
Mauritius: Cloud in Healthcare Services

An Interactive Guide for Legal and Compliance Professionals


REGULATORY OVERVIEW

The Mauritian Government is committed to providing universal, accessible and quality healthcare services free to the population, and recognizes that technology can be leveraged to improve the quality of service delivery across all public health institutions.[1] The Government eHealth vision is to “exploit ICT to extend seamless continuity of care through affordable, high-quality, user-centric service to all healthcare stakeholders in Mauritius and to promote knowledge and networking among them.”[2]

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Healthcare is a highly regulated sector, so it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE MAURITIAN HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease - in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft has valuable worldwide experience from engagements with healthcare institutions, providers and regulators.

Microsoft is also committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organizations and people across the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organization on the planet to achieve more in a safe, secure and legally compliant manner.

Microsoft stands ready to support our healthcare customers in Mauritius with the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.[3]

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 27001[4] and 27002 as well as the cloud specific extensions ISO/IEC 27017[5] and ISO/IEC 27018[6] (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC3[7] as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)[8]. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA).[9] Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 17788[10], ISO/IEC 17789[11] and ITU-T Y.3502[12] to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in Mauritius comprises many different stakeholders and role players. Each role player in the system is, in turn, regulated by specific Acts and Regulations, including:

  • Health practitioners, for example doctors, dentists, physiotherapists and emergency care personnel, are regulated by laws including the Medical Council Act[13] and the Dental Council Act, which regulate medical practitioners and dentists, respectively;
  • Nurses are regulated by the Nursing Council Act[14];
  • Allied health profession practitioners who engage in, for example, chiropractic, homeopathy, acupuncture, therapeutic massage therapy, therapeutic reflexology and ayurvedic medicine are regulated by the Ayurvedic and Other Traditional Medicines Act[15];
  • Health care establishments such as hospitals, clinics and similar facilities are regulated by the Private Health Institutions Act[16];
  • Medical schemes provided under insurance schemes are regulated by the Insurance Act;
  • Pharmacists are regulated by the Pharmacy Council Act[17] and, inter alia, the supply of medicines is regulated by the Dangerous Drugs Act[18].

Those role players who are organs of state would also be required to comply with public procurement laws in procuring cloud services.

  • The key regulator in this industry is the Ministry of Health and Quality of Life which is responsible for the health sector and the co-ordination of health service delivery generally and regulates health establishments.

    There are also many other regulators regulating practitioners and healthcare industry role players.[19] All these regulatory bodies are established under separate Acts of Parliament but account and answer to the Ministry of Health within their respective mandates.

  • The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be considered, relating to, amongst other things, the obligation on relevant role players to keep confidential and not to disclose certain information (see below).

  • While there is no regulation expressly pertaining to cloud services in Mauritius, the type of information moved to the cloud may fall under the Data Protection Act 2017 (“DPA 2017”). Role players in the healthcare sector would need to be mindful of legislative and regulatory provisions including:

    • Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, and precluding disclosure save in specified circumstances, such as with consent of the patient or by court order.
    • Health establishments: the person in charge of the health establishment which is in possession of a person's health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept.
    • Pharmacies: the person in charge of the pharmacy must ensure that security and organizational measures are put in place so that customers’ personal data, including health information, are protected from, e.g., unauthorized disclosure or destruction.
  • There are no laws requiring approval from health regulatory authorities for the use of cloud services; however, to the extent that a healthcare customer moves personal data to the cloud, it will have to comply with the DPA 2017. The role players in the healthcare industry which are organs of state (such as a public healthcare establishment) will also need to follow specific processes (which may necessitate certain approvals) required by the applicable public procurement laws in procuring cloud services.

  • The Regulatory Authorities possess fairly broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, as regards the activities of a pharmacist, an inspector is empowered under the Pharmacy Act[20] to inspect premises registered or licensed under the Act and examine any document required to be kept under the Act. As regards health information, the Medical Council is empowered to request the production of documents if it is investigating a complaint of professional misconduct.[21]

  • Under DPA 2017, personal data[22] may be transferred out of Mauritius provided the requirements of DPA 2017 are met.

    Health data of an individual may be transferred to another country with the explicit consent of the individual concerned (after the individual has been informed of any possible risks of the transfer owing to the absence of appropriate safeguards), or if other statutory derogations apply.[23] Permitted circumstances include where the Commissioner has been provided with proof of appropriate safeguards, or if such transfer is necessary for the performance of a contract with the individual or in order to protect the vital interests of the individual or of other persons (where the individual is physically or legally incapable of giving consent).[24]

    Microsoft holds itself accountable and subject to the laws of general application applicable to information technology service providers, and has binding agreements, which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone


*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.