HPSuite+ protects South African medical practices and their patients with a defence-in-depth architecture built for POPIA and aligned to SAHPRA's emerging requirements for AI-enabled clinical software — designed so intelligent automation can work inside your practice without ever putting patient data at risk.
Most practice systems bolt a login screen and an SSL padlock over a decades-old core, with each third-party plugin widening the attack surface. HPSuite+ handles the full clinical and financial lifecycle natively, so isolation, permission control and accountability are built into the foundation — continuous, not assembled. Patient records are Special Personal Information under POPIA, and a native single-perimeter design removes the multiplied vulnerabilities of wiring several disconnected systems together.
HPSuite+ operates as the Operator, processing personal information on behalf of the practice (the Responsible Party). Lawful processing remains the Responsible Party's determination; the platform provides and enforces the technical controls that support it.
Regulated by the Information Regulator (South Africa); POPIA has been fully enforceable since 1 July 2021. This mapping describes the platform's technical controls and does not itself certify a practice's POPIA compliance.
Crystal, our Clinical Sentient Employee, provides administrative and documentation support — she is not a medical device and is not used for diagnosis or treatment decisions. Crystal can read, draft and suggest, but the platform enforces hard limits she cannot step outside, and a registered clinician approves every action that has effect.
Where AI features fall within SAHPRA's evolving Software-as-a-Medical-Device scope, we are committed to the appropriate classification and authorization pathway; in the interim, our human-in-the-loop design ensures no AI output reaches a patient without a registered clinician's approval.
Every control described here is live in production, bound in our Operator contract, or on a dated roadmap — and each is independently verifiable in a technical review. Field-level encryption is already in force: identifying patient fields exist only as ciphertext at rest.
Our Information Officer and security contact are available on request.