In the course of a typical day at the hospital, a variety of personal information of anyone patient is harvested by a physician during consultation or treatment and stored in a Hospital cabinet. Some of such information may be generic and common knowledge others may be intrusive and appear prying, others still may hold sentimental value to the patient. All of which would have remained personal knowledge of the patient but for the existing professional relationship between the patient and his or her physician.
Technological advancement and the use of IT-driven devices in almost all sector has created remote access and other faster mode of dissemination of medical record and information from the point of source to the point of use. With such a vast amount of information in the custody and gains control of such a physician comes to an equally proportional obligation of the physician to apply that information only for which it was given, and to ensure the safety and protection of such information from falling into the wrong hands. For this discussion, the right to privacy of records essentially is the right or limitations thereof to control access to medical records or information of a patient, whether conversational or documentary.
According to MD Hiller in his article “Patient Care Management systems, medical records, and privacy: a balancing act,” (1982) Vol 97 (4) Medical privacy or health privacy is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The term can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings.
Aside from the public policy angle, where citizens are reasonably expected to be safe from the exploitation of personal information in the custody of private individuals or public entitles, there is a more rudimentary and basic source of the obligation placed on health care providers to ensure secrecy and confidentiality.
THE HIPPOCRATIC OATH
The Hippocratic Oath is one of the oldest documents that regulate and outlines the duties and obligation of a health caregiver.
Line 7 and 13 of the revised version adopted on 14/10/2017 by the World Medical Association re-echoes the duty of a member of the medical profession to keep personal information secret and to protect the rights of one’s patients. Inclusive of such rights is the right to privacy.
Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new privacy concerns, balanced with efforts to reduce duplication of services and medical errors.
Many countries — including Australia, Canada, Turkey, the United Kingdom, the United States, New Zealand, and the Netherlands — have enacted laws that try to protect people’s privacy. However, many of these laws have proven to be less effective in practice than in theory. The United States passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 in an attempt to increase privacy precautions within medical institutions. Similarly, other countries are legislating on the subject. A case in point is the V.K’s Data Protection Act 2018 and the European Union’s more elaborate General Regulation of 2018. The regulation Data Protection synchronize and harmonize data privacy laws across all of its member countries.
These are stand-alone legislation dedicated to data protection. In other countries like India, the law on medical data privacy is nothing more than a sentence in regulation 5 of the India Medical Council Act, (Code of Ethics) Regulation of 2002 which provides: “I shall respect the privacy & secrets of my patients that are confided in me for professional reasons.” What is immediately apparent is its similarities with the Hippocratic Oath. In Nigeria, the regulatory framework for data protection generally includes the National Information Technology Development Agency Act 2007 and its subsidiary Nigerian Data Protection Regulation of 2019.
An example of such modern equipment is the Electronic Medical Records (EMR) sometimes called the Electronic Health Records (EHR) or Electronic Patient Record (EPR). The EMR is a portable and easy to access, electronic archive of medical records of individual patients per demography or location over some time. It is a collective repository of the personal medical history of large states of patients within a defined area that is shared amongst different medical settings within a country. Information readily available to any primary health care or private facility subscribed to the network include information such as Medical history, allergies, immunization status, laboratory tests done over time, radiology images, and billing information amongst other sensitive data.
Section 25 and 27 of the National Health Act (2014) particularly in its sections 25 and 27 wilts more public awareness on the impact of data accessibility and the need to protect them, it is expected that dedicated legislation on data protection, particularly of the electronic nature will be enacted by the legislature to ensure better data protection of personal and medical records. It is submitted that archives and public records fall under the concurrent list and legislative competence of both the Federal and State houses of Assembly.
It is however very pertinent to stress that the code of medical ethics recognizes a balance between the right to privacy and the need for access to privileged medical information to promote growth and development in the industry. Section 45 of the 1999 Nigerian Constitution (as amended) permits the derogation of the absolute right to privacy in the interest of public safety and public health. A recent example of privacy vs. public health is this Covid19 sage and the mandate by countries that their citizens must be vaccinated regardless of choice. Other areas worthy of note are the right to privacy and the child, the right to privacy and persons living with communicable diseases, incompetent adults or the dead.
The issues of privacy rights also cover more controversial areas of arbiter rights and rights to euthanasia or mercy killing.
There is also the need to consider legislating specifically on data protection in Nigeria.
The establishment of the National Identity Management Commission Act of 2007 was created to mop up the haphazard storage and management of personal information by diverse Government Agencies including the CDN, FRSC, FIRS, EFCC, INEC etc. In furtherance of section 5 of the Act, the NIMC rolled out the National Identification Number to ensure a comprehensive database of residents and citizens of the country. The Commission under the NIMC Act includes a representative of the National Health Insurance Scheme (NHIS). This informs that the database being collated and compiled by the commission includes data and information available within the medical space.
There is no gainsaying that confidentiality is a vital aspect of Health care delivery, there however still needs to be more discussion on the method of proper reception, storage and dissemination of this information without infringing on the sanctity of a patient’s privacy. It is hoped that the regulatory structure in Nigeria provided for data protection will engineer a data management and protection system that will reflect international best practices in the field in balancing the interests of the people vis a vis the affected person.
Co-author: Ishola Agboola
Co-Autor: Tomi Adeyemi