POPI Act compliance – What medical researchers need to know

By Yvette Erasmus – CEO and Vice President of MERC Research Inc


Patient health data confidentiality is nothing new to the medical industry. While personal health information contained in medical records is protected in South African healthcare legislation and the constitution, the Protection of Personal Information Act (POPIA) will have a significant impact on the medical research industry.


The Health Professions Council of South Africa (HPCSA) imposes guidelines relating to storage, confidentiality and protection of patient information. In addition, the National Health Act, No 61 of 2003 (Health Act) specifically protects the privacy and confidentiality of patient records (which includes information pertaining to a patient's health status, treatment or stay in a health establishment). It provides, in particular, that such information may only be disclosed if the patient consents to disclosure in writing, or a court order or law justifies such disclosure, or where non-disclosure of such information represents a serious threat to public health.


POPIA


It is important to note that POPIA does not replace the HPCSA’s existing guidance on safeguarding confidential patient data. However, POPIA will have implications for all research activities that involve the collection, processing, and storage of personal information.


Some important aspects of POPIA for the medical research industry include:

  • Non-compliance with POPIA can result in either a fine or imprisonment.

  • Personal information may only be collected for the specific purpose of providing services to a patient. Only relevant data should be captured, used or retained.

  • Prior authorisations are required for using personal information in data processing activities.

  • One may not retain records if they are no longer necessary for the purpose for which they were obtained or created. Even if consent is given, information cannot be kept indefinitely. A company will have to review that consent periodically. When required, they also need to have a clearly defined process on how to delete that information.

  • Once personal information has been collected from another source, the medical practitioner must take reasonable steps to inform the patient of this, together with the source of the information and the purpose for which it has been collected. This can be relayed to the patient either orally or in writing.

  • Any personal information that is stored must be protected from loss, damage or unauthorised destruction, and unlawful access – the law expects reasonable technical and organisational measures to be implemented to ensure this protection is in place.


Implications for the industry


Overall, compliance with POPIA is a time-consuming process that will cost money. It will require a lot of extra procedures.


A company must always prove POPIA compliance, so there must be an audit trail. POPIA requires that an ‘information officer’ is appointed and that this person takes the lead in creating and maintaining internal awareness and training sessions within the organisation, which means educating personnel on the provisions and requirements of POPIA. Each organisation must create its own policy around the protection of personal data. Many companies will have to hire an extra person per medical research site to ensure POPIA compliance.


Since the law expects reasonable technical and organisational measures to be implemented to protect personal information, security measures must be put in place.


In all industries, there may be additional information technology costs associated with protecting such sensitive information and the vast volumes of data that need to be stored and protected. However, these costs will be higher in the medical research industry. This is because personal information such as ID numbers, dates of birth and addresses is either set in stone or rarely changes – service providers can store and protect it more easily. Healthcare information, by contrast, is constantly changing. The volume of it keeps growing. A simple patient consultation generates a huge volume of sensitive data. All of this needs to be protected.


POPIA is unlikely to have an impact on South Africa’s attractiveness for conducting trials because Europe and North America are also governed by privacy laws like the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. While GDPR is more stringent, POPIA is more detailed.


If American or European-sponsored studies are conducted in South Africa, their protocols are approved by the South African Health Products Regulatory Authority (SAHPRA) and will take precedence over POPIA.


One foreseeable issue will be South Africa’s reliance on paperwork (medical records and consent forms). For example, first world countries have very few or no paper-based documents/source. But a large portion of documents/source in South Africa is paper based.


With a sizeable portion of participants in clinical trials coming from rural areas and being over 60 years old, it is going to be a challenge to get them to complete information on a smartphone or tablet. Extensive training will be needed to transition to 100% digital records.


It will be relatively simple for our laboratories to be POPIA compliant, but there is a definite challenge regarding the information derived from physical contact with patients.


About Yvette Erasmus

Yvette Erasmus, as the CEO and Vice President of MERC Research Inc., has extensive knowledge and experience within the healthcare industry that extends beyond the borders of South Africa. She is a patron for clinical research and her invaluable contribution is recognized across the globe. Being part of the Clinical Trial Site in Middelburg, she has helped the team to acquire two SPRIA (Site Patient Recruitment Innovation Award) awards (2015 and 2019) from SCRS (Society for Clinical Research Sites). Raising clinical trial awareness in local communities continues to be her passion; this is orchestrated through her involvement in developing Community Advisory Boards and Youth Advisory Boards to become advocates on clinical trials in the communities.


SACRA (South African Clinical Research Association) is a non-profit organisation representing the clinical research industry in South Africa. The association provides a forum for information-sharing, networking and the exchange of ideas. SACRA has elected Yvette to form part of the EXCO team to be a voice for the South African Trial Industry. This membership contributes towards a greater goal which aims to turn South Africa into the number one Clinical Trials destination. The African continent with its vast diversity in terms of age, gender, ethnicity, race and genetics, is what the clinical trial industry needs. Yvette believes in and drives her work ethic towards making Africa the chosen continent for future clinical trials as she ironically states, “Africa can and must become the number one trial destination in the world.”