Critical. Authoritative. Strategic.


CBR is proudly produced & published
by Technews
Issue Date: October 2003 (es)

Records management for health providers

October 2003

Failure by health care establishments to comply with the record management duties detailed in the National Health Bill may result in imprisonment, fines and civil liability.

Failure by health care establishments to comply with the record management duties detailed in the National Health Bill may result in imprisonment, fines and civil liability.
Health service providers such as hospitals and clinics are easy targets for cyber terrorists. Hackers who amend medical records of patients can cause significant loss and damage to both the health care provider and the patient - patients may receive the wrong treatment and medication. A hospital being sued by a patient, who had a leg wrongly amputated because his or her patient record was accessed and amended without authority, suddenly seems a real possibility.
During 2000, a sophisticated hacker took command of large portions of the University of Washington Medical Centre's internal network earlier this year, and downloaded computerised admissions records for four thousand heart patients. The intrusions began in June, and continued until at least mid-July, before network administrators at the Seattle teaching hospital detected the hacker and cut him off. The medical centre was purportedly unaware that patient records were downloaded, and elected not to notify law enforcement agencies of the intrusions.
"It is a story of great incompetence," said the hacker, a 25-year-old Dutch man who calls himself Kane. "All the data taken from these computers was taken over the Internet. All the machines were exposed without firewalls of any kind."
In a related incident, a direct marketing organisation hacked into a London hospital's records to gain access to patients' contact details - the patients subsequently received spam e-mails advertising products related to their illnesses.
During the six-week period from August 2003 to middle September 2003, the websites of more than 107 hospitals, clinics and pharmacies were attacked and defaced by hackers worldwide. The list includes the Bantry Bay Pharmacy's website ( that was defaced on 21 July 2003 by a hacker referred to as '7up' (for more details visit:</a>).
Health care providers may, notwithstanding criminal and civil liability, also suffer reputational harm resulting from a successful cyber attack. Who would share confidential and personal medical information with a hospital, clinic, doctor or pharmacy that has been hacked?
In an attempt to, amongst others, secure and protect patients' medical records, the South African Government is in the process of finalising the much awaited National Health Act (currently referred to as the National Health Bill B32 of 2003 (the Bill) available from:
In terms of the Bill, hospitals, clinics, doctors, pharmacies, dentists and other health care professionals have certain duties to protect patients' information from unauthorised access and/or disclosure.
The table on page 10 shows a summary of these duties.
Notwithstanding the record management duties shown in the table, more than 22 other pieces of legislation force health care providers to retain certain records for a specified period. The most common example of these laws is probably the Income Tax Act 58 of 1963, which requires the retention of more than 38 documents or agreements. However, some pieces of legislation, not so commonly known, such as the Wages Act 5 of 1957 and the Stamp Duties Act 77 of 1968 also provide stringent record retention duties and responsibilities.
Before the widespread use of e-mail, records management was fairly easy - certain paper documents had to be filed in certain files. Archive personnel or library staff normally discharged these duties.
However, in terms of the provisions of the Electronic Communications and Transaction Act 25 of 2002 (, electronic data and electronic records are given the same legal status as paper-based records and documents. Businesses therefore have to retain data contained in e-mail messages, attachments to e-mail messages, websites, files downloaded from the Internet, recorded voice messages and computer files.
Failure to comply with legislative record retention provisions may result in fines as high as R10 million, imprisonment of 15 years and civil liability. The deletion of an e-mail message may therefore result in significant legal and financial risk to any business.
For more information contact Buys Incorporated, 011 259 1199.

Others who read this also read these articles

Others who read this also read these regulars

Search Site

Search Directory

  • Search for:


Previous Issues