Massive legal warning for employers in South Africa

9 May 2026

New Protection of Personal Information Act (POPIA) regulations pose a serious legal risk for South African employers regarding employee medical records.

According to Workforce Healthcare, which provides health and wellness services, managing employee records should be a serious focus.

Employers face challenges in managing employee medical records, including who owns them, how they are stored, who may access them, how long they must be kept, and how they are destroyed.

“The management of medical records and the personal information contained within those records is a heavily regulated area,” said Dr Robin George from Workforce Healthcare.

“In our experience, many employers, including some healthcare service providers, are not meeting the legislative requirements.”

Urgency has intensified following the March gazetting of new POPIA regulations that specifically govern the processing of health information by responsible parties.

These parties include medical schemes, managed healthcare organisations, and insurers. The new regulations establish binding requirements for the security, confidentiality, and processing of health data.

Workforce Healthcare noted that health data carries the highest level of legal protection under POPIA and the National Health Act, as unauthorised disclosure can have devastating consequences.

Employees can be affected by discrimination in promotion or retrenchment decisions, or by different treatment from managers, resulting in lasting damage to their relationships and careers.

Several conditions, including HIV status or mental health diagnoses, can carry social stigma and impact the working world.

POPIA classifies health data as special personal information, which affords it the highest level of protection under South African law.

That means processing, sharing, storing or granting access to this information is prohibited unless it is necessary for treatment, care, or authorised administration by a healthcare professional.

The Information Regulator can impose notices, fines, and potentially more severe sanctions on responsible parties who breach these provisions.

Who owns what

Dr Robin George, Senior Occupational Medicine Practitioner and National Operations Manager, Workforce Healthcare (Source: Department of Employment and Labour)

A central problem regarding medical records is who owns the record in occupational healthcare.

Ownership can reside with the healthcare provider who created the record or with the employer who paid for the service.

Legislation requires that this be formally agreed upon between the service provider and the client before services begin. However, this conversation rarely happens in practice.

Employers who assume they have access to employees’ medical information may expose themselves to liability.

Employers who receive physical medical files from their occupational health provider without a formal ownership agreement and compliant storage arrangements in place could be unlawfully holding records.

“Once you accept ownership, you accept legal responsibility for storage, access control, retention, and eventual destruction,” said Dr George.

“Occupational healthcare service providers should preferably avoid handing over complete medical files containing sensitive personal information to employers without certainty that those files will be managed in accordance with relevant legislation.”

The healthcare company added that service-level agreements also need to adequately address the management of medical records.

There are sometimes very strict obligations, including storing physical records in locked, fire- and flood-resistant facilities and also ensuring that electronic records are password-protected and encrypted. 

Disclosure of any information in a medical record to a third party also requires the patient’s written consent, a court order, or a defined public health justification. 

As compliant medical records management is costly, Workforce Healthcare said that these costs should be formally factored into service agreements from the start.
