GHIMS vs LHIMS: How is patient data being protected in the process?
The transition from the private, foreign-hosted Lightwave Health Information Management System (LHIMS) to the state-owned Ghana Health Information Management System (GHIMS) is a watershed moment for Ghana’s digital health care.
Driven by serious contractual breaches and concerns over data sovereignty, the move rightly refocuses attention on the crucial question: How does Ghana’s legal framework, specifically the Data Protection Act, 2012 (Act 843), protect sensitive medical records of every Ghanaian citizen?
Securing sovereignty
The Health Minister’s assurance that GHIMS will safeguard national health data is a direct response to the loss of administrative control experienced under LHIMS, whose cloud infrastructure was hosted outside Ghana.
This crisis highlights the vulnerability of outsourcing a nation’s most sensitive data without robust safeguards.
The shift to a state-owned and managed system, which will prevent any single vendor from monopolising the data, is a welcome step, though long overdue, towards ensuring data sovereignty.
Legal mandate
Ghana’s Data Protection Act (DPA) provides a foundation for protecting patient data, which is classified as “special personal data” due to its highly sensitive nature.
The DPA mandates that anyone processing this data must do so lawfully and reasonably, “without infringing the privacy rights” of the patient.
Crucially, the DPA’s Lawfulness of Processing principle generally requires the prior consent of the data subject.
While the law permits processing special data for “medical purposes” (diagnosis, care, research) when a health professional is involved and bound by a duty of confidentiality, this framework places a clear and immediate responsibility on both the former processor (LHIMS) and the new one (GHIMS) to maintain absolute confidentiality and apply stringent data security safeguards.
Human cost
LHIMS’ refusal to hand over administrative access to the nation’s health data is more than a contractual dispute; it is a profound human rights issue.
When hospitals across the country were logged out, the action constituted a direct denial of the patient’s fundamental right to health and, potentially, the right to life.
Patient medical history is the bedrock of safe and effective care.
The instant lack of access to this data, which includes critical information on past surgeries, chronic conditions, and medication regimens built up over years, forces healthcare providers to return to archaic folder systems and, worse, requires patients to attempt to “rebuild” their own medical history.
Mitigating breach risk
A key threat in the transition from LHIMS to GHIMS is the unauthorised retention or use of patient data by the previous vendor, LHIMS.
Patients have a Data Subject Right to request that a data controller destroy or delete personal data when it no longer has the authorisation to retain it.
The use of this historical data by LHIMS for secondary purposes, such as research without consent, would violate the DPA’s Specification of Purpose and Compatibility of Further Processing principles.
LHIMS collected data for patient care management under a contract; at the end of the contract, any further use or retention of the records could be termed an unauthorised infringement.
The Data Protection Commission (DPC) must intervene to enforce the destruction or handover of these records.
Comparing frameworks
Ghana’s Data Protection Act (DPA) shares essential elements with Europe’s General Data Protection Regulation (GDPR), which is the global benchmark for data rights.
Both legal frameworks emphasise explicit consent for processing, especially for sensitive data, and strong data subject rights (access, rectification, and erasure).
However, the LHIMS case clearly demonstrated the risks of external data hosting.
While the GDPR imposes strict rules on Cross-Border Transfers, requiring an ‘adequate level of protection,’ LHIMS’s foreign-hosted infrastructure exposed Ghana’s data to jurisdiction risk.
The DPA is robust in principle, but enforcement and resource allocation to the DPC in Ghana remain a challenge compared to Europe’s highly funded regulatory bodies.
Recommendations
To fully secure patient data under the new GHIMS platform and prevent future lapses, the following actions are critical:
• The Data Protection Commission (DPC) must immediately take strong action against LHIMS to compel the full, verified destruction or secure transfer of all patient data.
• Government must enact a clear policy requiring all critical national health data to be hosted within Ghana’s geographical borders, under state-controlled infrastructure, to ensure true and permanent data sovereignty.
• The Data Protection Commission (DPC) must be provided with adequate financial and human resources to effectively monitor and enforce compliance, conduct mandatory audits of GHIMS, and investigate data breaches promptly.
• Launch a campaign to inform Ghanaians of their Data Subject Rights under the DPA, especially concerning their health records, and the straightforward process for filing complaints with the DPC.
The move to GHIMS is an opportunity to reset the standard for digital health security in Ghana.
We must ensure that the governing law is not just a promise but is robustly enforced to protect the privacy and confidentiality of every Ghanaian patient.
The writer is a health policy consultant.
E-mail: idzirasa@yahoo.com
