Morningside is home to one of Johannesburg's densest concentrations of medical practitioners. Specialists, general practitioners, physiotherapists, and dental practices line Rivonia Road and the surrounding streets, each handling sensitive patient data across multiple devices every day. In our experience working with Morningside medical practices since 2015, the consistent finding is this: most practices have IT support, but very few have a documented IT provider agreement that would satisfy the Information Regulator during a POPIA assessment or data breach investigation.
This is not a theoretical risk. The Information Regulator has been actively investigating data breaches in the healthcare sector since POPIA's enforcement date. When they arrive at your practice, one of the first documents they request is your written agreement with your IT service provider: the entity that has access to your systems, your patient data and your network infrastructure. If that agreement does not exist, your practice has a compliance gap that no amount of technical security can compensate for.
The Difference Between a Microsoft DPA and a POPIA Section 21 Agreement
Many practices believe their Microsoft 365 Data Processing Agreement covers their IT compliance obligations. It does not. The Microsoft DPA is a global document between Microsoft and each tenant. It addresses how Microsoft handles data within Microsoft's own cloud infrastructure. It does not address:
These are practice-specific obligations that require a written agreement between your practice and your IT provider, not between your practice and Microsoft. The Microsoft licence gives you tools. A managed IT provider configures and monitors those tools and documents how they are used to protect patient data. The written IT provider agreement is what the Regulator asks for.
What HPCSA Practitioners Need to Understand
As an HPCSA-registered practitioner, you have a personal regulatory obligation regarding patient data. This is not delegated to your practice manager or your IT provider; it sits with you. The HPCSA Ethical Rules and the Health Professions Act require that you take reasonable steps to protect patient confidentiality, and in 2026, that means digital data protection, not just physical file security.
When your MacBook containing patient notes is stolen from your car in Morningside, the Information Regulator will ask: Was FileVault encryption enabled? Was the device managed through an MDM solution? Was there a written IT provider agreement documenting these security measures? Was there an incident response plan?
If the answer to any of these questions is no, you are personally liable. Not your practice. Not your IT person. You.
Our Managed IT Service for Morningside Medical Practices
At ZA Support, we provide a managed IT service specifically designed for medical practices in the Morningside area and across Gauteng. This is not generic IT support; it is a compliance-focused service built around the specific regulatory requirements that HPCSA practitioners face.
Written IT Provider Agreement
The foundation of our service is a formal written agreement that satisfies POPIA Section 21 requirements. This document specifies exactly how we handle your data, what security measures we maintain, how we respond to incidents, and what our obligations are regarding confidentiality. This is the document the Information Regulator will request during any assessment.
JAMF MDM Deployment
We deploy JAMF Pro for Apple device management across your practice. This gives you centralised control over every Mac, iPhone and iPad in your practice: enforcing encryption, managing application deployment, configuring security policies, and enabling remote wipe if a device is lost or stolen.
FileVault Encryption Verification
Every Mac in your practice must have FileVault enabled. We verify this during onboarding and monitor it continuously through JAMF. If FileVault is disabled on any device, accidentally or intentionally, the change is reported at that device's next inventory check-in, we are alerted, and we can remediate remotely.
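As an added example of how that continuous check can be implemented (this is illustrative code, not ZA Support's production script), the following is a Jamf Pro Extension Attribute script. Jamf reads the value between the result tags each time the Mac submits inventory, and a smart group on that value ("Off" or "Deferred") can scope a remediation policy. The classification relies on the real message strings that `fdesetup status` prints on macOS; the sample outputs in the comments are constructed, and the script falls back to an "Unknown" result on a non-macOS host so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not ZA Support's production script): a Jamf Pro Extension
# Attribute that reports the FileVault state of the Mac it runs on.

# Classify the text printed by `fdesetup status` into one of five states.
# Constructed sample outputs, matching the real macOS wording:
#   "FileVault is On."
#   "FileVault is Off."
#   "FileVault is On.\nEncryption in progress: Percent completed = 42."
#   "FileVault is Off.\nDeferred enablement appears to be active for user 'dr'."
# The in-progress and deferred messages are checked first because they appear
# together with an On/Off line and must take precedence over it.
fv_state_from_output() {
  case "$1" in
    *"Encryption in progress"*) echo "Encrypting" ;;
    *"Deferred enablement"*)    echo "Deferred" ;;
    *"FileVault is On."*)       echo "On" ;;
    *"FileVault is Off."*)      echo "Off" ;;
    *)                          echo "Unknown" ;;
  esac
}

# Monitoring exit code: succeed only when the disk is fully encrypted.
# "Encrypting" and "Deferred" are treated as non-compliant on purpose, since
# a stolen laptop in either state still exposes unencrypted data.
fv_is_compliant() {
  [ "$(fv_state_from_output "$1")" = "On" ]
}

# Produce the <result> line Jamf stores as the attribute value.
report_filevault() {
  if command -v fdesetup >/dev/null 2>&1; then
    out="$(fdesetup status 2>&1)"
  else
    out="fdesetup not present (not macOS)"   # keeps the script runnable elsewhere
  fi
  echo "<result>$(fv_state_from_output "$out")</result>"
}

report_filevault
```

Running this on a Mac prints `<result>On</result>` when the disk is encrypted; any other value is the signal for the remediation policy. The deliberate choice is that only "On" counts as compliant: a device that has FileVault enabled but is still encrypting, or is waiting for the user's next login to begin, is not yet protected.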
Backup Monitoring and Verification
We do not just set up Time Machine and forget about it. We monitor backup completion, verify backup integrity monthly, and ensure that at least one backup set is stored off-site, encrypted, to meet POPIA's security safeguard requirements. A backup that exists but has not been verified is not a backup; it is a hope.
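The completion-monitoring part of that can be automated with a small script. The one below is an added example, not ZA Support's monitoring tooling: it reads the path that `tmutil latestbackup` prints on macOS (the path ends in a YYYY-MM-DD-HHMMSS timestamp, with a `.backup` suffix on APFS destinations), works out how old the newest backup is, and fails if it is older than a threshold. The 36-hour threshold and the sample paths are assumptions chosen for illustration; the date conversion tries the macOS `date -j -f` form first and falls back to GNU `date -d` so the parsing can be tested on any system.

```shell
#!/bin/sh
# Added example (not ZA Support's production monitoring): fail if the most
# recent Time Machine backup is older than a threshold.

# Pull the timestamp out of a tmutil path. Constructed examples:
#   /Volumes/TM/Backups.backupdb/Reception-iMac/2024-05-01-120000  -> 2024-05-01-120000
#   /Volumes/.timemachine/ABCD/2024-05-01-120000.backup            -> 2024-05-01-120000
backup_timestamp() {
  base="${1##*/}"
  echo "${base%.backup}"
}

# Convert YYYY-MM-DD-HHMMSS to Unix epoch seconds, treating it as UTC.
# macOS date takes -j -f; GNU date takes -d; try both for portability.
ts_to_epoch() {
  d="${1%-*}"                            # 2024-05-01
  t="${1##*-}"                           # 120000
  hh=$(printf '%s' "$t" | cut -c1-2)
  mm=$(printf '%s' "$t" | cut -c3-4)
  ss=$(printf '%s' "$t" | cut -c5-6)
  TZ=UTC date -j -f '%Y-%m-%d %H:%M:%S' "$d $hh:$mm:$ss" +%s 2>/dev/null \
    || TZ=UTC date -d "$d $hh:$mm:$ss" +%s
}

# Age, in whole hours, of the backup at PATH ($1) relative to NOW_EPOCH ($2).
backup_age_hours() {
  backup_epoch=$(ts_to_epoch "$(backup_timestamp "$1")")
  echo $(( ($2 - backup_epoch) / 3600 ))
}

# Monitoring exit code: 0 if the backup at $1 is at most $3 hours old at $2.
backup_is_fresh() {
  [ "$(backup_age_hours "$1" "$2")" -le "$3" ]
}

# Live check on a real Mac; skipped silently elsewhere.
MAX_HOURS=36   # assumed threshold: roughly one missed daily backup
if command -v tmutil >/dev/null 2>&1; then
  latest=$(tmutil latestbackup 2>/dev/null) || latest=""
  now=$(date +%s)
  if [ -z "$latest" ]; then
    echo "ALERT: no Time Machine backup recorded"
  elif backup_is_fresh "$latest" "$now" "$MAX_HOURS"; then
    echo "OK: latest backup is $(backup_age_hours "$latest" "$now")h old"
  else
    echo "ALERT: latest backup is $(backup_age_hours "$latest" "$now")h old"
  fi
fi
```

Freshness is only half of the monthly verification described above; integrity is the other half and is a separate, slower job (Time Machine's own `tmutil verifychecksums` on the backup path) that belongs in a scheduled run rather than in this quick check. Note also that an absent backup is reported as an alert, not silently treated as fresh.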
Network Security Assessment
We assess your practice's network infrastructure: Wi-Fi security (WPA3 enforcement), network segmentation between patient-facing and staff networks, firewall configuration, and IoT device isolation. Many Morningside practices share a single network between patient iPads in the waiting room and the practice management system; that is both a security risk and a compliance risk.
Incident Response Planning
We create and maintain an incident response plan tailored to your practice. This covers data breach notification (POPIA Section 22 requires you to notify the Information Regulator and affected patients as soon as reasonably possible after discovering the compromise, so the clock starts at discovery, not at a fixed 72-hour deadline), device theft procedures, ransomware response, and communication templates for patients and regulators. When an incident occurs, you will know exactly what to do and in what order.
Ongoing Support and Maintenance
Hardware and software support for all Apple devices in your practice. Priority response for medical practices: we understand that system downtime in a medical environment has different consequences than in a corporate office.
Pricing for Morningside Medical Practices
Our managed IT service is priced per device per month, with the IT provider agreement and compliance documentation included:
We provide a detailed proposal after an initial assessment of your practice's infrastructure, devices, and compliance requirements. Every practice is different, and we do not believe in one-size-fits-all pricing for compliance-sensitive environments.
Why Morningside Practices Need This Now
The Information Regulator's enforcement activity is increasing. In 2025, several healthcare providers received enforcement notices for inadequate data protection measures. The Regulator has stated publicly that healthcare is a priority sector for compliance audits due to the sensitivity of patient data.
Approaching compliance from a position of documented corrective action (implementing proper IT governance, signing an IT provider agreement, deploying MDM, verifying encryption) is significantly better than responding reactively after a breach. The Regulator views proactive compliance favourably. Reactive compliance after a breach invites scrutiny.
For Morningside practices specifically, the concentration of medical professionals in the suburb means that a single breach incident could prompt the Regulator to audit multiple practices in the area. Being prepared is not paranoia; it is professional responsibility.
Hardware Repair for Medical Practice Devices
In addition to managed IT, we provide the same component-level repair service to Morningside medical practices that we offer to all clients:
Medical practices receive priority scheduling for hardware repairs. We understand that a failed iMac running your practice management system is not the same as a personal machine; it is a business-critical asset that affects patient care.
Getting Started
The process is straightforward:
Frequently Asked Questions
Do I really need a written IT provider agreement for my medical practice?
Yes. POPIA Section 21 requires a written agreement between the responsible party (your practice) and any operator (your IT provider) that processes personal information on your behalf. The Information Regulator will request this document during any assessment or breach investigation.
What is the difference between generic IT support and managed IT for medical practices?
Generic IT support fixes things when they break. Managed IT for medical practices includes proactive compliance monitoring, POPIA documentation, HPCSA-aware security configurations, and incident response planning. The regulatory context is fundamentally different from corporate IT support.
Can ZA Support manage non-Apple devices in my practice?
Our primary expertise is Apple devices. For practices with mixed environments (Apple and Windows), we manage the Apple devices and can recommend trusted partners for Windows infrastructure. We do not pretend to be experts in everything; we are experts in Apple.
How quickly can you respond to a hardware failure at my practice?
Medical practices receive priority scheduling. For critical failures (practice management system down, data access issues), we aim for same-day assessment. Standard hardware repairs are scheduled within one working day of contact.
What happens if there is a data breach at my practice?
Our incident response plan covers the immediate technical response (containment, evidence preservation), regulatory notification (the Information Regulator, as soon as reasonably possible after discovery, as POPIA Section 22 requires), patient notification, and post-incident remediation. Having this plan documented before an incident occurs is essential.
Is JAMF MDM necessary for a small practice with only two or three devices?
Even for small practices, MDM provides enforcement of encryption, remote wipe capability, and centralised management that manual approaches cannot match. The cost is modest relative to the compliance benefit and the protection it provides if a device is lost or stolen.
Written by Courtney Bentley with AI assistance, based on 17 years of hands-on experience supporting medical practices across Johannesburg.
