Protecting Your Privacy And Personal Health Information

Protecting Your Privacy And Personal Health Information

Are you confident your personal health information is handled securely and respectfully when seeking addiction treatment online in South Africa?

Last updated: 12 November 2025

Who we are

Changes Addiction Rehab (“Changes”, “we”, “us”, “our”) is a licensed treatment centre in Johannesburg, South Africa. We are the POPIA “responsible party” for personal information processed via changesrehab.co.za and related online services.

Contact: 216 Weltevreden Road, Northcliff, Johannesburg, 2115 • [email protected]081 444 7000

Scope

This policy covers information collected when you browse our Website, use our forms, speak to us by phone or live chat, or receive telehealth communications. It also explains how clinical records are protected under South African health law.

No medical advice

Website content is informational only and not a diagnosis or treatment plan. For emergencies call 112 (mobile) or 10177/10111 in South Africa.

POPIA principles

We follow POPIA’s conditions of lawful processing: accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards, and data-subject participation. Special personal information (health data) is handled with additional protections and lawful grounds.

What we collect

  • Browsing data: standard logs (device, browser type, pages, timestamps, approximate location from IP), error logs, and security telemetry.
  • Cookies: strictly necessary cookies, preference cookies, limited analytics cookies, and live-chat cookies (see “Cookies” below).
  • Contact details (optional): name, email, phone, and your message when you submit a form, email us, or call.
  • Telehealth & scheduling (optional): appointment preferences, contact channel, limited context to arrange care.
  • Clinical records: assessment notes, treatment plans, observations, and discharge information created by clinicians after admission or structured assessment (see “Clinical records”).

You can browse most of the Website without providing personal details. If you choose to share information, we collect only what is necessary for the requested interaction.

What we do not collect

  • We do not require account registration to read our Website.
  • We do not request ID numbers or payment card details via the Website.
  • We do not intentionally collect precise GPS location, biometric templates, or automated decision-making profiles.
  • We do not sell or rent personal information.

Lawful grounds

  • Consent: for non-essential cookies, newsletters, and when you choose to share details via online forms.
  • Care & services: to assess suitability, arrange admission, coordinate care, and communicate about your treatment.
  • Legal duties: to comply with South African health law, professional rules, notifiable conditions, or court orders.
  • Vital interests: to protect life, health, or safety where permitted by law.
  • Security & fraud prevention: to secure systems, prevent misuse, and investigate incidents.

Clinical records

Clinical records form part of your health record under the National Health Act and professional council rules. Access is restricted to authorised clinicians and personnel on a minimum-necessary basis. Records are retained for at least the statutory minimum (often six years, or longer for particular cases). Clinical records are not used for marketing and are never disclosed publicly. Disclosures occur only with your written consent, or where required/permitted by law (e.g., serious and imminent risk, court order).

Separation of systems

Website analytics and security data are stored separately from clinical record systems. Cookies and analytics never grant access to clinical records.

How we use information

  • Provide and improve the Website and its security.
  • Respond to enquiries and arrange call-backs or assessments you request.
  • Coordinate admissions, authorisations, and billing communications you request.
  • Deliver telehealth or remote check-ins on your instruction.
  • Comply with legal, regulatory, and audit requirements.

Direct marketing

We send non-essential updates only with your explicit, separate consent. You may withdraw consent at any time using the unsubscribe link or by contacting us. We do not use behavioural advertising or retargeting pixels.

Children

Services are directed to adults. For minors, a parent or legal guardian must provide consent and be part of the decision-making as required by law and clinical policy.

Sharing

  • Processors: vetted service providers (hosting, email, telephony, live chat, analytics, security) under contractual confidentiality and data-protection terms.
  • Care coordination: with your consent or as required, we may share with treating professionals, medical schemes, or where legally authorised.
  • Legal: courts, regulators, or law-enforcement when mandated.

We do not share clinical details with third parties for their marketing. We do not sell personal information.

Cross-border transfers

Some processors may store or access data outside South Africa (e.g., secure email or cloud hosting). Where this occurs, we implement appropriate safeguards, including contractual protections and transfer mechanisms compliant with POPIA. Clinical records are hosted and safeguarded in line with health-law requirements and our internal policies.

Security

We apply layered safeguards: encryption in transit, hardened hosting, access controls, role-based permissions, logging and monitoring, staff training, and supplier due diligence. No system is perfectly secure; we maintain incident-response procedures and will notify affected individuals and authorities where legally required.

Retention

  • Website enquiries: typically retained up to 24 months for follow-up, audit, and legal record-keeping, then securely deleted or anonymised.
  • Clinical records: retained at least the statutory minimum (often six years), or longer where law or clinical policy requires.
  • Logs & analytics: short to medium terms aligned to security and trend analysis needs.

Your rights

  • To be informed about how we use your information.
  • To access and obtain a copy of your information (PAIA/POPIA processes apply).
  • To correct incomplete or inaccurate information.
  • To object to certain processing or withdraw consent (for consent-based activities).
  • To request deletion where law permits (clinical, legal, or retention duties may limit this).
  • To lodge a complaint with the Information Regulator (South Africa).

To exercise your rights, contact [email protected]. We may need to verify your identity and, for clinical records, involve the treating professional where appropriate.

Information Regulator

If you believe we have not handled your information lawfully, you can contact the Information Regulator (South Africa). See the official website for current contact details: inforegulator.org.za.

Cookies

Cookies are small files placed on your device. We use a minimal set to run the site, remember preferences, secure sessions, and understand aggregated usage. Non-essential cookies are used only with your consent via our cookie banner. You can withdraw or change consent at any time through the banner or your browser settings.

  • Strictly necessary: enable core functionality (security, load balancing, form protection). These cannot be switched off without affecting site operation.
  • Preferences: remember choices such as cookie opt-ins or chat minimised state.
  • Analytics: help us understand pages visited, time on page, and basic device information to improve content. We aggregate results and avoid uniquely identifying you.
  • Live chat: our chat provider may set cookies to enable real-time support (e.g., session continuity and spam prevention).
  • Consent state cookies to store your cookie choices.
  • Session cookies to route traffic securely and mitigate bots.
  • Analytics cookies with IP truncation/anonymisation to measure aggregate visits.
  • Live-chat session cookies to maintain a conversation thread on the same device.

Use our cookie banner to accept or reject non-essential cookies. You can also manage cookies in your browser (block, delete, or set exceptions). Blocking strictly necessary cookies may break parts of the site; blocking analytics and chat will not affect core reading access.

Third-party cookies

Where embedded content or service providers set cookies (e.g., live chat or map tiles), their terms apply in addition to this policy. We vet providers for privacy posture and limit integrations to those required for function and support.

Do Not Track

Some browsers send “Do Not Track” signals. While there is no common standard, we treat DNT as a preference against non-essential tracking and will honour that by defaulting to the most privacy-preserving settings where technically possible.

Live chat

Our optional live-chat tool allows you to request a call-back or share basic contact details. Chat transcripts are retained for limited periods to improve support and for audit/security. Do not share clinical details by chat; clinical information should be exchanged with our clinicians over approved channels.

Email and SMS

When you email or text us, we process your contact details and message to respond. We use reputable providers and apply reasonable safeguards, but third-party email/SMS networks are not fully within our control. Avoid sending sensitive clinical details by ordinary email; we will move conversations to more appropriate channels where needed.

Telehealth

Telehealth sessions may use approved platforms that process audio/video data to provide the service. We select platforms with suitable encryption and privacy commitments. You may opt out of telehealth and choose in-person care where clinically appropriate.

Social media

Our social media pages are public platforms governed by the provider’s terms. Avoid posting clinical information on social media. Direct messages are monitored during business hours; for clinical matters use our official contact routes.

Testimonials and media

We do not publish identifiable patient testimonials, photographs, or recordings without explicit, written, withdrawable consent. Declining consent will never affect your access to care.

Automated decisions

We do not use automated decision-making to approve or deny access to treatment. Admission decisions involve qualified professionals.

External links are provided for convenience. We are not responsible for the privacy practices of third-party sites. Review their policies before sharing information.

Changes

We may update this policy to reflect legal, technical, or operational changes. Material updates will be posted here with a new “Last updated” date. Continued use of the Website after an update signifies your acceptance.

How to contact us

Email [email protected] or call 081 444 7000 for privacy questions, cookie choices, or rights requests. For clinical record access or corrections, we may require additional verification and may involve your treating professional as appropriate.

The First 3–6 Weeks of Care

Consistent daily structure and sleep routine are early markers of stabilisation.

Read more

Related Questions

How does POPIA actually protect my treatment records — and where does it leave gaps?

POPIA (the Protection of Personal Information Act) gives you concrete rights: clinics must have a lawful reason to process your health data, get your consent (or rely on a legal exception), keep it secure, let you inspect or correct records, and notify you if there’s a breach. In practice that means a Johannesburg rehab should name a POPIA officer, publish a privacy notice, and keep secure logs of who accessed your file. The gaps are real: POPIA allows mandatory disclosures (court orders, certain public‑health reporting, and statutory duties), enforcement by the Information Regulator can be slow, and small providers may not be fully compliant. Don’t assume a pretty website equals POPIA compliance — ask for the policy, retention periods, breach procedure and proof of staff training before you share sensitive details.

Is it safe to contact a rehab by WhatsApp, web form or SMS when I need help right now?

Short answer: not all messaging is equal. WhatsApp is end‑to‑end encrypted, but backups to iCloud/Google Drive are not necessarily secure and group chats or shared phones destroy privacy. SMS and standard email are unencrypted and should never carry diagnostic details or ID numbers. If you need immediate contact, use the channel the provider confirms as secure (dedicated encrypted telehealth platform or a clinic phone call), and limit what you send: no ID numbers, no employer details, no clinical symptoms in the first message. Ask the service how they store chat history and who on staff can read it. If a site’s intake form asks for sensitive health details before you’ve agreed terms, walk away and call — initial triage can be done with minimal identifiers.

My family wants to be involved — what can they legally see about my treatment in South Africa?

For competent adults, confidentiality is the default: clinicians may not share clinical notes or progress without explicit written consent. Exceptions exist — if you’re a danger to yourself or others, or if you lack decision‑making capacity, clinicians must act in the patient’s best interests and may share necessary information with family or authorities. For minors, parents/guardians generally have access, but clinicians will still consider the child’s best interests and confidentiality where appropriate. Medical schemes, funders and employers will receive limited information tied to claims or authorisations; those records are still protected but can reveal treatment occurred. If your family claims they “need to know,” they must get your written consent or a legal mandate (power of attorney, court order). If you expect family involvement, set boundaries in writing and ask the facility to record your communication preferences in your file.

Will paying cash keep my rehab visit off the books, or does medical aid create a safer paper trail?

Both routes have trade‑offs. Medical scheme claims leave an auditable trail: the scheme and sometimes your employer or administrator will see a claims line (often a procedure code, not a diagnosis), and statements can raise questions at home. Cash reduces the formal claim trail but won’t disappear from bank or card statements unless you pay in person with cash; some facilities still issue receipts with the service type. Clinics are legally required to keep patient records regardless of payment method. If privacy is a top concern, ask the facility how they describe transactions on receipts and whether they can bill under a general descriptor; some provide discreet invoicing and third‑party billing arrangements. Be cautious of “off‑the‑record” deals — they can compromise your care and create medico‑legal problems. Ask for their billing privacy policy before you pay.

My clinic has leaked my details — what do I do right now to contain the damage?

Act fast and document everything. Demand a written incident report from the clinic that states what was exposed, when, and who had access; preserve copies/screenshots of the leak. Change all passwords tied to that clinician or platform and any accounts that used the same credentials. Notify your medical scheme if claims data may be involved. File a complaint with the Information Regulator of South Africa (POPIA enforcement) and, if a clinician is involved, lodge a complaint with the HPCSA or relevant statutory body. If the leak puts you or your family at risk, inform the police and seek urgent safety advice from your clinician or a social worker. Consider legal advice for civil remedies, and ask the provider for remediation steps — they should offer corrective action, notification to affected parties and proof that staff were retrained and security improved. Privacy breaches are not just administrative errors; they affect your safety and care — treat them as clinical incidents that need formal escalation.

Changes Addiction Rehab professional memberships and accreditations
© 2025 Changes Addiction Rehab PTY LTD (‎2013/152102/07) of 216 Weltevreden Road. Northcliff, Johannesburg, South Africa

Changes Addiction Rehab is licensed by the South African Department of Social Development (Practice No. 0470000537861) and the Department of Health, and is a registered detox facility and practice with the Board of Healthcare Funders. Our treatment programme is led by counsellors registered with the HPCSA, working alongside a multidisciplinary team of medical professionals under a unified practice. We are proud, standing members of the International Certification & Reciprocity Consortium (IC&RC), the Occupational Therapy Association of South Africa, the South African Council for Social Service Professions, the South African Medical Association, the South African Nursing Council and the South African Society of Psychiatrists. Changes Addiction Rehab has been in continuous professional operation since 2007, when it was founded by Sheryl Rahme, who has worked in the addiction treatment field since 1984. Our core clinical team brings over 100 years of combined professional addiction recovery experience.