LEGAL CONSIDERATIONS FOR ELECTRONIC MEDICAL RECORD
SYSTEMS IN HEALTHCARE ESTABLISHMENTS [1]
Documentation of patients' data remains paramount to supporting effective care of patients' health and is in fact mandated by law. Section 25 of the National Health Act 2014 [2] mandates that healthcare establishments maintain health records for every user of the establishment. Health records are a collection of facts/data related to a person's health history and typically include vitals, medication information, family history, treatment history, medical directives, tests conducted and their results, consent forms, existing medical conditions and diagnoses, treatments and progress notes. [3] Paper-based health records have been the more prevalent option for healthcare providers in Nigeria. However, electronic health records (EHR), also described as electronic medical records (EMR), have been increasingly adopted. EMR presents several advantages for both the healthcare professional and the patient, including legible documentation, improved data privacy and security, interoperability (easy transfer of medical history between healthcare professionals), and ease of processing, access and retrieval. The storage risks associated with paper-based records are ameliorated by the electronic medical record option. However, switching to electronic records raises unique legal considerations for both healthcare establishments and their users, and these constitute the focus of this article. [4]
The major legal concerns for patients in relation to their health data revolve around ownership and control of the data, availability and accessibility, privacy, confidentiality, security and integrity of the data.
Ownership and Control
In determining ownership of a health or medical record, the starting point is to concede that the information contained in the record belongs to the patient about whom the record is made for the purpose of providing healthcare. However, the record is in the custody of the healthcare provider, as this is necessary to optimise healthcare and is required by law. [5] When the question of ownership is assessed from a data protection and privacy standpoint, it becomes apparent that control lies with the healthcare provider. However, the Data Protection Act, 2023 [6] ensures that the rights of the data subject limit the said "control" by granting the right of access, the right to erasure [7] etc. to the data subject, who is the patient in this context. The NDPR Implementation Framework provides that data controllers are to design systems and processes that make data requests and access easy for data subjects (patients), as well as processes to enable data subjects to easily transfer (port) data to another platform at minimal cost. [8]
Therefore, while the healthcare provider is in possession and control of the records in order to provide care, the patient or healthcare user must be granted access to personal data and health records, among other rights, in line with data privacy law. In the United States, the state of New Hampshire by legislation grants patients ownership rights over their health data. [9] In Nigeria, on the other hand, there is no clear delineation of ownership reposed in either party.
Confidentiality
Confidentiality in healthcare is an important issue and is a widely perceived advantage of electronic medical records. The National Health Act, 2014 equally recognises the importance of a patient's right to confidentiality. Section 26(1) of the National Health Act [10] provides that "All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential". This shows that confidentiality of health-related matters is not merely an ethical consideration but one of legal import. Section 26(2) provides the instances in which health records may be disclosed, which include written consent of the user/patient to the disclosure, an order of court or a provision of law to that effect, or where non-disclosure poses a threat to public health. [11]
In addition, Section 27 of the Act provides that health workers or healthcare providers who have access to the health records of a user may disclose such personal information to any other person, healthcare provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties, where such access or disclosure is in the interest of the user. [12] Section 16 of the Freedom of Information Act, 2011 [13] reinforces the importance of confidentiality by providing that a public institution may deny an application for information that is subject to health worker-client privilege. Section 25(f) of the Data Protection Act, 2023 similarly provides that data controllers and processors must ensure the confidentiality, integrity and availability of personal data using appropriate technical and organisational methods.
Privacy and Security
As stated above, health records are sensitive in nature and could disclose information related to infectious diseases, drug dependence, terminal diseases, and psychological and psychiatric treatments, which could expose the data subject to blackmail, unwanted marketing, product promotion etc. [14] Hence the need to ensure that the privacy of the data subject is protected.
Privacy ordinarily means the state of being free from public attention or disturbance, and was defined in Incorporated Trustees of Digital Rights Lawyers Initiative & Ors. v. NIMC as the "protection of personal information and personal data". [15] The right to privacy is guaranteed by the Constitution [16] and further protected by the Nigeria Data Protection Regulations, 2019 (NDPR) [17] and the Data Protection Act, 2023 [18], and is thus of great significance for data controllers in the healthcare sector. Although information relating to an identified or identifiable natural person, including medical information, is regarded as personal data under the Data Protection Act, data relating to health status is classified as sensitive personal data.
The NDPR stipulates the need for data processors and data controllers to develop methods to protect the security of data, and recommends that the management of a healthcare facility/establishment set up firewalls, store data securely with access granted only to specific authorised individuals, employ data encryption technologies, develop an organisational policy for handling personal data (and other sensitive or confidential data), protect emailing systems and ensure continuous capacity building for staff. [19] In addition, data protection impact assessments are required to ascertain the privacy and security implications when data processing involves sensitive data or data of a highly personal nature, or relates to vulnerable or differently-abled data subjects, and when health establishments consider deploying innovative processes or applying new technological solutions. [20]
Section 29 of the National Health Act provides for the protection of health records. It requires the management of a health establishment in possession of a user's health records to set up control measures to prevent unauthorised access to those records and to the storage facility or system by which the records are kept. The Act further prescribes a fine of two hundred and fifty thousand Naira (N250,000) or a term of two years' imprisonment, or both, as the penalty for any person who fails to perform this function. [21]
The NDPR goes further to impose a duty of care on anyone who is entrusted with or in possession of the personal data of a data subject. [22] This means that healthcare facilities must ensure that their EMR (software-as-a-service) provider guarantees the safety of the sensitive personal data of patients, or face liability in the event of a breach. The software must be built with sufficient security protocols, such as encryption and password security protocols. This responsibility continues after deployment of the EMR software in the healthcare facility, as healthcare providers must ensure proper monitoring of the system and regular maintenance and upgrades. They must also keep up with cybercrime trends while practising good data governance guidelines. [23]
In light of the new Data Protection Act 2023, there is a need to review Section 23(1)(a) of the National Health Act, 2014, which provides that information can be validly withheld from a patient where it is considered to be in the interest of the patient to do so. The circumstances in which withholding information will be considered to be in the "best interest" of the patient are not stated, and this stands contrary to a patient's right to information and to request access to the record. The Patient's Bill of Rights, 2018, which currently contains twelve (12) rights derived from the Constitution, [24] the defunct Consumer Protection Act [25] and the National Health Act 2014, also fails to provide clarity on this issue. The Bill of Rights, 2018 states that the healthcare establishment or provider is to provide the patient's medical records on request by the patient or other authorised persons, in accordance with prevailing laws. With the National Health Act, 2014 and the Data Protection Act, 2023 being in dissonance, patients may be unable to fully exercise their rights.
Furthermore, while healthcare establishments are central to the discourse on health and medical data, there is a need to shine a light on EMR software vendors as well. The adoption of health technology makes software providers key stakeholders in the healthcare sector. Therefore, close attention should be paid to the data protection compliance of start-ups and companies in the business of EMR software. The self-reporting mechanism under the NDPR needs to be emphasised, particularly for EMR software companies servicing healthcare establishments. In the same vein, EMR companies must be conscious of the legal considerations highlighted above in developing, maintaining and improving their software solutions.
Footnotes

1. Juliana Okegbile, Associate, Cross-Departmental, S.P.A. Ajibade & Co., Abuja, Nigeria.
2. National Health Act, No. 8 of 2014.
3. Digital Health Folio 3 "The 10 Components of a Medical Record in a Hospital", available at https://digitalhealth.folio3.com/blog/10-components-of-a-medical-record/ accessed on 25th May 2023.
4. Aderibigbe T. O., Sodipo B., "Patient's Medical Records, Privacy and Copyright in Nigeria: On-Going Research" available at https://www.law.uwa.edu.au/data/assets/pdf_file/0005/3052724/5.-Titilayo-O.-Aderibigbe-and-Bankile-Sopido.pdf accessed on 30th May 2023.
5. Laurinda B. Harman, Cathy A. Flite, and Kesa Bond, "Electronic Health Records: Privacy, Confidentiality, and Security", available at https://journalofethics.ama-assn.org/article/electronic-health-records-privacy-confidentiality-and-security/2012-09 accessed on 25th April 2023.
6. Data Protection Act, 2023.
7. Section 35(b) of the Data Protection Act, 2023.
8. See Paragraph 4.2 of the NDPR Implementation Framework, 2020 available at https://ndpb.gov.ng/Files/ImplementationFramework.pdf accessed on 5th July 2023.
9. Raj Sharma, "Who Really Owns Your Health Data?" available at https://www.forbes.com/sites/forbestechcouncil/2018/04/23/who-really-owns-your-health-data/?sh=438761d56d62 accessed on 31st May 2023.
10. National Health Act, 2014.
11. Section 26(2) of the National Health Act, 2014.
12. Section 27 of the National Health Act, 2014.
13. Freedom of Information Act, 2011 available at https://www.cbn.gov.ng/foi/freedom%20of%20information%20act.pdf accessed on 5th July 2023.
14. Karen N. Brown, "How Medical Data Sharing is Impacted by EU GDPR", available at https://www.volusonclub.net/empowered-womens-health/how-medical-data-sharing-is-impacted-by-eu-gdpr/ accessed on 11th May 2023.
15. Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v. NIMC (2021) LPELR-55623(CA).
16. Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
17. Nigeria Data Protection Regulations, 2019 (NDPR).
18. Nigeria Data Protection Act, 2023.
19. Article 2.6 of the Nigeria Data Protection Regulation, 2019.
20. See Paragraph 5.2 of the NDPR Implementation Framework, 2020 available at https://ndpb.gov.ng/Files/ImplementationFramework.pdf accessed on 5th July 2023.
21. Section 29(2) of the National Health Act, 2014.
22. Article 2.1(2) of the Nigeria Data Protection Regulation, 2019.
23. Section 29 of the National Health Act, 2014.
24. The Constitution of the Federal Republic of Nigeria, 1999.
25. Consumer Protection Act, Cap C25 LFN 2004.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.