{"title":"PoPI Compliance through Access Control of Electronic Health Records","authors":"Tamir Tsegaye, Stephen Flowerday","doi":"10.1145/3351108.3351130","DOIUrl":null,"url":null,"abstract":"The electronic health record (EHR) has revolutionised the manner in which healthcare is delivered by providing clinicians with electronic access to patients' complete medical history. Countries such as South Africa aim to take advantage of the EHR by implementing a national EHR system. While this has a number of benefits that are in the best interests of the patient, it also creates security and privacy risks to patients' information. Patient information has been identified as the most sensitive type of personal information. Unlike other types of personal information, it contains confidential information about the patient that cannot be changed such as the patient's medical history. Thus, the EHR needs to be protected from both unauthorised entities and misuse by authorised clinicians. This can be achieved through the regulation of the national EHR system. Although regulations state that personal information must be protected, they do not specify what processes must be followed in order to comply with them. This paper proposes a model to address this problem by indicating the components that are needed in order to assist compliance. 
The proposed model, which was informed by a scoping review and thematic analysis, is discussed in the context of South Africa's future national EHR system with the focus on the Protection of Personal Information (PoPI) Act.","PeriodicalId":269578,"journal":{"name":"Research Conference of the South African Institute of Computer Scientists and Information Technologists","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Research Conference of the South African Institute of Computer Scientists and Information Technologists","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3351108.3351130","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 2