POPIA for Healthcare Practices: What Doctors, Dentists, and Practice Managers Need to Know About Patient Information
South Africa's Protection of Personal Information Act (POPIA) applies to every organisation that processes personal information — and for healthcare practices, the obligations run deeper than most. Patient records contain health data, which POPIA classifies as special personal information, attracting stricter protections. Whether you run a solo GP practice, a multi-chair dental surgery, or a specialist clinic, understanding how POPIA frames your data responsibilities is an important part of running a compliant practice.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
Why Healthcare Practices Face Heightened POPIA Obligations
POPIA draws a clear distinction between ordinary personal information (names, contact details, ID numbers) and special personal information — a category that explicitly includes health or medical information. Under POPIA section 26, the processing of special personal information is generally prohibited unless a specific authorisation applies. Section 27 sets out those authorisations; for healthcare providers, the most relevant is that processing is permitted where it is necessary for the proper treatment or care of the data subject, or where it is carried out by a responsible party subject to an obligation of confidentiality recognised in law or by the rules of a professional body.
This means patient health records are not simply sensitive — they are legally restricted data that require a deliberate, documented justification before they are touched.
---
The Eight Conditions: A Framework for Every Practice
POPIA section 8 establishes eight conditions for lawful processing that apply to all personal information, including health records. In plain terms, your practice should be able to confirm that each of the following statements is true:
- Accountability — Your practice has a designated Information Officer registered with the Information Regulator.
- Processing limitation — You collect only the information you actually need for patient care.
- Purpose specification (s13) — You have defined, specific purposes for which you collect patient data (diagnosis, treatment, billing, referrals) and patients are aware of those purposes.
- Further processing limitation (s15) — Any secondary use of patient information (for example, sharing records with a specialist) is compatible with the original purpose of collection.
- Information quality — Records are accurate, complete, and kept up to date.
- Openness (s18) — Patients are informed, at the time their information is collected, of who you are, why you are collecting their data, whether they are required to provide it, and their rights.
- Security safeguards (s19) — You have taken reasonable technical and organisational measures to protect patient information from loss, damage, or unauthorised access.
- Data subject participation (s23, s24) — Patients have the right to access their own records and to request corrections.
---
Collecting Patient Information: Tell Patients What You Are Doing
When a new patient registers at your practice, POPIA section 18 requires that they be notified of key details before or at the time their information is collected. This includes:
- The name and contact details of your practice as the responsible party
- The purpose for which the information is collected
- Whether supply of the information is voluntary or mandatory
- The consequences of not providing it
- Any third parties to whom the information may be disclosed (medical aids, referring specialists, laboratories)
- Their right to access and correct their information
A well-drafted patient registration form, combined with a short privacy notice, is a practical way to meet this requirement.
---
Keeping and Disposing of Records: Retention Rules
POPIA section 14 addresses how long you may keep personal information. The general principle is that records should not be kept longer than necessary for the purpose for which they were collected. Healthcare practices also operate under separate statutory retention obligations — for example, the National Health Act and the Health Professions Council of South Africa (HPCSA) have their own guidance on minimum retention periods for patient records. Where those obligations require longer retention, POPIA's section 14 accommodates that. Where no other obligation applies, patient information should be securely destroyed or de-identified once the purpose for holding it has been fulfilled.
For up-to-date guidance on minimum record retention periods, refer directly to the HPCSA and the Department of Health.
---
Security Safeguards: Protecting the Records You Hold
POPIA section 19 requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised access, or unlawful processing of personal information. For a healthcare practice, this translates into practical steps:
- Physical security: Consultation rooms, filing cabinets, and server rooms should be access-controlled.
- Digital security: Practice management software should require strong passwords; access should be role-based so that reception staff cannot view clinical notes without clinical need.
- Staff training: Everyone who handles patient records — clinical and administrative — should understand their obligations.
- Third-party operators: If you use a cloud-based practice management system, billing bureau, or transcription service, POPIA requires that you have a written agreement with those operators governing how they handle patient data on your behalf.
---
Breach Notification: What to Do If Something Goes Wrong
If patient information is compromised — a laptop is stolen, a folder of records is lost, an email is sent to the wrong recipient — POPIA section 22 requires that you notify both the Information Regulator and the affected patients as soon as reasonably possible. The Information Regulator has published guidance on breach notification procedures on its website at inforegulator.org.za.
Delaying notification in the hope that the incident will go unnoticed is not an approach POPIA supports. Build an incident response procedure into your practice now, before you need it.
---
Sharing Patient Information: Referrals, Medical Aids, and Third Parties
Sharing patient information for the purpose of providing care — a referral letter to a specialist, a pathology request, a claim to a medical aid — is generally compatible with the original purpose of collection under POPIA section 15. However, sharing information for purposes unrelated to care (marketing, research, sale of data) requires separate justification and, in most cases, explicit patient consent.
If your practice is considering any data transfer outside South Africa — for example, using a clinical software system hosted on overseas servers — POPIA section 72 governs cross-border transfers. The recipient country's laws, or a binding agreement, must provide comparable protection to POPIA.
---
Your Information Officer
Every practice that processes personal information must appoint an Information Officer. For most small practices, that is the owner or principal practitioner. POPIA section 55 sets out the duties of the Information Officer, which include encouraging POPIA compliance, dealing with requests from data subjects, and working with the Information Regulator. You are required to register your Information Officer with the Information Regulator — registration can be done through the Regulator's portal at inforegulator.org.za.
---
A Practical Starting Point for Your Practice
If your practice has not yet worked through its POPIA obligations, a reasonable starting point includes:
- Register your Information Officer with the Information Regulator.
- Map what patient information you collect, where you store it, how long you keep it, and who you share it with.
- Review your patient registration forms and privacy notices against the section 18 notification requirements.
- Assess your security measures — physical, digital, and contractual — against the section 19 standard.
- Draft or update your breach notification procedure.
This is not an exhaustive list, and every practice's circumstances differ.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including your obligations under the National Health Act, HPCSA rules, or any other applicable legislation — consult a qualified attorney.