HPCSA Booklet 10 governs the practice of telehealth in South Africa. This guide unpacks the practical compliance requirements for telehealth platforms, the HPCSA registration architecture, and the POPIA interaction.
The Foundational Document for South African Telehealth
The Health Professions Council of South Africa's General Ethical Guidelines for Good Practice in Telehealth, known as Booklet 10, sets the ethical and professional framework for the practice of telehealth in South Africa. The current revision was published in December 2021, reflecting the substantial expansion of telehealth practice during the COVID-19 period and the consolidation of telehealth as a permanent feature of South African clinical practice.
For HealthTech platforms, telemedicine operators, and healthcare providers, Booklet 10 is the reference document against which clinical telehealth practice is assessed in HPCSA enforcement matters. Compliance is non-negotiable.
Scope of Booklet 10
Booklet 10 applies to telehealth practice by healthcare practitioners registered with the HPCSA. It covers synchronous interactions (video and telephone consultations), asynchronous interactions (store-and-forward consultations using messaging or file exchange), and combined modalities. It applies to consultations between practitioner and patient and to provider-to-provider telehealth (for example, remote specialist consultation in support of a primary care practitioner managing a patient).
Importantly, Booklet 10 binds the practitioner; the platform operator is not registered with the HPCSA in respect of the platform itself. This creates a practical accountability split where the platform's design and conduct nonetheless materially affect the practitioner's ability to comply with Booklet 10.
The Existing Relationship Rule
Prior to the 2021 revision, the HPCSA's position was that telehealth consultations should generally occur within an existing professional relationship between practitioner and patient. The 2021 revision expanded the circumstances in which telehealth could be the modality of first consultation, particularly during the public health emergency. Practitioners should consult the operative version of Booklet 10 for the current scope of permissible first-consultation telehealth.
Cross-Border Telehealth
Where the practitioner is outside South Africa and the patient is inside South Africa, the HPCSA's position is that the practitioner must be registered with the HPCSA in addition to any home jurisdiction registration. Cross-border telehealth platforms operating into South Africa should structure their practitioner network with HPCSA registration as a precondition for serving South African patients.
The South African patient's regulatory protection extends only as far as HPCSA-registered practitioners; consultations from non-registered practitioners may constitute the unlawful practice of medicine and expose the platform to liability.
Informed Consent
Informed consent in the telehealth context must address the same elements as face-to-face consent (the nature of the proposed care, the risks and benefits, the alternatives, and the patient's right to refuse) and additionally specific telehealth-related elements: the limitations of remote assessment, the contingency arrangements if technology fails or in-person assessment becomes necessary, the data flow and confidentiality arrangements, and the recording or retention practices applicable to the consultation.
Booklet 10 anticipates documented consent. Voice or video confirmation of consent at the start of the consultation, supplemented by written consent capture for new patient onboarding, is an effective approach.
Confidentiality and Records
The standard of care for confidentiality in telehealth is the same as in face-to-face practice. Booklet 10 requires the practitioner to ensure that the patient's information is protected against improper disclosure at all times. For platform-supported telehealth, this includes verification that the platform's encryption, access control, and data retention practices are fit for purpose.
Records of telehealth consultations must be maintained at the same standard as face-to-face consultation records. The Electronic Communications and Transactions Act 25 of 2002 governs the legal validity of electronic clinical records.
POPIA Interaction
Telehealth involves the processing of health information, which is special personal information under section 26 of the Protection of Personal Information Act 4 of 2013 (POPIA). Section 32 of POPIA establishes the limited grounds on which special information may be processed.
Telehealth platforms must align their data governance frameworks with POPIA's special information conditions: explicit consent for processing health information, purpose limitation, security safeguards under section 19 commensurate with the sensitivity of health data, breach notification obligations under section 22 in the event of compromise, and operator agreement under section 21 with any third-party data processor.
Liability Architecture
The liability landscape for telehealth involves multiple potential defendants. The treating practitioner's professional liability extends to the telehealth consultation. The platform operator's liability arises from product and service quality, system reliability, and where applicable consumer protection obligations under the Consumer Protection Act 68 of 2008. The platform's relationship with the treating practitioner is typically structured as a service agreement allocating liability between the parties; the patient's contractual or delictual claim may be against either or both.
HealthTech operators should ensure adequate professional indemnity coverage for treating practitioners on the platform, platform-level technology and errors-and-omissions insurance, and contractual liability allocation that survives termination.
Common Compliance Gaps
Recurring gaps observed in the sector include practitioner network controls that do not reliably verify HPCSA registration, consent capture systems that do not document the telehealth-specific elements, record retention practices that do not meet the HPCSA standard, POPIA gaps in operator agreements with cloud and infrastructure providers, and breach response protocols that have not been tested.
How Mashiane Attorneys Can Assist
Our HealthTech practice advises telehealth platforms, telemedicine providers, and healthcare institutions on Booklet 10 compliance, practitioner network governance, informed consent design, POPIA special information processing, breach response, and liability architecture. Contact our team for a telehealth compliance assessment.