Updated 22 January 2021
PATIENT PRIVACY NOTICE
The Vula Platform, an Application (“App”) and website, established by Mafami (Pty) Ltd trading as Vula Mobile (“Vula Mobile”) is used by a Doctor or other Healthcare Worker (“Health Practitioner”) to transfer patient information and details of the patient’s condition (the “Information”) to a medical specialist selected by the Health Practitioner because of his/her expertise (“the Specialist”).
The Vula Platform is a tool which allows the Health Practitioner to share patient Information with medical and surgical Specialists in order to obtain expert advice and expedite referrals. To provide this service, the Information of the patient needs to be entered into the Vula Platform by the Health Practitioner (or approved administrative associate), on a case by case basis, and shared with the selected Specialist(s).
Reference in this policy to “Vula”, “we”, “us”, “our” or any similar term may be construed as reference to Vula Mobile.
The end users (“Data Subjects”) as defined in the Protection of Personal Information Act No. 4 of 2013 (“POPIA”) of the Vula Mobile App or Dashboard are typically Health Practitioners, Specialists, or people employed in an administrative role and acting on behalf of a healthcare establishment, department of health or a private healthcare practice providing a Healthcare Service.
We act as a Responsible Party and Process, as the term is defined in POPIA, Personal Information and Special Personal Information on behalf of our Data Subjects, and in accordance with an agreement with the aforementioned individuals, to provide Vula’s services. This Patient Privacy Notice pertains to our role as a Responsible Party who collects, processes, stores and shares patient Personal Information and Special Personal Information.
This Patient Privacy Notice provides information on:
- Expectations of the Health Practitioner
- Patient Information Collected
- Processing of Patient Information
- Sharing of Information
- Patient Privacy and Confidentiality
- Information Security
- Transborder Flow of Information
- Retention of Patient Information
- Electronic Communications
- Data Breaches
- Revisions to this Notice
- Privacy Queries
- Information Officer
EXPECTATIONS OF THE HEALTH PRACTITIONER
Vula expects and presumes that, in accordance with the applicable laws regulating the healthcare profession, the Health Practitioners and administrative staff concerned –
- have obtained consent to treat the patient, and further process the patient’s Personal Information and Special Personal Information, as defined in POPIA, to third parties, such as Vula;
- the Health Practitioner is allowed to collect the patient’s Information in accordance with the laws governing health care services, and will not collect any information that he/she is not empowered to collect.
Compliance with privacy law is primarily the Health Practitioner’s responsibility, as the Responsible Party who initially collected a patient’s Personal Information and Special Personal Information. Health Practitioners are obliged to take steps to ensure that their patients are aware of how and why any of their Information will be collected and processed and, where required, shared with Third Parties in performance of a contract.
Health Practitioners can either explain to their patients how the Vula service works and what Information will be collected and processed, or show this notice to patients, or both. Should a patient be under the age of 18, the Health Practitioner should, in the same way, advise the parent or guardian in whose care the minor is of how the patient’s Information will be collected and processed.
If a Health Practitioner is unable to explain this to a patient because the patient is, for example, unconscious, mentally incapacitated, or an unaccompanied minor, then the Health Practitioner must explain and obtain consent from the patient’s guardian or a guardian appointed by the State when it is possible to do so.
It is not mandatory for the patient to supply the Information requested by the Health Practitioner in order to enter it into the Vula Platform. However, if the patient does not supply this information, the Health Practitioner cannot use the Vula Platform to obtain further assistance from, or refer a patient to a Specialist.
Vula processes Personal Information and Special Personal Information of patients for healthcare purposes and, from time to time, this may include Special Personal Information relating to children under the age of 18 years old. Health Practitioners warrant and undertake that they have obtained the necessary consent for the processing of special information from the parent or guardian where the patient is under the age of 18 years, and indemnify Vula to the fullest extent permitted by law in this regard. Vula reserves the right to request, at any time, that a Health Practitioner furnish us with evidence of such consent having been obtained from a parent or guardian.
If it is not reasonably practicable for the Health Practitioner to explain this to a parent or guardian due to the minor being unaccompanied and parent or guardian unreachable, then the Health Practitioner must receive consent from the guardian appointed to care for the child by the State.
PATIENT INFORMATION COLLECTED
Patient Information collected by [the health practitioner or Vula] will be restricted to the following:
- Name and Surname
- Contact Information (phone number and/or email address)
- Physical Address (if applicable)
- Age or Date of Birth
- Weight and/or height (if applicable)
- ID Number or Hospital/Practice Folder Number (unique identifier to the patient)
- Medical Aid Number (if applicable)
- Basic Health Information
- Medical History
- Comorbidities, existing conditions and current treatments
- Family History or relative specific related information
- Information related to the patient’s current medical condition including assessment, diagnosis and treatment
- Images including photographs of physical ailment, x-rays, diagnostic reports or results, or other where required
- Admission forms that may include a patient’s (or guardian’s) signature
- Chat correspondence related to the patient during the referral process
The patient Information collected by the Health Practitioner is transferred securely within the Vula Platform to a Specialist to obtain advice which may lead to a more accurate diagnosis or treatment. It may also lead to the Specialist recommending a follow-up appointment with him/herself or another Health Practitioner. The Information may potentially be transferred to multiple Specialists using the Vula Platform in order to further advise, treat or follow up with patients.
PROCESSING OF PATIENT INFORMATION
POPIA sets out eight conditions for the lawful Processing, as defined in POPIA, of Personal Information (“the Eight Conditions”). Vula is committed to complying with the Eight Conditions and presumes that the Health Practitioners and Specialists also comply with the Eight Conditions of processing, as failure to comply with the Eight Conditions may result in substantial fines and penalties for Vula. The Eight Conditions of processing include:
- Condition 1 – Accountability
- Condition 2 – Processing Limitation
- Condition 3 – Purpose Specification
- Condition 4 – Further Processing Limitation
- Condition 5 – Information Quality
- Condition 6 – Openness
- Condition 7 – Data Security
- Condition 8 – Data Subject Participation
The patient Personal Information and Special Personal Information that Vula collects, and the ways in which Vula processes it, are necessary for us to provide and improve the services available to Health Practitioners and their patients through the use of the Vula Platform, and to comply with our regulatory and compliance obligations.
All Health Practitioners and Specialists listed in the Vula Platform have been verified in their respective medical field by the Vula Support Team and thus approved to use the Platform. The patient Personal Information and Special Personal Information collected by the Vula Platform is only available to the approved Health Practitioner(s) and Specialist(s) on their mobile devices (the Vula Mobile App) or via a secure web portal (the Vula Dashboard).
The Health Practitioner will be responsible for providing the patient with his/her Personal Information or Special Personal Information should a request be made in accordance with local privacy laws. Health Practitioners can download reports of their patients and referrals from the Vula Dashboard at any time.
SHARING OF INFORMATION
Should Vula share any Information with a Third Party outside the scope of obtaining advice from, or referring a patient to a Specialist or Health Practitioner, they undertake to do so only on the following conditions:
- Any information that can identify a person will be removed to protect the person’s privacy. This includes the name, surname, identity number, and facial images.
- Any information that can be used to communicate with a person will be removed to prevent unauthorised communications being sent. This includes phone numbers and email addresses.
- The information shared will only be used for research purposes.
Where necessary to protect our legal rights and interest, or the interests of others, we may also use patient Information in relation to legal claims, compliance, audit, risk management and regulatory functions.
We may, from time to time, share Information contained in reports with the Departments of Health for research purposes. However, we will only share Personal Information in these reports insofar as it is necessary for the governmental institution to fulfil its functions in advancing public health or other public interests.
We may disclose Personal Information to our third parties, as defined in POPIA, for legitimate business purposes, in accordance with applicable law and subject to applicable professional and regulatory requirements regarding confidentiality. In addition, we may disclose Personal Information in order to provide support services to our data subjects. We may also share patient information with:
- any person that works for us and is in the employ of Vula, either as a permanent employee, consultant or contractor;
- companies and organisations that provide services to us, including in relation to technical infrastructure, and web and app development and support;
- our professional advisers, consultants and other similar services;
- legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
- any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights;
- any relevant party for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including, but not limited to, safeguarding against and the prevention of threats to public security.
We will otherwise treat all patient Information as private and confidential and will not share it with other parties except:
- where permission has been given;
- where we believe it is reasonably necessary to comply with any law, regulation, legal process or governmental request, to enforce our Terms and Conditions of use or other agreements, or to protect the rights, property, or safety of us, our customers or others;
- where we may transfer rights and obligations pursuant to an agreement with the Health Practitioner, Specialist or Patient.
PATIENT PRIVACY AND CONFIDENTIALITY
At Vula, we value each patient’s privacy and strive to ensure patient confidentiality is maintained at all times. Vula will only collect, process, store and share patient Personal Information and Special Personal Information in accordance with this Patient Privacy Notice, in accordance with the agreement with a Health Practitioner and Specialist, in accordance with the applicable legislation and the Terms and Conditions of use of the Vula Platform they agreed to when registering to use our products and services.
INFORMATION SECURITY
Vula places great importance on ensuring the security of all patient Information and is obliged to prevent the loss of, damage to, or unauthorised destruction of Personal Information and Special Personal Information as well as the unlawful access to or processing of this information. The patient Information collected is securely stored within the Vula Platform using regularly reviewed, up to date, and appropriate and reasonable technical and organisational measures as required by applicable law to protect the Information from loss, misuse, unauthorised access, unauthorised disclosure, alteration or destruction.
The Vula Platform, including both the Mobile App and the Dashboard, is developed using secure technologies with Security by Design and Privacy by Default principles at the forefront of its architecture, and can only be accessed using strong access control protocols, and only by Vula approved and validated end users.
The Vula Platform is a cloud based solution hosted by Heroku (a Salesforce Company) in a HIPAA certified Amazon Web Services (AWS) Data Centre in Europe. All patient Information collected, processed and stored is, thus, done so in this location. The AWS Data Centre is ISO 27001 certified which provides assurance with regards to the physical, logical and environmental security of the hosted solution and the patient Information therein, as well as the business continuity and availability of the services we offer.
Vula, in collaboration with the AWS Data Centre, has further taken reasonable measures to:
- identify all reasonably foreseeable internal and external risks to Personal Information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
TRANSBORDER FLOW OF INFORMATION
As indicated in the Information Security section above, the patient Personal Information and Special Personal Information we collect may be transferred to an area outside your local country of operation in order for the Healthcare Practitioner to utilise the Vula Platform and its services.
Personal Information may be transferred to a third party outside of the Republic of South Africa provided that the third party is subject to a law, binding corporate rules or a binding agreement that seeks to protect the Personal Information in line with this Privacy Notice and the transfer is necessary in order to provide the services that are required by you.
You may withdraw your consent to us processing your Personal Information across borders; however, this may mean that the Healthcare Practitioner will no longer be able to utilise this service for you.
RETENTION OF PATIENT INFORMATION
Vula will retain patient Information for at least the minimum length of time required by Health Care Laws stipulating the retention periods for medical records.
ELECTRONIC COMMUNICATIONS
At times, and on a case by case basis, Vula may send patients additional information regarding their scheduled or follow-up appointments with a Specialist or other Health Practitioner, or with regards to the treatment and management of their medical condition. This will be done in the form of electronic communication including, but not limited to, SMSs and emails. The patient consents to receiving all communications electronically and is responsible for providing the Health Practitioner with valid and accessible contact information to which any communications may be sent. Any communications sent to the contact information provided by the patient will be deemed to have been received by him/her.
DATA BREACHES
In the event of any privacy or security breaches of the Vula Platform, or at our Third Party Hosted Data Centre, that are likely to result in any risk to a patient’s Personal Information and/or Special Personal Information, or to the patient’s rights and freedoms, we will notify Health Practitioners, Specialists, and the relevant Regulatory Authority as soon as we become aware of such.
End users of the Vula Platform have also been advised to notify Vula immediately where they have reasonable grounds to believe that their accounts or patient data have been accessed or acquired by any unauthorised person.
REVISIONS TO THIS NOTICE
We may amend this Patient Privacy Notice from time to time. Health Practitioners and Specialists should check the Vula Platform regularly to see when this Patient Privacy Notice was last updated and to review the updated notice.
PRIVACY QUERIES
Should you have any query in relation to this Patient Privacy Notice or how we handle your patient Personal Information or Special Personal Information, please contact us by sending an email to email@example.com
INFORMATION OFFICER
Vula’s current Information Officer is:
Name: Kim-Lisa Gad
Department: Legal and Compliance
Telephone Number: 082 974 3860
Email Address: firstname.lastname@example.org