This post is the contract checklist we wish more practices had before they signed. Six things every medical practice IT support agreement in Johannesburg should cover, and the gaps we see most often when we take over from a previous provider.
1. Mixed-Estate Competence (Mac, Windows, iPad: All in One Room)
Almost every solo or small-group practice we support runs a hybrid estate. Consulting rooms have MacBook Pros or Airs because doctors like them. Reception runs an iMac or a Mac mini connected to a label printer and a card machine. Billing (Elixir, GoodX, MediSwitch, PMA) is Windows-only, so it sits inside a Parallels or VMware virtual machine on the Mac, or on a separate Windows mini-PC behind the desk. Partners carry iPads for ward rounds.
Most IT contracts in Johannesburg are written by Windows shops who treat the Macs as "the doctor's personal device, not our problem." That is the first gap. Your contract must explicitly cover macOS, the Windows VM running on top of it, iPadOS, and the bridge between them. We have serviced well over 18,000 Apple devices through our Hyde Park workshop, and the Mac-side issues (kernel panics during a GoodX sync, T2 chip lockouts, Bluetooth conflicts with the dental loupes camera) are the ones generic providers cannot diagnose. If your contract does not name the platforms by version, push back.
For our primary medical client, Pieterse-Hunt-Meyberg-Laher, the contract names every device class and every billing platform by version. That is the standard to aim for.
2. POPIA and HPCSA Compliance: Written, Not Implied
POPIA has been enforceable since July 2021 and the Information Regulator has now started issuing enforcement notices. HPCSA Booklet 9 sets out the confidentiality duties on top of that. A medical practice IT contract that does not mention either is, frankly, a contract written before 2021.
What we put in writing for our practice clients: a documented data flow showing where patient identifiers live (Mac, VM, cloud, backup), full-disk encryption on every device with FileVault for Mac and BitLocker for the Windows side, mandatory two-factor authentication on every email account that touches patient correspondence, and a registered Information Officer named in the practice's POPIA manual. We also kill the habit of moving ICD-10 batches to Discovery, Bonitas or GEMS over plain FTP. SFTP or the medical aid's HTTPS portal, never anonymous FTP. We see it every month and it is the single biggest POPIA exposure in the average Johannesburg practice.
If your provider cannot explain, in one paragraph, how your practice would respond to a Section 22 breach notification, you do not have a compliant contract.
3. Backup That Actually Restores
Every practice we onboard claims they have a backup. Roughly one in three of those backups actually restores cleanly when we test it on day one. The rest are either Time Machine drives that were unplugged eight months ago, OneDrive folders that only sync the doctor's desktop and not the GoodX data directory, or a single USB stick in the practice manager's handbag with last quarter's patient list on it. Unencrypted. That last one is a POPIA breach waiting to happen.
A proper backup clause in a medical IT contract specifies three things. First, what is being backed up, and crucially, that includes the Windows VM image, not just the host Mac. Second, where it goes: on-site for fast restore, off-site for fire and theft, and encrypted in transit and at rest. Third, how often it is tested. We restore a sample file from every client's backup every month and document the result. Load shedding has made this harder, not easier: a UPS that keeps the router and NAS alive through a 2.5-hour Stage 6 slot is now part of the backup conversation, not separate from it.
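The monthly restore test described above can be scripted so that it catches the three failure modes named in this section: data the backup never covered, a backup that stopped running, and files that no longer restore intact. The sketch below is an added example, not the provider's own tooling; the manifest format, the paths (`billing/export.csv`, `vm/windows.pvm`) and the 7-day freshness threshold are assumptions chosen for illustration.

```python
import hashlib, shutil, tempfile, time
from pathlib import Path

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_test(backup_root, manifest, required, max_age_days=7, now=None):
    """manifest: {relative_path: sha256 recorded at backup time}.
    required: relative paths that must exist in the backup (e.g. the VM image)."""
    backup_root = Path(backup_root)
    now = now or time.time()
    findings = []
    # 1. Coverage: is everything the contract names actually in the backup?
    for rel in required:
        if not (backup_root / rel).exists():
            findings.append(f"missing: {rel}")
    # 2. Freshness: an unplugged drive shows up as a stale newest file.
    files = [p for p in backup_root.rglob("*") if p.is_file()]
    newest = max((p.stat().st_mtime for p in files), default=0)
    age_days = (now - newest) / 86400
    if age_days > max_age_days:
        findings.append(f"stale: newest file is {age_days:.0f} days old")
    # 3. Restore: copy each sample out of the backup and compare hashes.
    with tempfile.TemporaryDirectory() as scratch:
        for rel, expected in manifest.items():
            src = backup_root / rel
            if not src.is_file():
                findings.append(f"unrestorable: {rel}")
                continue
            restored = Path(shutil.copy2(src, Path(scratch) / src.name))
            if sha256(restored) != expected:
                findings.append(f"corrupt: {rel}")
    return {"tested_at": int(now), "passed": not findings, "findings": findings}

def demo():
    """Constructed sample backup: billing export present, VM image absent."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "billing").mkdir()
        f = root / "billing" / "export.csv"
        f.write_bytes(b"constructed sample data\n")
        manifest = {"billing/export.csv": sha256(f)}
        required = ["billing/export.csv", "vm/windows.pvm"]
        return restore_test(root, manifest, required)
```

The returned record is what gets filed as the documented monthly result; a backup that holds the host Mac's files but not the VM image fails on coverage even though every sampled file restores cleanly.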
4. Hardware Repair and Replacement: In Writing, With Realistic Turnaround
This is the clause that practices skip and regret. When the reception iMac dies at 07:40 on a Monday with a full day of bookings, "we will look into it" is not an answer. Your contract should name the swap-out path: a loan device delivered within a stated window, the failed unit assessed in workshop, and the repair quoted before any work begins.
In our workshop, diagnostics start with an assessment from R599, which is credited against the repair if you proceed. For the deeper jobs (logic board repair on a MacBook that has been carrying the practice's billing VM for four years, or liquid damage recovery after the inevitable coffee spill onto a consulting room keyboard) we offer a warranty of up to 3 years on the workmanship and the replaced components. That kind of cover is not standard in the Johannesburg market and it is worth asking your provider for it in writing. Apple's own official guidance at Apple Support covers the warranty rules on new units, but out-of-warranty board-level work is where an independent specialist earns the contract.
5. Transparent Pricing: Per Device, Per Month, Per Incident
The medical practice IT market in Johannesburg has a bad habit of opaque retainers. R12,000 a month, "all-inclusive," with no breakdown of what triggers an extra invoice. Three months later there is a R7,400 line item for "after-hours emergency support" that nobody can decode.
Insist on a contract that prices three things separately. A per-device monthly figure for monitoring, patching and antivirus. A per-incident or pooled-hours figure for remote and on-site support, with the after-hours multiplier stated upfront. And a project rate for anything outside business-as-usual: a new room fit-out, a Windows Server migration, a move from on-premise GoodX to GoodX Web. For a typical six-doctor practice in Rosebank or Hyde Park we would expect the monthly retainer to land somewhere between R6,500 and R14,000 depending on device count and whether the billing server is on-site or hosted. Anything dramatically below that is being subsidised by surprise invoices later.
6. A Real Handover Plan When Things Change
The last clause everyone forgets. What happens when a partner leaves the practice and their MacBook needs wiping without losing the shared calendar? What happens when you change billing software from PMA to GoodX and 11 years of patient files need migrating? What happens when your IT provider goes under or you simply want to move?
Your contract should give you, in writing, ownership of your data, ownership of your Microsoft 365 or Google Workspace tenancy, the admin passwords held in escrow, and a 30-day cooperative handover obligation. We have onboarded practices where the previous provider held the domain registrar login hostage for six weeks. Do not let that be you.
If you would like us to review your current contract against this six-point checklist, contact us or WhatsApp us on 064 529 5863 and we will walk through it with your practice manager. You can also book online at zasupport.com/book for an on-site assessment.
Frequently Asked Questions
Q: Do you support practices that use GoodX or Elixir on a Mac?
Yes, this is the bulk of what we do. We set up Parallels or VMware Fusion on the MacBook or iMac, install the Windows licence, run the billing software inside it, and make sure the printer, card machine and ICD-10 export all behave. We have configured this stack across more than 11,000 client sessions over the years.
Q: How quickly can you respond to a practice down during clinic hours?
For contracted clients in Johannesburg (Hyde Park, Sandton, Rosebank, Parktown, Houghton, Morningside, Bryanston) we aim for remote response within 15 minutes during business hours and on-site within 90 minutes for a practice-stopping incident. Out-of-hours response is covered if your contract includes it.
Q: What does a POPIA gap assessment for a medical practice cost?
We run a focused POPIA and HPCSA readiness assessment from R599 per device for the technical side, plus a separate fixed fee for the policy and procedure work. Most solo practices complete the whole thing for under R15,000, which is considerably less than a single Information Regulator fine.
Q: Can you handle the hardware repair as well as the IT support?
Yes, that is one of our differentiators. Most managed service providers outsource hardware. We do it in-house at our Hyde Park Johannesburg workshop, with up to 3-year warranty on logic board and liquid damage work. For deeper component-level reference, the teardowns at iFixit are excellent, but the actual board work for South African clients happens with us.
Q: We are a two-doctor practice. Are we too small for a proper IT contract?
No. We support solo GPs, biokineticists, audiologists and physios. The contract scales down: fewer devices, lighter retainer, same compliance backbone. POPIA does not have a small-practice exemption, so the controls need to be there regardless of size.
Q: What happens to our data if we end the contract?
It remains yours, in full, in a format you can take to the next provider. Our standard agreement includes a 30-day handover obligation where we cooperate with the incoming IT team, transfer admin credentials, and provide documentation of the environment. No hostage-taking, ever.
