Membership information 0800 225 677
Medicolegal advice 0800 014 780

Statutory requirements

The National Health Act 2003 obliges healthcare providers to create and maintain a medical record for each of their patients. Moreover, it requires them to introduce control measures to restrict access to those records or the records’ storage facility to authorised personnel (see Box 8).

The key to safeguarding your patients’ confidential information is a sensible records management policy incorporating strong security controls. The policy should apply to both computerised and manual records and include measures to protect the physical integrity of the records (see Appendix 3).

For comprehensive guidance on all aspects of records security, the ISO standard ISO/IEC 27002: 2005 – covers everything you need to know (and more) about averting threats to the confidentiality, integrity and availability of your records. It offers a menu of hundreds of suggested controls for a wide range of security issues such as staff responsibilities and training, premises, business continuity, protocols and procedures, email and internet usage policies and remote access. This standard has been approved for use in South Africa as SANS 27002:2008.

ISO/IEC 27002 covers all manner of threats to records, which might be bewildering for a nonexpert in this field. Fortunately, a recently published standard aimed specifically at the health sector and drawing on ISO/IEC 27002 content has come to the rescue. ISO 27799: 2008 – Health Informatics: Information Security Management in Health – contains all the relevant guidance in ISO/IEC 27002 as it relates to the healthcare sector.

Both these standards can be purchased via the South African Bureau of Standards (see Resources section).


Section 17 of the National Health Act makes it an offence, punishable by a fine, imprisonment or both, to access or copy patient information without authorisation. Controls should be put in place to restrict access to records to staff who need to view the records to fulfil their duties. The level of such access should be arranged on a need-to-know basis, if possible. This is easier to organise when the records are held on computer systems, which lend themselves to passwords and degrees of access.

Nevertheless, access controls can still be effectively introduced for paper records by implementing rigid protocols determining who may access the records and for what purpose, and backing them up with robust staff training, explicit confidentiality agreements, and limited access to keys and access codes, etc.


Although most of us think of security in terms of safeguarding against unauthorised access, there is another important aspect – protecting records from physical damage. Paper records in particular can be easily damaged by moisture, water, fire and insects. And – unlike electronic records – it’s not feasible to create up-to-date copies against the chance destruction of the originals. Your paper records are therefore not only vulnerable, but irreplaceable, so it’s a good idea to carry out a risk assessment to identify ways in which you can reasonably safeguard their physical integrity. Some of the factors that should be considered in a risk assessment are outlined in Appendix 3.

Electronic records should be regularly backed up and the back-up disk should be kept at a secure off-site location.