The South African government has committed itself to helping grow a healthcare sector which provides quality healthcare for all[1] and recognizes that technology can be leveraged to provide solutions to some of the country's greatest challenges, including health.[2]
As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.
Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.
MICROSOFT'S COMMITMENT TO THE SOUTH AFRICA HEALTHCARE SECTOR
Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease—in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.
Microsoft has valuable experience from engagements with healthcare institutions, providers and regulators. The Phulukisa Healthcare Group is an example of the value we provide. Phulukisa aims to meet the growing needs of the healthcare sector, including compliance requirements, by re-engineering primary health access in an affordable and scalable manner. Using Microsoft cloud-enabled health applications reduces the waiting time for patients at clinics, makes patient diagnostic results accessible immediately, allows automated decision-making with alerts to both patient and care-giver and makes the identification of regional trends using aggregate data a reality.
Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.
In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure, and legally compliant manner.
Microsoft stands ready to support our healthcare customers in SA with the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual, and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible, and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.
Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.[3]
Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 27001[4] and 27002 as well as the cloud specific extension ISO/IEC 27017[5] and ISO/IEC 27018[6] (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC3[7] as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)[8]. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA)[9]. Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 17788[10], ISO/IEC 17789[11] and ITU-T Y.3502[12] to ensure a common understanding of terms and definitions in policies and regulation.
THE REGULATORY ENVIRONMENT
The healthcare industry in South Africa comprises many different stakeholders and role-players. The National Health Act, 2003 (NHA) is the framework legislation providing for a structured uniform health system within the country. Each role-player in the system is, in turn, regulated by specific acts and regulations, including:
- health practitioners, for example doctors, dentists, physiotherapists and emergency care personnel, are regulated by laws including the Health Professions Act, 1974 and the Health Practitioners Ethical Rules;[13]
- health care establishments such as hospitals, clinics and similar facilities, are regulated by the NHA and Private Hospital Regulations;[14]
- medical schemes, medical scheme administrators and managed health care organisations are regulated by the Medical Schemes Act, 1998 ("MSA") and the MSA Regulations;[15] and
- pharmacists are regulated by the Pharmacy Act, 1974 ("Pharmacy Act"), the Pharmacist Code of Conduct Rules[16] and the Good Pharmacy Practice Rules.[17]
Other practitioners and healthcare industry role-players are regulated by other laws.[18] Those role-players who are organs of state would also be required to comply with public procurement laws in procuring cloud services.
- Key regulators in this industry include the Health Professions Council of South Africa,[19] relevant provincial Departments of Health and the Council for Medical Schemes.[20]
- There are also many other regulators regulating other practitioners and healthcare industry role-players.[21]
The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be taken into account, including the obligation on relevant role-players to keep confidential and not to disclose certain information.
There is presently no uniform regulation of cloud services in South Africa. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:
- Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, which preclude disclosure save in specified circumstances, such as with consent of the patient or by court order.[22]
- Health establishments: the person in charge of a health establishment which is in possession of a person's health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.[23]
- Medical schemes:
- where managed health care is undertaken by the medical scheme itself or by a third party managed health care organization, the scheme must ensure that a written protocol is in place that deals with confidentiality of clinical and proprietary information.[24]
- a scheme is entitled to access any treatment record held by a managed health care organization or health care provider or other information pertaining to the diagnosis, treatment and health status of a scheme's beneficiary, but the information may not be disclosed to any other person without consent.[25]
- the minimum standards for record keeping procedures provide that patient medication records must be kept in the pharmacy, except in institutional pharmacies[26] where the pharmacist has access to the necessary information in the patient’s medical/clinical records kept in the health facility.[27]
- a prescription book or other permanent record must be kept in respect of certain medicines, in hard copy or electronically on all premises where such medicines are sold or dispensed. A prescription book or other permanent record must be kept for a period of at least five years after the date of the last entry.[28]
The above rules would not preclude simultaneous cloud storage.
Given the sensitive nature of health information, it goes without saying that the chosen cloud solution must be secure, and help customers ensure compliance with their data privacy obligations.
Once the relevant provisions of the Protection of Personal Information Act, 2013 (POPIA) are in force, information regarding health or sex life will be treated as special personal information, and its processing[29] will be subject to specific requirements.[30] However, this will not preclude processing with consent of the data subject[31] nor processing by, amongst others:
- medical professionals, healthcare institutions or facilities, or social services, if such processing is necessary for the proper treatment and care of the person, or for the administration of the institution or professional practice concerned;[32]
- medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for (i) assessing the risk to be covered by the medical scheme and the person has not objected to the processing, (ii) the performance of a medical scheme agreement; or (iii) the enforcement of any contractual rights and obligations.[33]
No, there are no laws requiring approval from healthcare regulatory authorities for use of cloud services. Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role-players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.
To the extent that health information is to be transferred outside of South Africa without compliance with the data transfer requirements set out below, the responsible party will require prior authorization from the Information Regulator.[34]
Healthcare regulatory authorities possess fairly broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, a health officer may require the person in charge of a health establishment to produce for inspection or for purposes of making copies or extracts any document including any health record that the establishment is required to maintain.[35] Similarly, the Registrar of medical schemes may order an inspection into a medical scheme (and/or its administrator) for purposes of routine monitoring of compliance with the MSA. These inspections usually entail the inspectors attending at the scheme's premises and requesting copies of any information considered necessary for the inspection.
Under POPIA, personal information may be transferred out of South Africa as long as the requirements of POPIA are met. POPIA permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA, or with the person's consent.[36] If not, prior authorization will be required from the Information Regulator (as noted earlier).[37]
Microsoft holds itself accountable and subject to the laws of regions in which it maintains data centres, and has binding agreements, which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.
- [1] South African National Development Plan.
- [2] South African National Development Plan, and National Integrated ICT Policy White Paper.
- [3] See, for example, Microsoft Cloud for Health (https://enterprise.microsoft.com/en-us/trends/microsoft-cloud-for-health/) and our Cybersecurity in Health solutions (https://enterprise.microsoft.com/en-us/solution/industries/health/cybersecurity-in-health-solution/). Also see Microsoft Compliance Offerings (https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings), filtered by "health" industry.
- [9] See here for more information on HIPAA: https://www.microsoft.com/en-us/trustcenter/compliance/hipaa
- [13] Published under Government Notice R717, Government Gazette 29079, 4 August 2006, as amended.
- [14] Published under Government Notice GN R158, Government Gazette 6832, 1 February 1980.
- [15] Published under Government Notice R1262, Government Gazette 20556, 20 October 1999.
- [16] Published under Board Notice 108, Government Gazette 31534, 24 October 2008.
- [17] Published under Board Notice 129, Government Gazette 27112, 17 December 2004.
- [18] Including nurses who are regulated by the Nursing Act, 2005; allied health profession practitioners (engaging in for example chiropractic, homeopathy, acupuncture, therapeutic massage therapy and therapeutic reflexology) who are regulated by the Allied Health Professions Act, 1982; the supply of medicines which is regulated by the Pharmacy Act, the Good Pharmacy Practice Rules, the Medicines and Related Substances Act, 1965 and the General Medicines Regulations; and the supply of medical devices which is regulated by the Medicines Act together with the Devices Regulations.
- [19] Which, in conjunction with its 12 professional boards, regulates health practitioners. See list of professional boards at http://www.hpcsa.co.za/Professionals/ProBoards.
- [20] Regulating medical schemes, managed health care organisations and medical scheme administrators.
- [21] Such as the South African Nursing Council (for nurses); the Allied Health Professions Council of South Africa (for allied health profession practitioners); the South African Pharmacy Council (for pharmacists); the South African Pharmacy Council and, in certain circumstances, the South African Health Products Regulatory Authority (for pharmacies (including pharmaceutical companies)); and the South African Health Products Regulatory Authority (for manufacturers, wholesalers and distributors of medical devices).
- [22] Sections 14 and 15 of the NHA, rule 13 and Chapter 3 of the Health Practitioners Ethical Rules, rule 4L of the Code Of Ethics Rules/AHPCSA Policy, published under Board Notice 268, Government Gazette 39531, 18 December 2015 in terms of the Allied Health Professions Act; regulation 13 of the Regulations published under Government Notice R767, Government Gazette 38047, 1 October 2014, in terms of the Nursing Act, section 57 of the MSA and rule 1.3 of the Pharmacist Code of Conduct Rules.
- [23] Section 17 of the NHA.
- [24] Regulation 15D of the MSA Regulations.
- [25] Regulation 15J(2)(c) of the MSA Regulations, and subject to the provisions of any other legislation.
- [26] An "institutional pharmacy" is a pharmacy situated in a public health facility or private health facility, wherein or from which, inter alia, the following services are provided: the evaluation of a patient's medicine related needs by determining the indication, safety and effectiveness of the therapy, dispensing medicine on prescription and furnishing information and advice with regard to medicine, and excludes a community pharmacy (regulations 1 and 18 of the Practice of Pharmacy Regulations).
- [27] Rule 2.9.1(a) and (b) of the Good Pharmacy Practice Rules.
- [28] Regulation 35 of the General Medicines Regulations.
- [29] Section 1 of POPIA defines "processing" as "any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information".
- [30] Sections 26, 27 and 32 of POPIA.
- [31] Section 27(1) of POPIA.
- [32] Section 32(1)(a) of POPIA.
- [33] Section 32(1)(b) of POPIA.
- [34] Sections 57 and 58 of POPIA.
- [35] Section 82 of the NHA.
- [36] Section 72 of POPIA.
- [37] Sections 57 and 58 of POPIA.