(1) The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept.

(a) fails to perform a duty imposed on them in terms of subsection (1);
(b) falsifies any record by adding to or deleting or changing any information contained in that record;
(c) creates, changes or destroys a record without authority to do so;
(d) fails to create or change a record when properly required to do so;
(e) provides false information with the intent that it be included in a record;
(f) without authority, copies any part of a record;
(g) without authority, connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history;
(h) gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;
(i) without authority, connects any part of a computer or other electronic system on which records are kept to—
    (i) any other computer or other electronic system; or
    (ii) any terminal or other installation connected to or forming part of any other computer or other electronic system; or
(j) without authority, modifies or impairs the operation of—
    (i) any part of the operating system of a computer or other electronic system on which a user’s records are kept; or
    (ii) any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept,

commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment.