Angola: Cloud in Healthcare Services

An Interactive Guide for Legal and Compliance Professionals

REGULATORY OVERVIEW

The Angolan government has committed itself to the development of a healthcare industry which provides quality healthcare services. There is recognition that technology can be leveraged to provide solutions to some of the country's greatest challenges, including healthcare.[1]

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE ANGOLAN HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians, and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease - in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft has valuable worldwide experience from engagements with healthcare institutions, providers, and regulators. Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organizations and people across the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organization on the planet to achieve more in a safe, secure, and legally compliant manner.

Microsoft stands ready to support our healthcare customers in Angola with the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual, and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible, and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.[2]

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 27001[3] and 27002 as well as the cloud specific extension ISO/IEC 27017[4] and ISO/IEC 27018[5] (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC3[6] as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)[7]. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA).[8] Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 17788[9], ISO/IEC 17789[10] and ITU-T Y.3502[11] to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in Angola comprises many different stakeholders and role players. The Base Law on the Health National System[12] is the framework legislation providing for a structured uniform health system within the country. The National Health Policy is described under Presidential Decree No. 262/10, dated the 24th of November. In 2014, the National Program for the Humanization of the Health Assistance in Angola was published[13].

Each role player in the system is, in turn, regulated by specific Acts and Regulations, including:

  • Doctors are bound to register at the Doctors Bar Association, and must comply with the ethical standards it prescribes[14];
  • Nurses are bound to register at the Nurses Bar Association, and must comply with the applicable ethical standards[15];
  • Pharmacists are bound to register at the Pharmacists Bar Association, and must comply with the applicable ethical standards[16];
  • Angola does not have any particular regulation with respect to traditional medicine or to chiropractic, homeopathy, acupuncture, therapeutic massage therapy, and therapeutic reflexology;
  • Pharmaceutical Activities are regulated by Presidential Decree No. 191/10[17];
  • Health care establishments such as hospitals, clinics, and similar facilities, are regulated by the Regulation on Health Care Services in Hospitals and Other Health Facilities[18];
  • Health care establishments belonging to the public sector are regulated by Presidential Decree No. 260/10[19];
  • Medical schemes, medical scheme administrators and managed health care organizations are regulated by the Bases for the Reform of the Welfare Systems[20]; and
  • The supply of medicines to the public sector is regulated by the Central for Supply and Distribution of Medicines and Medical Devices of Angola (CECOMA)[21].

Those role players who are organs of state would also be required to comply with public procurement laws[22] in procuring cloud services.

  • a. Health practitioners are regulated by the professional boards mentioned above, i.e., the Doctors Bar Association and the Nurses Bar Association;

    b. The Public Health National Institute regulates the laboratories national network, traditional medicine, primary health care, and hygiene environment[23];

    c. The Ministry of Health regulates the overall activities and institutions related to the health care system; and

    d. Health establishments are regulated by the relevant Provincial Departments of Health.

  • The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be taken into account, relating to, amongst other things, the obligation on relevant role players to keep confidential and not to disclose certain information (see below).

  • There is presently no uniform regulation of cloud services in Angola. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:

    • Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, and precluding disclosure save in specified circumstances, such as with consent of the patient or by court order (such duty is foreseen as an ethical rule for the medical professions and is sustained by the constitutional right to privacy).[24]
    • Health establishments: the person in charge of the health establishment which is in possession of a person's health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept (such obligation is inherent to the constitutional right to privacy).
    • Medical schemes: where managed health care is undertaken by the medical scheme itself or by a third party managed health care organization, the scheme must ensure that a written protocol is in place (which forms part of any contract with a managed health care organization) that deals with confidentiality of clinical and proprietary information. These protocols may need to be amended to reflect the move to cloud services. This is inherent to the right to privacy set forth in the Angolan Constitution.[25]
    • Pharmacies: the minimum standards for record keeping procedures provide that patient medication records must be kept in the pharmacy, and that the pharmacist is bound by professional secrecy[26].

    Given the sensitive nature of health information, it goes without saying that the chosen cloud solution must be secure, and help customers ensure compliance with their data privacy obligations. That said, the relevant provisions of Law No. 22/2011 of 17 June (Data Protection Law)[27] must be complied with, including article 14º, which requires the written consent of the relevant person and/or authorization from the data protection authority for such health data to be disclosed.

  • No, there are no laws requiring approval from healthcare regulatory authorities for use of cloud services. Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

    The role players in the healthcare industry which are organs of state (such as a public healthcare establishment) will also need to follow specific processes (which may necessitate certain approvals) required by the applicable public procurement laws in procuring cloud services.

    To the extent that health information is to be transferred outside of Angola without compliance with the data transfer requirements set out below, the responsible party will require prior notification to the Angolan data protection authority.[28]

  • The Health Inspection Services[29] of the Ministry of Health have broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, a health officer may require the person in charge of a health establishment such as a hospital to produce for inspection or for purposes of making copies or extracts any document including any health record that the establishment is required to maintain. These inspections usually entail the inspectors attending at the scheme's premises and requesting copies of any information considered necessary for the inspection.

  • There are no data transfer requirements specifically for the healthcare industry, but the Data Protection Law will regulate the transfer of personal information and provides that the communication of data to a sub-contracted data processor can only be carried out if the following conditions are complied with[30]: (a) the subcontractor and the data controller must enter into a written agreement or other legally valid written document, under which terms the subcontractor undertakes to comply with the provisions of the Data Protection Law and to act according to the instructions of the data controller; and (b) notification to the Angolan data protection authority[31]. These rules only apply to any information with respect to any natural person (individual), but do not apply to companies.

    The data controller may only transfer personal data to a third party outside Angola after notifying the Angolan data protection authority and if the country has a level of protection at least identical to that provided by the Data Protection Law[32]. Otherwise, the transfer of personal data to a third party outside Angola has to be authorized by the Angolan data protection authority, and such authorization may only be granted when the specific circumstances set out in the Data Protection Law are complied with[33].

    Microsoft holds itself accountable and subject to the laws of general application applicable to information technology service providers, and has binding agreements, which, in its view, are likely to constitute adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

  • [1] Constitutional Law of the Republic of Angola (article 77, 1 “The State promotes and assures the measures necessary to grant to all citizens the right to medical and sanitary assistance…”) and Law 22/11 of 17 June 2011 (Preamble). Accordingly, the National Development Plan 2018-2022 establishes in §265 that it is a priority in the health sector to reinforce the Information and Management Sanitary System via its modernisation.
    [2] See, for example, Microsoft Cloud for Health and our Cybersecurity in Health solutions. Also see Microsoft Compliance Offerings filtered by "health" industry.
    [3] ISO/IEC 27001:2013 Information Security Management Standards
    [4] ISO/IEC 27017:2015 Code of Practice for Information Security Controls
    [5] ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
    [6] Azure, Dynamics 365, and Microsoft 365 compliance offerings
    [7] Cloud Security Alliance (CSA) STAR Certification
    [8] See here for more information on HIPAA: HIPAA and the HITECH Act
    [9] Licence Agreement for Publicly Available Standards 17788
    [10] Licence Agreement for Publicly Available Standards 17789
    [11] Information technology - Cloud computing - Reference architecture
    [12] Law no. 21-B/92, dated the 28th of August.
    [13] Dispatch no. 1114/14, dated the 15th of May.
    [14] The Doctors Bar Association has been created by Decree no. 68/97, dated the 19th of September.
    [15] The Nurses Bar Association has been created by Presidential Decree no. 179/10, dated the 18th of August.
    [16] Presidential Decree 191/10, dated 1st September – Approves the Pharmaceutical Activity Regulation (especially articles 55, 22, 1. b) and 62).
    [17] Presidential Decree no. 191/10, dated the 1st of September.
    [18] Legal Diploma no. 3964, dated the 31st of December 1969, modified by Legal Diploma no. 10/72, dated the 13th of January 1972.
    [19] Presidential Decree no. 260/10, dated the 19th of October.
    [20] Law no. 2115, dated the 18th of February 1962.
    [21] Presidential Decree no. 269/14, dated the 22nd of September.
    [22] Namely, with Law no. 9/16, dated the 23rd of September.
    [23] Presidential Decree no. 279/14, dated the 26th of September.
    [24] Law 21-B/92, dated 28 August 1992 (article 13, 1 d), Law 22/11, dated 17 June 2011 (article 14), The Doctors Bar Association Statutes (article 13, c), The Nurses Bar Association Statutes (article 67, f), Presidential Decree 191/10, dated 1st September (articles 55, 22, 1. b) and 62).
    [25] Law 22/11, dated 17 June 2011 (article 30).
    [26] Article 62 of the Presidential Decree no. 191/10, dated the 1st of September.
    [27] The Law on the Protection of Personal Data, Law no. 22/11, dated the 17th of June.
    [28] Law 22/11, dated 17 June 2011 (articles 33 and 34)
    [29] The “Inspecção Geral de Saúde” is a service of the Ministry of Health whose competences are broadly indicated in article 18 of Presidential Decree no. 21/18, dated 30 January 2018, and they include broad inspection powers as well as closing down the premises that don’t comply with the legislation in force.
    [30] Law no. 22/2011 of 17 June
    [31] Article 23, section 1, of the Data Protection Law.
    [32] Article 33, section 2, of the Data Protection Law.
    [33] Article 34 of the Data Protection Law.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.