Longstanding legislation and newly gazetted regulations are creating serious legal risk for South African employers, according to one of South Africa’s leading occupational health and wellness providers.
Workforce Healthcare, which operates 101 occupational health clinics and nine mobile medical units, is raising the alarm about what the law requires, what most employers are doing, and the consequences of getting it wrong.
The management of employee medical records, including who owns them, how they are stored, who may access them, how long they must be retained, and how they are destroyed, poses challenges for employers.
Explains Dr Robin George, Senior Occupational Medicine Practitioner and National Operations Manager, Workforce Healthcare, “The management of medical records and the personal information contained within those records is a heavily regulated area. Yet in our experience, many employers, including some healthcare service providers, are not meeting the legislative requirements.”
The urgency has intensified. Regulations specifically governing the processing of health information by responsible parties, including employers, medical schemes, managed healthcare organisations, and insurers, were gazetted on 6 March 2026 under the Protection of Personal Information Act (POPIA).
The regulations establish binding requirements around the security, confidentiality, and lawful processing of health data. Under POPIA and the National Health Act, health data carries the highest level of legal protection because the consequences of unauthorised disclosure can be devastating. Employees may be affected by discrimination in promotion or retrenchment decisions, different treatment by managers and colleagues, and in conditions carrying social stigma, such as HIV status or mental health diagnoses, lasting damage to relationships and career.
POPIA classifies health data as special personal information, affording it the highest level of protection under South African law. Processing, sharing, storing, or granting access to this information is generally prohibited unless it is strictly necessary for treatment, care, or authorised administration by a healthcare professional. Responsible parties who breach these provisions face notices, fines, and potentially more severe sanctions from the Information Regulator.
Who owns medical records?
At the heart of the problem is who owns the medical record in occupational healthcare. Ownership can reside with the healthcare provider who creates the record, or with the employer who pays for the service. The legislation requires that this be formally agreed between the service provider and the client before services commence. In practice, this conversation rarely happens.
Employers who assume they have access to employees’ medical information may already have exposed themselves to liability. Employers who receive physical medical files from their occupational health provider without a formal ownership agreement and compliant storage arrangements in place may be unlawfully holding records.
Dr George continues, “Once you accept ownership, you accept legal responsibility for storage, access control, retention, and eventual destruction. Occupational healthcare service providers should preferably avoid handing over complete medical files containing sensitive personal information to employers without certainty that those files will be managed in accordance with relevant legislation. Service level agreements should adequately address the management of medical files.
There are very specific obligations, such as storing physical records in locked, fire- and flood-resistant facilities and ensuring that electronic records are password-protected and encrypted. Disclosure of any information in a medical record to a third party requires the patient’s written consent, a court order, or a defined public health justification.
Compliant medical records management is costly. Workforce Healthcare advises that these costs should be formally factored into service agreements from the outset. Clarity on who bears them must be reached before any occupational health contract is signed.