The increased digitalisation and rise of electronic health records (EHRs) are fast replacing traditional paper records. In Nigeria, there remains a wide digital divide – health records are still largely recorded and stored in paper form. The adoption of healthcare technologies reliant on datafied records is growing, and there is an urgent need for a stronger framework to protect the rights and freedoms of Nigerians. Unlawful disclosure, illicit access or misuse of health records could reveal intimate and embarrassing details about patients, resulting in infringements of individuals’ rights to privacy (intrusion), commodification of health data, blackmail and other social discrimination, all of which weaken the fabric of trust between healthcare providers and users.
Understanding health records, health technology and the intersection with privacy and security
The medical record or health data of a patient is regarded as sensitive personal data. Sensitive personal data requires special protection and is usually specifically protected by law. Such data reveal accurate, intrinsic details about an individual’s healthcare treatment and history. Medical records contain personal data including genetic data, personal statistics such as age and weight, demographics, medical diagnoses and allergies, immunisation status, radiology images and medical research data.
The proliferation and advancement of technology have increased the generation, processing, storage, sharing and collection of health data, including genetic, clinical and behavioural data. Clearly, Internet of Things connected devices, personalised medicine and genetic testing, cloud-based interoperable EHRs, telemedicine, m-health and e-health, portal technology, sensors and wearables, and remote monitoring tools hold immense potential for improving healthcare delivery, but they also raise nagging questions about privacy and security.
Further, the sharing of patients’ health data between health professionals, healthcare providers and facilities, and cross-border data transfer, pose privacy and security concerns. Modern technology sweeping the healthcare industry creates new challenges that the law must keep abreast of. However, protecting privacy should not be allowed to crowd out the much-needed, life-saving innovation in the industry. We must understand that health data is important for the growth and overall improvement of healthcare.
Confidentiality and Privacy
Traditionally, there is a professional obligation in medical practice to ensure the confidentiality of a patient’s personal health information, unless the patient consents to the release of the information or there is another recognised legal basis for it. This flows from the Hippocratic oath, which imposes a confidentiality obligation on healthcare providers. Confidentiality is one of the pillars of medical practice, and the law recognises it as privileged communication between two parties in a professional relationship. According to Vivienne Nathanson, “protecting the private details of a patient is not just a matter of moral respect, it is essential in retaining the important bond of trust between the doctor and the individual.”
Privacy in the healthcare context refers to the patient’s right to control and keep his or her health information private. It also covers the circumstances in which a patient’s protected health information may be used or disclosed. The right to privacy is a fundamental right recognised by the Nigerian Constitution. Beyond the constitutional provision and the professional obligation, privacy law adds another layer of legal obligation and protection.
Security of both electronic and paper health records is an essential thread in the healthcare fabric. Security entails the protection of both the online systems and the physical facilities housing health records. A security breach affects both medical devices and health records. A security breach in the healthcare sector exposes providers to innumerable risks, including disruption of services, economic loss, reputational damage, reduced patient confidence and regulatory penalties.
With the increased digitisation of records, the healthcare sector is witnessing an increase in cyber attacks. According to Nass S.J. et al., “protecting the security of data in health research is important because health research requires the collection, storage, and use of large amounts of personally identifiable health information, much of which may be sensitive and potentially embarrassing.” According to PwC’s Health Research Institute 2018 annual report, “there is 525 percent increase in medical device cybersecurity vulnerabilities reported by the government.”
According to Deloitte’s 2018 Global health care outlook report, “globally, the average total cost of a healthcare data breach to an organization reached USD $3.62 million per incident in 2017.”
The Risk Landscape
A patient’s health record could reveal his or her medical condition, treatment plan or medications, and could be commercialised for targeted advertising or used for health insurance fraud and abuse (by raising premiums for “at-risk patients”). It could expose the patient to loss of privacy, social discrimination, blackmail and other dangers, which weaken the fabric of trust between healthcare providers and users.
A patient’s privacy rights can be violated through accidental loss of data, unauthorised or abusive privileged access, cyber attack, or unlawful disclosure. According to Verizon’s 2018 Protected Health Information Data Breach Report, 58% of all healthcare breaches are initiated by insiders. In July 2018, it was reported that a major cyber attack on Singapore’s health sector affected the personal data of over 1.5 million people, including the country’s Prime Minister. The healthcare sector was seriously affected by the WannaCry ransomware attack in 2017, which shows how vulnerable the sector is. In Nigeria, the purported health record of a gubernatorial aspirant was a subject of negative politics in the run-up to the 2019 general elections.
The pivot toward a national health insurance regime has given rise to health maintenance organisations (HMOs), created for the purpose of managing and providing healthcare services through healthcare facilities accredited by the National Health Insurance Scheme (NHIS). According to BusinessDay, there are currently about 60 HMOs operating in the country. These organisations process the health data of users. Without transparent oversight of their operations, such data could be abused and misused – as we have seen with social discrimination and commodification of health records in other climes; this is capable of undermining the public’s confidence.
According to Reuters, health data is increasingly more desirable than financial data – “health data, unlike financial data that becomes worthless after the victim discovers the fraud, has a longer shelf life for exploitation”. Treatment and prescription records are permanent. Medical and insurance records provide insights into where people live, what medical treatments they have had, who their family members are, their demographic information and their employment details. Health records have also been employed as a tool for extortion and blackmail.
Legal Framework for Privacy & Security in Nigeria’s Healthcare Sector
The right to privacy of Nigerians is guaranteed by Section 37 of the Constitution of the Federal Republic of Nigeria 1999. Though Nigeria currently lacks general data protection and cybersecurity legislation, there are sector-specific frameworks and ongoing legislative efforts to enact one.
National Health Act (NHA) 2014
The NHA is the principal legislation regulating the Nigerian healthcare sector. It also makes adequate provision for the privacy rights of patients. Section 26 (1) of the NHA provides that “all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential”. The provision imposes a legal obligation of confidentiality. The right is subject to certain derogations set out in Section 26(2) of the Act: health information may be disclosed where the user consents to the disclosure in writing, where a court order or any law requires such disclosure, or where non-disclosure would pose a serious threat to public health. Similarly, Section 25 of the NHA imposes an obligation to keep health records available to patients. This is the right of access.
Section 27 of the Act provides the two legal bases on which a user’s health record may be disclosed to a third party, another healthcare provider or a health professional: where the disclosure is necessary for any legitimate purpose within the ordinary course and scope of his or her duties; and where such access or disclosure is in the interest of the user. The latter is similar to relying on vital interest as the legal basis.
Section 28 (1) provides that a healthcare provider may access the health record of a patient with the consent of the patient. This establishes consent as a legal basis. The section also allows health records to be used for research with the consent of the patient. Section 28 (2) provides that the authorisation of the patient or any other authority can be dispensed with for the purposes of research, teaching and study if the research data does not contain any personally identifiable information.
Section 29 mandates the head of a healthcare facility to put in place “control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept”. This implies good data governance and a management policy to prevent unauthorised access, unlawful disclosure, data loss and data theft – both online and offline. The section prescribes offences and a punishment of two (2) years’ imprisonment, a fine of N250,000 ($816), or both. The offences include falsification or alteration of records, destruction of records without authority, re-identifying de-identified records, and unlawful access to or interception of records.
Cybercrimes (Prohibition and Prevention) Act
Section 5 of the Cybercrimes (Prohibition and Prevention) Act 2015 designates certain sectors of the economy as Critical National Information Infrastructure (CNII). Part 7.5 of the National Cybersecurity Policy designates the healthcare sector as National Critical Information Infrastructure. The Act criminalises attacks on sectors designated as critical national infrastructure, punishable by a term of imprisonment of not less than 15 years without an option of fine. The Act also includes other offences that could affect the sector.
Section 21 of the Cybercrimes (Prohibition and Prevention) Act mandates that a cyber attack or threat must be reported to the Nigeria Computer Emergency Response Team (NgCERT) – the government’s coordination centre responsible for managing cyber incidents in Nigeria. Failure to report within seven days is punishable with a fine of N2,000,000 ($6,535) and denial of internet service. Underreporting remains a debilitating factor in estimating the cost and extent of cybercrime, and it deprives the industry of shared common knowledge. NgCERT has created an online platform for reporting incidents, either as an individual or as a corporation.
National Health Insurance Scheme Act (NHIS Act)
Section 38 of the Act creates a secrecy obligation binding the officials and other employees of the scheme. The officials are mandated to treat all information obtained in the exercise of their powers or in the ordinary course of duty as confidential.
The confidential information may only be disclosed to an arbitration board or the court. Section 38 (2) prescribes a fine of not less than N20,000 ($65), imprisonment for a term of two years, or both.
Freedom of Information Act (FOI Act)
Section 16 of the FOI Act provides that a public institution may deny an application for information that is subject to health worker-client privilege. The section recognises and provides legal backing for the professional confidentiality obligation.
Patients Bill of Rights (PBoR)
The Consumer Protection Council (CPC) recently released the Patients Bill of Rights (PBoR). The Bill is aimed at ensuring easy access to quality healthcare services in the country. The PBoR is a list of rights already contained in extant laws, recently reduced into a single document to sensitise members of the public.
Interestingly, the Bill recognises the right to privacy of patients and the confidentiality of medical records. While there is a professional obligation of secrecy in the medical profession, a legal obligation further protects the freedom and privacy rights of patients.
The Federal Ministry of Health can take a cue from the United States’ Health Insurance Portability and Accountability Act (HIPAA) by enacting national privacy and security rules that define the privacy and security standards for the protection, storage and transfer of health data held in electronic or physical form. This includes administrative, technical, online and physical safeguards. The privacy rule should clearly define the other legal bases for processing and the derogations from them; a mechanism for cross-border transfer of health data (patients are becoming more mobile with medical tourism); storage and retention periods; other rights (the rights to be informed and of access are already established under the NHA); a framework for reporting breaches and notifying users; and stronger transparency and accountability mechanisms.
Section 2 of the NHA gives the Federal Ministry of Health the mandate to make guidelines for the development of the health sector, which should include addressing the emerging privacy and security concerns raised by new technologies. There is an urgent need to sensitise health practitioners and members of the public on privacy and security, and on how these affect them.
The NHIS should issue guidelines to regulate the activities of HMOs and other health insurance players to prevent insurance fraud, possible discrimination and other abuse of health records. Section 6 of the NHIS Act empowers the scheme to “issue appropriate guideline to maintain the viability of the scheme.” A major breach could erode the scarce trust in the nation’s health insurance scheme.
The heads of health institutions and facilities should put in place appropriate safeguards and frameworks to ensure the privacy and security of patients’ records and information. They should administer measures to comply with the law, including training and sensitisation of their staff, designing a privacy and security policy, implementing the right technology, and training staff on its use and on the possible privacy and security implications of the technology.
According to Deloitte’s 2018 Global health care outlook report “many employees at hospitals, health plans, life sciences companies, and governments lack awareness of and training to manage financial, operational, compliance, and cyber risks. Led by senior management, organizations should perform a thorough assessment to understand how recent and upcoming policy changes will impact organizational priorities and explore strategies to build second-line defenses to reduce their administrative, financial, and reputational exposure.”
The provisions of the NHA are a bold sector-specific regulation in a country where there is a big clamour for a general data protection and cybersecurity framework. It is the opinion of the writer that the privacy and cybersecurity framework in Nigeria will be led by sector-driven regulations, since it appears a general legislative framework has dragged on for too long. Further, the penal sanctions appear inadequate, especially the financial sanctions, in the face of immeasurable loss, erosion of reputation, the advancement of technology and the emergence of sophisticated security and privacy issues. The NHA creates an enforcement regime and a remedy for breach. A general data protection and cybersecurity statute would strengthen the protection of privacy and security in the health sector. In addition, healthcare providers must take quick, decisive action to maintain data privacy, secure medical devices and protect patients’ records.
According to Tomiwa Ilori, a policy analyst, “the National Health Act, in its sections 25, 26, 29 and 30 provides a viable template for safeguarding privacy concerns in Nigeria. Though limited to the health sector, it offers a dual balance of protection of data and enforcement against infringement of privacy rights of a patient within the control of a health institution. Due to the sensitive nature of health information of patients, the Act recognizes the dynamic nature of data protection in the digital age and therefore provides safeguards for its use while placing the patient’s consent as most important. It provides exceptions for where the consent of patients might not be sought but these exceptions may be said to be fair. One recommendation in the event of a review of the provision of the Act in the nearest future with respect to the protection of patients’ data is that where institutions have to derogate from seeking patient’s consent, reasonable proof must be provided for bypassing such consent”.
This article was first published by the African Academic Network of Internet Policy