Important tips for Healthcare Providers regarding security breaches

Healthcare providers use a variety of systems to collect patient data and to maintain patients’ health records.

The aim of the Protection of Personal Information Act 4 of 2013 (POPI Act) is to provide specific guidelines on how personal information is collected and stored, and on who may have access to it. The Health Professions Council of South Africa (HPCSA) lays the foundation for privacy principles, and it is important to note that POPI compliance extends those principles and is implemented in accordance with the South African medical guidelines. All healthcare professionals have obligations under the POPI Act; this blog deals specifically with security breaches.

What are ‘records’ as per the POPI Act and why are they an asset?

The POPI Act defines a record as any recorded information, which includes data stored on ‘any device’, e.g. mobile devices, laptops, desktop computers, etc. Healthcare providers are responsible for the loss of such data. Privacy entails that a data subject can control the use of and access to their personal information. Personal information can be compromised when data is transferred across a network, or lost through the physical theft of a device on which sensitive information is stored.

The value of personal data has increased significantly in the information age, which means that personal data, and sensitive data in particular, is a commodity that can be bought, sold or traded. The threat of data loss is considered a major global risk within the technology domain, and it raises concerns about the privacy of the data collected through these different systems.

The importance of IT service providers in the Healthcare industry

According to the latest Breach Level Index, the healthcare industry has been a main target for hackers and other intruders. It is therefore essential that IT service providers comply with international standards, South African guidelines and the POPI Act in order to protect the data of their clients and patients against security breaches.

The greatest security risk lies within the healthcare value chain (medical aid schemes, third parties, hospitals, clinics, etc.). It is therefore necessary to determine at what point in the value chain the healthcare provider becomes liable or responsible for a security breach.

Third-party storage should also be taken into consideration, as medical records may have to be retained for up to 21 years (in the case of paediatric patients). Research has shown that the theft or loss of, or illegal access to, patient information is more lucrative for criminals than access to credit card information, and could cause more harm to a healthcare provider than the theft of a data subject’s credit card details.

The POPI Act requires that the healthcare provider take reasonable steps to protect a patient’s records by implementing appropriate organisational and technical measures, and to ensure that IT service providers, all healthcare providers in the value chain and third parties adhere to the provisions of the Act.

SERR Synergy assists businesses in identifying where in the value chain the healthcare provider becomes liable for security breaches. Once the healthcare provider’s position has been established, we assist in drafting agreements between the parties and make recommendations for assigning responsibilities in order to minimise the liability of healthcare professionals.

About the Author: Retha van Zyl completed her BCom Hons (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 and currently holds the title ‘Information Compliance Advisor’. She specialises in POPI and PAIA compliance, which includes compiling and submitting PAIA manuals to the Human Rights Commission. She also compiles the Data and Information Protection Report to identify risks associated with information security and drafts Information Security policies for procedural compliance in each department within an organisation.


