In March 2020, the World Health Organization (WHO) declared COVID-19 a pandemic, pointing to the several cases of the coronavirus in over 110 countries and territories around the world and the sustained risk of further global spread of the virus. The declaration was necessitated by the spread of the disease, rather than the severity of the illness it causes. Several countries had by this time initiated lockdown procedures to prevent further spread of the disease because, as the total number of infections rose, so too did the number of cases that spread from person to person within communities around the world. Hospitals began to seek other avenues (mostly virtual) besides in-person consultation, which would provide much-needed healthcare while ensuring the safety of health workers and of patients needing care for non-critical ailments, by averting further contact with high-risk patients.
Telemedicine and its application in Nigeria
One of the avenues that was actively utilized is Telemedicine. Leveraging Telemedicine to combat the disease worldwide became crucial. The WHO has adopted the following as the definition of Telemedicine: "delivery of health care services, where distance is a critical factor, by all health care professionals using information and communication technologies for the exchange of valid information for diagnosis, treatment and prevention of disease and injuries, research and evaluation, and for the continuing education of health care providers, all in the interests of advancing the health of individuals and their communities".1
Telemedicine seeks to improve a patient's health by permitting two-way, real-time interactive communication between the patient and the physician or medical practitioner at the distant site. It involves the use of telecommunication technologies to prevent and treat illness and promote the health of individuals and populations. Electronic communication here means the use of interactive telecommunications equipment that includes, at a minimum, audio and video equipment. Also at the heart of the application of Telemedicine in Nigeria is the type of personal data gathered while providing medical services via these electronic platforms. Such personal data may include, but is not limited to, the names, phone numbers, home and email addresses, date of birth, sex and medical history of the patient.
NDPR and Data Protection Considerations
The National Information Technology Development Agency (NITDA) is statutorily mandated by the NITDA Act of 2007 to develop regulations for electronic governance and monitoring of the use of information technology and electronic data. Conscious of the concerns around privacy and protection of Personal Data and the grave consequences of leaving Personal Data processing unregulated, NITDA issued the Nigeria Data Protection Regulation (NDPR) in 2019. The objectives of the NDPR are as follows:
- to safeguard the rights of natural persons to data privacy;
- to foster safe conduct for transactions involving the exchange of Personal Data;
- to prevent manipulation of Personal Data; and
- to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.
The NDPR applies to all processing and storage of Personal Data conducted in respect of Nigerian citizens and residents.
At the core of Data Protection are the privacy principles which include but are not limited to the following:
- Data Security: where data controllers and processors are expected to implement security measures (including firewalls, data encryption technologies, etc.) to protect data from theft, cyber-attack, manipulations, environmental hazards, etc.
- Lawful Processing: where at least one of the following applies, i.e. consent has been given, or processing is necessary for the performance of a contract, compliance with a legal obligation, protection of the vital interests of the Data Subject or any public interests.
- Data Integrity and Storage Limitation: where personal data is adequate, accurate and stored only for the period within which it is reasonably needed.
The success of Telemedicine could be undermined if privacy and security risks are not addressed. Considering the above, Data Controllers/Health Practitioners are required to take note of the following with respect to Telemedicine:
- One core issue is the rights and confidentiality of patients while using Telemedicine. There are no formal Telemedicine protocols and procedures yet in effect in Nigeria. Several patients and health workers are unaware of the quality of practice and how confidentiality should be protected. For example, although the NDPR applies generically to personal data in whatsoever sphere/sector in Nigeria, the specific privacy rules for medical data found in other climes are lacking in Nigeria.
- Liability of a party with respect to data collection, transmission, storage, deletion, back-up/recovery, etc., where the management of the technology software/platform is outsourced to another entity, or the platform is owned by another entity and leased by the health service provider.
Other Jurisdictions and the regulation of personal data from Telemedicine
United States of America
The Health Insurance Portability and Accountability Act (HIPAA)2 is legislation enacted in the USA which directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. The HIPAA has set out privacy and security rules for safeguarding medical information, which require that the information gathered through a telemedicine service is encrypted, alongside the network connections being utilized. Additionally, when contacting patients, one is required to ensure that the patients are messaged through a secure connection. Also, before recording and storing video calls, the permission of the patient is required. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
Under the HIPAA, where there is a healthcare data breach the penalties range from as low as $100 per violation to $1.5 million for repeat violations, depending on the severity of the infraction.3
Closely linked to the HIPAA is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, where the US Congress extended the HIPAA to "business associates," entities that "create, receive, maintain, or transmit" identifiable health information to perform a function or service "on behalf of" a covered entity.4 Relevant questions covered by the HITECH include the following: Who provides the technology to the patient (for example, is it a direct-to-patient transaction, or is the technology provided by the doctor)? Who is responsible for the day-to-day operation of the technology (an indication of who is ultimately responsible)? And who controls the information generated by the technology?
Nigeria - Data Protection (DP) Framework (NDPR & Proposed DP Bill)
The current DP framework in Nigeria does not specifically provide for the security of health-related personal data and the entire cycle of data collection, processing, retention and ultimate deletion, given the unique nature of health-related personal data. Relatedly, the NDPR does not mention data retention, and this is an issue to be considered, as the personal data of an individual who passes on, or is no longer a patient of the medical facility hosting the platform or providing the health service, is seemingly not regulated by any contract or legislation.
Furthermore, the liability of a third party (typically one based in a foreign country) who hosts the Telemedicine platform may not be established. This is because the transfer of such data to a foreign country should have been done under the supervision of the Attorney General of the Federation, where the decision is that the foreign country ensures an adequate level of protection. However, where this is not the case, it may be difficult for the regulatory agencies to determine that there has been a breach and impose the appropriate penalties on the liable party. Moreover, the penalties provided by the NDPR may not be stiff enough to ensure compliance with the regulation.
A Telemedicine consultation requires exchanging patient information; thus, it must be done in a manner that protects the privacy and safety of such information. Privately gathering the information means conducting the consultation in such a way that no one who is not supposed to be part of the consultation can see the report or hear the conversation. Sending the information safely ensures that only those who are engaging directly in the patient's treatment will have the ability to access it. It is during this process that privacy measures come into play, and the question is whether the NDPR is sufficient to back up those privacy principles. Concerns about the privacy and security of Telemedicine systems may adversely affect people's trust in Telemedicine and threaten the ability of these systems to improve the accessibility, quality, and effectiveness of health care. More comprehensive standards and regulations may be needed to ensure stronger privacy and security protections in Nigeria.