1. Digital Health Apps/Software
    1. 1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. 1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?
    3. 1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
    4. 2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy) If yes, please indicate these.
    5. 3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 
    6. 3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.
    7. 3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.
    8. 4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    9. 5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 
    10. 6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software contained in digital health apps. What are the legal consequences for non-compliance?
    11. 7. Are you aware of any future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    1. 8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    2. 9. What laws and/or regulations apply to physicians regarding telemedicine?
    3. 10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    4. 11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    5. 11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
    6. 11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
    7. 12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    8. 13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 
    9. 13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 
    10. 13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?
    11. 14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are. 
    12. 15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

jurisdiction

South Africa
Add jurisdiction

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device” or a “product” to which liability can attach, and if so, under what regulations?

A digital health application (digital health app) as defined by the World Health Organization (WHO) involves the provision of medical services and information through the use of mobile technologies such as mobile phones and personal digital assistants (PDA). In terms of the Medicines and Related Substances Act 1965 (MRSA), a medical device includes any diagnostic reagent, apparatus or machine that is used in the diagnosis, treatment, mitigation, modification, monitoring or prevention of disease, abnormal physical or mental states or related symptoms. A key distinction to be drawn between the above-mentioned definitions of “medical devices” and “digital health apps” is the way in which the medical services contemplated above are delivered. In this regard, digital health apps require the facilitation of mobile devices and PDAs for the provision of medical services. However, it is worth noting that the wording of this indicates that digital health apps would satisfy the definition of a medical device as defined by the MRSA. In addition, to qualifying as a medical device, the digital health app would also qualify as a product under the Consumer Protection Act 68 of 2008 (CPA), and therefore, the concept of strict liability could be applied for all entities involved in the supply chain, should harm be caused by the product. For example, liability may arise if the product causes harm by the following ways:

  • illness of a person;
  • death or injury; and/or
  • economic loss.   
1.2 If your response to Q1.1 is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?

Liability may only be excluded in instances where the software used in the digital health app meets the requirements needed in order to qualify as a safe medical device in terms of both the MRSA and the CPA. In this regard, the CPA defines a suitably qualified product as a product which is reasonably suitable for the purposes for which it was intended and requires that all goods supplied must essentially be of good working order and free from any defects. A safe medical device in terms of the MRSA is a device registered with the South African Health Products Regulatory Authority (“SAHPRA”) in terms of section 15 of the MRSA. 

The legal regimes applicable to digital health apps include the:

  • MRSA; 
  • National Health Act 61 of 2003 (“National Health Act”);
  • Health Professions Act 56 of 1974 (“Health Professions Act”);
  • MRSA Control and the Medical and Related Substances Amendment Act 14 of 2015 (“Amendment Act”);
  • CPA;
  • Electronic Communications and Transactions Act 25 of 2002 (“ECTA”);
  • Protection of Personal Information Act 4 of 2013 (“POPI”);
  • Promotion of Access to Information Act 2 of 2002 (“PAIA”); and
  • National Archives of South Africa Act 43 of 1996.

3. If your response to Q2 is yes, please state whether it matters if, the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable). 

3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction.

If users are residents using the medical device (software) either within or outside the republic of South Africa, such device must be registered with the SAHPRA. Such registration provides that the relevant formality requirements needed in order to classify the digital health app as being safe, have been complied with.

3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service.

The formalities and standard requirements as prescribed by the SAHPRA provide for the same standard whether a business provides medical services from B2B or B2C. However, a distinction is drawn with reference to the level of liability associated with the provision of services from B2B and B2C. As an example, in the case of the provision of services from B2B, a business responsible for the production of a defective medical device (“defective party”) would be limited to the claims brought by affected businesses (“affected party”), (collectively “the parties”) in terms of the agreement between the parties and the regulations as prescribed by the SAHPRA. In the case of the provision of medical devices from B2C, a defective party would be exposed to further liability in terms of the CPA in addition to the standards and requirements provided for by the SAHPRA.

The features mentioned will require the user of such digital health app to consent to the terms and conditions relating to live tracking/monitoring of the user’s real-life information in line with the relevant provisions of POPI (effective 1 July 2020), and the regulations applicable to medical practitioners as further referenced below. 

5. In the context of physicians relying on digital health apps (containing software), whether for in-person or via telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the producer of the software contained in the app, or of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage (or injury)? 

There are various legislative instruments that provide for the regulation of healthcare

practitioners/providers, which includes providers of telemedicine as regulated by Health Practitioners Council of South Africa (“HPCSA”), Guidelines on Good Practice in the Health Care Profession: General Ethical Guidelines for Good Practice in Telehealth [Booklet 10] Health Professions Act, and the National Health Act and other applicable legislative instruments. In addition to the above, any cross-border telemedicine providers who are serving South African patients must be registered with the relevant regulatory body in their own nations, as well as the HPCSA. The above regulatory bodies are responsible for regulating the conduct of health practitioners in South Africa and can impose liability on a medical practitioner for the relevant malpractice and/or misconduct in relation to the provision of medical services. The HPCSA does not require registration by the designer, owner, proprietor or operator of the software or telecommunications platform used by the healthcare practitioner to provide telemedicine services. Thus, there is a limitation on the liability of digital health apps as provided for by the HPCSA, but there can be various instances of liability conferred on a software provider in relation to a digital health app as provided for by the CPA, the MRSA and SAHPRA.

Furthermore, the CPA provides for the ability of a service provider who, in conjunction with the provision of such services applies, supplies, installs or provides access to any goods, shall be regarded as a supplier under the CPA. While in the context of physicians, the CPA seems to confer liability, such liability would have to be directly connected to the harm caused and such physician could not be held liable where the harm is wholly attributable to compliance with a defective party’s instruction in the provision of goods and in this case, services. 

In summary, South African legislation provides for liability in various circumstances and such liability in the context of physicians, telemedicine providers and the producers of software that facilitates telemedicine services may vary on a case by case basis.

All medical devices must be registered with the SAHPRA, failing which a medical service provider and/or medical service devices shall not be legally permitted to operate with in South Africa. Furthermore, the MRSA provides for fines or imprisonment (for a period not exceeding 10 years) for contraventions of the provisions of the MRSA, which prohibits the operation of any business engaged in the manufacturing, distribution or export of a medical device without the requisite licence. 

In relation to the other regulations, various fines can be incurred as a result of non-compliance as well as reputational harm. 

No.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

All practising physicians in South Africa must be registered in terms of the Health Professions Act, which in turn means that they must abide by the HPCSA’s ethical rules of conduct. Only practitioners who have been deemed competent and are registered in their respective professions are authorised to partake in telehealth practise, either as consulting healthcare practitioners or servicing healthcare practitioners.

9. What laws and/or regulations apply to physicians regarding telemedicine?

  • National Health Act;
  • Health Professions Act;
  • MRSA and Amendment Act;
  • CPA;
  • ECTA;
  • POPI;
  • PAIA; and
  • HPCSA General Ethical Guidelines for Good Practice in Telehealth: Booklet 10 ("Telehealth Guidelines").

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

  • A person who provides telemedicine services must be registered as a healthcare practitioner with the HPSCA in accordance with the provisions of the Health Professions Act the National Health Act. Any cross-border telemedicine providers who are serving South African patients must be registered with the relevant regulatory body in their own nations, as well as the HPCSA. The healthcare practitioner is required to be registered with the HPCSA, and the HPCSA does not require registration by the designer, owner, proprietor or operator of the software or telecommunications platform used by the healthcare practitioner to provide telehealth services.
  • Telehealth may only be practiced where there is an existing doctor-patient relationship between the patient and the healthcare practitioner (“consulting healthcare practitioner”) who conducts a “face-to-face” interview or examination with the patient and refers patient’s information to a remote location for further advice or intervention.
  • The relationship between the patient and the healthcare practitioner is established when the practitioner agrees to treat the patient, and the patient agrees to be treated.
  • Health care practitioners using telehealth must ensure:
    • that all data message transmissions, websites or online software platforms which they use for telehealth services, comply with the provisions of ECTA in respect of privacy, authentication and the collection of personal information; and
    • compliance with the provisions of Health Professions Act, the National Health Act, MRSA and the CPA.
  • Healthcare practitioners should not practise telehealth without ensuring that the equipment and accessories used are optimally operational.
  • The quality and quantity of patient information received should be sufficient and relevant for the patient's clinical condition in order to ensure that accurate medical decisions and recommendations are made for the benefit of the patient.

The Telehealth Guide further differentiates between different types of telehealth:

Routine telehealth:

  • This is commonly initiated by the patient or used by a healthcare practitioner for the purpose of obtaining a second opinion from other healthcare practitioners.  It is preferably practised in instances where an existing healthcare practitioner and patient relationship has already been established; the ethical rules of conduct for healthcare practitioners registered with the HPCSA must be taken into consideration at all times in order to ensure that the human resource challenges do not lead to patients being over- and/or under-serviced.

Emergency telehealth

  • This involves strict judgements by healthcare practitioners which are mostly based on sub-optimal patient information.
  • In respect of emergency telehealth, the health and well-being of the patient is the determining factor with regard to stabilising the patient and having the patient referred for thorough face-to-face medical care.  

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

No, the standards of care do not change when using telehealth

Yes.  The Telemedicine Guidelines form the professional duties of healthcare practitioners partaking in telehealth.  The Telemedicine Guidelines provide that a healthcare practitioner should not provide medical advice or treatment using telehealth without obtaining proper informed consent, orally recorded or written, from the patient for both the treatment to be given and the use of telehealth technology. The informed consent should include the following:

  • an agreement by the patient that the healthcare practitioner is to decide whether the condition being diagnosed or treated is capable and appropriate for telehealth consultation;
  • the types of transmissions being consented to using the telehealth technologies such as, but not limited to, prescriptions, refills, appointment scheduling and patient education;
  • the patient's express consent to the transmission of the patient's personal medical information to a healthcare practitioner or other appropriate third parties.

The healthcare practitioners, in the case of telehealth consultations, e.g., by way of videoconferencing, must make the patient aware of the presence of other people, and that the patient’s identity may be revealed to other people, and the patient must consent to this. 

The professional discretion of healthcare practitioners engaging in telehealth regarding the diagnosis, scope of care or treatment should not be limited to or influenced by non-clinical considerations of telehealth use and technologies.  It is also essential that the relevant clinical history is obtained in order to diagnose underlying conditions, as well as any contra-indications regarding the recommended treatment must be obtained before providing treatment, including issuing prescriptions, electronically or otherwise. 

The servicing healthcare practitioner must:

  • keep detailed records of the advice he or she delivers as well as the information he or she receives and on which the advice is based; and
  • ensure that the advice or treatment suggestions given were understood by the consulting practitioner and the patient; and
  • when telemedicine is used, the patient should be informed of the persons who will access their information, the purpose of the telemedicine service, the cost of the service and what the implications of the use of such information will be.
11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

No.  A consulting healthcare practitioners and servicing healthcare practitioners are held to the same standards of medical practice as any other healthcare practitioners who conduct face-to-face consultations without the use of telehealth diagnosis or treatment, including informed consent guidelines, confidentiality guidelines and general ethical guidelines for healthcare professions.  The consulting practitioner remains responsible for the treatment, decisions and other recommendations given to the patient, as well as for keeping detailed records of the patient’s condition and information transmitted and received from the servicing practitioner.

It is further important to note that failure by a consulting healthcare provider to comply with the Telehealth Guidelines shall constitute an act or omission in respect of which disciplinary steps in terms of Chapter IV of the Health Professions Act.

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

The only restriction on prescriptions being issued through telemedicine is the caution that any treatment/prescription based solely on an online questionnaire does not constitute an acceptable standard of care in terms of South African law.  Any prescription issued by a health practitioner must comply with certain formality requirements as listed in Rule 2.3.8 of the Digital Health Association Guidelines for South African Telemedicine (“DHA Telemedicine Guidelines”), as well as the relevant legislative frameworks. 

The Telehealth Guidelines further outline that when prescribing care through the use of telehealth, healthcare practitioners must ensure that express informed consent in accordance with the standard practice used in face-to-face issuing of prescriptions is maintained. 

It does not appear that there are restrictions on the type of medicine but it is important to note that the burden is also on pharmacists to take into account Regulation 33(4) of the General Regulations published in terms of the Medicines and Related Substances Act, 101 of 1965 which essentially requires that the pharmacist that dispenses such a prescription shall verify the authenticity of the prescription before dispensing it.

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine? 

As it currently stands, there are no laws, regulations, policies or guidelines that address a reimbursement framework for telehealth consults in South Africa. Research reveals that there is a virtual consultation fee which is cheaper than the face-to-face consultation fee that would normally be charged, but the exact extent in the differentiation of price depends on the health insurance provider and the individual health practitioner providing the service.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

The cost for such apps is mostly covered by the hospitals themselves or a private company wishing to obtain such app for the benefit of the company. 

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are. 

In the instance of telehealth consultations, the Telehealth Guidelines provide that "any suitable Information and Communications Technology platforms may be used to exchange information for the diagnosis and treatment of diseases and injuries, research and evaluation.”   In order to protect the identity of a patient, the patient's personal identification ought to be removed and have encryption tools placed on the transmitted information.  In addition, all personal devices of the telehealth service should be accessed by authorised personnel only through the use of password login mechanisms.  Should other healthcare practitioners require specific access to information, that information should be authorised by the healthcare provider in charge of the patient, in accordance to the rules and regulations as outlined in POPI. 

Healthcare practitioners are required to avoid accidental damage and loss of patient information, set out procedures to avoid any unwarranted alteration or elimination of patient data and ensure that patient information that is obtained electronically is kept in accordance with the HPCSA's guidelines on the keeping of patients' records, further ensuring that they comply with the provisions of ECTA and POPI.

Recent developments with regards to telemedicine in South Africa has primarily been that, in December 2021, the Telehealth Guidelines replaced the HPCSA Telemedicine Guidelines and further replaced the term 'telemedicine' with 'telehealth.’