The key findings of this study are that 90% of doctors and nurses use computers, either at home or in their workplace, and approximately two thirds share computers with others. Although computer usage is high, few encrypt patient data saved on the computers or save the data to backup devices. Few individuals receive emails from patients, but many of those who do store these emails without encrypting them. Patient information therefore becomes vulnerable and at risk. It is unlikely that failure to encrypt transmitted and stored data is intentional. The health professionals in our study do not appear to know about encryption or its importance, as they are not doing it as routine practice.
In 2008, the Health Professions Council of South Africa (HPCSA), which is the statutory body that governs medical practitioners, published guidance on good clinical practice pertaining to confidentiality and the keeping of patient records [10]. Likewise, the South African Nursing Council has a code of ethical conduct which refers to confidentiality. The HPCSA guidelines on keeping patients' records, which have to be kept for six years after the last consultation, merely state that the storage of records on CD-ROM is permissible provided that protective measures are in place, and that the records are encrypted and protected by passwords [10]. What they do not address is storage of patient information on home and workplace computers, computers with multiple users, differing levels of access rights to stored patient information by members of the health team, and guidelines on email communications and their secure storage. Studies have shown that patients and health care workers alike express concerns over the privacy of health information when stored electronically and that they attach significant risk to these concerns [11, 12].
The risk to data in patient information systems can be reduced by having at least four levels of security: 1) encryption or a similar technology for protecting confidentiality; 2) digital signatures and passwords or similar technology to ensure integrity, authentication and authorization; 3) a means to perform regular backups; and 4) disassociation of patient identifiers from patient data in a database.
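The fourth level above, disassociating patient identifiers from clinical data, and the integrity requirement of the second level are the two that are easiest to get wrong in a small practice's own database. The following Python is an added example, not code from the study or any of the bodies it cites. It splits a record into an identity store and a clinical store linked only by a keyed pseudonym (an HMAC rather than a plain hash, so the pseudonym cannot be recomputed from a guessed identity number without the key), and seals each clinical entry with an integrity tag so that later modification is detected. The keys, field names and sample record are constructed placeholders; a MAC is used for integrity in place of the digital signatures the text names, because the standard library carries no signature primitive, and encryption of the stored entries (the first level) would additionally require a library such as `cryptography`.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Placeholder keys for the example only; in practice they live in a key store,
# never in source code, and the pseudonym key is held apart from the clinical store.
PSEUDONYM_KEY = b"example-pseudonym-key"
INTEGRITY_KEY = b"example-integrity-key"

# Fields that identify the patient and must not reach the clinical store.
IDENTIFIER_FIELDS = ("name", "id_number", "email")


def pseudonym_for(id_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for the same patient, not reversible without the key."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()


def split_record(record: Dict[str, str], key: bytes = PSEUDONYM_KEY) -> Tuple[dict, dict]:
    """Separate identifiers from clinical data; both halves share only the pseudonym."""
    token = pseudonym_for(record["id_number"], key)
    identity = {"pseudonym": token,
                **{f: record[f] for f in IDENTIFIER_FIELDS if f in record}}
    clinical = {"pseudonym": token,
                **{k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}}
    return identity, clinical


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the same content always yields the same bytes to authenticate.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal(entry: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an integrity tag over the canonical form of the entry."""
    return {"entry": entry, "tag": hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the entry is byte-for-byte what was sealed (constant-time compare)."""
    expected = hmac.new(key, _canonical(sealed["entry"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def leaks_identifier(entry: dict, record: Dict[str, str]) -> bool:
    """Audit helper: does any identifier value from the source record appear in entry?"""
    dumped = json.dumps(entry)
    return any(record[f] in dumped for f in IDENTIFIER_FIELDS if f in record)


# Constructed sample record; the identity number is a made-up 13-digit value.
SAMPLE_RECORD = {
    "name": "A. Example",
    "id_number": "8001015009087",
    "email": "a.example@example.invalid",
    "diagnosis": "hypertension",
    "visit_date": "2012-03-14",
}

if __name__ == "__main__":
    identity, clinical = split_record(SAMPLE_RECORD)
    sealed = seal(clinical)
    print("clinical store entry:", json.dumps(sealed, indent=2))
    print("identifier leaked into clinical store:", leaks_identifier(clinical, SAMPLE_RECORD))
    print("integrity verified:", verify(sealed))
```

Re-identification is then only possible for someone holding both the identity store and the pseudonym key, which is the property the fourth level is meant to provide; the tag on each clinical entry gives a check that the backup or shared computer copy has not been altered since it was written.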
The Canadian Medical Association has published guidelines regarding the use of email for healthcare communication, and cites three main areas of concern: confidentiality, privacy and security. The guidelines set out precautionary measures that need to be adhered to when communicating patient information via email and recommend obtaining written informed consent from patients prior to any email communication [13]. The Medical Protection Society of South Africa provides guidelines for doctors communicating with patients via email, and these guidelines also recommend obtaining written informed consent [14]. In this study, 20% of healthcare professionals email patient information to a third party, of whom 42% obtained written informed consent prior to doing so.
In South Africa an individual's right to privacy is enshrined in the South African Constitution. Section 14(4) of the Constitution states: "Everyone has the right to privacy, which includes the right not to have...the privacy of their communications infringed." In the health context, the patient's common law right to confidentiality has been codified and is explicitly recognized in section 14 of the National Health Act, 61 of 2003 [3].
The Electronic Communications and Transactions Act (ECTA), the first law governing cyber activity in South Africa, was promulgated in 2002. Broadly, this act provides for the facilitation and regulation of electronic communications and transactions. An electronic health record, an email correspondence containing patient information and a video-conferenced teleconsultation all meet the definition of an electronic transaction or communication [15]. Such data are termed "critical data" and are declared, in terms of section 53, to be "... of importance to the protection of ... the economic and social well-being of its citizens."
Chapter 8 of the ECTA addresses the protection of personal information and sets out principles that must be adhered to when collecting such information. As these are voluntary principles, organisations do not have to adhere to them. The ECTA definition of personal information includes the following: "Information about an identifiable individual, including but not limited to information relating to race, gender, and pregnancy," all of which can be deemed part of health-related information. Clearly, most subjects in this study are not complying with the HPCSA guidelines or the ECTA. That they are wilfully transgressing is unlikely.
In 2011, the South African Department of Health released a white paper on the proposed national health insurance (NHI) [16]. The NHI aims to facilitate equitable medical services and standard of care to all long-term residents of South Africa regardless of their financial status. The white paper refers to the use of centralised electronic patient health information systems by all health care professionals. This will require a national electronic medical record that has yet to be developed. The recently published eHealth strategy for South Africa 2012-2016 reconfirms South Africa's commitment to the use of all forms of information and communication technologies to promote, support, and strengthen healthcare [17]. The use of hospital information systems in the public sector in South Africa is not new. A 2008 survey of electronic medical record systems in use showed that just over a third of the provincial hospitals have computerized systems in place, but few of these are interoperable [18]. The Inkosi Albert Luthuli Central Hospital in Durban, KwaZulu-Natal, is one of the few paperless hospitals in the world. Widespread use of ICT to manage patient information is inevitable and will involve all healthcare professionals, in both the public and private sectors.
In the private healthcare sector, a medical insurance company recently launched an application that allows doctors to connect electronically to the insurer's databases to access their patients' medical history, medical aid plans and laboratory results, write electronic prescriptions and make referrals to other healthcare professionals. The insurer expects the application to reduce diagnostic time, limit medical error and reduce costs [19].
The move towards greater use of ICT in healthcare is in keeping with international trends: countries such as Australia and members of the European Union are proposing centralized electronic health records and national databases that will allow inter-jurisdictional access to medical records by healthcare professionals, insurers and governmental agencies, within the country and across borders [20, 21, 23]. The HITECH Act in the United States and the EU's eHealth strategy will hasten widespread use of electronic medical records [22, 24].
Various studies have investigated the threat of unauthorised access to patient data, citing a lack of technical expertise and of responsibility among health professionals [11, 25]. Addressing these threats will require an appreciation of the risks to which medical information may be exposed, the development of robust security policies, raising the awareness of health professionals on these issues, and providing further training for compliance. Currently many are at risk, albeit unwittingly, of potential litigation.