The Information Regulator published the Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026. 

The Regulations apply to the processing of health information by responsible parties and operators such as Insurance Companies, Medical Schemes, Employers and Institutions working for employers, administrative bodies or pension funds. 

The Regulations focus on appropriate safeguards when processing health information. Responsible parties must take reasonable technical and organisational measures, in accordance with section 19(1) of the Act, to prevent the loss of, damage to or unauthorised destruction of health information, and unlawful access to or processing of health information.

The Regulations specify that appropriate measures must address: (1) the security and confidentiality of records, including the risks associated with physical or electronic health records; and (2) the proper disposal of health records to prevent any reasonably anticipated unauthorised use or disclosure of the health information or unauthorised access to the health information following its disposal.

Importantly, the transfer of health information outside of South Africa is prohibited unless it satisfies one or more of the requirements set out in POPIA’s section 72(1).

PPM Attorneys