(1) |
The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept. |
(a) |
Fails to perform a duty imposed on them in terms of subsection (1); |
(b) |
falsifies any record by adding to or deleting or changing any information contained in that record; |
(c) |
creates, changes or destroys a record without authority to do so; |
(d) |
fails to create or change a record when properly required to do so; |
(e) |
provides false information with the intent that it be included in a record; |
(f) |
without authority, copies any part of a record; |
(g) |
without authority, connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history; |
(h) |
gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another; |
(i) |
without authority, connects any part of a computer or other electronic system on which records are kept to— |
(i) |
any other computer or other electronic system; or |
(ii) |
any terminal or other installation connected to or forming part of any other computer or other electronic system; or |
(j) |
without authority, modifies or impairs the operation of— |
(i) |
any part of the operating system of a computer or other electronic system on which a user’s records are kept; or |
(ii) |
any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept, |
commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment.