Nigeria: Privacy And Security In Nigeria's Health-Care Sector

Last Updated: 23 November 2018
Article by Ridwan Oloyede

Introduction

Increased digitalisation and the rise of electronic health records (EHRs) are fast replacing traditional paper records. In Nigeria, there remains a wide digital divide – health records are still largely recorded and stored in paper form. The adoption of healthcare technologies reliant on datafied records is growing, and there is an urgent need for a stronger framework to protect the rights and freedom of Nigerians. An unlawful disclosure, illicit access or misuse of health records could reveal intimate and embarrassing details about patients that could result in infringements of individuals' rights to privacy (intrusion), commodification of health data, blackmail and other social discrimination, which weakens the fabric of trust between healthcare providers and users.

Understanding health records, health technology and the intersection with privacy and security

The medical record or health data of a patient is regarded as sensitive personal data. Sensitive personal data requires special protection and is usually specifically protected by law. It reveals accurate intrinsic details about an individual's healthcare treatment and records. Medical records contain personal data, some of which include genetic data, personal statistics such as age and weight, demographics, medical diagnosis and allergies, immunization status, radiology images and medical research data.

The proliferation and advancement of technology have increased the generation, processing, storage, sharing and collection of health data, including genetic, clinical, and behavioural data. Clearly, the advancement of Internet of Things connected devices, personalised medicine and genetic testing, cloud-based interoperable EHR, telemedicine, m-health and e-health, portal technology, sensors and wearables, and remote monitoring tools holds immense potential for improving healthcare delivery, but it also raises niggling questions about privacy and security.

Further, the sharing of patients' health data between health professionals, healthcare providers and facilities, and cross-border data transfer pose privacy and security concerns. Modern technology sweeping the healthcare industry births new challenges that the law must keep abreast of.

However, protecting privacy should not be allowed to muscle out the much needed life-saving innovation in the industry. We must understand that health data is important for the growth and overall improvement of healthcare.

Confidentiality and Privacy

Traditionally, there is a professional obligation in medical practice to ensure the confidentiality of a patient's personal health information, unless consent to release the information is provided by the patient or on any other recognised legal basis. This flows from the Hippocratic oath, which imposes a confidentiality obligation on healthcare providers. Confidentiality forms part of the pillars of medical practice and it is recognised by law as a privileged communication between two parties in a professional relationship. According to Vivienne Nathanson, "protecting the private details of a patient is not just a matter of moral respect, it is essential in retaining the important bond of trust between the doctor and the individual."

Privacy in the healthcare context refers to the patient's right to have control over and keep his or her health information private. It also entails the circumstances in which a patient's protected health information may be used or disclosed.

The right to privacy is a fundamental right recognised by the Nigerian Constitution. Beyond the constitutional provision and professional obligation, privacy law adds another layer of legal obligation and protection.

Security

The security of both electronic and paper health records is an essential thread in the healthcare fabric. Security entails the protection of both the online and physical facilities housing health records. A security breach affects both medical devices and health records. A security breach in the healthcare sector exposes providers to innumerable risks that can cause disruption of services, economic loss, reputational damage, reduced patient confidence, and penalties under regulation.

With increased digitisation of records, the healthcare sector is witnessing an increase in cyber attacks. According to Nass S.J. et al., "protecting the security of data in health research is important because health research requires the collection, storage, and use of large amounts of personally identifiable health information, much of which may be sensitive and potentially embarrassing."

According to PwC's Health Research Institute 2018 annual report, "there is 525 percent increase in medical device cybersecurity vulnerabilities reported by the government."

According to Deloitte's 2018 Global health care outlook report, "globally, the average total cost of a healthcare data breach to an organization reached USD $3.62 million per incident in 2017."

THE RISK LANDSCAPE

A patient's health record could reveal the medical condition, treatment plan or medications, and could be commercialised for targeted advertisement and for health insurance fraud and abuse (by raising premiums for "at-risk patients"), exposing the patient to loss of privacy, social discrimination, blackmail and other dangers which weaken the fabric of trust between healthcare providers and users.

A patient's privacy rights can be violated when there is an accidental loss of data, unauthorised or abusive privileged access, a cyber attack, or unlawful disclosure. According to Verizon's 2018 Protected Health Information Data Breach Report, 58% of all healthcare breaches are initiated by insiders. In July 2018, it was reported that there was a major cyber attack on Singapore's health sector affecting the personal data of over 1.5 million people, including the country's Prime Minister. The healthcare sector was seriously affected by the WannaCry ransomware attack in 2017, which shows how vulnerable the sector is. In Nigeria, the purported health record of a gubernatorial aspirant was a subject of negative politics in the run-up to the 2019 general elections.

The pivot toward a national health insurance regime has birthed the rise of health maintenance organisations (HMOs) created for the purpose of managing and providing healthcare services through healthcare facilities accredited by the National Health Insurance Scheme (NHIS). According to BusinessDay, there are currently about 60 HMOs operating in the country.

These organisations process the health data of users. Without transparent oversight of their operations, such data could be abused and misused – as we have seen with social discrimination and commodification of health records in other climes; this is capable of undermining the public's confidence.

According to Reuters, health data is increasingly more desirable than financial data – "health data, unlike financial data that becomes worthless after the victim discovers the fraud, has a longer shelf life for exploitation".

Treatment and prescription records are permanent. Medical and insurance records provide insights about where people live, what medical treatments they had, who their family members are, demographic information and employment details. Health records have also been employed as a tool for extortion and blackmail.

LEGAL FRAMEWORK FOR PRIVACY AND SECURITY IN NIGERIA'S HEALTHCARE SECTOR

The right to privacy of Nigerians is guaranteed by Section 37 of the Constitution of the Federal Republic of Nigeria 1999. Though Nigeria currently lacks general data protection and cybersecurity legislation, there are sector-specific frameworks and ongoing legislative efforts to enact one.

National Health Act (NHA) 2014

The NHA is the principal legislation regulating the Nigerian healthcare sector. It also makes adequate provisions for the privacy rights of patients. Section 26 (1) of the NHA provides that "all information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential". The provision imposes the legal obligation of confidentiality. The right is subject to certain derogations imposed under Section 26 (2) of the Act. Health information can be disclosed when there is a court order or any law prescribes such disclosure, with the consent of the owner in writing, and when non-disclosure will pose a serious threat to public health. Similarly, Section 25 of the NHA imposes the obligation to keep health records available to patients. This is the right of access.

Section 27 of the Act provides the two legal bases on which the health record of a user can be disclosed to a third party, another healthcare provider or professional: if the disclosure is necessary for any legitimate purpose within the ordinary course and scope of his or her duties; and when such access or disclosure is in the interest of the user. The latter is similar to using vital interest as the legal basis.

Section 28 (1) provides that a healthcare provider can access the health record of a patient with the consent of the patient. This provides for consent as a legal basis. The section also allows health records to be used for research with the consent of the patient. Section 28 (2) provides that the authorisation of the patient or any other authority can be dispensed with for the purposes of research, teaching and studying if the research data does not contain any personally identifiable information.

Section 29 mandates the head of a healthcare facility to put in place "control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept". This implies a good data governance and management policy to prevent unauthorised access, unlawful disclosure, data loss, and data theft – both online and offline. The section prescribes offences and the punishment of two (2) years imprisonment or fine of N250,000 ($816) or both. The offences include falsification or alteration of records, destruction of records without authority, re-identifying de-identified records, unlawful access or interception of records.

Cybercrimes (Prohibition and Prevention) Act

Section 5 of the Cybercrimes (Prohibition & Prevention) Act 2015 designates certain sectors of the economy as Critical National Information Infrastructure (CNII). Part 7.5 of the National Cybersecurity Policy designates the healthcare sector as a National Critical Information Infrastructure. The Act criminalises attacks on sectors designated as critical national infrastructure, and this is punishable by a term of imprisonment of not less than 15 years without the option of a fine. The Act also includes other offences that could affect the sector.

Section 21 of the Cybercrimes (Prohibition and Prevention) Act mandates that a cyber attack or threat must be reported to the Nigeria Computer Emergency Response Team (NgCERT) – the government's coordination centre responsible for managing cyber incidents in Nigeria. Failure to report within seven days is punishable with a fine of N2,000,000 ($6,535) and denial of internet service. Underreporting remains a debilitating factor for estimating the cost and extent of cybercrime and deprives the industry of shared common knowledge. The NgCERT has created an online platform for reporting incidents either as an individual or as a corporation.

National Health Insurance Scheme Act (NHIS Act)

Section 38 of the Act creates a secrecy obligation binding the officials and other employees of the scheme. The officials are mandated to treat all information obtained in the exercise of their powers or in the ordinary course of duty as confidential.

The confidential information can only be disclosed to an arbitration board or the court. Section 38 (2) prescribes a fine not less than N20,000 ($65) or imprisonment for a term of two years or both.

Freedom of Information Act (FOI Act)

Section 16 of the FOI Act provides that a public institution may deny an application for information that is subject to health workers – client privilege. The section recognises and provides a legal backing for the professional confidentiality obligation.

Patients Bill of Rights (PBoR)

The Consumer Protection Council (CPC) recently released the Patients Bill of Rights (PBoR). The Bill is aimed at ensuring easy access to quality health care service in the country. The PBoR is a list of rights already contained in extant laws but recently reduced into a document to sensitise the members of the public.

Interestingly, the bill recognised the rights to privacy of patients, and confidentiality of medical records. While there is a professional obligation of secrecy in the medical profession, a legal obligation further protects the freedom and rights to privacy of patients.

RECOMMENDATION

The Federal Ministry of Health can take a cue from the United States' Health Insurance Portability and Accountability Act (HIPAA) by enacting a national privacy and security rule that defines the privacy and security standards for the protection, storage and transfer of health data held in electronic or physical form. This includes administrative, technical, online and physical safeguards. The privacy rule should clearly define other legal bases for processing and derogations, a mechanism for cross-border transfer of health data (patients are becoming more mobile with medical tourism), storage and retention periods, other rights (the right to be informed and the right of access are already established under the NHA), and a framework for reporting breaches and notifying users, and should put in place a stronger transparency and accountability mechanism.

Section 2 of the NHA gives the Federal Ministry of Health the mandate to make a guideline for the development of the health sector which will include addressing emerging privacy and security concerns with new technologies.

There is an urgent need to sensitize health practitioners and members of the public on privacy and security, and how it affects them.

The NHIS should issue a guideline to regulate the activities of HMOs and other health insurance players to prevent insurance fraud, possible discrimination, and other abuse of health records. Section 6 of the NHIS Act empowers the scheme to "issue appropriate guideline to maintain the viability of the scheme." A major breach could erode the scarce trust in the nation's health insurance scheme.

The heads of health institutions and facilities should put in place appropriate safeguards and a framework to ensure the privacy and security of patients' records and information. They should administer measures to comply with the law, which include training and sensitisation of their staff, designing a privacy and security policy, implementation of the right technology, and training of staff on its use and on the possible privacy and security implications of the technology.

According to Deloitte's 2018 Global health care outlook report, "many employees at hospitals, health plans, life sciences companies, and governments lack awareness of and training to manage financial, operational, compliance, and cyber risks. Led by senior management, organizations should perform a thorough assessment to understand how recent and upcoming policy changes will impact organizational priorities and explore strategies to build second-line defenses to reduce their administrative, financial, and reputational exposure."

CONCLUSION

The provision of the NHA is a bold sector-specific regulation in a country where there is a big clamour for a general data protection and cybersecurity framework. It is the opinion of the writer that the privacy and cybersecurity framework in Nigeria will be led by sector-driven regulations, since it appears a legislative framework has dragged on for too long. Further, the penal sanction appears inadequate, especially the financial sanction, in the face of immeasurable loss, erosion of reputation, advancement of technology and the emergence of sophisticated security and privacy issues. The NHA creates an enforcement regime and remedy for breach. A general data protection and cybersecurity statute will strengthen the response to the privacy and security concerns in the health sector. In addition, healthcare providers must take quick, decisive action to maintain data privacy and the security of medical devices and protect patients' records.

According to Tomiwa Ilori, a policy analyst, "the National Health Act, in its sections 25, 26, 29 and 30 provides a viable template for safeguarding privacy concerns in Nigeria. Though limited to the health sector, it offers a dual balance of protection of data and enforcement against infringement of privacy rights of a patient within the control of a health institution. Due to the sensitive nature of health information of patients, the Act recognizes the dynamic nature of data protection in the digital age and therefore provides safeguards for its use while placing the patient's consent as most important.

It provides exceptions for where the consent of patients might not be sought but these exceptions may be said to be fair. One recommendation in the event of a review of the provision of the Act in the nearest future with respect to the protection of patients' data is that where institutions have to derogate from seeking patient's consent, reasonable proof must be provided for bypassing such consent".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
