Male technician wearing lab coat and gloves, using microscope in laboratory office of Chicago hospital.
Kenya: Cloud in Healthcare services

Kenya: Cloud in Healthcare Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Data Sovereignty & the cloud – a Healthcare perspective

Download now

REGULATORY OVERVIEW

The government of Kenya is committed to helping grow a healthcare sector that provides affordable healthcare accessible to all. During the 2017 Madaraka Day celebrations, the President of Kenya announced the Big Four agenda priority areas for the government. These include ensuring food security, affordable housing, manufacturing, and affordable healthcare1. The policy statements support the use of ICT in healthcare to improve public service delivery. 2

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE KENYAN HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians, and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease—in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 — from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across the country and region. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual, and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible, and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI) constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI. 3

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against a number of key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 270014 and 27002 as well as the cloud specific extension ISO/IEC 270175 and ISO/IEC 270186 (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC37 as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)8 . Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA)9. Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 1778810, ISO/IEC 1778911 and ITU-T Y.350212 to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in Kenya has many different stakeholders. The Health Act No. 21 of 2017 establishes a unified health system, coordinates the inter-relationship between the national government and county government health systems and seeks to regulate health care services, health care service providers, health products, and health technologies.

Each stakeholder is regulated by specific Acts and Regulations, for example:

  • Clinical Officers are regulated by the Clinical Officers Act (Training, Registration and Licensing Act) No. 20 of 2017; and
  • Doctors, medical officers, and dentists are regulated primarily by the Medical Practitioners and Dentists Act CAP 253 of the Laws of Kenya.

Other practitioners and healthcare industry role-players are regulated by other laws.13

    • The key regulator in this industry is The Ministry of Health which is in charge of the health sector and the co-ordination of health service delivery generally.
    • There are also many other regulators regulating practitioners and healthcare industry role-players14. All these regulatory bodies are established under separate Acts of parliament but account and answer to the Ministry of Health within their respective mandates.
  • The use of cloud services is not expressly addressed in any specific healthcare legislation. However, the Kenya Standards and Guidelines for mHealth Systems, 2017 provide standards to ensure the design, development, and implementation of interoperable, scalable, sustainable mHealth solutions where mHealth refers to interventions and programs designed to support health service provision through mobile technology and devices. The Kenya National eHealth Policy 2016 – 2030 also provides for the overarching provisions on the use of ICTs in healthcare delivery and envisages increased use of ICTs. It also prescribes circumstances in which health data should be anonymized and/or encrypted, or otherwise stored with permission of the Ministry of Health15. The Health Information System Policy further cements the government position which encourages the use of ICTs for healthcare service delivery. The Draft ICT Policy (2016)16 proposes an action plan to integrate mobile internet, cloud computing, big data, and the internet of things with modern manufacturing; promoting public service delivery among other sectors. The Health Sector ICT Standards and Guidelines (Ministry of Health, June 2013) seek to encourage the adoption of virtualization, thin clients and cloud computing technologies in the Ministry of Health’s programs to achieve IT efficiency.

    The Kenya mHealth Standards and Guidelines which are aimed at guiding the utilization of wireless and mobile applications and devices to improve outcomes in health defines that health Information should be held in Kenya; however, it can be held offshore with the consent of the Ministry of Health.

    Microsoft is able to offer its customers the flexibility of various options for anonymisation and encryption.17

  • There is presently no uniform express regulation of cloud services in Kenya. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in adopting the use of cloud services and cloud-based solutions:

    • General legislation on confidentiality and protection of privacy
      • The Health Act, Cancer Prevention and Control Act, HIV and AIDS Prevention and Control Act the Public Health Act, the Kenya National eHealth Policy 2016 – 2030 and the Health Information System Policy all emphasize the importance of confidentiality and non- disclosure of information relating to a person’s health status, tests, treatment, or stay in a health facility.18 The right to privacy and confidentiality can only be waived by the individual in writing or as required by a court order or under legislation.
      • The Health Sector Strategic Plan for Health Information Systems 2009-2014, the Kenya National e-Health Strategy 2011-2017 and the Kenya Standards and Guidelines on mHealth Systems 2017 also stress the need to ensure confidentiality.
    • Requirements on record keeping
      • The Information Communication and Technology Authority (ICTA) has established standards that are to be followed by all government ministries, county governments and government agencies.
      • Of importance in this case are the cloud computing standards.19 Some of the key requirements for cloud computing standards include:
        • The Ministry, County, or Agency (hereinafter referred to as MCAs) shall ensure Service Level Agreements (SLAs) cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, and change of terms at the discretion of the provider.
        • Cloud services should first be adopted in markets that have achieved an acceptable level of maturity.
          • MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes
          • MCAs shall ensure they maintain control of the data and information in cloud storage and ensure protection from loss.
          • MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.
          • MCAs shall ensure the provider is vetted to ensure compliance with government standards.

    The IT Governance Standards would also be of importance. MCAs are required to develop and sign SLAs with service providers (for example relating to provision of internet, systems support and maintenance services) to ensure availability and reliability of IT enabled services.

    The Kenya Standards and Guidelines on mHealth Systems, April 2017 require the documentation of the development of the mHealth systems in order to facilitate continuity among the system users and developers.

    Microsoft contractually commits to provide products and services which comply with specific globally accepted and internationally recognised standards.20

  • No, there are no laws requiring approval from regulatory authorities for use of cloud services. Cloud Service Providers in Kenya are deemed to be over the top service providers and are not required to obtain licenses from the ICT industry regulator, the Communications Authority.21 Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

    The Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health and requires that warehousing be created and maintained for data and information at a central level within the health sector. The mHealth Guidelines also permit information to be stored outside the country, provided that certain requirements are met and approval is obtained from the Ministry of Health.

  • Under the IT Governance Standards MCAs are required to monitor achievement of service levels and compare them with agreed service level targets in the SLA.

    The SLA should have accountability mechanisms for failure to meet service levels and MCAs shall monitor and report on achievement of services and compare them with agreed service levels.

    MCA must have an IT function that reports directly to an accounting officer.

    The Health Sector ICT Standards and Guidelines (Ministry of Health, 2013) provides cloud computing guidelines adopted by the MOH which include the implementation of a governance and audit management process.

    Further, the Kenya Standards and Guidelines on mHealth Systems (April, 2017) require assurance processes to be put in place to ensure that the accountability needs of the data are met. These assurance processes include audit trails.

  • The Kenya Standards & Guidelines on Mhealth Systems April 2017 state that data can only be stored outside the jurisdiction of Kenya with permission from the Ministry of Health. Therefore, if data is to be stored abroad, approval will be required from the Ministry of Health. Kenya has no legislative provisions on data transfer and data localization. However, the Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health, and should be stored in de-identified form.

    Furthermore, the draft Data Protection Bill, 201822 contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:23

    • the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
    • the data subject consents to the transfer;
    • the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
    • the transfer is for the benefit of the data subject.

    The draft Data Protection Bill also indicates that health information will be treated as special personal information, and its processing may be subject to specific requirements24 but this will not preclude processing with consent of the data subject nor processing in certain circumstances, including:25

    • Certain institutions for purposes of treatment and care.
    • Administrative bodies, pension funds and employers processing for purposes of implementing law relating to health of the data subject.

    The Kenya Standards and Guidelines on mHealth Systems, April 2017, provide that communication context and content used in mHealth applications shall remain the property of the Government of Kenya and cannot be transferred without written approval from the relevant ministry, for instance the Ministry of Health.

    Microsoft holds itself accountable to and is subject to the laws of general application applicable to information technology service providers, and has binding agreements which, in its view, are likely to constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO/IEC 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

  • This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services in the healthcare sector.

    Click here to download the checklist.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

Security

We build our services from the ground up to help safeguard your data

Learn more
Privacy

Privacy

Our policies and processes help keep your data private and in your control

Learn more
Compliance

Compliance

We provide industry-verified conformity with global standards

Learn more
Transparency

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

RECOMMENDED RESOURCES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.