This article on health data privacy protection has been co-authored by Rachel Clad and Ruan Viljoen*.
The disclosure of personally identifiable health information, such as HIV status, can result in stigma, embarrassment or discrimination, and lead to loss of employment and reduced trust in and engagement with the healthcare system.
Cloud computing, along with increasingly ubiquitous digital tools for collection, aggregation, and analysis of health data, offer the substantial potential to help the African continent leapfrog many more mature systems in transforming healthcare and improving health outcomes. However, more rigor and attention must be focused on protecting the privacy and security of health data.
Health data privacy and security protections carry strong health equity implications. The disclosure of personally identifiable health information, such as HIV status, can result in stigma, embarrassment or discrimination, and lead to loss of employment and reduced trust in and engagement with the healthcare system. Free and informed consent around data disclosure and control over one’s own health data should be equally applied across all geographies. This must be a focus across Africa.
Historical Context to Health Data Privacy Protection
Almost 20 years ago when people across the African continent were dying daily by the tens of thousands from HIV/AIDS, the US President’s Emergency Plan for AIDS Relief (PEPFAR) program was launched to save lives. PEPFAR and other global HIV programs, as well as many other urgent infectious disease efforts over the years, have been noble and laudable in their hyperfocus to save lives.
Through those years huge volumes of data were collected across Africa, some of it personally identifiable health data. Safeguarding this data, while considered, was a much lower priority than getting the lifesaving drugs and services to those most in need. And while significant investments have been made in strengthening health systems, there has been limited attention on the rigor required to protect health information, particularly with the heightened frequency of cybercrime and cyber terrorism worldwide.
Over the past two decades we have seen major advances in technology and digital health tools, which mean that most health data is now automated and stored digitally, and sharable for research, policy, and program implementation. Key privacy laws have also been formalized in many parts of the world to 1) confirm the privacy and stewardship of personally identifiable health information (PHI) and 2) require that those holding this information protect and secure it from unauthorized use or release. About half of African countries have now passed laws to protect a person’s right to the privacy of their health information; however, even in African countries that have enacted privacy legislation, practically speaking these laws have seen limited enforcement and impact.
Nonetheless, these legal frameworks signal important progress in advancing health data privacy and security agendas.
Current State of Play
Hundreds of digital health technologies, many of these free or open sources, have been piloted and implemented across countries in Africa. Despite their noble intent, these technologies have not been subject to the kinds of scrutiny that rigorous compliance frameworks such as POPIA, GDPR, or the US-based HITRUST certification process bring. It is critical to explore:
- Securing the privacy of health information via robust cloud computing
- Ensuring the myriad of digital health technologies are hardened enough to offer end-to-end protection of health data, including PHI
Some assume that cloud computing means data is ‘offshored’ and is no longer private nor protected by a local country’s regulations. This has led to some countries calling for health and other data to be stored physically within the country’s borders. Yet, this may mean less rigorous IT security provisions than could possibly be found with a global provider.
Locally developed or freely available digital health software tools and applications are also being deployed across Africa, which is exciting, but it is critical to ensure these systems are subject to the design, technical, and process compliance needed to secure health data.
Opportunities in Health Data Privacy Protection
There are several areas that could be explored to advance the privacy and security of health data on the African continent. These include the following:
Advancing Policy and Practice. The global development community must focus more attention on protecting health information through policy development, education and awareness, and systems strengthening.
For example, an overarching WHO-led regulatory framework for health data privacy and security has been discussed, but this sort of regulatory framework, beyond promoting general principles of data privacy, has yet to come to fruition. This means a continued patchwork of impractical, inconsistent, or non-existent governance approaches to securing health data for the foreseeable future.
Health data privacy and security policy and practice need to be a focused part of the development agenda going forward.
Embracing Cloud Computing.
Several of the large cloud offerings from Microsoft, Google, and Amazon, offer secure, cost-efficient ways to manage health data for African healthcare. However, these global tech players need to navigate the maze of legal frameworks across African countries, which may be partially implemented and sometimes contradictory. African country governments and their supporting development donors need to take advantage of the global tide of cloud computing so that they can harness the best technologies for managing increasing volumes of data.
Hardening Digital Tools and Applications.
African governments and their ecosystem actors also need to consider enhanced scrutiny of the various digital health tools and software applications to ensure these have adequate data protection and security features. Deploying full-on POPIA or GDPR-like legal requirements or implementing a rigorous system certification requirement such as HITRUST across Africa would be cost-prohibitive and impractical; yet, there are some components that should be explored. For example, a “lite” version of HITRUST certification could become a minimum standard for digital health technologies and cloud computing offerings.
While much progress has been made in health development across the African continent, this progress has not kept up with exponential growth in digital health. This includes harnessing the best of what scalable technology can bring, while also managing the accompanying risks in a connected digital world, including securing health data assets.
*Rachel Clad is a Director, Partnerships and Alliances, BroadReach Group; Ruan Viljoen is the Chief Technology Officer, BroadReach Group.
[To share your insights with us, please write to firstname.lastname@example.org]