The government of Kenya is committed to helping grow a healthcare sector that provides affordable healthcare accessible to all. During the 2017 Madaraka Day celebrations, the President of Kenya announced the Big Four agenda priority areas for the government. These include ensuring food security, affordable housing, manufacturing, and affordable healthcare[1]. The policy statements support the use of ICT in healthcare to improve public service delivery.[2]
As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.
Because healthcare is a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.
MICROSOFT'S COMMITMENT TO THE KENYAN HEALTHCARE SECTOR
Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians, and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease—in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.
Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.
Microsoft has already initiated plans to deliver the Microsoft Cloud, including Microsoft Azure, Office 365, and Dynamics 365, from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across the country and region. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual, and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible, and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.
Microsoft also understands that protected health information (PHI) constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.[3]
Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against a number of key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 27001[4] and 27002 as well as the cloud specific extension ISO/IEC 27017[5] and ISO/IEC 27018[6] (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC3[7] as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)[8]. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA)[9]. Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 17788[10], ISO/IEC 17789[11] and ITU-T Y.3502[12] to ensure a common understanding of terms and definitions in policies and regulation.
THE REGULATORY ENVIRONMENT
The healthcare industry in Kenya has many different stakeholders. The Health Act No. 21 of 2017 establishes a unified health system, coordinates the inter-relationship between the national government and county government health systems and seeks to regulate health care services, health care service providers, health products, and health technologies.
Each stakeholder is regulated by specific Acts and Regulations, for example:
- Clinical Officers are regulated by the Clinical Officers Act (Training, Registration and Licensing Act) No. 20 of 2017; and
- Doctors, medical officers, and dentists are regulated primarily by the Medical Practitioners and Dentists Act CAP 253 of the Laws of Kenya.
Other practitioners and healthcare industry role-players are regulated by other laws.[13]
- The key regulator in this industry is The Ministry of Health which is in charge of the health sector and the co-ordination of health service delivery generally.
- There are also many other regulators regulating practitioners and healthcare industry role-players[14]. All these regulatory bodies are established under separate Acts of Parliament but account and answer to the Ministry of Health within their respective mandates.
The use of cloud services is not expressly addressed in any specific healthcare legislation. However, the Kenya Standards and Guidelines for mHealth Systems, 2017 provide standards to ensure the design, development, and implementation of interoperable, scalable, sustainable mHealth solutions, where mHealth refers to interventions and programs designed to support health service provision through mobile technology and devices. The Kenya National eHealth Policy 2016 – 2030 also provides for the overarching provisions on the use of ICTs in healthcare delivery and envisages increased use of ICTs. It also prescribes circumstances in which health data should be anonymized and/or encrypted, or otherwise stored with permission of the Ministry of Health[15]. The Health Information System Policy further cements the government position, which encourages the use of ICTs for healthcare service delivery. The Draft ICT Policy (2016)[16] proposes an action plan to integrate mobile internet, cloud computing, big data, and the internet of things with modern manufacturing, promoting public service delivery among other sectors. The Health Sector ICT Standards and Guidelines (Ministry of Health, June 2013) seek to encourage the adoption of virtualization, thin clients and cloud computing technologies in the Ministry of Health’s programs to achieve IT efficiency.
The Kenya mHealth Standards and Guidelines, which are aimed at guiding the utilization of wireless and mobile applications and devices to improve outcomes in health, state that health information should be held in Kenya; however, it can be held offshore with the consent of the Ministry of Health.
Microsoft is able to offer its customers the flexibility of various options for anonymisation and encryption.[17]
There is presently no uniform express regulation of cloud services in Kenya. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in adopting the use of cloud services and cloud-based solutions:
- General legislation on confidentiality and protection of privacy
  - The Health Act, Cancer Prevention and Control Act, HIV and AIDS Prevention and Control Act, the Public Health Act, the Kenya National eHealth Policy 2016 – 2030 and the Health Information System Policy all emphasize the importance of confidentiality and non-disclosure of information relating to a person’s health status, tests, treatment, or stay in a health facility.[18] The right to privacy and confidentiality can only be waived by the individual in writing or as required by a court order or under legislation.
  - The Health Sector Strategic Plan for Health Information Systems 2009-2014, the Kenya National e-Health Strategy 2011-2017 and the Kenya Standards and Guidelines on mHealth Systems 2017 also stress the need to ensure confidentiality.
- Requirements on record keeping
  - The Information Communication and Technology Authority (ICTA) has established standards that are to be followed by all government ministries, county governments and government agencies.
  - Of importance in this case are the cloud computing standards.[19] Some of the key requirements for cloud computing standards include:
    - The Ministry, County, or Agency (hereinafter referred to as MCAs) shall ensure Service Level Agreements (SLAs) cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, and change of terms at the discretion of the provider.
    - Cloud services should first be adopted in markets that have achieved an acceptable level of maturity.
    - MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes.
    - MCAs shall ensure they maintain control of the data and information in cloud storage and ensure protection from loss.
    - MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.
    - MCAs shall ensure the provider is vetted to ensure compliance with government standards.
The IT Governance Standards would also be of importance. MCAs are required to develop and sign SLAs with service providers (for example relating to provision of internet, systems support and maintenance services) to ensure availability and reliability of IT enabled services.
The Kenya Standards and Guidelines on mHealth Systems, April 2017 require the documentation of the development of the mHealth systems in order to facilitate continuity among the system users and developers.
Microsoft contractually commits to provide products and services which comply with specific globally accepted and internationally recognised standards.[20]
No, there are no laws requiring approval from regulatory authorities for use of cloud services. Cloud Service Providers in Kenya are deemed to be over the top service providers and are not required to obtain licenses from the ICT industry regulator, the Communications Authority.[21] Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.
The Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health and requires that warehousing be created and maintained for data and information at a central level within the health sector. The mHealth Guidelines also permit information to be stored outside the country, provided that certain requirements are met and approval is obtained from the Ministry of Health.
Under the IT Governance Standards MCAs are required to monitor achievement of service levels and compare them with agreed service level targets in the SLA.
The SLA should have accountability mechanisms for failure to meet service levels and MCAs shall monitor and report on achievement of services and compare them with agreed service levels.
Each MCA must have an IT function that reports directly to an accounting officer.
The Health Sector ICT Standards and Guidelines (Ministry of Health, 2013) provide cloud computing guidelines adopted by the MOH which include the implementation of a governance and audit management process.
Further, the Kenya Standards and Guidelines on mHealth Systems (April, 2017) require assurance processes to be put in place to ensure that the accountability needs of the data are met. These assurance processes include audit trails.
The Kenya Standards & Guidelines on mHealth Systems April 2017 state that data can only be stored outside the jurisdiction of Kenya with permission from the Ministry of Health. Therefore, if data is to be stored abroad, approval will be required from the Ministry of Health. Kenya has no legislative provisions on data transfer and data localization. However, the Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health, and should be stored in de-identified form.
Furthermore, the draft Data Protection Bill, 2018[22] contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:[23]
- the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
- the data subject consents to the transfer;
- the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
- the transfer is for the benefit of the data subject.
The draft Data Protection Bill also indicates that health information will be treated as special personal information, and its processing may be subject to specific requirements,[24] but this will not preclude processing with the consent of the data subject, nor processing in certain circumstances, including:[25]
- Certain institutions for purposes of treatment and care.
- Administrative bodies, pension funds and employers processing for purposes of implementing law relating to health of the data subject.
The Kenya Standards and Guidelines on mHealth Systems, April 2017, provide that communication context and content used in mHealth applications shall remain the property of the Government of Kenya and cannot be transferred without written approval from the relevant ministry, for instance the Ministry of Health.
Microsoft holds itself accountable to and is subject to the laws of general application applicable to information technology service providers, and has binding agreements which, in its view, are likely to constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO/IEC 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.
This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services in the healthcare sector.
- [1] Speech By His Excellency Hon. Uhuru Kenyatta, C.G.H., President And Commander In Chief Of The Defence Forces Of The Republic Of Kenya During The 2017 Jamhuri Day Celebrations At The Moi International Sports Centre, Kasarani On 12th December, 2017 http://www.president.go.ke/2017/12/12/speech-by-his-excellency-hon-uhuru-kenyatta-c-g-h-president-and-commander-in-chief-of-the-defence-forces-of-the-republic-of-kenya-during-the-2017-jamhuri-day-celebrations-at-the-moi-international/
- [2] National ICT Policy 2006, Kenya National eHealth Policy 2016 – 2030, Health Information System Policy, Ministry of Health- Ministerial Strategic & Investment Plan July 2014 – June 2018
- [3] See, for example, Microsoft Cloud for Health (https://enterprise.microsoft.com/en-us/trends/microsoft-cloud-for-health/) and our Cybersecurity in Health solutions (https://enterprise.microsoft.com/en-us/solution/industries/health/cybersecurity-in-health-solution/). Also see Microsoft Compliance Offerings (https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings), filtered by "health" industry.
- [9] See here for more information on HIPAA: https://www.microsoft.com/en-us/trustcenter/compliance/hipaa
- [13] Including nurses who are regulated by the Nurses Act CAP 257 of the Laws of Kenya; pharmacists and pharmaceutical technologists who are regulated by the Pharmacy and Poisons Act CAP 244 of the Laws of Kenya; physiotherapists who must be licensed in accordance with the Physiotherapists Act No. 20 of 2014; medical laboratory technicians who are licensed and regulated under the Medical Laboratory and Technologists Act No 10 of 1990; and nutritionists and dieticians who are registered and regulated under the Nutritionist & Dietitians Act No 18 of 2007.
- [14] Such as the Health Records and Information Managers Board which is required to establish and improve the standards of professional health records and information management in Kenya; Pharmacy and Poisons Board (for pharmacists); the Kenya Medical Practitioners and Dentists Board (for doctors, medical officers and dentists); the Council of Clinical Officers (for clinical officers); the Nursing Council of Kenya (for nurses); the Physiotherapy Council of Kenya (for physiotherapists); the Kenya Medical Supplies Authority (for medical supplies procurement, storage and distribution for public health programmes); the Medical Laboratory Technicians and Technologist Board (for medical laboratory technicians and technologists); the Kenya Nutritionist and Dietitians Institute (for nutritionists and dieticians).
- [15] Kenya National eHealth Policy 2016 – 2030
- [16] It is expected that the Draft ICT Policy will be promulgated in 2018 following Stakeholder engagement and Cabinet approval.
- [17] Such as under ISO/IEC 20889, in relation to anonymisation techniques.
- [18] Constitution of Kenya 2010, Kenya National eHealth Policy 2016 – 2030, Health Information System Policy Section 11 Health Act, section 3 Cancer Prevention and Control Act, Section 21 of HIV and AIDS Prevention and Control Act and section 54 of Public Health Act
- [19] ICTA-2.001:2016 Cloud Computing Standard http://icta.go.ke/standards/cloud-computing-standard-2/.
- [20] Such as ISO/IEC 19086
- [21] Kenya Information and Communications Act, CAP 411A
- [22] We have considered the Data Protection Bill, 2018, issued under Kenya Gazette Supplement No. 66 (Senate Bills No. 16) dated 30 May 2018 http://kenyalaw.org/kl/fileadmin/pdfdownloads/bills/2018/DataProtectionBill_2018.pdf. This version may be subject to future amendment.
- [23] Section 31 of the Draft Data Protection Bill, 2018
- [24] Part III of the Draft Data Protection Bill, 2018
- [25] Section 28 of the Draft Data Protection Bill, 2018