• Regulation
  • Africa’s eHealth legal framework needs developing – unpacking the 3rd Global Survey on eHealth

    Africa’s eHealth legal and regulatory framework is behind global trends, as eHNA has reported. More insights are provided in Chapter 6 of the WHO Global Observatory for eHealth (GOe) publication Global diffusion of eHealth: Making universal health coverage achievable, the report of the third global survey on eHealth. The report's data source is the WHO Global Survey 2015.

    Key findings include:

    • Slow but steady development of general eHealth regulation, with 33% of countries having specific policies or legislation to define medical jurisdiction, liability or reimbursement of eHealth services
    • About 47% have legislation to promote the safety, quality and standards of health-related data
    • About 78% have health data privacy legislation and 55% have legislation to protect the privacy of electronically held patient data. These are up from 73% and 31% in 2010, so a big step up for eHealth data laws.

    The survey focused on EHRs, which are dealt with in detail in Chapter 5. They are seen as the basis of eHealth systems, so a good indicator of general eHealth regulatory framework maturity. Consequently, countries that don’t have EHRs aren’t covered.

    Africa’s overall position is about half the global average. Catching up is not easy. Much of the current eHealth regulation is generic, such as data protection laws and telecommunications regulation, and it takes time to find a slot in countries' legislative programmes. eHNA posted that Angola took some five years to complete its data protection laws. This is a typical timescale; other countries have said they need similar periods to move eHealth regulation on.

    The challenge is exacerbated because eHealth regulation extends well beyond EHRs. Examples are data transfer and communication using mHealth services and new regulatory aspects such as eHealth governance and cyber-security. African countries will be unable to set up comprehensive regulations for all eHealth settings in the medium term, so setting eHealth regulation priorities is crucial.

    Beyond these, eHealth laws and regulations need finance and resources for a regulatory body and for compliance reviews. These have to compete with finance and resources for expanding eHealth services and for emerging demands such as cyber-security and human capacity building. An important question for Africa is how much eHealth regulation is needed.


    Image from the WHO report

  • India’s planning eHealth laws to tackle data breaches

    As cybercrime expands and eHealth becomes more exposed to it, India is planning legislation providing comprehensive civil and criminal remedies for eHealth data breaches. It will also set up an enforcement agency. Provisions are being drafted to deal with any breach of patients’ data.

    A report in the Times of India says the legislation will include a comprehensive legal framework to protect individuals’ eHealth data, ownership of eHealth data, and health data standardisation for data collection, storage and exchange. African countries could benefit by monitoring India’s initiative as a comparator for their own eHealth legislation and regulation.

    Much of Africa’s eHealth is in its infancy, so most African countries don’t have specific eHealth regulations. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then. eHNA reported previously on Africa’s eHealth regulatory perspectives. Much more remains to be done, but it must not stifle innovation.

  • African eHealth needs data protection laws

    With much of Africa’s eHealth in its infancy it’s not surprising that most African countries don’t have specific eHealth regulations in place. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then.

    One way to address this shortfall is for Africa to follow the EU's example in laying down common laws to help countries protect data as governments implement eHealth. A Liquid Telecom report, Cybersecurity and Data Protection, in ITWEB Africa, highlighted Uganda, Kenya, Tanzania, Ghana, Zimbabwe and South Africa as countries that are in the process of initiating data protection laws in Africa. eHNA reported recently that Angola has approved its data protection laws.

    Kenya’s Data Protection Bill 2013 aims to make it difficult for third parties to mine personal information without the owners’ consent. Ghana’s Data Protection Act 2012 is facing slow enforcement. South Africa passed its legislation in September 2016. In Zimbabwe privacy is enshrined in the constitution. The only initiative to encompass most African countries is the African Union's Convention on Cyber Security and Personal Data Protection 2014, which remains unratified by countries.

    "Some 53 African states came together to agree a legal framework to regulate various fields of ICT activity, ranging from e-transactions and personal data protection to cyber security. The convention is not however any kind of legally binding instrument, and requires that individual countries put its principles into their own statute book," the report said.

    Data protection laws are important for successful eHealth development. While regulation usually lags behind implementation, it’s key that eHealth is regulated and that regulations are passed in good time.

    Even though the continent’s efforts for general data protection are fragmented and need further development, the report believes that some countries are progressive. "There still needs to be more consensus on the meaning of key terms like 'consent', 'public interest' and 'legitimate grounds'. But there is hope that such details can be thrashed out and enshrined in a binding framework that both protects citizens and allows for healthy economic development," the report suggests.

    Data protection in healthcare is an important first step to protecting patients’ private medical data. While it’s a good foundation, more specific eHealth regulations are needed. An eHNA post sets out some of the challenges and links to an article setting out some eHealth regulation themes for Africa that can sit alongside privacy.

  • Angola moves data protection on

    In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), put Africa’s eHealth regulation about 45% behind developed countries. A year earlier, in 2011, Angola’s Data Protection Law No. 22/11 came into force. It provided for a Data Protection Authority (DPA) to be established.

    It defined personal data as 'any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.' This generic definition is important for advancing regulation for the country’s eHealth.

    The GMS study for ESA identified the long lead time needed to convert eHealth regulatory principles into enabling legislation. The project’s workshops with selected sub-Saharan countries identified a realistic legislative process of about five years. Angola’s experience of moving its data protection initiative on shows that long time scales are needed.

    An article in Data Protection Leader says Angola’s President, His Excellency President José Eduardo dos Santos, approved the DPA framework in Decree No. 214/16 on 10 October 2016, some five years after the Data Protection Law passed. The DPA’s roles include receiving notifications and filings from those processing data, supporting the Government in developing and establishing data protection policy, and representing the country in international data protection initiatives.

    As Africa’s health systems develop their eHealth regulatory environments, it’s essential that realistic timetables are set. The ESA study and Angola’s data protection experience show that progress won’t be rapid. It reinforces the need to start, and to sustain the momentum needed to close the gap.

  • Africa’s eHealth regulation needs a boost

    eHealth regulation in Africa trails well behind developed countries. A study for the European Space Agency (ESA) in 2012, led by Greenfield Management Solutions, put the gap at about 45 percentage points.

    Acfee’s Tom Jones writes in Data Protection Leader (DPL) “Not much has changed since 2012.” Considerable challenges remain, including:

    1. eHealth regulation must compete with other eHealth priorities
    2. eHealth regulatory bodies or organisations need establishing, requiring enacting legislation to define their delegated powers and resources
    3. This kind of legislation can take several years to agree on with stakeholders and more time to find a place in countries’ legislative agendas for approval
    4. eHealth regulations need enforcement and compliance reviews, which require resources and new skills
    5. Recruiting, training and retaining smart compliance teams is essential
    6. With so many other competing priorities, it is likely that any recruitment and training developments of eHealth regulation will be modest
    7. Phased, long term, sustainable and achievable goals are needed.

    This seems like an insurmountable task. Tom Jones proposes a starting point: setting specific eHealth regulation for privacy, building on the generic privacy legislation already in place in 88% of African countries. Because privacy requirements stretch across many aspects of eHealth, this provides a route into the choices for subsequent steps towards broader legislation. The article sets out examples of these.

    As eHealth keeps expanding with new initiatives, like Big Data and analytics, the eHealth regulation gap keeps widening. It’s essential that Africa’s health systems start to catch up.

  • EC’s mHealth privacy code can meet Africa’s regulation needs

    African countries recognise the need for privacy in eHealth. Many countries’ privacy regulations are for general data protection and may not be specific enough for all eHealth services. With mHealth being a major part of Africa’s eHealth, it seems to offer a good template to start to build up and apply eHealth regulations.

    The European Commission (EC) offers a helpful starting point. Its draft Code of Conduct on privacy for mobile health apps has been completed. It’s derived from data protection law and is awaiting formal approval. Once approved, app developers can volunteer their commitment to comply with the Code.

    The Code is structured around eleven questions:

    1. How should app users’ consent be obtained, including valid, explicit consent from citizens to collect and use their data
    2. What main principles need adopting before making an mHealth app available, including purpose limitation, data minimisation, transparency, privacy by design, privacy by default and citizens’ rights
    3. What information shall be provided to users before they can use any app: a formal notice that identifies the app developer; describes the purpose of the data processing, how the data will be used and how it fits with products and services, and guarantees fair processing; states the precise categories of personal data that the app will process; states whether personal data will be transferred from the user’s device and, if so, to whom; sets out users’ rights to access and correct their personal data; informs users that their consent is needed before the app processes their personal data; provides contact information where users can ask questions about data protection; and contains a link to a full privacy policy
    4. How long can data be retained, including acknowledging the challenges of irreversibly anonymising health data when retention periods expire
    5. Security measures, including confidentiality, integrity and availability of the personal data processed by apps, and completing Privacy Impact Assessments (PIA)
    6. Can apps contain advertisements, including authorisation by users and different approaches for advertising involving personal data
    7. What’s needed before disclosing data to a third party for processing, including data used for scientific research, analytics or Big Data analysis
    8. Can personal data collected by apps be used for secondary purposes, including processing operations needing agreements with third parties
    9. Where can gathered data be transferred to, including compliance with the rules for international data transfers
    10. What action’s needed if there’s a personal data breach, including who to notify
    11. How can data be gathered from children, including parental consent, especially when apps are for children’s use

    A set of questions is suggested for completing a PIA. They are:

    1. Which kinds of personal data will the app process?
    2. For which purposes will this data be processed?
    3. How has users’ consent been obtained to process their data for every type of use foreseen?
    4. Was someone designated to answer questions about the app’s privacy requirements?
    5. Was the app developed in consultation with a healthcare professional to ensure that data is relevant for the app’s purposes and not misrepresented to users?
    6. Explain what’s been done to meet a set of security objectives, or explain why they’re not relevant:
    • Principles of privacy by design and privacy by default have been followed
    • Data has been pseudonymised or anonymised wherever possible
    • Appropriate authorisation mechanisms have been built into the app to avoid unlawful access
    • Effective encryption has been used to mitigate the risk of breaches
    • Independent system security audits have been considered
    • Users are informed when updated versions are available
    • Old versions of the app are blocked if the update is security critical
    7. The app has been developed using known guidelines on secure app development and secure software development
    8. The app has been tested using mock data before it’s made available to real end users
    9. Incidents affecting remotely stored data can be identified and addressed
    10. If any personal data collected or processed by the app is transferred to a third party, have appropriate contractual guarantees about their obligations been obtained, including purpose limitation, security measures and their liability?
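    Two of the PIA objectives above, pseudonymisation and data minimisation, are easy to get subtly wrong. The block below is an added example, not code from the EC Code or from any app it covers: it shows why a plain SHA-256 of a patient identifier is not a pseudonym (any small identifier space can be re-hashed and matched), how a keyed HMAC held only by the data controller fixes that, and how a per-purpose field allow-list implements purpose limitation. The sample record, the identifier format, the purposes and all function names are constructed for the example.

```python
"""Pseudonymisation and purpose-based data minimisation for an mHealth record.

Added example: the record, identifier format and purpose names are constructed
and hypothetical, not taken from the EC Code or any real app.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample upload from a glucose-tracking app.
SAMPLE_RECORD = {
    "patient_id": "ZA-0001234",      # hypothetical national-style identifier
    "name": "A. Example",
    "phone": "+27000000000",
    "glucose_mmol_l": 6.4,
    "timestamp": "2016-11-02T07:30:00Z",
}

# Purpose limitation: each declared purpose may only receive the fields it needs.
PURPOSE_FIELDS = {
    "glucose_trend_analytics": {"glucose_mmol_l", "timestamp"},
    "clinician_review": {"patient_id", "glucose_mmol_l", "timestamp"},
}


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Looks anonymised, but anyone can hash candidate IDs and match."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reverse_naive_pseudonym(pseudonym: str, id_space: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the unkeyed hash: re-hash every candidate and compare."""
    for candidate in id_space:
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept by the data controller only.

    Without the key, an attacker cannot run the enumeration above, because
    every candidate would have to be checked against an unknown key.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields the purpose needs; pseudonymise the identifier if kept.

    Unknown purposes raise KeyError rather than silently releasing everything.
    """
    allowed = PURPOSE_FIELDS[purpose]
    out = {field: value for field, value in record.items() if field in allowed}
    if "patient_id" in out:
        out["patient_id"] = keyed_pseudonym(out["patient_id"], key)
    return out


def demo() -> dict:
    """Run the attack and the two protections; return the results for inspection."""
    # A small, structured ID space: 10 million 7-digit IDs is cheap to enumerate,
    # so a 2,000-entry slice is enough to show the point here.
    id_space = [f"ZA-{n:07d}" for n in range(2000)]
    key = secrets.token_bytes(32)   # generated per deployment, never shipped in the app
    return {
        "recovered_from_naive": reverse_naive_pseudonym(
            naive_pseudonym(SAMPLE_RECORD["patient_id"]), id_space),
        "analytics_view": minimise(SAMPLE_RECORD, "glucose_trend_analytics", key),
        "clinician_view": minimise(SAMPLE_RECORD, "clinician_review", key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The analytics view carries no identifier at all, which is the strongest form of minimisation; the clinician view keeps a pseudonym that the controller can later resolve with its key, which is what the Code means by pseudonymised rather than anonymised. Rotating the key re-pseudonymises every record, so key management belongs in the PIA alongside the hashing choice.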

    The Code is the culmination of a wide range of contributions. It’s a very valuable contribution as best practice for attaining privacy in apps and for this aspect of mHealth regulation. App developers in Africa can enhance their products by showing how they’ve complied, even if countries haven’t incorporated the Code into eHealth regulations. These can follow promptly if countries use the EC Code as the initial draft for their own bespoke versions.

  • eHealth algorithm and regulation let down cardiovascular patients

    When eHealth contributes to mission-critical healthcare activities, it’s vital that it’s accurate, reliable, consistent and available. It seems that the UK’s NHS may have experienced a bit of a problem.

    A report in The Times says “hundreds of thousands of patients could have been put at risk of heart attack and stroke or wrongly prescribed statins because of a software glitch.” It seems that an algorithm, the QRISK2 calculator, wasn’t right. As a result, GPs had to contact all patients whose cardiovascular risk had been assessed using the SystmOne clinical system since 2009, so over the last seven years. Some 2,700 GP surgeries may be affected. The Medicines and Healthcare Products Regulatory Agency (MHRA) has started an investigation.

    TPP, SystmOne’s owner, says that its solution contains over 40m patient records from more than 5,000 NHS organisations. These include more than 2,700 GP practices and 142 prisons. The system is verified by the NHS Health and Social Care Information Centre.

    TPP and the MHRA are collaborating to resolve the matter. It’s envisaged that it’ll take some time. The events reveal the need for effective eHealth regulation and compliance, a lesson for African countries. As eHealth moves further into using algorithms to support clinical activities, more regulation and compliance reviews are needed, including checking that an implemented clinical algorithm still matches its published reference after every software update. Effective eHealth regulation is costly. So is the lack of it.

  • mHealth growth outstripping regulation isn't good

    Huge mHealth growth over recent years has left regulation chugging along in the inside lane. A team from the Netherlands’ National Institute for Public Health and the Environment (RIVM) has analysed the difference and found a need to catch up.

    Its findings are in the Journal of Medical Internet Research (JMIR). From about 5,80 mHealth apps in 2011, there were over 23,000 in the iTunes store in 2013, but not much is known about their uses, effectiveness and risks. The study focused on an inventory of 116 apps and other tools used with medication. Diabetic patients were asked to complete a questionnaire about their experiences with the apps.

    Many apps mainly offer simple functionalities. Users reported the greatest benefits for regulating blood glucose levels. A minority of apps for medication use carry potentially high risks. For some apps, it’s unclear whether and how personal data are stored.

    A small subset of tools might involve relatively high risks. For the larger group of non-medical devices, risks are lower, but there’s still a mismatch between the enormous availability and low levels of regulation. Users and nonusers said there are issues with the overall quality of apps, such as ease of use, completeness and good functionalities.

    Important mHealth benefits for users, such as better health and self-reliance, arise from regulating blood glucose levels, so improving reliability and quality is likely to offer more benefits. Increased mHealth awareness’s important too. 

    A big challenge remains. There’s still a mismatch between the enormous availability and low levels of regulation. Africa has a regulation deficit compared to developed countries, and as its mHealth expands, catching up will be more demanding. Starting now’s a good option.


    Image from DigitalHealth.net

  • A regulation guide helps mHealth developers

    As more mHealth initiatives build up their momentum, it’s important that they comply consistently with countries’ regulations. Accessing and understanding these can be a bit like trudging through treacle. In the USA, the Federal Trade Commission (FTC) has produced a simple online guide and questionnaire that developers can use to work their way through the regulations they need. It’s a joint project with the Department of Health and Human Services, the Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR) and the Food and Drug Administration (FDA).

    It’s an initiative that Africa’s health systems can adopt and develop, but it’s clearly a considerable undertaking needing extensive engagement. With fewer mHealth regulations than the USA, an equivalent service should be less demanding to produce. Acfee has a regulation database and model that can provide a start.

    There are three sections:

    • What are the laws?
    • Which laws apply to developers’ mHealth apps?
    • Glossary 

    For Africa’s health systems, the laws may include data protection acts, telecommunications regulations and generic rights of citizens. Health regulations are relevant too. Acfee’s eHealth regulation database shows that many African countries have specific eHealth regulations, so an online checklist will need to be updated as eHealth regulations are developed and applied.

    A set of questions identifies the applicable laws. They include:

    1. Will the app create, receive, maintain, or transmit identifiable health information?
    2. Is the developer a healthcare provider or health plan?
    3. Do consumers need a prescription to access the app?
    4. Is the app being developed on behalf of a hospital, doctor’s office, health insurer, or health plan’s wellness programme?
    5. Is the app intended for diagnosing diseases or other conditions, or curing, mitigating, treating or preventing diseases?
    6. Does the app pose minimal risk to users, such as:
      1. Managing their diseases or conditions without providing specific treatment suggestions
      2. Providing users with simple tools to organise and track their health information
      3. Providing easy access to information about health conditions or treatments
      4. Helping users document, show or communicate potential medical conditions to healthcare providers
      5. Automating simple tasks for healthcare providers
      6. Enabling users or providers to interact with EHRs
      7. Transferring, storing, converting the format of, or displaying medical device data?
    7. Is your app a mobile medical app intended for:
      1. Use as an accessory to a regulated medical device
      2. Transforming a mobile platform into a regulated medical device
      3. Performing sophisticated analyses or interpreting data from another medical device
    8. Does the app offer health records directly to consumers, or does it interact with, or offer services to, someone who or an entity that does?

    Yes or no answers to each question link directly to a list of the laws and regulations that developers need to conform to. It’s very easy to use. A glossary offers more information. It’s an ideal template for Africa’s health systems to use to begin to move their eHealth and mHealth regulations on.

  • Does Africa need telemedicine regulations?

    The place of telemedicine isn’t always clear. Some doctors are content to use it without specific regulations; others want clarity on how it fits with traditional patient and doctor relationships and encounters.

    The USA’s District of Columbia has started formal consultation on telemedicine regulations. There are 14. They may help Africa’s telemedicine to move into a regulated environment. A generalised summary is:

    1. To use telemedicine, a license to practice medicine is required, with some exceptions in existing laws and regulations, together with a requirement to comply with regulations in the jurisdictions where the telemedicine providers and patients are physically located
    2. Doctors’ medical decisions using telemedicine must adhere to the same standards of care as decisions in face-to-face encounters with patients
    3. Patient evaluations are needed that meet the requirements in existing standards before providing recommendations or making treatment decisions for patients except when performing interpretive services
    4. Doctors must ensure that interpretive services do not result in clinically significant loss of data from image acquisition through transmission to final image display
    5. Doctors practicing telemedicine shall:
      1. Obtain and document patient consent, except for interpretive services
      2. Create and maintain adequate medical records
      3. Follow requirements of existing laws and regulations for confidentiality of medical records and disclosure of medical records
      4. Adhere to other existing relevant laws, requirements and prohibitions
    6. Doctors shall perform patient evaluations to establish diagnoses and identify underlying conditions or contraindications to recommended treatment options before providing treatment or prescribing medication
    7. Licensed doctors may rely on patient evaluations performed by another licensed doctor if the former is providing cover for the latter
    8. If doctor-patient relationships don’t include prior in-person, face-to-face interactions with patients, doctors shall use real-time auditory communications or real-time visual and auditory communications to allow a free exchange of protected health information between patients and the doctors performing the patient evaluation
    9. Licensed telemedicine practitioners shall have the current, minimal technological capabilities to meet all standard of care requirements in order to use telemedicine to deliver services or treatment
    10. Adequate security measures shall be implemented to ensure that all patient communications, recordings and records remain confidential
    11. Written policies and procedures shall be maintained when using email for doctor-patient communications, and these shall be evaluated periodically to make sure they are up to date in addressing:
      1. Privacy, to assure confidentiality and integrity of patient-identifiable information
      2. Responsibilities of all health care personnel, including doctors, who process messages
      3. Hours of operation and availability
      4. Types of transactions permitted electronically
      5. Required patient information to be included in communications, such as patients’ names, identification numbers and types of transactions
      6. Archival and retrieval of patient records
      7. Quality oversight mechanisms
    12. All relevant patient-doctor emails and other patient-related electronic communications shall be stored and filed in patients’ medical records
    13. Patients shall be informed of alternate forms of communications between them and doctors for urgent matters
    14. All licensees shall be subject to the requirements of health and healthcare laws and regulations.

    It’s a start for Africa’s telemedicine regulations where health systems haven’t started down this road. As the District of Columbia recognises, consultation with the medical profession is the vital first step. Other stakeholders can make contributions too. Having agreed telemedicine regulations, the follow-up is to ensure effective implementation and compliance.