Health Data Act

Privacy laws are more relevant today than ever before. As internet penetration grows and the use of social media and other digital information platforms increases, data crosses borders, and it is becoming more important to ensure that personal data is protected, processed, and used for the correct purpose. While these protection laws are (sometimes) good news for those who have data stored or transferred online, the same may not be true for those who must navigate this mass of regulation.

Questions about how private information is handled around the globe, and in Kenya particularly, are on the rise following the enactment of the Data Protection Act of 2019. Several healthcare institutions have adopted technologies for managing their patients’ data as well as for Enterprise Resource Planning.

The adoption of these technologies brings with it systems and applications that may be vulnerable as they manage health information, along with risks that must be managed. So how is patients’ data protected against breaches of confidentiality, integrity and availability?

Three important and related concepts are often used interchangeably when discussing the protection of health information within the Kenyan healthcare system: confidentiality, privacy, and security. Yet each of these concepts has a different fundamental meaning and a unique role.

Most frequently, “HIPAA, GDPR, ISO 27701:2018” come to mind when health information privacy is discussed; however, the concept of patient confidentiality has been around for much longer.

In Kenya, the processing of medical data (which is personal data) is regulated under:

  1. The Public Health Act 2012 (‘Public Health Act’);
  2. The Health Act, 2017 (‘Health Act’); and
  3. The HIV and AIDS Prevention and Control Act, 2006 (‘HIV and AIDS Prevention and Control Act’).

This article briefly explores the differences in meaning between privacy, security, and confidentiality of health information, along with their different roles and the key fundamentals of protecting private information in the healthcare sector.

Confidentiality

Confidentiality refers to the secrecy of information between the parties involved; that is, data is protected from unauthorized parties. Confidentiality in health care refers to the obligation of professionals who have access to patient records or communications to hold that information in confidence. This obligation is rooted in the confidentiality of the patient-provider relationship.

When considering sensitive health information requiring special layers of confidentiality, such as with mental health treatment, the government provides guidance for health information management professionals.

Privacy

Privacy is viewed as the right of the individual client or patient to be let alone and to make decisions about how personal information is shared. The right to privacy should protect a patient in a court of law in case breaches occur.

Security

Security refers directly to protection, and specifically to the means used to protect the privacy of health information and to support professionals in holding that information in confidence. The concept of security has long applied to health records in paper form; locked file cabinets are a simple example. As the use of electronic health record systems grew, and the transmission of health data to support billing became the norm, the need for regulatory guidelines specific to electronic health information became more apparent.

Following these revelations, healthcare sector information must be protected, and proper guidelines followed. These include proper documentation of procedures and policies according to ISO 27701:2018, the Data Protection Act and GDPR.

Managing electronic health information presents unique challenges for regulatory compliance, for ethical considerations and ultimately for quality of care. As electronic health record system “meaningful use” expands, and more data are collected, such as from mobile health devices, that challenge for healthcare organizations grows.

One response to the challenge is information governance, described as the strategic management of enterprise-wide information, including policies and procedures related to health information confidentiality, privacy, and security. Health information managers are uniquely qualified to serve as health information stewards, with an appreciation of the various interests in that information and knowledge of the laws and guidelines that speak to confidentiality, privacy, and security. The role of the steward encompasses not only ensuring the accuracy and completeness of the record, but also protecting its privacy and security.

All who work with health information (health informatics and health information management professionals, clinicians, researchers, business administrators and others) have a responsibility to respect that information. As patients, we have privacy rights over our own health information and an expectation that our information will be held in confidence and protected. As citizens, our public interest in health information may prevail, such as in situations involving public health or crime. Balancing the various interests in health information and upholding its confidentiality, privacy and security present ongoing and important challenges within the healthcare and legal systems, as well as career opportunities for health information management professionals.

Mary Njoroge, Senior Consultant