It is not uncommon that disputes arise between healthcare practices and service providers like bureaux or managing agents, or healthcare practices and practitioners leaving the practices over whom owns the patient files and data.

Practices must make sure that there is a properly communicated procedure for patients to request their data

There are three main issues that need to be carefully thought through: 


According to the HPCSA’s ethical guidelines, Booklet 9, a health record may be defined as any relevant record made by a health care practitioner at the time of or after a consultation and/or examination or the application of health management. A health record contains the information about the health of an identifiable individual recorded by a healthcare professional, either personally or at his or her direction. 

The health record consists of special personal information according to the Protection of Personal Information (POPI) Act, and the data is owned by the patient or data subject. The patient can request that the health record is provided to him/her, but the practice must keep at least a copy of the record for a minimum period of six years, depending on the age and capacity of the patient. 

Practices must make sure that there is a properly communicated procedure for patients to request their data, and to inform them of the information of the patient that the practice will need to respond positively to such requests. 


If a healthcare practice outsources a service, like billing, to a bureau, the bureau has a right of retention on the billing data until their account has been settled in full by the practice. The service provider never becomes owner of the data, but the practice could find itself in a situation where the bureau withholds the data from the practice. 

It is important to decide how service providers will have access to the data of the practice. If the practice’s patient base will be created on the service provider’s software, how will the practice have access to that data and how will the data be transferred to the practice should the business relationship end? The POPI Act does not clearly prescribe in which format data must be returned to the practice, except that it must be in a readable format. This can put large practices in a position where they can eventually be left with spreadsheets filled with data that is difficult to import into new software, should the need arise. 


Every healthcare practice possesses business equity consisting of among other things their patient base and therefore, their patient files. When the value of a practice is calculated for purposes of selling the practice or calculating which capital investment a new practitioner should make to become a partner or director of the practice, this data will be used to calculate the goodwill and equity of the practice. 

If, for example, two practitioners consulted with the same patients, it becomes difficult to ascertain which practitioner has a right to the patient files. If a partnership is ended or an incorporated company is liquidated, it will be of great importance to have an agreement in place that specifically addresses the issue of who gets the patient files. 

To sum up, healthcare practices should consider the following: 

  • That their data is kept in their own licenced software and only accessed by their service providers through separate users. This will enable them to always have access to their own patient files and they don’t have to worry about losing valuable information. 
  • If it is not possible for data to be kept on the practice’s own software, ensure that your agreement with the service providers make explicit mention of how the data of the practice will be transferred to the practice in case the agreement ends.  
  • See to it that contractual agreements are in place within partnerships or incorporated companies so that practitioners can stay clear of disputes about where patient files will be kept and who owns the business equity of the healthcare business.