Male technician wearing lab coat and gloves, using microscope in laboratory office of Chicago hospital.
South Africa: Cloud in Healthcare services

South Africa: Cloud in Healthcare Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Data Sovereignty & the cloud – a Healthcare perspective

Download now

REGULATORY OVERVIEW

The South African government has committed itself to helping grow a healthcare sector which provides quality healthcare for all1 and recognizes that technology can be leveraged to provide solutions to some of the country's greatest challenges, including health.2

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE SOUTH AFRICA HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease—in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft has valuable experience from engagements with healthcare institutions, providers and regulators. The Phulukisa Healthcare Group is an example of the value we provide. Phulukisa aims to meet the growing needs of the healthcare sector, including compliance requirements, by re-engineering primary health access in an affordable and scalable manner. Using Microsoft cloud-enabled health applications reduces the waiting time for patients at clinics, makes patient diagnostic results accessible immediately, allows automated decision-making with alerts to both patient and care-giver and makes the identification of regional trends using aggregate data a reality.

Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure, and legally compliant manner.

Microsoft stands ready to support our healthcare customers in SA with the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual, and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible, and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.3

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 270014 and 27002 as well as the cloud specific extension ISO/IEC 270175 and ISO/IEC 270186 (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC37 as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)8. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA)9. Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 1778810, ISO/IEC 1778911 and ITU-T Y.350212 to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in South Africa comprises many different stakeholders and role-players. The National Health Act, 2003 (NHA) is the framework legislation providing for a structured uniform health system within the country. Each role-player in the system is, in turn, regulated by specific acts and regulations, including:

  • health practitioners, for example doctors, dentists, physiotherapists and emergency care personnel, are regulated by laws including the Health Professions Act, 1974 and the Health Practitioners Ethical Rules;13
  • health care establishments such as hospitals, clinics and similar facilities, are regulated by the NHA and Private Hospital Regulations.14
  • medical schemes, medical scheme administrators and managed health care organisations are regulated by the Medical Schemes Act, 1998 ("MSA") and the MSA Regulations;15 and
  • pharmacists are regulated by the Pharmacy Act, 1974 ("Pharmacy Act"), the Pharmacist Code of Conduct Rules16 and the Good Pharmacy Practice Rules.17

Other practitioners and healthcare industry role-players are regulated by other laws.18 Those role-players who are organs of state would also be required to comply with public procurement laws in procuring cloud services.

    • Key regulators in this industry include the Health Professions Council of South Africa,19 relevant provincial Departments of Health and the Council for Medical Schemes.20
    • There are also many other regulators regulating other practitioners and healthcare industry role-players.21
  • The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be taken into account, including the obligation on relevant role-players to keep confidential and not to disclose certain information.

  • There is presently no uniform regulation of cloud services in South Africa. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:

    • Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, which preclude disclosure save in specified circumstances, such as with consent of the patient or by court order.22
    • Health establishments: the person in charge of a health establishment which is in possession of a person's health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.23
    • Medical schemes:
      • where managed health care is undertaken by the medical scheme itself or by a third party managed health care organization, the scheme must ensure that a written protocol is in place that deals with confidentiality of clinical and proprietary information.24
      • a scheme is entitled to access any treatment record held by a managed health care organization or health care provider or other information pertaining to the diagnosis, treatment and health status of a scheme's beneficiary, but the information may not be disclosed to any other person without consent.25
    • Pharmacies:
      • the minimum standards for record keeping procedures provide that patient medication records must be kept in the pharmacy, except in institutional pharmacies26 where the pharmacist has access to the necessary information in the patient’s medical/clinical records kept in the health facility.27
      • a prescription book or other permanent record must be kept in respect of certain medicines, in hard copy or electronically on all premises where such medicines are sold or dispensed. A prescription book or other permanent record must be kept for a period of at least five years after the date of the last entry.28

    The above rules would not preclude simultaneous cloud storage.

    Given the sensitive nature of health information, it goes without saying that the chosen cloud solution must be secure, and help customers ensure compliance with their data privacy obligations.

    Once the relevant provisions of the Protection of Personal Information Act, 2013 (POPIA) are in force, information regarding health or sex life will be treated as special personal information, and its processing29 will be subject to specific requirements.30 However, this will not preclude processing with consent of the data subject31 nor processing by, amongst others:

    • medical professionals, healthcare institutions or facilities, or social services, if such processing is necessary for the proper treatment and care of the person, or for the administration of the institution or professional practice concerned32
    • medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for (i) assessing the risk to be covered by the medical scheme and the person has not objected to the processing, (ii) the performance of a medical scheme agreement; or (iii) the enforcement of any contractual rights and obligations.33
  • No, there are no laws requiring approval from healthcare regulatory authorities for use of cloud services. Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role-players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

    To the extent that health information is to be transferred outside of South Africa without compliance with the data transfer requirements set out below, the responsible party will require prior authorization from the Information Regulator.34

  • Healthcare regulatory authorities possess fairly broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, a health officer may require the person in charge of a health establishment to produce for inspection or for purposes of making copies or extracts any document including any health record that the establishment is required to maintain.35 Similarly, the Registrar of medical schemes may order an inspection into a medical scheme (and/or its administrator) for purposes of routine monitoring of compliance with the MSA. These inspections usually entail the inspectors attending at the scheme's premises and requesting copies of any information considered necessary for the inspection.

  • Under POPIA, personal information may be transferred out of South Africa as long as the requirements of POPIA are met. POPIA permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA, or with the person's consent.36 If not, prior authorization will be required from the Information Regulator (as noted earlier).37

    Microsoft holds itself accountable and subject to the laws of regions in which it maintains data centres, and has binding agreements, which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    • 1South African National Development Plan.
    • 2South African National Development Plan, and National Integrated ICT Policy White Paper.
    • 3See, for example, Microsoft Cloud for Health (https://enterprise.microsoft.com/en-us/trends/microsoft-cloud-for-health/) and our Cybersecurity in Health solutions (https://enterprise.microsoft.com/en-us/solution/industries/health/cybersecurity-in-health-solution/). Also see Microsoft Compliance Offerings (https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings), filtered by "health" industry.
    • 4https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001
    • 5https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27017
    • 6https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27018
    • 7https://www.microsoft.com/en-us/trustcenter/compliance/soc
    • 8https://www.microsoft.com/en-us/trustcenter/compliance/csa-star-certification
    • 9See here for more information on HIPAA: https://www.microsoft.com/en-us/trustcenter/compliance/hipaa
    • 10http://standards.iso.org/ittf/PubliclyAvailableStandards/c060544_ISO_IEC_17788_2014.zip
    • 11http://standards.iso.org/ittf/PubliclyAvailableStandards/c060544_ISO_IEC_17789_2014.zip
    • 12https://www.itu.int/rec/T-REC-Y.3502-201408-I/en
    • 13ublished under Government Notice R717, Government Gazette 29079, 4 August 2006, as amended.
    • 14Published under Government Notice GN R158, Government Gazette 6832, 1 February 1980.
    • 15Published under Government Notice R1262, Government Gazette 20556, 20 October 1999.
    • 16Published under Board Notice 108, Government Gazette 31534, 24 October 2008.
    • 17Published under Board Notice 129, Government Gazette 27112, 17 December 2004.
    • 18Including nurses who are regulated by the Nursing Act, 2005; allied health profession practitioners (engaging in for example chiropractic, homeopathy, acupuncture, therapeutic massage therapy and therapeutic reflexology) who are regulated by the Allied Health Professions Act, 1982; the supply of medicines which is regulated by the Pharmacy Act, the Good Pharmacy Practice Rules, the Medicines and Related Substances Act, 1965 and the General Medicines Regulations; and the supply of medical devices which is regulated by the Medicines Act together with the Devices Regulations.
    • 19Which, in conjunction with its 12 professional boards, regulates health practitioners. See list of professional boards at http://www.hpcsa.co.za/Professionals/ProBoards.
    • 20Regulating medical schemes, managed health care organisations and medical scheme administrators.
    • 21Such as the South African Nursing Council (for nurses); the Allied Health Professions Council of South Africa (for allied health profession practitioners); the South African Pharmacy Council (for pharmacists); the South African Pharmacy Council and, in certain circumstances, the South African Health Products Regulatory Authority (for pharmacies (including pharmaceutical companies); and the South African Health Products Regulatory Authority (for manufacturers, wholesalers and distributors of medical devices).
    • 22Sections 14 and 15 of the NHA, rule 13 and Chapter 3 of the Health Practitioners Ethical Rules, rule 4L of the Code Of Ethics Rules/AHPCSA Policy, published under Board Notice 268, Government Gazette 39531, 18 December 2015 in terms of the Allied Health Professions Act; regulation 13 of the Regulations published under Government Notice R767, Government Gazette 38047, 1 October 2014, in terms of the Nursing Act, section 57 of the MSA and rule 1.3 of the Pharmacist Code of Conduct Rules.
    • 23Section 17 of the NHA.
    • 24Regulation 15D of the MSA Regulations.
    • 25Regulation 15J(2)(c) of the MSA Regulations, and subject to the provisions of any other legislation.
    • 26An "institutional pharmacy" is a pharmacy situated in a public health facility or private health facility, wherein or from which, inter alia, the following services are provided: the evaluation of a patient's medicine related needs by determining the indication, safety and effectiveness of the therapy, dispensing medicine on prescription and furnishing information and advice with regard to medicine, and excludes a community pharmacy (regulations 1 and 18 of the Practice of Pharmacy Regulations).
    • 27Rule 2.9.1(a) and (b) of the Good Pharmacy Practice Rules
    • 28Regulation 35 of the General Medicines Regulations.
    • 29Section 1 of POPIA defines "processing" as "any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-
      (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
      (b) dissemination by means of transmission, distribution or making available in any other form; or
      (c) merging, linking, as well as restriction, degradation, erasure or destruction of information".
    • 30Sections 26, 27 and 32 of POPIA
    • 31Section 27(1) of POPIA.
    • 32Section 32(1)(a) of POPIA.
    • 33Section 32(1)(b) of POPIA.
    • 34Section 57 and 58 of POPIA.
    • 35Section 82 of the NHA.
    • 36Section 72 of POPIA.
    • 37Section 57 and 58 of POPIA.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

Security

We build our services from the ground up to help safeguard your data

Learn more
Privacy

Privacy

Our policies and processes help keep your data private and in your control

Learn more
Compliance

Compliance

We provide industry-verified conformity with global standards

Learn more
Transparency

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

RECOMMENDED RESOURCES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.