On this page

Legislation applicable on accessing of personal information the healthcare sector

  • Promotion of Access to Information Act, 2000, Act No 2 of 2000 (PAIA)
  • National Health Act, 2003, Act No 61 of 2003 (NHA)
    • Section 15: Access to health records
    • Section 16: Access to health records by health care provider
    • Section 17: Protection of health records
  • Protection of Personal Information Act, 2013, Act No 4 of 2013 (POPI)
    • Section 5: Rights of data subjects
  • Childrens Act, 2005, Act No 38 of 2005
    • Section 13: Information on health care
    • Section 41: Access to biographical and medical information concerning genetic parents
  • Mental Healthcare Act, 2002, Act No 7 of 2002
    • Section 13: Disclosure of information

Ethical rules applicable on accessing of personal information the healthcare sector

  • HPCSA Booklet 5: Confidentiality: Protecting and Providing Information
    • Paragraph 6: The rights of patients to access of information
  • HPCSA Booklet 9: Guidelines on Keeping of Patients Records
    • Paragraph 11: Access to records

General Rules

  • Requests for access
  • Relatives
  • Parents and guardians
  • Deceased patients
  • Court orders
  • The police
  • Solicitors
  • ICD-10 Coding
Legislation applicable on accessing of information in the healthcare sector

Promotion of Access to Information Act, 2000, Act No 2 of 2000 (PAIA)

  • PAIA is legislation that creates the framework to the right to access information enshrined in section 32 of the Constitution of the Republic of South Africa. PAIA is the Promotion of Access to Information Act 2 of 2000.
  • The purpose of this legislation is to promote a culture of transparency, accountability and good governance both in the private and public sectors.
  • The following questions about the PAIA Act can be found here:
    • What is PAIA?
    • Understanding PAIA.
    • Compliance by private bodies.
    • Submission of manual in terms of Section 51 of PAIA.
    • Compliance with section 51 of PAIA.
    • Current Exception
    • Who can make a PAIA request?
    • What procedure must a requester follow when making a PAIA request?
    • What is the cost you can charge for a requester making a PAIA request?
    • What is the cost for accessing records under PAIA?
    • When access to information may be refused?
    • Grounds for refusing access.

National Health Act, 2003, Act No 61 of 2003 (NHA)

Section 15: Access to health records

1)    A health worker or any health care provider that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user.

2)    For the purpose of this section, “personal information” means personal information as defined in section 1 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).

 

Section 16: Access to health records by health care provider

1)    A health care provider may examine a user’s health records for the purposes of –

  • treatment with the authorisation of the user; and
  • study, teaching or research with the authorisation of the user, head of the health establishment concerned and the relevant health research ethics committee.

2)     If the study, teaching or research contemplated in subsection (1)(b) reflects or obtains no information as to the identity of the user concerned, it is not necessary to obtain the authorisations contemplated in that subsection

 

Section 17: Protection of health records

  1. The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept.
  2. Any person who
    1. Fails to perform a duty imposed on them in terms of subsection (1);
    2. falsifies any record by adding to or deleting or changing any information contained in that record;
    3. creates, changes or destroys a record without authority to do so;
    4. fails to create or change a record when properly required to do so;
    5. provides false information with the intent that it be included in a record;
    6. without authority, copies any part of a record;
    7. without authority, connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history;
    8. gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;
    9. without authority, connects any part of a computer or other electronic system on which records are kept to –
      1. any other computer or other electronic system; or
      2. any terminal or other installation connected to or forming part of any other computer or other electronic system; or
    10. without authority, modifies or impairs the operation of-
      1. any part of the operating system of a computer or other electronic system on which a user’s records are kept; or
      2. any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept,

commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment.

Protection of Personal Information Act, 2013, Act No 4 of 2013 (POPI)

Section 5: Rights of data subjects:

A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right –

  • to be notified that –
    • personal information about him, her or it is being collected as provided for in terms of section 18; or
    • his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
  • to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;

Childrens Act, 2005, Act No 38 of 2005

Section 13: Information on health care

Every child has the right to-

  • have access to information regarding his or her health status;
  • Information provided to children in terms of this subsection must be relevant and must be in a format accessible to children, giving due consideration to the needs of disabled children.

Section 41: Access to biographical and medical information concerning genetic parents

(1) A child born as a result of artificial fertilisation or surrogacy or the guardian of such child is entitled to have access to –

  • any medical information concerning that child’s genetic parents; and
  • any other information concerning that child’s genetic parents but not before the child reaches the age of 18 years.

Mental Healthcare Act, 2002, Act No 7 of 2002

Section 13: Disclosure of information

  • A person or health establishment may not disclose any information which a mental health care user is entitled to keep confidential in terms of any other law.
  • Despite sub section (1); the head of the national department. a head of provincial department or the head of a health establishment concerned may disclose such information if failure to do so would seriously prejudice the health of the mental health care user or other people.
  • A mental health care provider may temporarily deny mental health care users access to information contained in their health records, if disclosure of that information is likely to –
    • seriously prejudice the user; or
    • cause the user to conduct himself or herself in ;t manner that may seriously prejudice him or her or the health of other people.
Ethical rules applicable on accessing of personal information in the healthcare sector

HPCSA Booklet 5: Confidentiality: Protecting and Providing Information

Paragraph 6: The rights of patients to access of information

  • Patients have a right to information about the healthcare services available to them, presented in a way that is easy to follow and use.
  • The National Health Act provides that healthcare providers (this includes healthcare practitioners) must inform patients (patients) of the following:
  • The patient’s health status except in circumstances where there is substantial evidence that the disclosure of the patient’s health status would be contrary to the best interests of the patients;
    • The range of diagnostic procedures and treatment options generally available to the patients;
    • The benefits, risks costs and consequences generally associated with each option; and
    • The patient’s right to refuse health services and explain the implications, risks and obligations of such refusal.
  • Patients also have a right to information about any condition or disease from which they are suffering. Such information should be presented in a manner easy to follow and use, and should include information about the diagnosis, prognosis, treatment options, outcomes of treatment, common and serious side-effects of treatment, the likely timeframes of treatment, and the expected costs, where relevant.
  • Healthcare practitioners should always give patients basic information about the treatment they propose to provide, but should respect the wishes of any patient who asks not to be given detailed information. The latter requests place a considerable onus upon health care providers because, without such information, patients cannot make proper choices as partners in the health care process.

HPCSA Booklet 9: Guidelines on Keeping of Patients Records

Paragraph 11: Access to records

  • In terms of the law the following principles apply in regard to access to information in health records:
    • A health care practitioner shall provide any person of age 12 years and older with a copy or abstract or direct access to his or her own records regarding medical treatment on request (Children’s Act (Act No. 38 of 2005)).
    • Where the patient is under the age of 16 years, the parent or legal guardian may make the application for access to the records, but such access should only be given on receipt of written authorization by the patient (Access to Information Act (Act No. 2 of 2000)).
    • Information about termination of a pregnancy may not be divulged to any party, except the patient herself, regardless of the age of the patient (Choice on Termination of Pregnancy Act (Act No. 92 of 1996)).
    • No health care practitioner shall make information available to any third party without the written authorisation of the patient or a court order or where nondisclosure of the information would represent a serious threat to public health (National Health Act (Act 61 of 2003)).
  • A health care practitioner may make available the records to a third party without the written authorisation of the patient or his or her legal representative under the following circumstances:
    • Where a court orders the records to be handed to the third party;
    • Where the third party is a health care practitioner who is being sued by a patient and needs access to the records to mount a defence.
    • Where the third party is a health care practitioner who has had disciplinary proceedings instituted against him or her by the HPCSA and requires access to the records to defend himself or herself.
    • Where the health care practitioner is under a statutory obligation to disclose certain medical facts, (e.g. reporting a case of suspected child abuse in terms of the Children’s Act, (Act No. 38 of 2005)).
    • Where the non-disclosure of the medical information about the patient would represent a serious threat to public health (National Health Act (Act No. 61 of 2003)).
  • In provincial hospitals medical records must be kept under the care and control of the clinical manager. Access to such records shall be subject to compliance with the requirements of the Access to Information Act and such conditions as may be approved by the superintendent.
General Rules

Requests for access

  • Primary legislation is the PAIA Act.
  • Everyone has a right of access to records held by either public or private bodies for legitimate purposes. In the latter case, people should be allowed access to “any information that is held by another person and that is required for the exercise or protection of any rights”. This includes access to health records.
    • Either the patient him/herself, or someone authorised to act on the patient’s behalf, can request access;
    • The request itself is made in writing and should be responded to within 30 calendar days;
    • The only ground for refusing access is if disclosure “to the relevant person” (ie, the patient or the person requesting access on the patient’s behalf) “might cause serious harm to his or her physical or mental health, or well-being”.

Relatives

  • Relatives have no automatic right of access to an adult patient’s records.
  • If the patient lacks the mental capacity to consent to disclosure, a relative may apply for access to the medical records under the Promotion of Access to Information Act.

Parents and guardians

  • The parents of a child under the age of 12 should be given access to the child’s medical records if they request it.
  • If a child is aged 12 or more, and has the maturity to understand the implications, you will need to secure the child’s consent before disclosing his or her medical record.

Deceased patients

  • The principle of confidentiality extends beyond a patient’s death.
  • Generally speaking, information should only be disclosed to third parties with the consent of the deceased’s next of kin or executors, but there are exceptions to this rule – information can be disclosed if it is required by an inquest magistrate, for example.
  • In addition to obtaining the authority of the deceased’s next of kin or executor, the HPCSA’s advice is to consider the circumstances when deciding whether to accede to a request for information and to consider the effect that disclosure is likely to have on the deceased patient’s partner or family.13

Court orders

  • You should comply with a court order to disclose health records.
  • Even if you have concerns about disclosing the records, you should still comply with the order and attach a covering letter to the judge or the registrar of the court describing your concerns.
  • Generally, compliance with a court order should be considered mandatory, but in exceptional circumstances, if you have concerns, it may be appropriate to seek advice from your lawyer.
  • The mere threat of a court order is not sufficient authority to disclose.

The police

In general, the police have no more right of access to confidential information than anybody else, except in the following circumstances:

  • The patient has given consent to the release of information.
  • The information is needed in compliance with a court order.
  • A written directive has been issued by a judge or a magistrate in terms of section 205(1) of the Criminal Procedure Act 51 of 1977 to disclose information.
  • The public interest in disclosing information outweighs the public interest in preserving patient confidentiality. This is not a decision to be taken lightly, so it is best to consult with your lawyer or a colleague when weighing these competing interests.

Solicitors

  • Solicitors may request a copy of a patient’s medical records in relation to a claim. If the solicitor is acting for the patient, you should not release the records without the patient’s (or a legally recognised proxy’s) consent. If the solicitor is acting for a third party, you should not release the records unless the request is made in terms of the Promotion of Access to Information Act and the information requested is:
    • About an individual who has given written consent to the requestor or you for the disclosure to be made;
    • Already publically available;
    • Information which belongs to a class of information that would or might be made available to the public in any event;
    • About an individual’s physical or mental health, or wellbeing who is under the care of the requester and who is under the age of 18 or is incapable of understanding the nature of the request and giving access would be in the individual’s best interests;
    • About an individual who is deceased and the requester is the next of kin or the solicitor is making the request with the consent of the deceased’s next of kin.

(see Chapter 4 section 63(1) and (2) to the Promotion of Access to Information Act 2 of 2000.)

ICD-10 Coding

  • Previously the HPCSA “strongly recommends” getting a patient’s written consent before disclosing information to a medical scheme.
  • Such written consent can be a “once-off” applying to patient contact concerning the same or a similar clinical condition, but subject to verbal reminders and confirmation (which should be documented in the patient’s records).
  • When the patient presents with a new condition, it will be necessary to obtain new written consent.  The 2008 booklet makes no such recommendation.
  • The patient’s consent must be fully informed, based on a full and frank discussion about who will be accessing the information and for what purpose, and the implications of disclosure versus non-disclosure. The patient should be informed that the medical scheme has the discretion to reject claims with a U 98.0 code (Patient refused to disclose clinical information).
  • Doctors who provide services that do not involve direct contact with the patient (pathologists, for example) should confirm with the commissioning doctor that the patient has consented to his/her medical information being accessed and to clinical information being disclosed to his/her medical scheme.