The regulatory overlay for SA healthtech
POPIA — Health Information
Section 26 special-personal-information rules apply to health data. Section 32 provides additional grounds on which health data may be processed, including consent, public-interest research, and life-threatening emergency. Higher security expectations apply.
National Health Act 61 of 2003
Section 14 confidentiality of health records; section 13 obligations on health establishments to maintain records; informed-consent framework that interacts with POPIA.
Medicines and Related Substances Act + SAHPRA
Tech intersecting with medicines, medical devices or in-vitro diagnostics may require SAHPRA registration as a medical device. The line between "wellness app" and "medical device" is increasingly enforced.
HPCSA + statutory professional bodies
AI-driven clinical decision support, telemedicine, and prescribing-assistance tools must navigate scope-of-practice rules for medical, pharmacy, allied health and nursing professionals.
Cybercrimes Act + sector-specific incident reporting
Section 22 of POPIA (breach notification), section 54 of the Cybercrimes Act and Department of Health incident escalation together create multiple parallel notification obligations.
Frequently asked
What is special-personal-information under POPIA and how does it affect healthtech?
Section 26 of POPIA defines "special personal information" to include health and sex life of a data subject. Section 27 generally prohibits processing of special personal information except in limited circumstances; section 32 then provides additional grounds specific to health data — consent, public-interest research, occupational health, treatment delivery, life-threatening emergency. Healthtech businesses processing health data must satisfy s 27 prohibition + s 32 carve-out + s 26 enhanced security expectations.
Is my wellness app a "medical device" under SAHPRA?
It depends. SAHPRA's medical-device framework covers products intended for diagnosis, prevention, monitoring, treatment, or alleviation of disease. A pure wellness app (mood tracking, fitness recording) is typically not a medical device. An app that diagnoses, recommends treatment, or interprets clinical data is increasingly being characterised as a medical device requiring SAHPRA registration. The line is moving — get specific advice.
Can a SA healthtech platform store data in AWS / Azure outside SA?
Section 72 of POPIA permits cross-border transfer if the recipient is bound by an agreement providing protection substantially similar to POPIA. Major cloud providers offer SA regions (Cape Town, Johannesburg) — keeping health data in-country avoids the section 72 issue entirely. For data flowing offshore, the cloud provider's POPIA-aligned DPA must be reviewed against the enhanced health-data expectations of section 26.
What contract stack does a SA healthtech startup need?
Beyond standard SaaS contracting: a healthcare-specific Data Processing Addendum with enhanced security obligations; clinical-content disclaimers; HPCSA-aligned scope-of-practice statements; telemedicine-specific terms where consultations occur; medical-device classification statement (where relevant); and (for any AI-driven decision support) POPIA s 71 automated-decision compliance. Stack from R45,000; ongoing retainer R10,000–R20,000/month.
How does the Health Professions Act interact with telemedicine platforms?
Telemedicine platforms must ensure that consultations are conducted by HPCSA-registered practitioners practising within their scope of practice. The platform itself is a tool; the practitioner remains the regulated party. Platform terms should make this allocation clear and obligate practitioner users to maintain their own HPCSA registration and professional indemnity. The HPCSA has issued multiple guidance notes on telemedicine that evolve regularly.