Best Practice Guidelines: Healthcare Practice Management & POPIA Compliance Framework

Copyright © 2021 GoodX Software. All rights reserved.

GoodX online Learning Centre

learning.goodx.co.za

4. Diary Administration: Roles & Purpose

4.2. POPIA tips for Diary Administration

The following are tips for POPIA compliance in Diary Administration. In these tips PI means personal information, DS the data subject (the patient or other person whose information is processed), RP the responsible party (the practice) and IO the information officer.

The information is based on the POPIA Action Maps, a checklist that assists practices in implementing the POPIA requirements.

Stage 1: Establish Compliance

PI Security
  • Implement software access control (each user logs in with their own credentials).
  • Implement a clean desk policy*.
  • Implement the password policy** for software.
  • Install printers in a secure place so that no unauthorised person has access to printed information.

PI Processing Planning
  • Ensure reception understands the lawful sources for collecting information, preferably directly from the DS.
  • Determine when electronic files will be archived.
  • Maintain information quality through proper training and complete capture of software fields, so that information is complete, accurate and not misleading.
  • Plan the correct configuration of, and audit trails for, data-sharing capabilities (third-party platforms, email, SMS, etc.).
  • Upload terms and conditions into the software for ease of use.




DS Participation Planning
  • Plan and implement capabilities that allow the DS to confirm, and to request, the information the practice holds about them.
  • Train personnel in how to handle requests for information from the DS.




Publication of information of the practice (RP)
  • Publish the details of the RP and IO on the website, posters, forms, sick notes, scripts and third-party directories.
  • Communicate to the DS how to request information and which details of the DS are required to process such requests.


Stage 3: Compliance Continuity

Confidentiality Measures

  • Reception should adhere to a clean desk policy to keep confidential information secure.
  • Patients are notified that their healthcare information will be shared with treating practitioners in order to protect the patients' interests.


Updated Information

  • Keep practitioners' information up to date, e.g. by using third-party databases.



Examples

Please take note: should you wish to use this information, you should adapt it to your practice's needs.

Example of a clean desk policy

  1. Every employee is responsible for protecting the confidentiality of personal and special personal information of the practice, colleagues, and patients.
  2. No confidential information may be left on a desk or other place in the employee's absence, no matter how short the absence is.
  3. Computers and software must be locked whenever an employee steps away from the computer.
  4. Personal mobile devices in a healthcare practice reception should be discouraged.
  5. Physical documents must be kept safe to ensure that unauthorised persons cannot access the documents.
  6. No documents containing confidential information may be thrown into rubbish bins to which unauthorised persons have access. Such documents must be destroyed by shredding or by the practice's authorised waste remover.
  7. Documents that do not contain confidential information may be disposed of in the recycling bins.
  8. All confidential information lying around unsupervised must be reported to the practice manager. The practice manager must ensure that those documents are gathered for safekeeping.
  9. Documents may only be taken home or generated at an employee's home with the written consent of the practice manager or practitioner.
  10. No confidential documents, or documents containing confidential information, may be thrown away at an employee's home. They must be shredded at the office or disposed of through the practice's authorised waste removal contractor.
  11. Hard-copy documents should be avoided by using electronic form-filling mechanisms.

Example of a password policy

  1. Keep your passwords safe and do not share your passwords with any other person.
  2. Never use someone else's password, even if they consent to it. If you do not have access to software, first ask the practice manager/practitioner whether you are allowed access and, if so, request your own login.
  3. Do not write down or store your passwords where third parties can access them.
  4. Passwords should preferably be a sentence (a passphrase) that can easily be remembered.
  5. Passwords should be at least 14 characters long.
  6. Weak passwords typically have one or more of the following characteristics:
    1. Fewer than 14 characters;
    2. A lack of different types of characters;
    3. Personal information;
    4. User-specific information.
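The four weak-password characteristics above can be checked automatically when a staff member sets or changes a login. The following Python function is an added example, not part of the GoodX guideline or its software: it reports every rule a candidate password breaks, so the practice manager can see why a password was rejected. The user details it compares against (username, first name, surname, date of birth and any extra practice-specific terms) and the threshold of at least three character types are assumptions, since the policy does not quantify "different types of characters"; with that threshold an ordinary sentence with a capital letter and punctuation (item 4 above) passes, while an all-lowercase phrase does not.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 14               # item 5 of the password policy
MIN_CHARACTER_TYPES = 3       # assumption: the policy gives no number
MIN_TOKEN_LENGTH = 4          # assumption: ignore very short names to limit false matches


@dataclass
class UserContext:
    """Details the practice already holds about the staff member (assumed fields)."""
    username: str
    first_name: str
    surname: str
    date_of_birth: str = ""                 # e.g. "1985-03-22"
    extra_terms: list = field(default_factory=list)   # e.g. practice name


def character_types(password: str) -> int:
    """Count the character types present: lower, upper, digit, and other (punctuation/space)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def personal_tokens(ctx: UserContext) -> set:
    """Lower-cased fragments of personal and user-specific information to reject."""
    tokens = {ctx.username, ctx.first_name, ctx.surname, *ctx.extra_terms}
    if ctx.date_of_birth:
        digits = re.sub(r"\D", "", ctx.date_of_birth)   # "1985-03-22" -> "19850322"
        tokens.update({digits, digits[:4], digits[-4:]})  # full date, year, month+day
    return {t.lower() for t in tokens if t and len(t) >= MIN_TOKEN_LENGTH}


def check_password(password: str, ctx: UserContext) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHARACTER_TYPES:
        problems.append("lacks different types of characters")
    lowered = password.lower()
    for token in sorted(personal_tokens(ctx)):
        if token in lowered:
            problems.append(f"contains personal or user-specific information ({token!r})")
    return problems


if __name__ == "__main__":
    # Constructed sample user; not a real person.
    staff = UserContext(username="sipho.m", first_name="Sipho", surname="Mokoena",
                        date_of_birth="1985-03-22", extra_terms=["GoodX"])
    for candidate in ["Sipho1985!!", "the printer is loud today",
                      "Mokoena-Practice-2024", "My cat sleeps on the printer."]:
        result = check_password(candidate, staff)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run the block directly to see the verdict for each constructed candidate; in practice the same function would be called from the account-creation screen before the new login is saved.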