The myth
“Doctors can’t share patient information with specialists or medical schemes because of POPIA.”
The Act expressly authorises healthcare processing where necessary for treatment, care or practice administration, and processing by medical schemes where necessary for risk assessment and for performing the scheme agreement. Referral letters, hospital handovers and medical-aid claims are lawful.
“(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned; (b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for— (i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing; (ii) the performance of an insurance or medical scheme agreement; or (iii) the enforcement of any contractual rights and obligations;”
Healthcare flows, mapped to the authorisation
The everyday flows all land inside section 32(1): the GP’s referral to the specialist and the specialist’s report back — treatment and care; the hospital handover between shifts and facilities — treatment and administration; the practice’s billing and the scheme’s claim adjudication — performance of the scheme agreement; the pathology lab reporting to the treating doctor — treatment. What the authorisation does not cover is processing outside the care-and-administration purpose: selling de-identified-ish patient data to marketers, or a receptionist browsing a celebrity’s file. The general conditions — minimality, security — keep running underneath.
Employers and sick notes
Two gateways carry the HR file’s health content. The medical certificate supporting sick leave is the rights-and-obligations gateway (s 27(1)(b)) in action: the BCEA right to sick leave is exercised through it. And section 32(1)(f) gives employers specific cover for processing required by laws and schemes that depend on employees’ health status, such as COIDA claims, occupational-health surveillance and disability benefits. The discipline is scope: the employer processes what leave administration and those laws need, not the employee’s full medical history (see employee information).
The confidentiality overlay
Section 32(2)–(3) subjects the authorisation to confidentiality: practitioners bound by professional secrecy obligations process under them, and others handling health information under section 32 must treat it as confidential. POPIA here reinforces rather than replaces the ethical framework — HPCSA rules, the National Health Act’s confidentiality provisions — so a disclosure that breaches medical confidentiality finds no shelter in section 32. For moving records to cloud systems and offshore platforms, see cross-border transfers and the s 57(1)(d) prior-authorisation trap for special information.