DOWNLOAD OUR WHITEPAPER: DATA SOVEREIGNTY & THE CLOUD –
A HEALTHCARE PERSPECTIVE
REGULATORY OVERVIEW
The Ministry of Health has committed to provide high quality and equitable preventive and curative health services, and to carry out the regulatory and supervisory role in relation to the services related to the health and safety of citizens using optimal resources and technology advances in effective partnership with the relevant authorities within a comprehensive health policy.[1]
Jordan is also a member of the global Open Government Partnership. As signatory to this partnership,[2] the Jordanian government is committed to developing healthcare services and automating the healthcare sector by providing the infrastructure required to connect the Ministry of Health hospitals and other national health and medical centres.
In this context, the Ministry of Health aims to develop the supporting electronic infrastructure through the implementation of electronic transformation projects, the most important of which is the completion of the digitization of health centres and hospitals. In accordance with the Hakeem Agreement,[3] the number of computerized hospitals will be increased from 18 in 2017 to 32 in 2022 and the number of health centres will be increased from 142 to 478 centres in 2022.
The Hakeem Agreement program aims to facilitate efficient, high-quality healthcare in the Kingdom through the nationwide implementation of an Electronic Health Record solution (EHR). Physicians, pharmacists, medical technologists and other clinicians will be able to electronically access the medical records of patients within participating health facilities in Jordan by entering the patient’s national ID number.
As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.
Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.
MICROSOFT'S COMMITMENT TO THE JORDANIAN HEALTHCARE SECTOR
Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease - in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.
Microsoft has valuable experience from engagements with healthcare institutions, providers and regulators.
Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.
Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - in the Middle East, which will offer enterprise-grade reliability and performance to our customers across the region. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.
Although there is no data protection law in Jordan, Microsoft understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.[4]
Microsoft’s cloud services are subject to rigorous audits by third party experts and are certified against a number of key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 27001[5] and 27002 as well as the cloud specific extension ISO/IEC 27017[6] and ISO/IEC 27018[7] (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC3[8] as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR).[9] Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA).[10] Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 17788,[11] ISO/IEC 17789[12] and ITU-T Y.3502[13] to ensure a common understanding of terms and definitions in policies and regulation.
THE REGULATORY ENVIRONMENT
The healthcare industry in Jordan comprises many different stakeholders and role-players. The Public Health Law No.47 of 2008 ("PHL") is the main legislation providing for a structured uniform health system within the country. Each role-player in the system is, in turn, regulated by specific Acts and Regulations, including:
- health practitioners; for example, doctors, dentists, nurses and midwives.[14]
- health care establishments; such as hospitals, clinics and similar facilities.[15]
- pharmacists and pharmaceutical institutions.[16]
Other practitioners and healthcare industry role-players are regulated by other regulations issued pursuant to the provisions of the PHL. Those role-players who are organs of state may also be required to comply with public procurement laws in procuring cloud services.
Key regulators in this industry include the Ministry of Health in conjunction with the relevant Professional Associations.
The use of cloud services is not expressly addressed in any specific healthcare legislation in Jordan. There may however be laws applicable to the healthcare industry which may need to be taken into account, including the obligation on relevant role-players to keep confidential and not to disclose certain information (see below).
There is presently no uniform regulation of cloud services in Jordan. Role-players within the healthcare sector would, however, need to be mindful of the following standards and obligations specified in the relevant legislation for each role-player in the healthcare sector in moving to the cloud:
- Certain general and specific requirements relating to the storing of patient records[17] and the security and protection of the confidentiality of patient personal medical information. These requirements may preclude disclosure except in specified circumstances, such as with consent of the patient or by court order.[18]
- Pharmacists should keep the prescriptions for any narcotics and hallucinogens, as well as the registers, books and documents related thereto, when those prescriptions are not dispensed in whole, and shall keep any documents relevant for any prescriptions dispensed or sold for at least five years from the date of the last entry. Any destruction of documents should occur in the presence of the inspector.[19]
The above rules would not preclude simultaneous cloud storage.
Due to the sensitive nature of health information, any cloud solution must be secure, and help customers ensure compliance with their data privacy obligations.
No, there are no laws requiring approval from healthcare regulatory authorities for use of cloud services. Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role-players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.
Healthcare regulatory authorities possess fairly broad inspection powers which include the power to enter the relevant premises and to access relevant information.[20]
Currently, there is no data protection law in Jordan,[21] meaning no specific restrictions or requirements for the transfer of personal information to a third party who is in a foreign country exist. Microsoft nonetheless holds itself accountable to and is subject to laws of general application applicable to information technology service providers, including security breach notification law, and has binding agreements. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation which came into force in May 2018.
1 Ministry of Health
2 Also in accordance with commitment number 6 within Jordan’s Third National Plan 2016-2018
3 Ministry of Health Strategy for the years 2018-2022
4 See, for example, Microsoft Cloud for Health (Microsoft Industry Blogs) and our Cybersecurity in Health solutions (Health organizations and Microsoft business cloud services). Also see Microsoft Compliance Offerings (Microsoft compliance offerings), filtered by "health" industry.
5 ISO/IEC 27001:2013 Information Security Management Standards
6 ISO/IEC 27017:2015 Code of Practice for Information Security Controls
7 ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
8 Azure, Dynamics 365, and Microsoft 365 compliance offerings
9 Cloud Security Alliance (CSA) STAR Certification
10 See here for more information on HIPAA
11 Publicly Available Standards
12 Publicly Available Standards
13 Y.3502 : Information technology - Cloud computing - Reference architecture
14 Regulated by laws including the PHL, the Jordan Medical Association Law No.13 of 1972, the Jordan Dental Association Law No.17 of 1972, the Nurses and Midwives Association Law No. 18 of 1972, the Dental Profession Licensing Regulation No. 98 of 2016, the Jordanian Medical Council Law No.17 of 2005
15 Regulated by the PHL in addition to Private Hospitals Regulations No. 54 of 2014, Clinics and Centres of Human Medicine Licensing Regulations No. 74 of 2014, Instructions for conditions to be met in clinics and centres of human medicine No. 1 of 2016, the Dental Clinics and Centres Licensing Regulations No. 52 of 2016
16 Regulated by the PHL, the Drug & Pharmacy Law No. 12 of 2013, Pharmaceutical Institutions Licensing Regulations No. 75 of 2014, Instructions for the licencing requirements of private pharmacy No. 2 for the year 2015, and the Jordan Pharmacists Association Law No. 51 of 1972
17 Article 18 of Private Hospitals Regulations No. 54 of 2014.
18 The medical constitution, duties of the doctor and the code of conduct of the year 1989 and Article 22 of Jordan Dental Association Law No.17 of 1972
19 Article 74 of the Drug & Pharmacy Law No. 12 of 2013
20 Article 66 of the Drug & Pharmacy Law No. 12 of 2013, article 9 of The medical constitution, duties of the doctor and the code of conduct of the year 1989 and article 10 of the Public Health Law No.47 of the year 2008.
21 However, a draft Data Protection Law has been published by the Ministry of Information and Communications Technology for public comment. This indicates that data protection laws are being considered.
WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES
Security
We build our services from the ground up to help safeguard your data
Privacy
Our policies and processes help keep your data private and in your control
Compliance
We provide industry-verified conformity with global standards
Transparency
We make our policies and practices clear and accessible to everyone