NeoHealth

Privacy Policy

Effective: 1 April 2026

1. Purpose

This Privacy Policy explains how Drs Chellan & Lakay Inc, trading as NeoHealth ("we", "us", "our"), collects, uses, stores, and protects personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), the National Health Act 61 of 2003, the Health Professions Act 56 of 1974, and where applicable, principles aligned with the EU General Data Protection Regulation ("GDPR") and the United States Health Insurance Portability and Accountability Act ("HIPAA").

2. About NeoHealth

NeoHealth is a private general practice situated at Suite 12, Prince Vintcent Square, Gloucester Avenue, George, 6530, Western Cape, South Africa. Our BHF Practice Number is 1221566. We provide primary healthcare services including general consultations, chronic disease management, women's health, paediatrics, occupational health, HIV management, minor procedures, and telemedicine.

3. Definitions

  • Data Subject — the individual to whom personal information relates (e.g. a patient, website visitor, or employee).
  • Personal Information — any information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. This includes, but is not limited to, names, identity numbers, contact details, medical history, and biometric information.
  • Special Personal Information — personal information concerning a data subject's health or sex life, religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information, or criminal behaviour.
  • Processing — any operation or activity concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, dissemination, merging, restriction, degradation, erasure, or destruction.
  • Responsible Party — the entity that determines the purpose and means of processing personal information. In this case, Drs Chellan & Lakay Inc.
  • Operator — a person or entity that processes personal information on behalf of the responsible party under contract or mandate (e.g. a cloud hosting provider, billing service, or pathology laboratory).
  • Information Officer — the person responsible for ensuring compliance with POPIA within the practice. Our Information Officer is Dr. Ethan Chellan.

4. Our Commitment to Privacy

We are committed to protecting your personal information. We process personal information lawfully, minimally, and only for clearly defined purposes. We implement appropriate technical and organisational measures to safeguard your data against unauthorised access, loss, or destruction. All staff members are bound by confidentiality undertakings and receive regular training on data protection.

5. What Personal Information We Collect

5.1 Patient Information

When you register as a patient or receive healthcare services, we may collect:

  • Full name, title, and preferred name
  • South African identity number or passport number
  • Date of birth and gender
  • Residential and postal addresses
  • Telephone numbers (home, work, mobile) and email address
  • Medical history, including current and past conditions, allergies, medications, surgical history, family medical history, and lifestyle information relevant to your care
  • Medical aid or health insurance details (scheme name, membership number, plan, principal member details)
  • Next-of-kin and emergency contact details
  • Employer information (where relevant to occupational health or billing)
  • Signatures (electronic or physical) for consent forms, treatment authorisations, and financial agreements
  • Biometric data where clinically necessary (e.g. blood pressure, BMI, blood glucose readings)
  • Photographs or images where clinically relevant (with your explicit consent)

5.2 Website Visitors

When you visit our website, we may collect:

  • Cookies and similar technologies — see our Cookie Policy
  • Browser type, operating system, device information, and IP address
  • Pages visited, time spent, and referring URLs
  • Information you voluntarily submit through contact forms, booking forms, or the patient portal

6. Why We Process Your Personal Information

We process your personal information for the following purposes:

  • Healthcare provision — to diagnose, treat, and manage your health; to maintain accurate clinical records; and to provide continuity of care.
  • Billing and administration — to submit claims to medical aid schemes, process payments, issue invoices, and manage your account.
  • Legal compliance — to comply with the National Health Act, Health Professions Act, POPIA, tax legislation, and any lawful request from a competent authority.
  • Communication — to send appointment reminders, follow-up instructions, test results (via secure channels), health information, and practice updates.
  • Security and quality — to protect the safety of patients and staff, prevent fraud, and conduct internal audits and quality improvement.
  • Research and public health — only in anonymised or de-identified form, or with your explicit consent where required.

7. Consent

Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, nor does it affect processing carried out on another lawful basis (for example, where processing is necessary for the performance of a healthcare service or to comply with a legal obligation).

To withdraw consent, please contact our Information Officer using the details provided in Section 14 below. Please note that withdrawal of consent for the processing of your health information may limit our ability to provide you with healthcare services.

8. Who We Share Your Information With

We may share your personal information with the following categories of recipients, only to the extent necessary and in accordance with POPIA:

  • Medical aid schemes and managed care organisations — to process claims and obtain pre-authorisation for procedures.
  • Pathology laboratories and diagnostic service providers — to request and receive test results.
  • Hospitals and emergency services — when you require admission, referral, or emergency care.
  • Referring and referred-to practitioners — to ensure continuity of care.
  • Service providers and operators — such as practice management software providers, cloud hosting services, electronic health record providers, and billing administrators, all of whom are contractually bound to protect your information.
  • Regulatory and professional bodies — including the Health Professions Council of South Africa (HPCSA) and the Information Regulator, where required by law.
  • Law enforcement and courts — where we are compelled by law or court order.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

9. Cross-Border Transfers

Your personal information is primarily stored and processed within South Africa. Where it is necessary to transfer personal information to a country outside South Africa (for example, where we use cloud services hosted abroad), we ensure that the recipient is subject to data protection laws, binding corporate rules, or contractual terms that provide an adequate level of protection, in accordance with Section 72 of POPIA.

10. Record Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Patient clinical records — a minimum of 5 years after the date of the last consultation, or longer where required by HPCSA guidelines or other legislation.
  • Records of minors — until the patient reaches the age of 21 years, plus an additional 5 years, whichever period is longer.
  • Financial and billing records — as required by the Income Tax Act and other applicable fiscal legislation (generally 5 years).
  • Website analytics data — aggregated and anonymised data may be retained indefinitely; identifiable data is deleted within 26 months.

When personal information is no longer required, it is securely destroyed or de-identified in accordance with POPIA.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal information, including:

  • Encrypted data transmission (TLS/SSL) for all web-based interactions
  • Encrypted storage of sensitive data at rest
  • Access controls and role-based permissions for staff and systems
  • Regular software updates and security patching
  • Firewall and intrusion-detection systems
  • Physical security measures at our premises (locked filing cabinets, access-controlled consulting rooms)
  • Staff confidentiality agreements and regular data protection training
  • Incident response procedures for data breaches, including notification to the Information Regulator and affected data subjects where required by POPIA

12. Your Rights Under POPIA

As a data subject, you have the following rights in relation to your personal information:

  • Right of access — you may request confirmation of whether we hold personal information about you and request a copy of that information.
  • Right to correction — you may request that we correct or update inaccurate, incomplete, or misleading personal information.
  • Right to deletion — you may request that we delete your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
  • Right to object — you may object to the processing of your personal information on reasonable grounds, including objecting to direct marketing.
  • Right to lodge a complaint — you may lodge a complaint with the Information Regulator if you believe your rights have been infringed.

To exercise any of these rights, please contact our Information Officer using the details in Section 14 below. We will respond to your request within a reasonable time and no later than 30 days, subject to any applicable exemptions.

13. Information Regulator Contact

If you are not satisfied with our response, you may lodge a complaint with:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, 2017
Email: [email protected]
Tel: 010 023 5207

14. Information Officer

Dr. Ethan Chellan
Drs Chellan & Lakay Inc (t/a NeoHealth)
Suite 12, Prince Vintcent Square, Gloucester Avenue, George, 6530
Tel: 044 868 0707
Email: [email protected]

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will publish the updated policy on this page with a revised effective date. We encourage you to review this page periodically. Where changes are material, we will take reasonable steps to notify you (for example, by displaying a notice on our website or sending you an email).

16. Governing Law

This Privacy Policy is governed by the laws of the Republic of South Africa. Any disputes arising from or in connection with this policy shall be subject to the exclusive jurisdiction of the courts of the Republic of South Africa.