for the processing, collecting, collation or disclosure of information of a person.
  • The Medical Schemes Act No 131 of 1998 (57) deals with the business of a medical scheme and the duties of the Board of Trustees to ensure all reasonable steps are taken to protect the information of members.
  • The Mental Health Care Act No 17 of 2002 (8) states that a person’s human dignity and privacy must be respected.
  • The National Health Act No 61 of 2003 (14) stipulates that the information is confidential and may not be disclosed if not consented to.
  • The Nursing Act No 33 of 2005, regulations deal dealing with acts of omission specifies that information obtained concerning a patient in the course of professional activities may not be disclosed without consent.
  • The Pharmacy Act no 53 of 1974, rules relating to good pharmacy practice deals extensively with disclosure of information obtained in the course of professional activities without express consent will constitute unethical or unprofessional conduct.
  • The Promotion of Access to Information Act No 2 of 2000 deals with rights of access to information and clearly state that personal information may not be disclosed to third-party unless the party has given permission for disclosure of information.
Process
  • It is important to recognise for each process or decision that the following is considered before release of information.
    • Does it justify the purpose?
    • Is the minimum patient identifiable detail disclosed?
    • Access to information is on a strict to know basis only?
    • Everyone involved with patient information understand their role?
    • Compliance to the law is a first priority?

 If you answer no to any of these questions it is recommended that you reconsider your decision.

  • Right to refuse or permit the sharing of information
    • It is essential that patients indicate whether their information captured on Netcare records may be shared with treating physician and other doctors that patient may be referred to.
    • The decision made will dictate the extent of sharing of information.
    • Providing of lists to clergy may only be done with the explicit written consent of the patient.
    • The patient always has the right to refuse his/her name being placed on a list.
  • Sharing with Managed Care and Third parties
    • It is important to note that when there is a medical aid involved, the patient’s attention should be drawn to the fact that the medical aid is entitled to full disclosure of patient’s ICD-10 treatment and diagnostic codes.
    • Without this, there may be a dispute regarding payment in which case the patient will be liable for the full amount.
    • This information is shared to facilitate the payment process, and refusal of patient that ICD coding may be disclosed should be dealt with by the reception staff.
    • Where medical aid case workers require more disclosure an indemnity should be provided with the information.
  • Need to know basis
    • In defining the data models for Netcare with access rights the need to know principal and least share philosophy will be adopted.
    • Data access profiles have to be defined on a need to know basis only. Changes to logical data profiles have to be ratified and approved by Netcare to ensure this requirement is met.
    • If a third-party requires information from an individual, permission has to be granted by the individual in the required format prior to providing the information to requestor.