Male technician wearing lab coat and gloves, using microscope in laboratory office of Chicago hospital.

Nigeria: Cloud in Healthcare Services

An Interactive Guide for Legal and Compliance
Professionals

DOWNLOAD OUR WHITEPAPER: DATA SOVEREIGNTY & THE CLOUD –
A HEALTHCARE PERSPECTIVE

DOWNLOAD OUR LATEST WHITEPAPER

REGULATORY OVERVIEW

The Nigerian government and policy makers have over time, expressed a growing commitment to addressing the gaps in the quality of health care services in Nigeria and to help grow a healthcare industry which provides quality healthcare for all. Despite the fact that technology is yet to be substantially utilized in the provision of health care services in Nigeria, the government recognises that technology can be leveraged to provide solutions to some of the country's greatest challenges, including in health.1

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk

MICROSOFT'S COMMITMENT TO THE NIGERIAN HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians, and researchers to improve detection and diagnosis, treatment, and management, as well as prediction and prevention of disease—in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft is therefore committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

Microsoft stands ready to support our healthcare customers in Nigeria. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - from data centres located in Africa, which will offer enterprise-grade reliability and performance to customers across the country and region. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.2

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 270013 and 27002 as well as the cloud specific extension ISO/IEC 270174 and ISO/IEC 270185 (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC36 as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)7 . Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA).8 Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 177889, ISO/IEC 1778910, and ITU-T Y.350211 to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in Nigeria comprises many different stakeholders and role-players at the federal, state and local council level. The National Health Act, 2014 ("NHA") provides the framework for the regulation, development and management of the health system and sets standards for rendering health services in Nigeria. Each role-player in the system is, in turn, regulated by specific Acts and Regulations, including:

  • medical practitioners and dental surgeon are regulated by the Medical and Dental Practitioners Act12, Community Health Practitioners (Registration, Etc.) Act
  • nurses and midwives are regulated by the Nursing and Midwifery (Registration, etc) Act
  • pharmacists are regulated by the Pharmacists Council of Nigeria Act
  • medical laboratory scientists are regulated by the Medical Laboratory Science Council of Nigeria Act
  • federal university teaching hospitals are regulated by the University Teaching Hospitals (Reconstitution of Boards, Etc.) Act.
  • various state university teaching hospitals are regulated by relevant university teaching hospital Acts.
  • health care facilities such as hospitals, clinic, and similar facilities are regulated by relevant state laws of the state where the health care establishments are located. In Lagos, for example, the Lagos State Health Sector Reform Law 2006 regulates the health facilities.
  • healthcare insurance is regulated by the National Health Insurance Scheme Act;
  • manufacture, exportation, importation, distribution, salem and use of drugs is regulated by the National Agency for Food and Drugs Administration and Control Act;

Those role players who are organs of state would also be required to comply (1) with public procurement laws in procuring cloud services13 and (2) other regulations that may affect the adoption of cloud services by organs of state.

    1. Key regulators in this industry include the Federal Ministry of Health14, State Ministry of Health15, Ministry of Health in every state in Nigeria16, Community Health Practitioners Registration Board of Nigeria17, the Medical and Dental Council of Nigeria 18,and the National Health Insurance Scheme (NHIS)19.
    2. There are also many other regulators regulating other practitioners and healthcare industry role-players20.

  • The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be considered, relating to, amongst other things, the obligation on relevant role players to keep confidential and not to disclose certain information.

  • There is presently no specific or uniform regulation of cloud services for healthcare in Nigeria. A move to cloud services would require consideration of a number of regulatory regimes in various sectors that may impact the adoption of cloud services by the public sector. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:

    • Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, and precluding disclosure save in specified circumstances, such as with consent of the patient or by court order.21
    • Health establishments: the person in charge of the health establishment which is in possession of a person's health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.22
    • Food and Drugs Administration: disclosure of information regarding certain substances is prohibited under the Food and Drugs Act except (i) with the written consent of the person who supplied the information; or (ii) in accordance with the directions of the Minister of Health; or (iii) for the purposes of any proceedings under the Food and Drugs Act.23
    • Medical schemes: All NHIS accredited health care facilities are required to put in place a functional medical records unit/department as a prerequisite to their accreditation. The unit is required to coordinate the information technology of the facility.24
    • Pharmaceutical Laboratories: All pharmaceutical laboratories are to establish and maintain procedures for the identification, collection, indexing, retrieval, storage, maintenance, and disposal of and access to all quality and technical/scientific records. Laboratories are to ensure that (i) data processing equipment is verified as being suitable to use; (ii) procedures are established and implemented for protecting the integrity of data and for making, documenting and controlling changes to information stores in computerised systems25; and (iii) electronic data should be backed up at appropriate regular intervals to prevent loss.26 Manufacturers, Importers, Wholesalers, and Retailers of drugs, Poisons and devices are also mandated to keep appropriate records of the receipt and disposal of drugs.27

    Given the sensitive nature of health information, it goes without saying that the chosen cloud solution must be secure, and help customers ensure compliance with their data privacy obligations.28

  • No, there are no specific laws requiring approval from healthcare regulatory authorities for use of cloud services. However, certain processes may need to be followed and certain requirements, waivers or authorisations may need to be met prior to migrating to cloud services. Regard must also be given to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

    The role-players in the healthcare sector which are organs of state (such as a public healthcare establishment) will also need to follow specific processes (which may necessitate certain approvals) required by the applicable public procurement laws in procuring cloud services. They might also, in certain circumstances, need to engage with the National Information Technology Development Agency (“NITDA”).

  • The Regulatory Authorities possess broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, a health officer may undertake inspection of imported food, drugs, cosmetics, medical devices, bottled water, and chemicals and establish relevant quality assurance systems, including certification of the production sites and of the regulated products.29 Similarly, the auditors appointed under the National Health Insurance Scheme Act are entitled at all reasonable times to require to be produced to them accounts and other records kept by a Zonal Office and to inquire from any member, agent, or employee of the Zonal Office such information and explanations as in the opinion of the auditors are necessary for the purpose of their audit.30 Other regulations also allow authorized personnel access to inspect documents which may contain relevant information on certain conditions.31

    Also, health workers or health care providers that have access to the health records of a user may disclose such health records to any other person, health care provider, or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of their duties where such access or disclosure is in the interest of the user.32

  • Various data protection provisions may be applicable. Under the draft NITDA Guidelines on Data Protection (the "Draft Guidelines"), personal information may be transferred out of Nigeria provided the requirements of the Draft Guidelines are met. The Draft Guidelines will permit the transfer of personal information outside Nigeria where adequate provisions are in place for its protection. This could take the form of legislation or contractual provisions which ensure adequate protection of personal information or could be sanctioned by consent of the data subject.

    Microsoft holds itself accountable to and subject to laws of general application applicable to information technology service providers, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO/IEC 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

  • 1 National Health ICT Strategic Framework 2015 – 2020 issued by the Federal Ministry of Health
    2 See, for example, Microsoft Cloud for Health and our Cybersecurity in Health solutions. Also see Microsoft Compliance Offerings filtered by "health" industry.
    3 ISO/IEC 27001:2013 Information Security Management Standards
    4 ISO/IEC 27017:2015 Code of Practice for Information Security Controls
    5 ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
    6 Microsoft compliance offerings
    7 Cloud Security Alliance (CSA) STAR Certification
    8 See here for more information on HIPAA: HIPAA and the HITECH Act
    9 Licence Agreement for Publicly Available Standards 17788
    10 Licence Agreement for Publicly Available Standards 17789
    11 Information technology - Cloud computing - Reference architecture
    12 CAP M8 Law of the Federation of Nigeria 2010
    13 Public Procurement Act 2007, Lagos State Public Procurement Agency Law 2011
    14 Which regulates health practitioners, nurses, health establishments, medical schemes, managed health care organisations and medical scheme administrators and pharmacists,
    15 Which regulates health practitioners
    16 Which regulates health establishments, nurses and pharmacists
    17 Which regulates health practitioners
    18 Which regulates health practitioners
    19 Which regulates medical schemes, managed health care organisations and medical scheme administrators
    20 Such as Nursing and Midwifery Council of Nigeria (for nurses); Pharmacists Council of Nigeria (for pharmacists); the Pharmacists Council of Nigeria, The Registration of Pharmaceutical Premises Regulations, 2005, Inspection, Location and Structure of Pharmaceutical Premises Regulations, 2005, and in certain circumstances, the National Agency for Food and Drugs Administration and Control (all for pharmacies, including pharmaceutical companies), the National Agency for Food and Drugs Administration and Control and the Nigeria Customs Service (for manufacturers, wholesalers and distributors of medical devices) and the Nigerian Institute of Medical Research and the National Institute for Pharmaceutical Research and Development (for researchers and scientists).
    21 Section 26, Part III of the National Health Act 2014, Sec 10 (3), 11 (1),13(1) and 14 (4) of the HIV and AIDS (Anti-Discrimination) Act,
    22 Section 29, Part III of the National Health Act 2014
    23 Section 4(3) Foods and Drugs Act, CAP F32, LFN 2004
    24 Section 2.13.11.National Health Insurance Scheme Operational Guidelines 2012
    25 Section 1.14 of the NAFDAC Guidelines for Good Practices in Pharmaceutical Quality Control Laboratories 2016
    26 Section 1.19 of the NAFDAC Guidelines for Good Practices in Pharmaceutical Quality Control Laboratories 2016
    27 Section 5, Registration of Pharmaceutical Premises Regulation, 2005.
    28 The NHA mandates health care providers to protect health records by setting up control measures to prevent unauthorised access. Under the draft National Information Technology Development Agency Guidelines on Data Protection 2017 (the “Draft Guidelines”), personal information also includes medical records.
    29 Section 5 of the National Agency For Food And Drug Administration And Control Act, CAP N1 LFN 2004.
    30 Section 25 of the National Health Insurance Scheme Act
    31 Section 6(f), 8 (d) Counterfeit and Fake Drugs and Unwholesome Processed Foods (Miscellaneous) Act, Section 17 Dangerous Drugs Act, Section 10(1e) Foods and Drugs Act
    32 Section 27 of the NHA

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Learn more

Privacy

Our policies and processes help keep your data private and in your control

Learn more

Compliance

We provide industry-verified conformity with global standards

Learn more

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

Slide %{start} of %{total}. %{slideTitle}

Data Sovereignty & the cloud – a Healthcare perspective

LEARN MORE
Close-up of medical lab technician‘s gloved hands placing vial of blood in vial rack.
A close up of a woman with line illustrations on the left-hand side

AI in Africa

Download the full whitepaper to learn more about the future of AI in Africa.

Learn more
A man and a woman using Microsoft HoloLens

The Future Computed

Artificial Intelligence and its role in society

Read more Download the book
Global network security illustration with tablet and stylus in background

GDPR

Safeguard individual privacy with the Microsoft Cloud

Take GDPR assessment
Highway lights blur to depict fast digital connection

Digital Transformation in the Cloud

Partnering with Microsoft helps your organization transform into a digital company by developing new capabilities.

Read more Download the book
Microsoft Cyber Defense Operations Center

Cloud for Global Good

A roadmap to a trusted, responsible, and inclusive cloud

Read more Download the book

CUSTOMER STORIES

Australian Government Department of Health Logo

Department of Health

Department of Health injects more clarity with Dynamics 365

Read more
Alder Hey Children’s Hospital Logo

Alder Hey Children’s Hospital

Alder Hey Children’s Hospital plans to take holograms into the operating theatre

Read more
Northwell Health Logo

Northwell Health

New York’s largest healthcare provider streamlines patient care processes with Microsoft business application

Read more
Nuffield Health Logo

Nuffield Health

With Azure AD B2C, top UK healthcare provider now offers a secure web portal as user-friendly as its facilities

Read more
National Department of Health, South Africa Logo

National Department of Health, South Africa

The South African government’s National Department of Health (NDoH)

Read more
Providence St. Joseph Health Logo

Providence St. Joseph Health

Providence St. Joseph Health is moving beyond the typical...

Read more
Phulukisa Logo

Phulukisa

Read more
Varian Logo

Varian

Varian Medical Systems is a leading radiotherapy company recognized for its advanced treatment

Read more
Medical Teams International Logo

MTI

Medical Teams International, a nonprofit provider of health care and humanitarian aid

Read more
Soddo Logo

Soddo

Opened in 2005, Soddo Christian Hospital is a 130-bed, full-service facility serving Wolayita

Read more
Fortis Logo

Fortis

Transforming IT to create organizational value requires a change in outlook

Read more
INAIL Logo

Italian National Institute for Insurance Against Accidents at Work

The National Institute for Insurance Against Accidents at Work (INAIL) in Italy wanted to...

Read more
365mc Logo

365mc

365mc improves the efficiency and safety of Liposuction with data analysis

Read more
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.