Membership information 0800 225 677
Medicolegal advice 0800 014 780

Medicolegal matters in healthcare practice

30 November 2022

Last month Medical Protection celebrated 15 years of its flagship Ethics For All conference in South Africa. During this year’s webinar for healthcare professionals, Dr Blesset Nkambule and Dr Zarina Sonday, Medicolegal Consultants, took delegates through a series of frequently asked questions they come across while assisting Medical Protection members. A replay of the session can be watched in full, however this article will provide high level advice for a selection of the most frequently asked questions.

How long should I store patient records for?

HPCSA has recently updated its Booklet 9 on record keeping. The updated guidance states that patient records should ideally be stored indefinitely. If not possible, records should be kept for a minimum period of six years from the date they become dormant.1

However, practitioners should also be mindful that, for specific patient cohorts, health records may have to be kept for a longer duration. Table 1 below illustrates this succinctly.

 Patient group

 Duration for retention of records

 Minors < 18 years

 Until minor’s 21st birthday

 Mentally incompetent patients2

 Patient’s lifetime

 Occupational illness and accidents

 Up to 20 years after treatment of disease or trauma3


The provision on balancing the cost of storage, with duration, has also been removed in the new version. It would therefore no longer be possible to use cost as a justification for not storing records.

Healthcare practitioners must also remain aware of legislative provisions related to patient records and ensure that they keep abreast with changes that may affect retention times.


Do I have to keep paper copies if I scan them electronically first?

The short answer is ‘no’. Once you have a representable electronic copy that is complete, accessible, accurate as well as contemporaneous – then that should suffice.

Healthcare practitioners should ensure that, when converting to electronic records, nothing is being omitted in respect of reports or results.

You should also aim to be consistent in your record keeping format to avoid duplication. If you have decided to keep electronic records, where possible all records should be electronic. This also ensures continuity of care which is important for good patient outcomes. Hybrid record-keeping is therefore discouraged.


How should I store my digital records? Can I store patient records on Google Drive or Dropbox? How secure should it be?

There have been considerable digital advances in all aspects of medicine. Record keeping is no exception, with numerous platforms now available. The most important consideration for healthcare professionals is to ensure that, whatever platform is used, there is stringent information governance so that they do not fall foul of their ethical duty of confidentiality and legal obligations under the Protection of Personal Information (POPI) Act.

Healthcare practitioners are advised to limit access as reasonably as possible. Think about who has access to confidential patient information. Also think about what security measures are in place to safeguard patient data such as passwords and data encryption before you decide to store patient data on particular platform.


My car was stolen and contained my patient files. What do I do now?

Another interesting question that comes up is on what to do in the event of patient data breaches and the law is clear on this. According to the POPI Act you have a duty to secure the integrity and confidentiality of personal information in your possession or under your control. In the event of a data breach – intended or unintended – a practitioner is required to firstly inform the affected patients that there has been a data breach as well as inform the inform regulator of this data breach.

Can I send photos of patient records or clinical photos to colleagues via WhatsApp if we are in the same clinical team treating the patient?

This question relates to professional interactions on social media platforms. Collaboration between colleagues is encouraged especially if it is in the patient’s best interests. As always, healthcare practitioners should be cautious and ensure that there is proper information governance when engaging on digital platforms. WhatsApp is one of several platforms with end-to-end encryption, and so does offer protection in that regard. However, the onus remains on the healthcare practitioner to ensure patient records are being shared appropriately and safely. Also be mindful that the WhatsApp conversation will likely make up part of the clinical records.

Ensure that the members of that group share your ethical values and are aware of their POPI Act obligations. It is vital to always get consent from the patient to process their personal patient data on such a platform. Always attempt to protect the patient’s identity to the best of your ability when using messaging platforms. This can include by anonymizing the patient as far as possible by covering eyes, tattoos and other distinguishing features, as well as redacting identifying information such as patient names, file numbers and identification numbers.


A mental health patient wants access to their records, but I think that would cause them harm; do I have to hand them over?

The Promotion of Access to Information Act 2000 gives everyone the right to access records.

The only grounds for refusal of disclosure to the relevant person is if it might cause serious harm to their mental, physical or wellbeing. However, these grounds are not absolute.

Records may be disclosed in this instance provided that you have taken reasonable steps to mitigate for the perceived harm. Therefore, in the above scenario the healthcare provider may facilitate the release of records by firstly ensuring that there is adequate counselling prior to and during the disclosure of records for the affected patient. This is to ensure that the disclosure of records limits, alleviate or avoids such harm.4

It is important to note that in terms of access to records every situation is unique and can be a difficult ethical dilemma. Practitioners can contact their indemnifier to seek assistance. The MPS team of legal and medical experts can deliberate on the matter and assist the practitioner in making an informed decision on how to proceed.


I have received a letter from a lawyer requesting my records. What now?

This question relates to our obligations as healthcare providers in as far as the Promotion of Access to Information Act and the POPI Act.

When a healthcare practitioner is requested by a third party – including a lawyer – to release patient records, they must ensure that the requisite consent from the patient is in place. If in doubt, as part of best practice, make contact with the patient and confirm that they did indeed give consent for you to release their records, including the extent of content to be release to the third party.


Is it essential to provide written notes or is a report sufficient when I receive requests for records?

First you need to ascertain the purpose for which the records are being sought.

In some instances, it would be sufficient to provide a factual report, such as if a patient wants to seek a second opinion or be referred to a different geographical location. In other instances, you may have to provide copies of the actual heath record – such as when there is an investigation into a claim for medical negligence, inquest, insurance claim disputes or as part of HPCSA proceedings to name a few.


I received a letter from the HPCSA enclosing a patient’s complaint. What now?

Practitioners are advised not to ignore such correspondence from the HPCSA as the regulator may make a determination without your input, which may adversely affect your ability to practice. Pay special attention to due dates for letters of explanations and respond timeously. You should be mindful that any explanations provided to the regulator may become discoverable in the event of any further legal action. Given the potential seriousness, it is advised that you get legal assistance in drafting your explanation letter. MPS can assist members in this regard to protect your position and reputation.


Am I obligated to appear in court if I get a subpoena?

The short answer is yes. You may be held in contempt of court and may be arrested and or face a fine. We would caution that you must engage with attorneys or your indemnifier to seek advice in such instances.

You could be exempt if an attorney engages with the prosecutor on your behalf explaining reasons why you cannot or are unable to attend. In those instances, a factual report may suffice.

It is not usual practice for practitioners to be requested to appear in court. But this brings us back to the basics – the importance of good record-keeping – because you never know when you may be called to court to clarify your record of events. A record that is representative and adequately ‘paints the picture’ of all the events that transpired may negate the need for you to appear in court.


Can I terminate a practitioner/patient relationship? And how?

Yes, you can. It is a relationship after all.

However, the important thing here is for the patient not to be abandoned.

Firstly, outline for yourself the reasons for termination of the doctor-patient relationship.

Then, if conducive, have a conversation with the patient, outlining why you feel you can no longer be their practitioner – maybe there has been a breakdown of trust, perhaps you are scaling down your practice – and outline what options are available to them. Be open and honest. Once they have decided, you can provide a report either directly to the new practitioner or to the patient to take along with them.


I want to conduct telehealth consultations for patients overseas. Is this permitted by the HPCSA?

Telehealth and all its ethical intricacies are provided for in Booklet 10 of the HPCSA.

In it the regulator provides that practitioners should be appropriately registered in the jurisdiction of the patient in order to conduct telehealth consultations.

This would mean that you would need to have appropriate registration in that country.

Practitioners are encouraged to contact the relevant authorities in that patient’s country to make the necessary arrangements. Finally, you need to ensure you have appropriate indemnity arrangements in place, so contacting your indemnifier is a must.


Recent changes on keeping of patient records

A consistent theme across all medicolegal matters is that practitioners should stay up to date on any changes to relevant legislation or regulation as it pertains to their practice. As we’ve mentioned, a recent example is HPCSA’s updated guidelines on the keeping of patient records (Booklet 9). Changes around retention of records have been summarised here, but updated guidance can be found in full online.

If healthcare practitioners are in doubt, either about the new guidance or about any of the medicolegal matters covered in this article, they should contact their indemnifier for advice.

The full session from Medical Protection's 15th Ethics For All conference can be viewed online.

1HPCSA Booklet 9 Keeping of Patient Records September 2022.
2HPCSA Booklet 4 Seeking patients’ informed consent: the ethical considerations 2016. sec 8.3.
3Occupational Health and Safety Act no. 85 of 1993.
4Promotion of Access to Information Act No. 2, 2000 sec 61 (30) (a).