This post is what I tell those practice owners when they sit down with a coffee and ask me to be straight with them. POPIA is not theoretical anymore. The Act has been fully enforceable since 1 July 2021, when the grace period ended, the Regulator has issued enforcement notices, and the administrative fines run up to R10 million, with the criminal penalties for the most serious offences reaching ten years' imprisonment. As the doctor or practice owner, you are the Responsible Party under the Act. The buck stops with you, not your receptionist and not your IT supplier.
What POPIA Actually Requires from a Medical Practice
The Act itself is dense, but the practical compliance checklist for a small to medium practice is not unmanageable. You need to register an Information Officer with the Regulator (in most small practices this is the principal doctor, though the day-to-day duties can be delegated to a deputy). You need a Personal Information Impact Assessment on file, showing you have thought about where patient data flows, who touches it, and what the risks are. You need written processor agreements, or operator agreements in the Act's own terminology (section 21 requires a written contract with anyone who processes personal information on your behalf), with every supplier who handles patient information: your practice management software vendor, your medical aid switching house, your cloud backup provider, and yes, your IT support company.
You need encryption at rest on every device that stores patient records. On a Mac that means FileVault is switched on, with the recovery key recorded in the practice register rather than left in the laptop bag. On a Windows machine that means BitLocker, with the recovery key escrowed in the same way. On any external backup drive or NAS, AES-256 encryption is the minimum. You need encryption in transit, which in practical terms means TLS 1.2 or 1.3 with older protocols disabled on any web-facing service, and SFTP rather than the plaintext FTP that some pathology labs still insist on using.
And you need a breach notification process. The Act's wording is "as soon as reasonably possible after the discovery of the compromise", and the Regulator's guidance treats 72 hours as the benchmark for getting a notification to it and to affected patients. Not 72 working hours. Not "as soon as we figure out what happened". Plan for seventy-two hours from the moment you know.
Where Most Johannesburg Practices Are Failing
We have serviced more than 30,000 devices in our time, and a meaningful slice of those have been for medical and allied health practices across Johannesburg. The same gaps come up again and again.
FileVault is off on the doctor's personal MacBook that gets carried between the practice and home. The reception iMac has a four-character password and automatic login enabled. Patient files are sitting in a shared Dropbox folder that the previous practice manager set up in 2018, still active, still accessible to a staff member who left eighteen months ago. The "backup" is an external hard drive plugged into the server, unencrypted, that nobody has tested a restore from in three years.
These are not exotic failures. They are the ordinary state of a busy practice that has been focused on patients rather than infrastructure. The Regulator does not particularly care how busy you have been. If a laptop containing 800 patient records is stolen from a car in the Hyde Park Corner parking lot and FileVault was not enabled, that is a reportable breach, and whether the Regulator treats it as a defensible incident or a negligent one turns on what you can show you had in place beforehand.
What a POPIA-Aware IT Partner Actually Does
When a new medical client engages us, we start with an assessment from R599 that covers every device touching patient data: workstations, laptops, the practice server if there is one, mobile phones that receive practice email, the router, and the backup target. We document the operating system, the encryption status, the patch level, the user accounts, and the network configuration. We check whether macOS or Windows is still receiving security updates: we still see practices running Mojave or Windows 8.1, both of which are well past their support windows and have no business storing patient data.
From there the work splits into hardware and configuration. On the hardware side, we deal with the failing logic boards, the dying SSDs, the swollen batteries on five-year-old MacBooks that the doctor refuses to retire. Our logic board repair work on medical-practice machines is backed by up to a three-year warranty, which matters because the last thing a practice needs is a repeat failure six months into a compliance programme. If a device has taken a coffee spill (and you would be amazed how often that happens at a reception desk), our liquid damage recovery service can often recover the data even where the machine itself is not economically repairable, which matters enormously when that data is the only copy of three weeks of consultation notes.
On the configuration side, we enable FileVault or BitLocker on every device, set up proper user accounts with individual logins rather than a shared "Reception" account, configure automatic security updates, install a reputable endpoint protection product, and set up an encrypted backup that follows the 3-2-1 principle (three copies, two different media, one off-site), then prove it works by restoring from it. We document everything in a register that you can hand to the Regulator if they come knocking.
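The Mac side of that assessment and the before-and-after evidence for the register can be collected with a script like the one below. It is an added example for this post, not the company's own tooling or anything from the original page: each check takes the raw output of a standard macOS command and rates it PASS or FAIL, and the live collection only runs on a Mac. Two things in it are assumptions: MIN_MACOS_MAJOR stands for the oldest macOS release still receiving security updates and must be reviewed as Apple's support window moves, and the shared-login pattern is a heuristic built from the account names we describe above.

```shell
#!/bin/sh
# popia_mac_audit.sh (added example, not from the original post)
# Gathers the per-device facts the assessment records on a Mac (encryption,
# automatic login, OS support, firewall, pending patches, shared logins) and
# rates each PASS/FAIL. Every check_* function takes raw command output as $1,
# so the same logic runs live on a Mac or against captured output elsewhere.
#
# Assumption: MIN_MACOS_MAJOR is the oldest macOS still receiving security
# updates. Apple moves this window yearly; review it before each assessment.
MIN_MACOS_MAJOR=13

check_filevault() {            # $1 = output of `fdesetup status`
    case "$1" in
        *"FileVault is On"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

check_autologin() {            # $1 = output of `defaults read ... autoLoginUser`
    # The key only exists when automatic login is enabled; otherwise `defaults`
    # reports "does not exist", which is the compliant state.
    case "$1" in
        ""|*"does not exist"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

check_os_version() {           # $1 = output of `sw_vers -productVersion`, e.g. 14.6.1
    major=${1%%.*}
    if [ "$major" -ge "$MIN_MACOS_MAJOR" ] 2>/dev/null; then echo PASS; else echo FAIL; fi
}

check_firewall() {             # $1 = output of `socketfilterfw --getglobalstate`
    case "$1" in
        *"Firewall is enabled"*) echo PASS ;;
        *) echo FAIL ;;
    esac
}

check_updates() {              # $1 = output of `softwareupdate -l`
    case "$1" in
        *"No new software available"*) echo PASS ;;
        *) echo FAIL ;;        # any pending "* Label:" entry, or an error, is a gap
    esac
}

check_shared_accounts() {      # $1 = local user names, one per line (`dscl . -list /Users`)
    # Heuristic (assumption): generic role names mean a shared login rather than
    # individual accounts. Extend the pattern for names seen in your practices.
    if printf '%s\n' "$1" | grep -Eiq '^(reception|frontdesk|staff|shared|rooms|nurse|doctor|admin)$'; then
        echo FAIL
    else
        echo PASS
    fi
}

audit_this_mac() {
    ver=$(sw_vers -productVersion)
    printf 'FileVault        %s\n' "$(check_filevault "$(fdesetup status 2>&1)")"
    printf 'Automatic login  %s\n' "$(check_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>&1)")"
    printf 'OS in support    %s (macOS %s)\n' "$(check_os_version "$ver")" "$ver"
    printf 'Firewall         %s\n' "$(check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)")"
    printf 'Fully patched    %s\n' "$(check_updates "$(softwareupdate -l 2>&1)")"
    printf 'Shared logins    %s\n' "$(check_shared_accounts "$(dscl . -list /Users | grep -v '^_')")"
}

# Only the live collection is macOS-specific; the checks above run anywhere.
if [ "$(uname)" = Darwin ]; then
    audit_this_mac
fi
```

Run it with sudo on each Mac during the site visit and paste the six lines into the device register, then run it again once the configuration work is done so the register shows the before and after. The Windows equivalents (BitLocker state from manage-bde -status, the local account list) are not covered by this script.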
We also write the processor agreement between your practice and us, which is itself a POPIA requirement that most IT companies in Johannesburg quietly ignore. Apple's own guidance on device encryption and security, which you can read at Apple Support, gives a good baseline for the Mac side of things, but the practice-level paperwork is what the Regulator will ask for first.
Being Honest About Cost and Load Shedding
A small two-doctor practice can usually reach a defensible POPIA posture for somewhere between R8,000 and R25,000 in initial work, depending on how much of the existing hardware is salvageable and how many staff devices need attention. Ongoing monthly support that includes patch management, backup monitoring, and incident response sits in a range that depends on headcount, but it should not feel ruinous. If anyone quotes you R50,000 a month for a four-person practice, walk away.
Load shedding deserves a mention because it is a genuine POPIA risk that nobody outside South Africa thinks about. Unexpected power loss corrupts databases, kills hard drives, and interrupts backup jobs mid-run. A UPS on the server, configured to shut the server down cleanly before the battery runs flat rather than simply keep it alive for twenty minutes, plus a tested generator or inverter setup, is not luxury infrastructure for a medical practice. It is part of the "appropriate, reasonable technical and organisational measures" the Act requires you to take.
What to Expect When You Engage Us
You can contact us or book online at zasupport.com/book for an initial site visit. We come to your rooms, we look at what is actually there, and we give you a written report that lists every gap against POPIA requirements with a priority rating. No upsell theatre. If your existing setup is largely fine and just needs three small fixes, we will tell you that. If it is a mess, we will tell you that too, with a costed plan to fix it.
For urgent matters (a stolen laptop, a ransomware alert, a staff member who has clicked something they should not have) WhatsApp us on 064 529 5863 and we will respond. Speed matters under POPIA because the notification clock starts the moment you become aware of the compromise, not the moment it is convenient to deal with it.
Frequently Asked Questions
Q: Do I have to register as an Information Officer with the Regulator?
Yes. Every Responsible Party must register an Information Officer, and for most small practices that will be the principal doctor or practice owner. Registration is done through the Regulator's online portal and is free. We can help you complete the registration as part of an assessment.
Q: Is cloud storage allowed for patient records under POPIA?
Yes, with conditions. The cloud provider must offer encryption at rest and in transit, you must have a written processor agreement with them, and you must be satisfied with their security posture. Many international cloud providers meet these requirements, but because most of them hold the data outside South Africa the agreement also has to satisfy the Act's conditions on transborder flows of personal information (section 72), and you need the paperwork to prove all of this during an audit.
Q: What happens if a staff member loses a laptop with patient data?
If the laptop was properly encrypted with FileVault or BitLocker, the password was strong, and the recovery key was not in the same bag, the practical risk to patients is low and your defensibility is high. If it was not encrypted, you have a reportable breach and 72 hours to notify the Regulator and affected patients. This single configuration setting is the difference between a near-miss and a serious incident.
Q: How long does a POPIA assessment take?
For a typical two-to-four doctor practice in Hyde Park or surrounding Johannesburg suburbs, the on-site assessment takes about two hours. The written report follows within three working days. Implementation of recommendations depends on scope but most practices can be brought to a defensible standard within two to three weeks.
Q: Do I need new hardware to be POPIA compliant?
Usually not. Most Macs from 2017 onwards and Windows machines that can run Windows 11 are perfectly capable of meeting the technical requirements. Where we recommend replacement, it is normally because a device is out of vendor security support or has hardware faults that make it unreliable. Our repairs carry up to three-year warranty cover so we are not pushing replacement for its own sake.
Q: What is the difference between POPIA and HPCSA requirements for record keeping?
HPCSA rules govern how long you must retain patient records and in what form. POPIA governs how you must protect those records while you hold them and how you must dispose of them when retention is no longer lawful. The two regimes overlap and a properly designed practice setup satisfies both at once, but they are distinct legal obligations and a compliance plan needs to address each on its own terms.
