Contracting with Contractors that are NOT POPI Operators: Best Practices

Health care providers and medical scheme companies are generally aware that when personal information is disclosed to a contractor, such as an attorney, accounting bureau, consultant or cloud data storage firm, an operator agreement is necessary to comply with POPI and to safeguard the information disclosed. However, not all contractors are operators, even where those contractors may have potential access to personal information, and health care providers and medical schemes may struggle with how to manage risks to personal information in these relationships. The following FAQs address these issues and set out my solutions for managing and mitigating the risk in an efficient and cost-effective manner.

Who are non-operator contractors?

Generally, a contractor is not an operator if it does not receive, use, disclose or maintain personal information in the course of providing its services. The key risk, though, is that these contractors may still have potential access to an organisation's personal information. Examples include the following:

  • An IT vendor that will have access to practice / hospital information systems to install, update or maintain anti-malware software.
  • A cleaning service which has access to staff offices, medical record rooms or other areas in which personal information may exist.
  • A software company that licenses a locally hosted program that processes claims to medical schemes, and that may need access to local information systems for installation or troubleshooting.
  • A consultant who is granted limited access to quality, compliance or other internal reports that include only aggregate information but who may be working in a medical records storage area or be logged into the local network.

What harm can these contractors cause?

Failure to manage data privacy risks with non-operator contractors may lead to both violations of POPI and the National Health Act. Let us consider a recent example to illustrate the importance of addressing data privacy and POPI concerns with contractors who are not operators:

A health care provider engages a local IT security firm to install patches. The parties agree that the contractor is not an operator. While in the provider's information system, a newly hired contractor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails them to the former classmate. Several weeks later, the former classmate contacts the Information Regulator and says "look what the provider gave [the employee] access to." The contractor employee failed to appreciate the seriousness of the access (no privacy training was provided), was under no obligation to report the access to his employer, and the contractor had no obligation to notify, indemnify, reimburse or cooperate with the provider.

The provider will be in violation of both POPI and section 17 of the National Health Act, and the regulators can require an extensive corrective action plan.

What strategies should a health care provider or medical scheme pursue to manage the risk caused by non-operator contractors?

Pursue a 3-part strategy addressing organisational policies, due diligence and confidentiality agreements:

  1. Organisational Policies: Avoid limiting privacy and security policies to POPI compliance only. While very important, POPI is not the only privacy and security concern a health care provider or medical scheme should have; policies should also address proprietary information and the National Health Act. Further, ensure that privacy and security policies apply to all contractors, not merely those subject to POPI.
  2. Due Diligence: Consider implementing a contractor-screening tool as part of your contracting process, and make data privacy and security a factor when choosing contractors. The purpose of the screening tool is to obtain contractor assurances regarding privacy, to gain comfort that the contractor is cognisant of and is addressing privacy concerns, and to periodically monitor the contractor's privacy efforts.
  3. Confidentiality Agreements: Develop a specific template confidentiality agreement for non-operator contractors, the terms of which should reflect the risk profile of the organisation (Note: a standard non-disclosure agreement is generally insufficient for this purpose). Ensure a focus on confidentiality obligations, compliance with laws and policies, incident reporting and reimbursement.
