| (1) | The person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept. |
| (a) | Fails to perform a duty imposed on them in terms of subsection (1); |
| (b) | falsifies any record by adding to or deleting or changing any information contained in that record; |
| (c) | creates, changes or destroys a record without authority to do so; |
| (d) | fails to create or change a record when properly required to do so; |
| (e) | provides false information with the intent that it be included in a record; |
| (f) | without authority, copies any part of a record; |
| (g) | without authority, connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history; |
| (h) | gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another; |
| (i) | without authority, connects any part of a computer or other electronic system on which records are kept to— |
| (i) | any other computer or other electronic system; or |
| (ii) | any terminal or other installation connected to or forming part of any other computer or other electronic system; or |
| (j) | without authority, modifies or impairs the operation of— |
| (i) | any part of the operating system of a computer or other electronic system on which a user’s records are kept; or |
| (ii) | any part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept, |
commits an offence and is liable on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment.
