• Regulation
  • Kenya takes the lead with new ethical and legal rules for mHealth

    All eHealth has legal and ethical implications. Kenya Standards and Guidelines for mHealth Systems sets out the Ministry of Health approach. A core component is responsibility to protect data stored on mobile devices from unauthorised access. It proposes two authorisation levels.

    The standards make it explicit that mHealth developers must comply with Kenya’s laws. It requires that data is:

    Obtained and processed fairly and accuratelyOnly collected for specified and legitimate purposesNot used inappropriatelyOnly stored for as long as it’s neededRecorded appropriately and proportionatelyAccurate.

    Standards for using mHealth data and devices include:

    OwnershipAccess and disclosureStorage required within Kenya’s jurisdiction without formal authorisationMaintain confidentiality when used for diagnoses and prescriptionsComply with data protection and other technology legislation and regulationComply with intellectual property rights.

    Kenya’s mHealth must also comply with WHO guidelines. These add to Kenya’s strict regulatory code. It offers a standard for all Africa’s eHealth.

  • AeHIN and Acfee to collaborate on supporting regional eHealth

    At today’s eHealthAFRO, Jai Ganesh Udayasankaran, Council Member of the Asian eHealth Information Network (AeHIN) presented his organisation’s history and successes. It plays a substantial catalytic role in supporting eHealth’s development in the Asian region.

    Mr Udayasankaran confirmed that AeHIN will collaborate with Africa’s emerging network, the Africa Centre for eHealth excellence (Acfee), on several aspects of eHealth that are priorities both for Africa and Asia. The main themes include:

    eHealth governanceeHealth regulationCyber-security.

    eHealth governance is well-developed in AeHIN. It promotes COBIT 5, a sophisticated standard. Most of Africa’s eHealth governance needs an initial entry point. Countries can use AeHIN’s experiences to see a trajectory of where their eHealth governance could lead.

    Acfee’s research on eHealth regulation in Africa reveals a significant deficit. The 2013 data are a few years out of date, though progress remains slow. They show an extensive reliance on telecommunications regulations, with little specific eHealth regulation, as shown below.

    These figures are well behind good practices. The deficit’s about 45% points, showing that progress is vital to avoid the African region falling further behind.

    Cyber-security has become increasingly critical. Acfee accumulates data on issues, priorities and guidance, much of which is posted on eHNA. Acfee’s basic cyber-security handbook for Africa sets out some features in what are rapidly changing and more effective cyber-threats.

    Collaboration with AeHIN will move further ahead this year. Progress will be reported at next year’s eHealthAFRO 2018 and in eHNA

  • Kenya’s mHealth standards for documentation add clarity

    Covering a wide range of mHealth standards, Kenya’s Ministry of Health has set a firm foundation to step up its wide eHealth regulation and good practices. The first main section in Kenya Standards and Guidelines for mHealth Systems deals with development and functions. It’s comprehensive.

    Software development has to comply with a set of phases: 

    Requirement gatheringSystems analysisSystems designDevelopment and implementationSystems testingOperations and maintenanceSupportPost-implementation M&E.

    Documentation needed for these includes:

    ·       Systems Requirement Specification (SRS)

    ·       Software design documents, depending on the mHealth software design methodology, will include some of:

    o   Unified Modelling Language (UML) diagrams

    o   Data Flow Diagrams (DFD)

    o   Flow charts

    o   Entity relationship diagrams

    ·       Implementation plan, including:

    o   Implementation manual

    o   Training and capacity building manual

    ·       Test plans

    ·       Deployment procedures

    ·       M&E criteria.

    Three other required documents are:

    Technical manualDeveloper’s guideUser manual.

    Four requirements for data validation are included:

    First order, ensure valid data formats and values and prevent obvious data entry errorsSecond order, historical data comparisons for alerts for changesThird order assess data for consistency in specific forms and indicator setsFourth order, assess statistical outliers for validity. 

    These examples show the range and rigour of Kenya’s mHealth standards. They fit all types of eHealth too. It’s a considerable benchmark for all Africa’s health systems.

  • Kenya’s setting up new mHealth legislation

    Africa’s eHealth legislation and regulation needs considerable developed. Kenya’s stepping it up, eHealth experts have welcomed proposed eHealth legislation, including the Health Act 2017 and the Kenya Standard and Guidelines for mHealth Systems. They see the legislation as facilitating Interoperability (IOp) between private and public healthcare, and as guidelines to move wider eHealth on says an article in ITWEB Africa.

    The Health Act 2017 says within three years of its operation, the Ministry of Health (MoH) will implement management information banks. They’ll include an IOp framework for data interchange and security to improve personal health information management.

    Tony Wood, Managing Director at My Dawa, an online service for ordering prescription and wellness products, said he welcomed legislation that builds the eHealth ecosystem. "With everything, as you look at the world, technology is moving faster than regulation, governments and policy. More can now be done on how these are implemented going forward. I hope they are going to be implemented through open consultation where the public and private sector are working together." This seems like the next step.

    The 66-page guidelines are wide ranging. They set out definitions and extend across mHealth implantation, standards, governance and policy. The proposed legislation’s scheduled for debate in the national assembly. It’s a crucial stepping stone implementing successful and sustainable mHealth and wider eHealth.

  • UK’s NHS made illegal patient data transfer to Google’s DeepMind

    As eHealth expands its reach, and Artificial Intelligence (AI) becomes routine, benefits will increasingly depend on health systems handing over their patient data to specialist companies. It seems inevitable, but it might not always be legal. The UK’s NHS found that it wasn’t.

    An article in the UK’s Guardian says the Royal Free London NHS Trust, based in London, broke the law in November 2015 when it transferred 1.6m patient-identifiable records to DeepMind, the AI outfit owned by Google. It was part of a project where DeepMind’s built Streams, an app that provides clinical alerts about kidney injury. It needed the data for testing.

    The ruling says by transferring the data and using it for app testing, the Royal Free breached four data protection principles and patient confidentiality under common law. It sees the transfer as not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it, and their information rights weren’t available to them. 

    The UK’s Information Commissioner agreed. Its view’s that the core issue wasn’t the innovation. It was the inappropriate legal basis for sharing data which DeepMind could use to identify all the patients. A better way’s to keep the data in the health system and interface with apps such as Streams only when a clinical need arises. 

    Two issues are important. One’s dealing with an apparent data-grab of millions of patient records by a global organisation. The other’s the way the NHS seems keen to embed a global company into its routing working. Both need regulating and protection of patients’ rights and interests. 

    These offer insights for Africa’s health systems to deal constructively with external eHealth and AI firms. The relationships are already on a trajectory. A lesson from the NHS and DeepMind project’s essential that Africa avoids being dragged along its wake. There’s still time to do it.

  • Sierra Leone sets up a National eHealth Coordination Hub

    Succeeding with eHealth’s complexities across national health systems invariably needs a core organisation. Sierra Leone’s Ministry of Health and Sanitation has set up its National eHealth Coordination Hub to co-ordinate and regulate eHealth. It’ll also support eHealth expansion across the country’s health system. The Ministry of Information and Communications is a leading part of the initiative too.

    A report in Awoko says support’s provided by UNICEF as part of a US$2 million project financed by the United States Agency for International Development (USAID) to strengthen Sierra Leone’s eHealth Management Information System in Sierra Leone. It’s part of the US Government’s commitment to strengthen health systems and services after Ebola. Laurie Meininger, Deputy Chief of Mission, said the Awoko that “Sierra Leone is taking a step in the right direction, recognizing the growing importance of health coordination for the future health and sustainable development goals in Sierra Leone.”

    The Hub has three main goals I supporting the government’s eHealth ambitions. They’re:

    Co-ordinationRegulationImprove alignment of data with national health system goals.

    Acfee’s regulations database has extending across 64 eHealth regulation topics shows Africa’s health systems trailing those on other continents. Catching up’s a big task that needs resources for regulation risk assessments, regulation decisions and compliance reviews. Selecting and implementing relevant and appropriate priorities are essential to expanding eHealth regulations.

    It’s an important achievement. For Africa’s health systems, affordable, sustainable eHealth decisions are tough to take. Creating the Hub provides Sierra Leone with a constructive way to take them. 

  • Africa’s eHealth legal framework needs developing – unpacking the 3rd Global Survey on eHealth

    Africa’s eHealth legal and regulatory framework is behind global trends, as eHNA has reported. More insights are provided in Chapter 6 of the WHO Global Observatory for eHealth (GOe) publication eHealth Report of the third global survey on eHealth Global diffusion of eHealth: Making universal health coverage achievable. The report's data source is the WHO Global Survey 2015.

    Key findings include:

    Slow but steady development of general eHealth regulation, with 33% of countries with  specific policies or legislation to define medical jurisdiction, liability or reimbursement of eHealth servicesAbout 47% have legislation to promote safety, quality and standards of health related dataAbout 78% have health data privacy legislation and 55% have legislation to protect the privacy of electronically patient data. They’re up from 73% and 31% since 2010, so a big step up for eHealth data laws.

    The survey focused on EHRs, which are dealt with in detail in Chapter 5. They are seen as the basis of eHealth systems, so a good indicator of general eHealth regulatory framework maturity. Consequently, countries that don’t have EHRs aren’t covered.

    Africa’s overall position’s about half the global average. Catching up is not easy, Much of the current eHealth regulation’s generic, such as data protection laws and telecommunications regulation. It takes time to find a slot in countries' legislative programmes. eHNA posted that Angola took some five years to complete its data protection laws. This’s a typical timescale that other countries have said is needed to move eHealth regulation on.

    The challenge is exacerbated because eHealth regulation extends well beyond EHRs. Examples are data transfer and communication using mHealth services and new regulatory aspects such as eHealth governance and cyber-security. African countries will be unable to set up comprehensive regulations for all eHealth settings in the medium term, so setting eHealth regulation priorities is crucial.

    From these, eHealth laws and regulations are needed alongside finance and resources for a regulatory body and compliance reviews. These have to compete with finance and resources for expanding eHealth services and emerging demands such as cyber-security and human capacity building. An important question for Africa’s how much eHealth regulation’s needed?

    -------------------------------------

    Image from the WHO report

  • India’s planning eHealth laws to tackle data breaches

    As cybercrime expands and eHealth becomes more affected and infected, India’s planning legislation for comprehensive civil and criminal remedies for eHealth data breaches. It’ll also set up an enforcement agency. Provisions are being drafted to deal with any breach of patients’ data.

    A report in the Times of India says the legislation will include a comprehensive legal framework to protect individual’s eHealth data, ownership of eHealth data, and health data standardisation for data collection, storage and exchange. African countries could benefit by monitoring India’s initiative as a comparator for their own eHealth legislation and regulation.

    Much of Africa’s eHealth in its infancy, so most African countries don’t have specific eHealth regulations. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then. eHNA reported previously on Africa’s eHealth regulatory perspectives. Much more remains to be done, but it must not stifle innovation.

  • African eHealth needs data protection laws

    With much of Africa’s eHealth in its infancy it’s not surprising that most African countries don’t have specific eHealth regulations in place. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then.

    One way to address this shortfall is for Africa to follow the EU's example in laying down common laws to help countries protect data as governments implement eHealth. A Liquid Telecom report, Cybersecurity and Data Protection, in ITWEB Africa, highlighted Uganda, Kenya, Tanzania, Ghana, Zimbabwe and South Africa as countries that are in the process of initiating data protection laws in Africa. eHNA reported recently that Angola has approved its data protection laws.

    Kenya’s Data Protection Bill 2013 aims to make it difficult for third parties to mine personal information without owners’ consents. Ghana’s Data Protection Act 2012 is facing slow enforcement. South Africa passed its legislation in September 2016. In Zimbabwe privacy is enshrined in the constitution. The only initiative to encompass most African countries is the African Union's Convention on Cyber Security and Personal Data Protection 2014, which  remains unratified by countries.

    "Some 53 African states came together to agree a legal framework to regulate various fields of ICT activity, ranging from e-transactions and personal data protection to cyber security. The convention is not however any kind of legally binding instrument, and requires that individual countries put its principles into their own statute book," the report said.

    Data protection laws for successful eHealth development are important. While regulation usually lags behind implementation, its key that eHealth’s regulated and regulations are passed in due time.

    Even though the continent’s efforts for general data protection  are fragmented and need further development, the report believes that  some countries are progressive. "There still needs to be more consensus on the meaning of key terms like 'consent', 'public interest' and 'legitimate grounds'. But there is hope that such details can be thrashed out and enshrined in a binding framework that both protects citizens and allows for healthy economic development," the report suggests.

    Data protection in healthcare is an important first step to protecting patients private medical data. While it’s a good foundation, more specific eHealth regulations are needed. An eHNA post sets out some of the challenges and has a link to an article setting out some eHealth regulation themes that for Africa’s eHealth that can go alongside privacy.

  • Angola moves data protection on

    In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified the gap at about 45% behind in Africa’s eHealth regulation compared to developed countries. A year before, in 2011, Angola’s Data Protection Law No. 22/11 came into force in 2011. It provided for a Data Protection Authority (DPA) to be established.

    It defined personal data as 'any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.' This generic definition is important for advancing regulation for the country’s eHealth.

    The GMS study for ESA identified the long lead time needed to convert eHealth regulatory principles into enabling legislation. The project’s workshops with selected sub-Saharan countries identified a realistic legislative process of about five years. Angola’s experience of moving its data protection initiative on shows that long time scales are needed.

    An article in Data Protection Leader says Angola’s President, His Excellency President José Eduardo dos Santos approved DPA framework in Decree No.214/16, on 10 October 2016, some five years after the Data Protection Act passed into law. The DPAs’ roles include receive notifications and fillings from data processes, support the Government to develop and establish data protection policy and represent the country in international data protection initiatives

    As Africa’s health systems develop their eHealth regulatory environments, it’s essential that realistic timetables are set. The ESA study and Angola’s data protection experience shows that progress won’t be rapid. It reinforces the need to start and sustain a momentum to close the gap.