
As a healthcare practitioner in South Africa, your website is often the first impression a prospective patient has of your practice. But unlike a restaurant or retail shop, you cannot simply write whatever you like on that site. The Health Professions Council of South Africa (HPCSA) holds registered practitioners to strict ethical advertising standards — and your website is considered advertising material. Building an HPCSA compliant website is not optional; it is a professional obligation that protects both you and your patients.
In this guide we break down exactly what the HPCSA expects from your online presence, how the Protection of Personal Information Act (POPIA) adds another layer of responsibility, and what practical steps you can take to ensure your site stays on the right side of the rules.
Why HPCSA Compliance Matters for Your Website
The HPCSA regulates over 900,000 health professionals across twelve professional boards — from doctors and dentists to psychologists, physiotherapists, and dietitians. Its Ethical Rules of Conduct for Practitioners Registered under the Health Professions Act (Act 56 of 1974), particularly Rule 23 (Advertising and Canvassing), apply directly to any information you publish online, including your website, social media profiles, and directory listings.
Non-compliance is not a theoretical risk. The HPCSA regularly investigates complaints from the public and from fellow practitioners. Penalties can include a formal warning, a fine of up to R100,000, suspension from the register, or even being struck off entirely. Beyond the legal consequences, a non-compliant website can erode patient trust and damage a reputation you have spent years building.
Key HPCSA Advertising Rules That Apply to Websites
Understanding what you can and cannot say on your practice website is the foundation of an HPCSA compliant website. The guidelines under Rule 23 and the associated HPCSA booklets on advertising are detailed, but the core principles relevant to web content can be summarised as follows:
What You May Include
- Your full name, qualifications, and HPCSA registration number. These must be accurately stated. You may list degrees and specialist registrations as recorded with the HPCSA.
- Practice name, address, contact details, and consulting hours. Basic directional and contact information is permitted and encouraged.
- The type of services offered. You may describe the procedures and treatments you provide, as long as the descriptions are factual and not misleading.
- Fees or fee ranges. The HPCSA permits practitioners to inform patients of their fees, though the manner in which this is presented must be professional and not comparative.
- Professional memberships and hospital affiliations. Listing recognised professional associations or hospitals where you hold privileges is acceptable.
What You Must Avoid
- Superlatives and unverifiable claims. Words like "best", "leading", "top-rated", "number one", or "most experienced" are prohibited. You cannot claim to be something that cannot be objectively verified.
- Guarantees of outcomes. Statements such as "guaranteed results", "100% success rate", or "we will cure your condition" are strictly forbidden. Healthcare outcomes vary by patient and guarantees are inherently misleading.
- Comparative advertising. You may not disparage other practitioners or claim superiority over them, whether directly or by implication.
- Sensational or alarming language. Content designed to create undue fear or anxiety to drive patients toward treatment is considered unethical.
- Before-and-after photos without proper context. While clinical images may be permissible in certain circumstances, they must not be used in a way that implies guaranteed results, and patient consent must be obtained and documented.
- Canvassing or touting. You may not actively solicit patients in a manner that could be considered canvassing, including aggressive pop-ups, countdown timers creating false urgency, or misleading calls-to-action.

Patient Testimonials: The Most Common Pitfall
This is where many practitioners unknowingly cross the line. The HPCSA takes a restrictive stance on patient testimonials. Under the ethical rules, practitioners should not publish or cause to be published testimonials relating to the professional services they render. This applies to your website, social media pages, and any platform you control.
In practice, this means you should not solicit patient reviews and feature them on your website, embed Google or Facebook review widgets that display patient endorsements of your clinical skills, or publish video testimonials where patients describe treatment outcomes. This restriction exists because testimonials can create unrealistic expectations — what worked for one patient may not apply to another.
That said, you cannot control what patients post on independent third-party platforms such as Google Business. The key distinction is between content you publish or solicit versus content patients post independently. A prudent approach is to avoid displaying third-party reviews directly on your website while still maintaining your Google Business profile, where patients may leave reviews of their own accord.
POPIA: Protecting Patient Data on Your Website
An HPCSA compliant website also needs to account for the Protection of Personal Information Act (POPIA), which came into full effect on 1 July 2021. POPIA governs how you collect, store, process, and share personal information — and health data is classified as special personal information under the Act, meaning it receives the highest level of protection.
If your website includes contact forms, appointment booking systems, or any mechanism where patients submit personal details, you have POPIA obligations. Here is what your website needs:
- A clear privacy policy. Your site must include a comprehensive privacy policy that explains what data you collect, why you collect it, how it is stored, who has access, and how long it is retained.
- Explicit consent mechanisms. Patients must actively consent to the collection of their data. Pre-ticked checkboxes do not constitute valid consent under POPIA. Use clear opt-in checkboxes with plain-language explanations.
- SSL/TLS encryption. Any website collecting personal or health information must use HTTPS, which encrypts traffic with TLS (the successor to SSL; the older name persists in everyday use). This is non-negotiable for data in transit.
- Secure data storage. Form submissions containing patient data must be stored securely, with access limited to authorised personnel. If you use third-party form processors, ensure they comply with POPIA.
- Data subject access requests. Patients have the right to request access to their data, correct it, or ask for it to be deleted. Your website and practice processes must be able to accommodate these requests.
- An appointed Information Officer. POPIA requires that you designate an Information Officer (typically the practice owner for small practices) and register with the Information Regulator.
Failing to comply with POPIA can result in fines of up to R10 million, imprisonment, or both. For a healthcare practice handling sensitive patient information, this is a risk that simply cannot be ignored.
Your HPCSA Website Compliance Checklist
Use this practical checklist to audit your current website or guide the development of a new HPCSA compliant website. If you are unsure about any item, it is worth getting professional guidance before publishing.
- Practitioner names, qualifications, and HPCSA registration numbers are displayed accurately.
- No superlatives ("best", "leading", "top") appear anywhere in the website copy.
- No guarantees of treatment outcomes or success rates are stated or implied.
- No patient testimonials or review widgets are published on the website.
- Before-and-after images, if used, include appropriate disclaimers and documented patient consent.
- Service descriptions are factual, professional, and free from sensational language.
- A comprehensive privacy policy compliant with POPIA is published and easily accessible.
- All forms collecting personal data include explicit consent checkboxes (not pre-ticked).
- The site uses SSL encryption (HTTPS) across all pages.
- Form data is stored securely with access limited to authorised staff.
- Contact details, consulting hours, and practice address are clearly displayed.
- The website does not compare your services to those of other practitioners.
- Any health information published is evidence-based and not misleading.
- An Information Officer has been designated and registered with the Information Regulator.
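Several of these items, and the form requirements in the POPIA section above, can be checked mechanically before a human review. The script below is an added example, not part of the original guide or any HPCSA tooling: it flags the prohibited phrases quoted in this article, forms that submit over plain HTTP, pre-ticked checkboxes, and forms with no checkbox at all. The names `ComplianceAudit` and `audit` are hypothetical, and it assumes any checkbox inside a form is the consent control.

```python
import re
from html.parser import HTMLParser

# Phrases the article lists as prohibited; hits still need human review.
BANNED = ["best", "leading", "top-rated", "number one", "most experienced",
          "guaranteed results", "100% success rate"]
BANNED_RE = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, BANNED)) + r")(?!\w)", re.I)

class ComplianceAudit(HTMLParser):
    """Collects (line, issue) findings from one HTML page."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_form, self.has_checkbox, self.skip = [], False, False, 0

    def handle_starttag(self, tag, attrs):
        a, line = dict(attrs), self.getpos()[0]
        if tag in ("script", "style"):
            self.skip += 1  # do not scan code or CSS as page copy
        elif tag == "form":
            self.in_form, self.has_checkbox = True, False
            if (a.get("action") or "").lower().startswith("http://"):
                self.findings.append((line, "form submits over plain HTTP"))
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "checkbox":
            self.has_checkbox = True
            if "checked" in a:  # boolean attribute: presence alone means pre-ticked
                self.findings.append((line, "pre-ticked checkbox in form"))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
        elif tag == "form" and self.in_form:
            if not self.has_checkbox:
                self.findings.append((self.getpos()[0], "form has no consent checkbox"))
            self.in_form = False

    def handle_data(self, data):
        for m in (() if self.skip else BANNED_RE.finditer(data)):
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            self.findings.append((line, "prohibited phrase: " + m.group(1).lower()))

def audit(html):
    parser = ComplianceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real practice site.
SAMPLE = """<h1>The best dental practice in town</h1>
<form action="http://example.test/book"><input name="email">
<input type="checkbox" name="consent" checked> I agree</form>
<form action="/contact"><input name="phone"></form>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A phrase hit such as "leading" can be legitimate in context, so treat the output as a review queue rather than a verdict.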
Why Work With a Healthcare-Specialist Web Agency
Most web designers and general digital agencies have little to no understanding of HPCSA regulations. They may deliver a visually polished site filled with phrases like "the best dental practice in Johannesburg" or a homepage plastered with patient testimonials — both of which put your registration at risk. The problem is that you often do not realise the site is non-compliant until a complaint is lodged.
Working with an agency that specialises in healthcare web design means compliance is built into the process from day one, not bolted on as an afterthought. At Kaizen Technology, we understand HPCSA advertising rules because we work with healthcare practitioners across South Africa every day. From the initial copywriting to the technical implementation of secure patient forms, every element of your site is built with your regulatory obligations in mind. You can explore our healthcare web design packages to see how we approach this.
Our team handles the details that general agencies overlook: POPIA-compliant consent flows, secure form handling, copy that markets your practice effectively without crossing ethical lines, and ongoing maintenance to keep your site compliant as guidelines evolve. You should not have to explain HPCSA rules to your web designer — that is our job.
The Bottom Line
Your website is one of your most powerful tools for attracting patients and building professional credibility. But in the South African healthcare landscape, it must operate within clearly defined ethical boundaries. An HPCSA compliant website protects your registration, builds genuine patient trust, and positions your practice as the ethical, professional operation it is.
Getting compliance right does not mean your website has to be bland or ineffective. It means working with people who understand both the rules and how to market a healthcare practice within them. If you are building a new practice website, or concerned that your current one may not meet the mark, speak to our team. We will review your site, flag any compliance issues, and help you build a digital presence you can be proud of — one that works as hard as you do, without putting your career at risk.