Digitising health records: 12 companies submit bids to install system – Dr Anthony

– says 4 to be shortlisted soon

As the Health Ministry forges ahead with the implementation of electronic health records in Guyana, Dr Frank Anthony on Sunday stated that 12 companies have bid to install the new system.
He made this revelation during an event to observe Commonwealth Pharmacy Week at the Pegasus Hotel on Sunday while adding that of the 12 companies, only four of them will be shortlisted.
While he did not divulge any other information about the companies, Guyana Times understands that once the final four are selected, there will be a rigorous process in selecting one that will install the system.
He nevertheless, stated that the Health Ministry is currently finalising the necessary measures and systems needed for the implementation of the new electronic health record system.
However, he referenced the Data Confidentiality Bill which is one of several pieces of legislation that the Health Ministry is currently working on creating and implementing to enhance healthcare delivery across the country.
He highlighted that while the Ministry is currently moving towards digitalising patients’ health records, the risk of leaking or stealing confidential information is high and as such, the Bill was developed to hold persons who steal data accountable.
The Data Protection Bill intends to protect the privacy of individuals and regulate the collection, keeping, processing, use, and dissemination of personal data.
“As we move to electronic systems, if people steal people’s confidential information, then there are some very severe penalties in that law. For individuals, it starts at $20 million and for a corporate entity, it stands at $100 million. We need to start treating peoples’ data appropriately and put the necessary protection to ensure that their confidentiality is not breached.”
The electronic health records system, upon which the data protection legislation lays the foundation, aims to assign each patient a unique identifier so that their records can be easily accessed within healthcare facilities across the country.
Earlier this year, Cybersecurity Director at the National Data Management Authority (NDMA), Muriana McPherson, sounded a call for organisations to put systems in place to ensure that personal data is protected including regular training for employees.
She explained that data protection is important to both reduce risk and enable a proactive response to associated threats. This, she added, is especially crucial given the current age of targeted cyber-attacks aimed at stealing personally identifiable information including financial and health data. On this note, the Cybersecurity Director offered some steps that organisations and individuals can implement to protect personal data.
These include: managing data access by establishing and enforcing policies surrounding levels of access granted to data users, with regular oversight; promptly applying vendor-released patches and software updates to systems given that attackers commonly take advantage of unpatched computer systems and software to gain access to personal data among others.
In August 2023, Guyana passed its first Data Protection Act to regulate the handling of personal data to protect the privacy of individuals concerning their data.
The Cybersecurity Director implored organisations to get familiarised with the Data Protection Act of 2023.
She also asked that they keep an inventory of the type of personal data they use, know where it resides, and how it is accessed and managed. Then, McPherson added, organisations should apply appropriate protection mechanisms to safeguard personal data and maintain privacy.
The Data Protection Bill was created to regulate the collection, keeping, processing, use, and dissemination of personal data. It sets a statutory framework, moving away from the current construct of the country’s legislation, which does not safeguard against rights to data protection.
Personal data has been defined as any information relating to an identified or identifiable person, about private and public life as well as professional activities.
The Bill prescribes that a body be established and recognised as the Data Protection Office, which shall be responsible for the administration and implementation of the Act. The new law also contains sanctions for data protection breaches. A person who fails to comply with the enforcement notice, an information notice, or a special information notice commits to an office and can be fined $1 million or imprisoned for three months.
Any person who intentionally obstructs the execution of a warrant, fails to provide the Police with required assistance, or makes false statements under certain subsections can be fined $1 million- or six months imprisonment.
There are penalties for data controllers, which are persons who determine the manner and purpose of which personal data is processed. It is a criminal offence for such officers to operate without being registered or without nominating a representative, carrying a fine of $10 million- or two months imprisonment.