POPIA & Compliance

POPIA compliance for medical practices: the complete guide

By David Howe · Founder, GreenNotes Medical · Reviewed by Simone Howe
Updated 10 June 2026 · 11 min read
This guide is general information, not legal advice. POPIA obligations depend on your specific practice. For a compliance assessment, consult an attorney or your professional body.

POPIA, the Protection of Personal Information Act, sets the rules for how every South African medical practice must handle patient information: collect it for a clear purpose, keep it secure, and respect the rights patients have over their own data. Patient health information counts as “special personal information” under the Act, so clinicians are held to a higher standard than most businesses. This guide covers what that means for your practice and how to get compliant.

What is POPIA, and does it apply to my practice?

POPIA (the Protection of Personal Information Act 4 of 2013) is South Africa’s data protection law. Its main provisions took effect on 1 July 2020 with a one-year grace period, so the Information Regulator has been able to enforce the Act since 1 July 2021. It applies to any “responsible party” that processes personal information, and a practice that records patient names, ID numbers, contact details, clinical notes, diagnoses or billing information is squarely within scope.

Three terms from the Act are worth knowing:

  • Data subject: the person the information is about, in this case your patient.
  • Responsible party: whoever decides why and how the information is processed. That is your practice.
  • Operator: a third party that processes data on your behalf, such as your EMR provider or billing bureau.

Why patient data is “special personal information”

POPIA treats certain categories of information differently: health, sex life, biometric data, religious beliefs, race and a few others. Processing this special personal information is prohibited by default, with narrow exceptions. The exception that matters most to clinicians sits in section 32. Registered medical professionals and healthcare institutions may process health information where it is necessary for the proper treatment and care of the patient, or for the administration of the practice, provided they are bound by an obligation of confidentiality.

So you can keep clinical records, treat your patients and run your billing without asking for special permission each time. What you carry in return is a heightened duty to keep that information confidential and secure.

The eight conditions for lawful processing

POPIA is built around eight conditions. Every practice should be able to demonstrate each one:

  1. Accountability: the practice is responsible for compliance, not its software vendors.
  2. Processing limitation: collect only what you need, lawfully and with a justified basis.
  3. Purpose specification: collect for a specific, defined purpose such as clinical care or billing.
  4. Further processing limitation: don’t reuse the data for unrelated purposes.
  5. Information quality: keep records accurate and up to date.
  6. Openness: be transparent with patients and maintain a PAIA manual.
  7. Security safeguards: protect data with appropriate technical and organisational measures.
  8. Data subject participation: let patients access and correct their information.

What POPIA requires from a medical practice

Translated into day-to-day obligations, a compliant practice should:

  • Register an Information Officer with the Information Regulator. By default this is the head of the practice, and registration must happen before they take up the role.
  • Publish a PAIA manual and a privacy notice explaining how patient data is handled.
  • Process patient data only for clear clinical, administrative or billing purposes.
  • Secure data with appropriate safeguards: encryption, access control, authentication and audit logging. Section 19 also expects you to identify the risks to the data, check that the safeguards are actually in place, and keep them current as the risks change.
  • Put a written agreement in place with every operator (software vendors, billing bureaus) requiring them to protect the data and, as section 21 requires, to notify you immediately if they have reasonable grounds to believe it has been accessed or acquired by an unauthorised person.
  • Have a process to notify the Regulator and affected patients if data is breached.
  • Honour patient requests to access and correct their information. Requests to delete clinical records are more limited, because HPCSA retention rules usually require you to keep them.
  • Keep records only as long as necessary, in line with HPCSA retention guidance.

How long must you keep patient records?

POPIA’s retention principle is simple: don’t keep personal information for longer than you need it, unless another law or professional rule requires you to. For clinical records that rule comes from the HPCSA’s guidelines, which say records should be kept for at least six years from the date they become dormant. Several categories must be kept longer. Records of minors are kept until the patient turns 21. Records of patients who are mentally incompetent are kept for the patient’s lifetime. Records of occupational injuries and diseases are kept for 20 years after treatment ended, in line with the Occupational Health and Safety Act. Check the current HPCSA guidance for your discipline before destroying anything, and make sure the destruction itself is done securely and recorded.

What to do if patient data is breached

Section 22 is direct on this point. If you have reasonable grounds to believe patient information has been accessed or acquired by an unauthorised person, you must notify the Information Regulator and the affected patients as soon as reasonably possible after discovering the compromise. The notification must be in writing and give patients enough detail to protect themselves: what happened and its likely consequences, what you have done about it, what the patient should do, and, if known, who the unauthorised person was. Preserve the relevant access logs before you start remediating; they are your evidence of what was accessed and by whom. An incident plan prepared in advance, together with software that logs every access, makes the difference between a controlled response and a scramble.

POPIA vs HIPAA vs GDPR: how they compare

If you’ve read international guidance, here’s how POPIA lines up against the better-known American and European regimes:

              | POPIA (South Africa)             | HIPAA (United States)                                     | GDPR (European Union)
  In force    | 2020 (enforced from 2021)        | 1996 (Privacy Rule 2003)                                  | 2018
  Scope       | All personal information         | Protected health information                              | All personal data
  Health data | Special personal information     | Core scope (PHI)                                          | Special category data
  Regulator   | Information Regulator            | HHS Office for Civil Rights                               | National data authorities
  Max penalty | R10m or 10 years’ imprisonment   | About $2m per violation category, per year (adjusted annually) | €20m or 4% of global turnover

How to choose a POPIA-compliant EMR or AI scribe

Most of your POPIA obligations are met or broken by the software you use to hold patient data. When evaluating an EMR, AI scribe or billing tool, look for:

  • Encryption of data in transit (TLS) and at rest (AES-256 is the usual choice for stored data and backups). Ask where the encryption keys are held and who can use them; encryption the vendor can silently undo on your behalf protects you from a lost disk, not from a compromised vendor account.
  • South African data hosting, or documented safeguards for any cross-border transfer.
  • Access control and multi-factor authentication, with an individual account for every user. Shared logins defeat the next point: an audit log can only prove who accessed what if each action is tied to one person.
  • Audit logging of every read and write, retained for a defined period and protected from alteration by the users it records, so you can prove who accessed what.
  • A signed operator agreement committing the vendor to POPIA-grade security.
  • A clear, published approach to data handling, ideally with a PAIA manual and AI terms of use.

GreenNotes was built for exactly this. It encrypts data with AES-256, hosts in Google Cloud’s South Africa region, supports biometric login and full audit logging, and publishes both a PAIA manual and AI Terms of Use. You can read our full privacy policy for the details.

POPIA compliance checklist

Use this as a quick self-audit for your practice:

  • ☐ Information Officer registered with the Information Regulator
  • ☐ PAIA manual and privacy notice published
  • ☐ Patient data collected for clear, stated purposes only
  • ☐ Records encrypted, access-controlled and audit-logged
  • ☐ Written operator agreements with every software vendor and billing bureau
  • ☐ A breach-notification plan in place
  • ☐ A process for patient access and correction requests
  • ☐ A retention schedule aligned to HPCSA rules

Getting POPIA right protects your patients, your practice and your professional standing. Good software carries much of the security-safeguards load, so pick tools that were built with the Act in mind; but accountability stays with the practice, and the organisational items on the checklist (registration, operator agreements, the breach plan, the retention schedule) remain yours to do.


Frequently asked questions

  • Do I need patient consent to process their health information? Not always. Health information is “special personal information” and processing it is prohibited by default, but section 32 of POPIA allows registered medical professionals and healthcare institutions to process patient health data where it is necessary for the proper treatment and care of the patient, or for the administration of the practice, provided they are bound by a duty of confidentiality. Consent is one lawful basis among several; treating a patient, meeting a legal obligation or protecting a legitimate interest can also justify processing. You should still be transparent with patients about how their data is used.


David Howe

Founder, GreenNotes Medical

GreenNotes Medical builds AI-powered clinical tools for South African clinicians: AI scribe, auto-generated letters, intake, consent and practice management, all POPIA compliant. This guide was reviewed by Simone Howe, Co-Founder & Clinical Advisor.