Study on Regulatory Aspects - ESA Business Applications Regulatory Study... · CISSP Certified Information Systems Security Professional ... International relations initiatives

Sate l l i te -Enhanced Telemedicine and eHealth for Sub -Saharan Afr ica

(eHSA) Programme

Study on Regulatory Aspects

Summary Report 16-07-2013

The work described in this report was done under ESA contract. Responsibility for the contents resides in the author or organisation that prepared it. The copyright in this document is vested in Greenfield Management Solutions. This document may only be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form, or by any means electronic, mechanical, photocopying or otherwise, either with the prior permission of Greenfield Management Solutions or in accordance with the terms of the ESA Contract N: 4000105500/12/NL/AD.

Summary Report: Study on Regulatory Aspects of eHealth Page 2 of 37

ESA Tender AO/1-6936/11/NL/AD

Contents

1. Abbreviations ....................................................................................................................... 4

2. Executive Summary .............................................................................................................. 5

2.1 Overall study goal .................................................................................................. 5

2.2 Study structure ...................................................................................................... 5

2.3 Main achievements ................................................................................................ 6

2.4 Linked initiatives .................................................................................................... 6

2.5 Implications ........................................................................................................... 6

3. Why regulate eHealth? ......................................................................................................... 7

4. Overview of the study on regulatory aspects ....................................................................... 7

4.1 Study benefits ........................................................................................................ 7

5. The Reference Regulatory Model (RRM) .............................................................................. 9

5.1 eHealth regulation priorities ................................................................................ 11

6. Global good practice .......................................................................................................... 12

6.1 Selected countries................................................................................................ 12

6.2 Completeness of the relevant regulatory framework ........................................... 12

6.3 Proven fertility of the regulatory framework ........................................................ 12

6.4 Challenges faced by the good practice countries .................................................. 13

6.5 Strengths, Weaknesses, Opportunities and Threats (SWOT) analyses ................... 13

7. The eHealth regulatory environment in SSA ...................................................................... 14

7.1 Key issues for developing eHealth regulation ....................................................... 14

8. The eHealth Regulation Readiness Index (RRI) ................................................................... 18

8.1 RRM index ........................................................................................................... 20

8.2 ITU and WHO index .............................................................................................. 21

8.3 Healthcare per capita spending ............................................................................ 21

8.4 The RRI ................................................................................................................ 22

8.5 General issues in all countries .............................................................................. 23

9. The roadmap for ready countries ....................................................................................... 25

9.1 Roadmap method for the ready countries ............................................................ 26

9.2 Essential roadmap activities ................................................................................. 26

9.3 eHealth regulation action plan ............................................................................. 27

9.4 eHealth regulation challenges .............................................................................. 29

9.5 Decisions for eHealth regulation .......................................................................... 30

9.6 Action plan for eHealth regulation ....................................................................... 30



9.7 Risk assessment for average rated countries ........................................................ 33

10. The roadmap for other countries ....................................................................................... 35

11. The eHealth regulation workshops ..................................................................................... 35

12. Conclusions ........................................................................................................................ 37



1. Abbreviations

AU African Union

AUC African Union Commission

BYOD Bring-your-own-device

BPMN Business Process Model and Notation

CISSP Certified Information Systems Security Professional

eHSA eHealth for Sub-Saharan Africa

ESA European Space Agency

HPO Healthcare Provider Organisation

ICT Information Communication Technology

ITU International Telecommunications Union

REC Regional Economic Community

RRI Regulatory Readiness Index

RRM Regulatory Reference Model

SSA Sub-Saharan Africa

SWOT Strengths, Weaknesses, Opportunities and Threats

WHO World Health Organization

WHO-AFRO World Health Organization - African Region



2. Executive Summary

2.1 Overall study goal

The eHealth regulation study is one of four horizontal studies that contribute to the planning phase of the satellite-enhanced telemedicine and eHealth for sub-Saharan Africa (eHSA) Programme. Its primary objective is to provide an overview of the eHealth regulatory framework needed for eHealth services. The study:

Provides an overview of eHealth regulation in 48 African countries

Suggests specific actions needed to implement a complete eHealth regulatory framework

Identifies the most promising scenarios for implementing fertilisation projects in the implementation phase of the eHSA Programme.

The goal of the eHSA Programme is to “enable the development of a satellite-enhanced eHealth and telemedicine infrastructure for the benefit of the Sub-Saharan African region”. The programme is a key recommendation of the Telemedicine Task Force, a group which was set up to develop a detailed understanding of telemedicine opportunities in SSA and formulate recommendations for implementation.

The programme emphasises strong African ownership, contribution to United Nations’ Millennium Development Goals (MDGs), and support to counteract the workforce shortage in the region.

2.2 Study structure

The study on eHealth regulation is one of four horizontal studies that address aspects needed to support successful eHealth initiatives. The three other studies address governance, interoperability and sustainability. Each study addresses the four thematic eHealth areas of the eHSA Programme: eCare, eLearning, eSurveillance and eAdministration/ eGovernance.

The study on regulatory aspects deals with seven tasks to:

1. Develop a Reference Regulatory Model (RRM) for eHealth 2. Identify worldwide good practice to fertilise the eHealth roadmap 3. Describe the current eHealth regulatory environment in sub-Saharan Africa (SSA) 4. Critically review the eHealth SSA regulatory environment using a Regulation

Readiness Index (RRI) 5. Propose a roadmap for countries that are ready to develop their eHealth regulation 6. Propose a roadmap for other countries 7. Organise eHealth regulation workshops to engage with African countries and

promote the use of the study findings.

Each of these is summarised in separate sections below.



2.3 Main achievements

The high-level achievements and findings for the seven main tasks are:

1. The RRM was developed and instantiated for all types of eHealth. It includes 64 eHealth regulatory aspects, grouped into six eHealth regulation aspects.

2. Five good practice countries were identified: Brazil, Canada, Estonia, Malaysia and Norway. They provided performance measures for the 64 eHealth regulatory aspects.

3. The current eHealth regulatory environment in SSA was reviewed. It lags behind the five good practice groups on all six eHealth regulation aspects. This is particularly because SSA relies primarily on telecommunications, data protection legislation and cyber-security legislation, rather than specific eHealth regulations.

4. Ten SSA countries were classified as ready to develop eHealth regulation using a RRI that comprises each country’s: RRM position, information society and eHealth maturity using the International Telecommunications (ITU) information development index and the World Health Organization’s (WHO) eHealth survey, and healthcare spending per capita.

5. A roadmap was developed for the ten ready countries. It has a five-year horizon with the first two years assigned to developing eHealth regulation processes, organisations and resources and compliance, then expanding specific eHealth regulation from year three.

6. A roadmap was developed for the other countries. It has a five-year horizon with the first four years assigned to developing eHealth regulation processes, organisations, resources and compliance, then expanding specific eHealth regulation from year five as they expand their eHealth initiatives.

7. Countries that attended the eHealth regulation workshops reported enthusiasm for the study and committed themselves to taking the initiatives forward in the steps proposed by the roadmap.

2.4 Linked initiatives

International relations initiatives established during the study include:

1. Commitment from the African Union Commission (AUC) to contribute to coordination of communication with countries and using the study to develop its eHealth regulation policies and initiatives for the whole of Africa

2. Commitment from WHO-AFRO to support dissemination and promote the study as part of its eHealth strategy

3. Local arrangements for the study team to provide modest, short-term support to some ready countries after the study’s May 2013 conclusion, including launch of a web based platform for sharing information about eHealth in Africa, which will be maintained by NGO TinTree International eHealth.

2.5 Implications

There are three critical findings from the study. The first is that eHealth regulation in SSA countries lags behind the good practice countries by some 45%. The second is that ten SSA countries, about 21%, are closer to good practice countries and are more ready for eHealth



regulation than the other SSA countries. Third these ready countries need about five years to assemble eHealth regulation priorities, processes, organisations, resources and legislation. Taking all three findings together, it shows that eHealth regulation is a long-term initiative for SSA.

3. Why regulate eHealth?

Two workshops on the findings of the study with selected SSA countries identified a common challenge: making the case for eHealth regulation in order to secure the processes, organisations, resources and legislation needed to implement the regulations. The question “why regulate eHealth?” needs an answer. There are several reasons. Two drivers of eHealth regulation identified at the workshops were to:

Improve and sustain security to respond to increasing challenges

Develop the eHealth market by enhancing the role of ministries of health, encouraging effective competition between eHealth suppliers, and increasing certainty and market stability for suppliers.

There are many other reasons to strengthen eHealth regulation, which combine to enable decision makers to set clear goals, strategies, priorities and objectives for eHealth regulation. Examples are:

Protect patients and citizens using services that rely on eHealth

Ensure that countries can expand sustainable eHealth successfully and economically for the benefit of patients, citizens and the healthcare system

Clarify links between eHealth regulation and the regulation of the healthcare system

Help to strengthen the healthcare system

Ensure effective collaboration with other countries.

eHealth regulation is distinct from other regulatory efforts that are critical to healthcare service provision, though it frequently needs to interface with them. Examples of related healthcare issues requiring regulation are:

Access – expand access to healthcare services

Quality – ensure quality of healthcare services

Redress – deal with specific grievances between patients, citizens and communities against healthcare professionals or health professional organizations.

These principles apply equally and consistently to ESA’s four eHealth categories of eLearning, eCare, eSurveillance and eAdministration/eGovernance.

4. Overview of the study on regulatory aspects

4.1 Study benefits

The study will enable SSA countries to strengthen their eHealth regulatory environments, to answers questions such as:



What regulation do I need for my telemedicine service?

I'm planning an electronic patient record system for all our hospitals, so which regulations do I need now?

I have an unregulated, multi-national eSurveillance initiative, so what regulations do I need in place over the next four to five years?

I want my health workers to use eLearning more, so what regulations do I need?

We need to improve our billing performance, so what regulations do I need to use aggregated workload data with case-mix groupings?

Addressing questions like these needs three broad eHealth regulation categories:

Generic eHealth regulations that fit most, or all countries

eHealth regulations specific to each country’s needs for national and cross-border regulations

Regional, international and global regulations.

The study has many components that have complex links. Figure 1 shows an overview of the eHealth service and eHealth regulatory environments addressed in the study.

Figure 1: Overall view of the eHealth regulation study

Countries’ eHealth Initiatives

Countries’ eHealth

Priorities

eHealth Services

RRM

eHealth Regulatory

Environment

Ready Countries

Countries’ eHealth

Regulation Priorities

Ready Countries

Countries Not Yet Ready

Countries’ eHealth Regulation Initiatives

eHealth Regulation Readiness Assessment

Countries Not Yet Ready

Generic Road Map

Continuous eHealth Regulation Development

Regulatory Environment Services

AU, NEPAD, RECs, WHO eHealth

Regulation Priorities

AU, NEPAD, RECs, WHO eHealth

Priorities

SSA Country Reviews Legend:



The RRM is based on an overarching principle that eHealth regulation should be relevant to each country’s needs, not designed to match regulation in litigious, developed countries. This principle applies to the entire study. Relevance depends extensively on identifying and building from each country’s current regulatory coverage and eHealth profile. The study uses the RRM and RRI for SSA countries to identify each country’s opportunities to adopt and develop eHealth regulation to support the provision of eHealth services.

Countries attending the eHealth regulation workshops were clear that reaching a position of continuous eHealth regulation development is a long-term goal. They see the need for sustained support and capacity building to reach it.

5. The Reference Regulatory Model (RRM)

This RRM provides a mechanism to identify which regulations apply to which issues in eHealth service implementation and provision. The various regulatory issues identified in eHealth service provision in the RRM provide a comprehensive specification of how regulation affects the different types of eHealth services. The specification includes descriptions of the extent to which regulation affects the implementation and provision of eHealth. For instance, telecommunication licensing might affect the implementation environment of eHealth services, whereas provisions for telecommunication tariffs in regulation will directly affect the operation of some eHealth services and the extent of eHealth service uptake.

The structure enables the RRM to identify the types of regulation needed for eHealth services. It also provides the foundation for extended analysis as countries expand their eHealth regulatory aspects and enables the management of the complex relationships that emerge.

Figure 2: The RRM cube

Figure 2 shows the RRM as a split cube, a four-dimensional object with each face representing a two dimensional relationship. The relationships are between:

eHealth categories



eHealth services

Regulatory aspects

Specific regulations.

The need for four dimensions arises because of the many-to-many relationships between each of the four variables. For each eHealth Category there is more than one eHealth Service applicable and each eHealth Service may appear in more than one eHealth Category. This pattern follows for the relationship between eHealth Services and Regulatory Aspects, and between Regulatory Aspects and Regulations.

Two main sets of data are collected for the RRM. One is about the eHealth regulatory environment, the other about eHealth services in SSA. Overall, the RRM describes a structured end-to-end framework of regulatory aspects and processes for SSA countries to consider when implementing and operating their eHealth services. It provides the means to identify and analyse the regulation and legislation needed to provide the supporting environment for eHealth. It includes regulations that comply with country’s existing and expected laws, rules, policies and practices. Figure 3 shows how the RRM structure relates to the overall eHealth regulatory environment.

Figure 3: Overview of the RRM in the eHealth regulatory environment

The RRM provides data for comparative analyses between the current regulatory environment in SSA countries and the good practices from the regulatory situation in five countries identified worldwide as part of global best practice analysis. It comprises two main parts: eHealth laws and regulations as input, and draft eHealth regulations as outputs.



Structural metadata generated about the regulatory environment for implementing the various types of eHealth supports RRM development. The metadata defines the structural components that make up the RRM’s regulatory environment. The identified business processes in the provision of the various types of eHealth services and their related business rules and regulatory aspects that match their appropriate locations in the eHealth environment are inputs to the RRM. For its output, the RRM provides generic draft eHealth regulations with prospective regulation that needs considering when implementing and operating eHealth services.

A set of business process models and notations (BPMN) are in the RRM for each of ESA’s four eHealth categories of eCare, eLearning, eSurveillance and eGovernance/ eAdministration. These business process models parameterise to fit the various types of eHealth.

5.1 eHealth regulation priorities

The study has identified numerous topics for eHealth regulation. The higher priorities include:

Access to and ownership of data

Security and access to clinical information systems by patients and care providers

Privacy and confidentiality

Informed consent for data use

Data ownership

Access rights to patient data

Integrity of data

Patient safety

Secure transmission of patient data

Electronic and physical security

Reliability of electronic portable medical devices used with eHealth

Accuracy and reliability of online information for patients

Sustainability of accuracy and integrity of electronic patient medical records

Validity and reliability of clinical decision support systems

Quality of care using eHealth processes

Availability of efficient and effective communication systems for transferring patient data

Reliability and dependability of telemedicine and telemonitoring.

These are too many for an SSA country to pursue simultaneously. Pragmatic decisions on eHealth regulatory priorities are essential together with the need to set up eHealth regulation processes, organisations and resources.

A priority may be to select privacy, confidentiality, security and standards as sufficient to deal with over the next three to five years and to sustain these into the longer-term.



6. Global good practice

6.1 Selected countries

Five countries were identified as demonstrating good practices in eHealth regulation: Brazil, Canada, Estonia, Malaysia and Norway. Experienced representatives of each country provided detailed information about their eHealth regulatory environments. The different kinds of generic eHealth regulations were listed and classified and used to reinforce the RRM. This provided a checklist to ensure that the RRM covered the full range of eHealth regulations, services and workflows.

6.2 Completeness of the relevant regulatory framework

All five good practice countries have substantially complete eHealth regulatory frameworks. They have established national foundations for eHealth and provide strong regulatory frameworks in five areas:

1. Identification and authentication: the countries designed and implemented an identification and authentication regime for health information as a fundamental part of secure and reliable access and shared health information.

2. Information protection and privacy: the countries established a robust privacy and regulatory regime to authorise specific eHealth initiatives and ensure appropriate privacy safeguards and consent processes for access to, and use of health information and participation in eHealth initiatives.

3. National eHealth information standards: most of the selected countries have a national programme to define eHealth information standards to underpin the consistent and accurate collection and exchange of health information. This involves accelerating the implementation and adoption of the eHealth standards and identifying and prioritising the next tranche of national eHealth standards.

4. Investment in information communication technology (ICT) infrastructure: the relatively poor quality of computing infrastructure of PCs, network connectivity and core patient, clinical and practice management systems across many countries worldwide is barrier to eHealth take-up. The good practice countries established mechanisms to encourage healthcare providers to implement and maintain an acceptable computing infrastructure baseline.

5. National broadband services: the countries collaborate with relevant government and telecommunications organisations to extend planned broadband connectivity infrastructure to all of their healthcare providers.

6.3 Proven fertility of the regulatory framework

The success of an eHealth system depends on the success of:

eHealth regulations

Established eHealth programmes and initiatives

Governmental support

Sustainable funding.

The five selected countries fulfil these four criteria satisfactorily.



6.4 Challenges faced by the good practice countries

All five countries have well-developed, modern health systems and are dealing with numerous similar challenges. One is the challenge to the traditional doctor-patient relationship. The Internet has made an impact on this relationship and patients can access unprecedented amounts of health information of varying quality about many types of illnesses and disorders. Regulating this service cuts across jurisdictions and is a challenge for many types of eServices in many types of commercial and business activities. Solutions are proving elusive.

Another is the challenge to the liability of healthcare professionals where, through the Internet, an individual can contact and create a professional relationship with a healthcare professional and provider in cyberspace with accompanying risk management considerations. This has many features, including:

Is a provider-patient relationship established during telemedicine consultation?

What is the appropriate standard of care for telemedicine?

What is a provider’s liability for a missed diagnosis due to technological, rather than human error?

What injuries might a patient suffer, or claim to suffer, which would stem from long distance healthcare that relies on eHealth services?

Modern information technologies have the potential for the boundaries of the body of knowledge to be expanding constantly, thus, at what point will health information become part of the body of knowledge of which a reasonable health professional would have been aware?

Since telecommunications allow medicine to be quickly and efficiently practiced across state boundaries, how are jurisdictional issues settled around healthcare providers’ liabilities?

What is the scope of medical practitioners’ duties of confidentiality of patient information in telemedicine consultations?

Are healthcare providers aware of the privacy and confidentiality issues that arise in the use of email to discuss sensitive health information?

Challenges to the right of privacy is a major issue for eHealth initiatives where modern computing capabilities mean that huge quantities of data are stored, sorted and accessed by large numbers of people in ways that were not possible before. How can adequate security and privacy arrangements be set in place for handling personal information?

How can eHealth regulators create confidence among consumers and users of both networked and non-networked industries?

How can eHealth regulators promote a secure electronic environment in line with Multimedia Super Corridor objectives?

How can eHealth regulators facilitate the registration of healthcare professionals where the advent of eHealth, provision of telemedicine services across state borders and national borders creates issues for the registration of healthcare professionals?

6.5 Strengths, Weaknesses, Opportunities and Threats (SWOT) analyses

For each good-practice country, eHealth regulatory strengths, weaknesses, opportunities and threats (SWOTs) were explored and described. Each issue that was identified for a SWOT



component was counted as 1, allowing comparison of countries strengths, weaknesses, opportunities and threats.

The SWOT analyses reveal that the number of strengths outweigh the number of weaknesses by a considerable margin, some 7.1 times in total. The external view is different. There are twice as many threats as opportunities.

Developed eHealth regulation offers reasonable strengths (54% of all SWOTs) to countries’ eHealth services, minimises their weaknesses and creates new opportunities. It does not remove all threats (25% of all SWOTs).

Whilst developing eHealth regulation is worth it, policy makers and regulatory bodies should not be complacent. eHealth regulation needs a continuing effort to take the modest opportunities and minimise the number of threats.

Figure 4 shows a summary of the number of SWOTs. The percentages show the proportionate spread of the number of strengths, weaknesses, opportunities and threats identified for each country. The sum of these four values is the full SWOT profile for each country, which is 100%.

Figure 4: Summary of SWOT analyses of five Good Practice Countries

7. The eHealth regulatory environment in SSA

7.1 Key issues for developing eHealth regulation

All SSA countries have telecommunications laws and regulations that deal with competition and the market. Many have laws dealing with computer misuse, data protection and cyber-crime. The study provides evidence that confirms that eHealth regulation is not in place, and therefore needs to be developed virtually from scratch.

EHealth Regulation SWOT Overview

0%

15%

30%

45%

60%

75%

90%

S W O T

Brazil Canada Estonia Malaysia Norway



Most constitutions include rights to privacy, providing a core component of eHealth regulation. This limited regulatory situation means that only a few countries are classified as ready.

The study identified that most SSA countries have four main issues in common:

Limited eHealth regulation, if any

Limited eHealth initiatives compared to other global regions

A need for long-term timescales that include establishing processes, organisations and resources for eHealth regulation

Considerable limitations on the availability of finance for eHealth regulation.

The regulatory environment for eHealth comprises healthcare, telecommunications, data protection and cyber security legislation. Figure 5 summarises the main links.

Figure 5: The eHealth regulatory environment

The eHealth regulatory environment was analysed and relevant eHealth services described for each of the four eHealth categories. This data, shown in Table 1, is included in the RRM.

Table 1: eHealth Services for each eHealth category

eCare eLearning eSurveillance eAdministration/

eGovernance

1. Electronic medical record systems/patient management systems

2. Electronic patient monitoring systems

3. Electronic laboratory/imaging/ other diagnostic systems

4. Electronic pharmaceutical/prescription/dispensing systems

5. Electronic decision

1. Internet based healthcare training systems that support a range of learning activities including Continued Professional Development at all levels (CPD)

2. Remote interactive healthcare training

3. Computer simulated healthcare training

4. Virtual classroom

1. Disease outbreak monitoring/notification systems

2. Health service reporting systems

3. Geographic information systems for health

4. Modelling systems for health

5. Statistical systems for health

1. Technology regulation

2. Healthcare standards

3. Technology standards

4. Interoperability

5. Integration

6. Health management information systems, including aggregation for reporting performance indicators

7. Electronic patient billing systems

Regulatory environment

Influence of culture, custom and customary law (for 31 SSA countries customary law is formalized in the constitution)

Services

Health Laws

eHealth Services

eHealth

Regulation

Data Protection Laws

Telecommunications Services

Cyber Laws

Telecommunications

Regulation

Telecommunications Laws



support systems/artificial intelligence systems

6. Vaccination and immunization

7. Electronic patient registration systems

8. Electronic patient tracking systems

9. Electronic logistics and supply chain systems

10. Telemedicine systems

11. Telemonitoring systems

12. Electronic biomedical devices

13. Electronic knowledge management systems

14. Electronic patient reminder/notification/alert systems

15. Patient information websites

16. Electronic public health awareness systems

healthcare training

5. Digital media healthcare training content

6. Electronic/digital broadcast training for health

7. eResearch and related clinical aspects

8. Electronic patient insurance systems

9. Skills and expertise

10. Governance/coordination centres

11. Standard operating procedures

12. Adoption guidelines

13. eHealth advocacy

14. Data warehousing/data mining/business intelligence systems for health

The final RRM has six eHealth regulatory aspects, with 64 sub-aspects, as shown in table 2. This template is used to compile the actual eHealth regulatory coverage for each SSA country.

The study evaluated each country’s eHealth regulatory environment and determined, for each of the 64 sub-aspects, whether it was covered in some way by existing legislation (score 1) or not (score 0). Each country’s overall eHealth regulatory coverage was calculated by counting the number of the 64 sub-aspects covered and converting this to a percentage: proportion of the sub-aspects covered. The evaluation did not test the quality of coverage or the extent of coverage, but simply whether existing law could be identified to regulate each sub-aspect.

Table 2: eHealth regulatory aspects and sub-aspects

Data & Information

Storage Access to Data

Data Communication

Technology User Data Provision of

eHealth Services

Aggregation Authorization Liability Standards Registration Definition of Services

De-identification Authentication Security Reliability Notification Licensing

Anonymisation Availability Reliability Validity Consent Accreditation

Coding (Cryptography)

Disclosure Accuracy Availability Access Limitations of non-accreditation

Security Equity Availability Licensing Compliance Cross-border

Integrity Ethics Intention Accountability Master Indices Quality of Care

Interoperability Purpose of Use Accountability Certification Administration Rights



For SSA countries that do regulate a sub-aspect, most derive it from legislation and regulations for telecommunications, data protection, computer misuse and cyber-security, rather than through specific eHealth regulations. This was regarded as sufficient to regard a sub-aspect as covered. However, the scope and effectiveness of these combined regulations applied to health is generally lower than those of the good practice countries, where sub-aspect coverage implies specific eHealth regulation.

There are considerable differences between the eHealth sub-aspect coverage for good practice and SSA countries. Table 3 shows that the average coverage for SSA countries is less than half that for good practice countries.

Table 3: Comparison of eHealth regulatory aspects coverage

Regulation Aspects Good practice

countries coverage 48 SSA countries’

coverage

Data and information storage 60% 18%

Access to data 57% 20%

Data communication 63% 15%

Technology 70% 15%

User data 53% 19%

Provision of eHealth services 67% 9%

Average 62% 16%

The combination of the lower percentage sub-aspect coverage for SSA countries in Table 3 and the limited scope and effectiveness of their eHealth regulations points to a set of three choices for SSA countries. They could assign priority to:

Expanding the number of sub-aspects covered to match the good practice levels

Improving the scope and quality of the current eHealth regulations

Developing both together.

All options rely on countries establishing their processes, organisations and resources first, as the countries at the two eHealth regulation workshops proposed.

Quality Cross-border Quality Ownership Obligations

Accuracy Functionality Confidentiality Liability

Standards Accreditation of Vendors

Digital Signatures

Ownership Rights

Privacy Deletion

Confidentiality Retention

Deletion Culture

Retention Common Law

15 7 8 10 15 9



Whilst effective telecommunications is a foundation for eHealth, the telecommunications regulatory environment’s market focus provides limited experience for eHealth regulation because the overall set of requirements is different for the eHealth case, which includes:

Privacy

Confidentiality

Data integrity and quality

Sharing data about citizens and patients, between professionals and entities

Standards for health information

Accrediting Health suppliers and their solutions

Physical security

Electronic security

Aggregating data

Transferring data.

8. The eHealth Regulation Readiness Index (RRI)

The study identified that readiness for eHealth regulation has several components, including the existing regulatory environment, maturity and usage of ICT generally, existence of eHealth services and investment in healthcare. A country’s use of general electronic information and its eHealth status provides an indication of its relative need, and readiness for eHealth regulation. The analysis includes the overall eHealth dimension.

Many countries have several eHealth initiatives. These are primarily in segments of healthcare rather than across the whole health system. An increasingly common feature is Health Management Information Systems (HMIS), although they vary in their scope and reliance on linked paper-based information.

The study team could not find any indices for eHealth regulation readiness. The RRI is a combined index made up of the sum of the following sub-indices:

eHealth regulatory coverage in the RRM

ITU Information Development Index (ITU 2011)

WHO eHealth survey (WHO 2011)

Healthcare spending per capita in 2008 (WHO 2011).

The RRM index measures the current, estimated percentage coverage of eHealth regulation sub-aspects shown in tables 2 and 3. There are 64 regulatory aspects organized in six categories. The average coverage for SSA countries is about 16% of the 64 eHealth regulatory sub-aspects, mostly for the eHealth regulatory environment supported by telecommunications and data protection, but with few specific eHealth regulations. The equivalent rate for good practice countries is about 61%, which includes several eHealth regulations. The relative presence of these sub-categories in each country provides an indication of its regulation development and is one measure of readiness.

The ITU Information Development Index and the WHO eHealth survey provide an indication of the relative status of each country’s information and eHealth development. It is part of the country reviews, and is a proxy for the information developments’ readiness for



regulation. The combined ITU-WHO index is an aggregation of the two indices to show the relative information and eHealth development status of SSA countries.

The healthcare per capita spending index is a proxy for countries’ potential to afford the resources needed for new initiatives for eHealth regulation processes, organisations and activities. Financing eHealth regulation requires sustainable finance. It competes with other healthcare priorities for resources, such as more doctors and nurses, more drugs and new drugs. Financing eHealth regulation is very demanding for countries with low healthcare spending levels. It may be marginally less demanding for countries that spend relatively more on healthcare.

Countries with the highest readiness are countries with a proven mix of:

Existing substantial investment in eHealth

Planned substantial investment in eHealth

Existing legislation for telecommunications regulation and data protection

A proxy for potentially sustainable finance for eHealth regulation

An RRI score that is more than the RRI average plus one standard deviation rating on the combined index.

Data from the RRM, external country surveys by the ITU and the WHO, and data from the RRM completed by the study team provide the data for the ranking. The average scores of the ready and not ready countries differ for each index. Figure 6 shows a comparison.

Figure 6: Comparison of Average Scores of Ready and Not Ready Countries

The RRM and spend per head indices show the biggest, considerable differences between ready and not ready countries. The ITU+WHO index shows that the difference is 60% of the not ready countries average score. For the combined index, the difference is 80%. These differences indicate a reasonable degree of difference between the two country types of ready and not ready.

0.00

1.00

2.00

3.00

4.00

5.00

6.00

RRM ITU+WHO US$ Spend Combined

Me

an S

core

s

Indices

ESA SSA Ready and Not Ready Differences for Regulatory Indices

Ready Countries Not Ready Countries Difference



The individual indices and the combined index to which they contribute are described below. The figures provided are not intended to give a detailed country by country view, but rather to illustrate visually the difference in performance of the cohort of countries designated ready defined as above the mean plus one standard deviation, compared to the rest of the countries, making up a cohort designated not ready, and below the mean plus one standard deviation.

The ranking reflects the criteria of:

Readiness of each country to adopt eHealth services from a regulatory perspective

Regulatory constraints and degrees of risk they face in implementing and operating eHealth services and their criticality

Regulatory initiatives under discussion, either on the political agenda, or in the process of approval, including accountability of stakeholders to enforce initiatives

Funding sources and their connection to the regulatory environment

External information from surveys that quantify each country’s information status.

8.1 RRM index

Figure 7 shows the rank order and scores of the RRM index. Nine countries score above the mean of 0.36 plus the standard deviation of 0.19. Three of these, Ghana, Namibia and Cape Verde, score above the mean plus one standard deviation. They have greater coverage of eHealth regulatory sub-aspects than the subsequent six ready countries. Countries scoring below the mean are shaded beige.

Figure: 7 RRM Index Rank

0.00

0.10

0.20

0.30

0.40

0.50

0.60

0.70

0.80

Gh

ana

Nam

ibia

C

ape

Ver

de

Ken

ya

Zim

bab

we

Za

mb

ia

Eth

iop

ia

Cam

ero

on

R

wan

da

Mau

riti

us

Uga

nd

a M

oza

mb

iqu

e A

ngo

la

Bo

tsw

ana

Sen

egal

M

alaw

i N

iger

ia

Seyc

hel

les

Mal

i So

mal

ia

Gu

inea

D

RC

Li

ber

ia

Sud

an

Togo

Sa

o T

om

e &

Pri

nci

pe

Tan

zan

ia

Bu

run

di

Leso

tho

N

iger

So

uth

Su

dan

Th

e G

amb

ia

Erit

rea

Ben

in

Bu

rkin

a Fa

so

Cen

tral

Afr

ican

…

Ch

ad

Co

ngo

Rep

ub

lic

Equ

ato

rial

Gu

inea

G

abo

n

Gu

inea

-Bis

sau

M

adag

asca

r Si

erra

Leo

ne

Swaz

ilan

d

ESA SSA eHealth Regulation Readiness RRM Coverage Scores



8.2 ITU and WHO index

Seventeen countries score above the mean of 3.06 plus the standard deviation of 1.05. They are shaded green in the figure above. Nine countries are above one standard deviation above the mean, shaded pale green in figure 8. The top three, Mauritius, Botswana and Seychelles, stand apart as currently having greater information maturity. The long, sloping tail of not ready countries is clear to see. Countries scoring on or below the mean are shaded beige.

Figure 8: ITU+WHO Index Rank

8.3 Healthcare per capita spending

eHealth regulation requires financial resources. These are very scarce in SSA healthcare. Few, if any, will be able to allocate significant additional resources to eHealth regulation from government sources or from within healthcare budgets. This was confirmed at the eHealth Regulation Workshops. The best possibility is to allocate a small resource for an eHealth regulation team in ministries of health. An indication of the relative scope to achieve this is to use the estimated spending per head on healthcare as a proxy.

Eight countries, 17%, score above the mean of 0.02 as share of the total SSA spending per capita, plus one standard deviation of 0.03. These are shaded green. Of these, the top five, Equatorial Guinea, Botswana, Mauritius, Seychelles and Gabon score above the mean plus one standard deviation and are shaded pale green. They stand apart as currently having more healthcare finance per head. Countries scoring on or below the mean are shaded beige. The long, sloping tail of lower healthcare financing is clearly visible. Namibia, Swaziland and Angola are in between.

0.00

1.00

2.00

3.00

4.00

5.00

6.00

7.00

8.00

Mau

riti

us

Bo

tsw

ana

Seyc

hel

les

Nam

ibia

K

enya

G

han

a R

wan

da

Sen

egal

U

gan

da

Cap

e V

erd

e M

oza

mb

iqu

e G

abo

n

Mal

i N

iger

ia

Zim

bab

we

Sud

an

Sier

ra L

eon

e C

AR

Eq

uat

ori

al G

uin

ea

Mal

awi

Som

alia

So

uth

Su

dan

Th

e G

amb

ia

Mau

rita

nia

D

jibo

uti

Za

mb

ia

Co

te d

'Ivo

ire

An

gola

Sw

azila

nd

Ta

nza

nia

M

adag

asca

r To

go

Bu

run

di

Bu

rkin

a Fa

so

Cam

ero

on

Le

soth

o

DR

C

Lib

eria

Sa

o T

om

e &

Pri

nci

pe

Co

ngo

Rep

ub

lic

Co

mo

ros

Ben

in

Erit

rea

Eth

iop

ia

Gu

inea

-Bis

sau

C

had

G

uin

ea

Nig

er

ESA SSA eHealth Regulation Readiness ITU+WHO Index



Figure 9: Spending Per Head Index Rank

8.4 The RRI

Figure 10: RRI Rank

0

200

400

600

800

1 000

1 200

1 400

1 600

1 800

Equ

ato

rial

Gu

inea

B

ots

wan

a M

auri

tiu

s Se

ych

elle

s G

abo

n

Nam

ibia

Sw

azila

nd

A

ngo

la

Djib

ou

ti

Cap

e V

erd

e Su

dan

Sa

o T

om

e an

d P

rin

cip

e Le

soth

o

Nig

eria

U

gan

da

Cam

ero

on

R

wan

da

Sier

ra L

eon

e C

on

go

Sen

egal

So

uth

Su

dan

C

ote

d'Iv

oir

e G

uin

ea-B

issa

u

Zam

bia

B

urk

ina

Faso

Th

e G

amb

ia

Mau

rita

nia

G

han

a K

enya

To

go

Tan

zan

ia

Ben

in

Mal

awi

Ch

ad

Gu

inea

M

ali

Lib

eria

M

oza

mb

iqu

e B

uru

nd

i Et

hio

pia

M

adag

asca

r N

iger

C

om

oro

s D

RC

C

AR

Zi

mb

abw

e So

mal

ia

Erit

irea

ESA SSA eHealth Regulation Readiness US$ Spend Per Head

0.00

1.00

2.00

3.00

4.00

5.00

6.00

7.00

8.00

Mau

riti

us

Bo

tsw

ana

Seyc

hel

les

Cap

e V

erd

e G

han

a Se

neg

al

Rw

and

a N

amib

ia

Uga

nd

a K

enya

Zi

mb

abw

e

Gab

on

M

ali

Mo

zam

biq

ue

Nig

eria

Su

dan

Za

mb

ia

Sier

ra L

eon

e Eq

uat

ori

al G

uin

ea

Mal

awi

Som

alia

A

ngo

la

Sou

th S

ud

an

Cen

tral

Afr

ican

…

The

Gam

bia

D

jibo

uti

M

auri

tan

ia

Co

te d

'Ivo

ire

Swaz

ilan

d

Cam

ero

on

Ta

nza

nia

To

go

Mad

agas

car

Eth

iop

ia

Bu

run

di

Bu

rkin

a Fa

so

Leso

tho

D

RC

Li

ber

ia

Sao

To

me

& P

rin

cip

e C

on

go R

epu

blic

C

om

oro

s B

enin

Er

itre

a G

uin

ea-B

issa

u

Gu

inea

C

had

N

iger

ESA SSA eHealth eHealth Regulation Combined Readiness Scores



The ranking includes all 48 SSA countries. It uses data from the RRM for each of ESA’s four eHealth categories of eCare, eLearning, eSurveillance and eAdministration/eGovernance.

Ten countries comprise the ready group of countries. They are Mauritius, Botswana, Seychelles, Senegal, Uganda, Ghana, Namibia, Cape Verde, Kenya and Rwanda.

Seventeen countries score above the mean of 3.25 plus one standard deviation of 1.17. These are shaded green. Ten countries scoring above the mean plus one standard deviation are shaded pale green. Countries scoring below the mean are shaded beige.

Figure 11 compares the ten ready countries with the five good practice countries and all the SSA countries. The ten ready countries are much closer to the good practice countries than all SSA countries, revealing a considerable difference between the ten ready countries and the other SSA countries.

Figure 11 Comparison of Percentage Coverage of Six Regulatory Aspects by Five Good Practice

Countries, Ten Ready SSA Countries and All SSA countries

8.5 General issues in all countries

There are several common issues from the readiness ranking and private research by TinTree International eHealth that are found in all SSA countries. These are summarised below and except for mHealth, not included in the SWOT to avoid repetition.

A common feature is the continuing growth in mobile phone use. This had created the consequent development and potential of mHealth. mHealth regulation is a significant matter for all SSA countries and an important component of the SWOT. mHealth regulation

0%

10%

20%

30%

40%

50%

60%

70%

80%

Data and information

storage

Access to data Data communication

Technology User data Provision of eHealth services

Average

Comparison of eHealth Regulation Coverage of Five Good Practice Countries, 48 SSA Countries and Ten Ready SSA Countries

Five good practice countries Ten ready SSA countries 48 SSA countries



is a combination of telecommunication regulation for matters such as devices, competition and prices, and eHealth regulation for the health data used in mHealth. Given the important issue of affordability, need for explicit relative priorities, the growth in, and opportunities of mHealth create challenging impacts for eHealth regulation.

The results of the study show that generic eHealth regulations are needed across the whole eHealth domain. Regulations for high priority topics such as privacy, data integrity, confidentiality, standards and security apply to all four of ESA’s eHealth categories. Segmenting these for each category dilutes the initiatives needed by ready countries to step up their eHealth regulation scope. Therefore, the SWOT is for eHealth as a whole, not specific eHealth items.

An important finding from the SWOT for SSA countries is the weakness that each country needs to establish an eHealth regulator and develop working links with the ministry of justice, ministry of technology and other regulators. This leads on to the associated requirements of processes, organisations, affordability and budgets for eHealth regulation. Without this, progress on developing eHealth regulation can only be limited at best.

Common weaknesses are that all countries need to:

Establish processes, organisations and resources for eHealth regulation, then develop their eHealth regulations, creating a demanding workload that cannot be achieved in the short term

Establish an eHealth regulator and develop working links with the ministry of justice, ministry of technology and other regulators and deal with affordability and budgets

Develop their coverage of RRM eHealth regulatory sub-aspects

Develop generic regulations for eHealth that draw from existing regulations such as data protection, telecommunications and cyber-crime prevention

Increase the use of ICT security tools, facilities and protocols

Develop the limited skills in eHealth regulation.

The eHealth workshops identified the weakness of no, or limited processes, organisations and resources for eHealth regulation. Without these components in place, countries are unable to develop and implement specific eHealth regulations. Where they are in place, countries reported severe limitations of resources for eHealth regulation.

Discussions with health ministers and senior civil servants as part of the Commonwealth Secretariat’s eHealth initiative identified affordability as the main constraint in eHealth investment. Their views are different to ESA’s, which sees an adverse or weak regulatory environment that may appear to be the showstopper for eHealth implementation and operation.

Limited affordability underpins all eHealth initiatives in SSA, but may impact unevenly. mHealth offers more scope for expansion.

Common opportunities include:

Scope for SSA countries to work collaboratively with their RECs, the AUC and WHO-AFRO in order to tackle common challenges efficiently, learn from each other and develop national capacity and capabilities for eHealth regulation.



Common threats are:

The scale of change needed for major improvement may not be affordable due to the lack of additional resources for healthcare

The time needed to develop and approve eHealth legislation, and identified as at least ten years by the eHealth regulation workshop

ICT security standards and facilities are prevalent for all SSA countries, as they are for all countries globally.

The regulations identified by the study were shown to be general principles that apply to all types of ICT, including eHealth. This principle avoids regulations that need rewriting to keep pace with developing and changing ICT and eHealth, especially the increasing reliance on mHealth in SSA. These generic foundations for regulation lead to stable eHealth regulations that apply to all four of ESA’s eHealth categories equally, without the need for specific, changing regulations. Examples are regulations for privacy, confidentiality, data integrity and security. These apply to and cut across all eHealth categories and sub-categories. The SWOT findings also apply to all types of eHealth.

9. The roadmap for ready countries

This roadmap is for SSA countries judged to have eHealth regulatory environments sufficiently fertile to be ready to adopt, totally or partially, the regulation of eHealth services in the short to medium term. Short term is up to two years, medium term is up to five years. It draws findings from the study to illustrate the regulatory requirements needed for new eHealth services in those countries judged ready to do so. It is a roadmap showing all the necessary steps from legal and social perspectives over the short to medium term.

Countries designated by the study as ready for eHealth regulation are Mauritius, Botswana, Seychelles, Cape Verde, Ghana, Senegal, Rwanda, Namibia, Kenya, and Uganda.

Reports from the RRM and the eHealth RRI show that each ready country has:

A different set of operational eHealth services

Some required eHealth regulatory aspects already in place

Gaps in the required eHealth regulatory aspects.

Dealing with these differences needs a generic set of roadmap principles, including required consultations and new structures. This is supplemented by specific country actions needed to develop the eHealth regulatory environment. This approach is supported by one of our advisory board members when advice was sought on the roadmap. Prof Maurice Mars of the University of KwaZulu-Natal said:

“As you know I am not a fan of a one size fits all template approach. I think that if you can fashion the roadmaps based on where a government wants to get to with an eHealth solution and founded on the principles of thorough needs assessments and I include clinical, technical, human resource and regulatory needs, leading to a decision to either continue or review the goal, leading to the development of a business case followed by a further review



and then the development of the appropriate plans, including change management, to achieve the goal.”

The roadmap for ready countries has two parts:

A generic part describing the principles, consultations and structures required for ready countries to move forward

A country-specific part showing the regulatory aspects in place, the aspects that are missing to cover existing eHealth services and the aspects that need addressing to expand eHealth services and priorities for an action plan to address the gaps in the regulatory aspects.

9.1 Roadmap method for the ready countries

A roadmap provides a clear future objective and answers the critical questions: why, what, how and when? These questions define and explain a clear action plan for reaching the objective. This creates four parts to a roadmap:

The first part defines the roadmap’s domain, the objectives, and strategy for achieving those objectives; the why question of a roadmap. The roadmap's definition and strategy often include market and competitive assessments as well as planned applications.

The second part defines direction, or the team's plans; the “what” question of a roadmap. The direction includes challenges, the architecture and evolution of the team's solution, and measurable performance targets to achieve the objective.

The third part describes the evolution of technologies needed to achieve the objective; the “how” question of a roadmap.

The fourth part defines the timing of the required actions; the “when” question of a roadmap. The action plan identifies key development actions, resources required, risks, and technology investment strategy.

The SMART concept is used during the implementation of this roadmap:

S Specific about what has to be achieved, so not ambiguous, and communicate clearly;

M Ensure results are measurable, with clearly defined outcomes such as key performance indicators (KPI);

A Make sure that proposed actions have appropriate and achievable outcomes R Check that actions are realistic, taking account of time, ability and finances; T Make sure it is time restricted in a realistic and achievable time frame, with set

deadlines, milestones and progress checks.

The ten ready countries show different characteristics across the three component indices of RRM, ITU-WHO and healthcare spending. It is important to reflect these differences in the roadmap.

9.2 Essential roadmap activities

With the emphasis on developing processes, organisations and resources in the first two years, the activities include:



Engagement with core stakeholders to agree on the goals of eHealth regulations and each step ahead

Identifying and agreeing the top priorities and scope

Preparing draft regulations

Describing all the necessary authorisations, commitments, constraints, licenses, requirements and qualifications required by the applicable regulatory environment and the specific time scales needed to obtain them

Consultation, initially on structures and draft regulations with all the relevant recognised authorities

Describe and justify the arrangements needed to approach them as part of the engagement methodologies needed for successful change programmes

Implementation arrangements for structures and drafts

Arrangements and practices for compliance reviews and enforcement.

9.3 eHealth regulation action plan

This deals with questions of what needs to be in place to develop eHealth regulation in the short to medium term. There are several choices, and decisions depend on each country’s start point, context, priorities and eHealth strategy. Each country’s overall direction should build on its current eHealth investment and eHealth regulatory environment then converge on its medium term eHealth strategy, priorities and investment plan. These range across eCare, eLearning, eSurveillance and eAdministration/eGovernance, with the emphasis possibly changing as countries move from their existing eHealth profile into the future.

The countries chosen for the short term roadmap have the highest RRM position in the RRI. Some important first steps to be taken in order to enhance the eHealth regulations are:

Review the eHealth regulation aspects with no coverage scores in all 64 sub-aspects provided by the RRM

Review the quality and rigor of sub-aspect regulations that are in place

Security is an increasing concern and can support other sub-aspects, such as logins and access.

As eHealth becomes more expansive and integrated, it is likely that the transfer of data within and between ESA’s four eHealth categories increases. This may change the regulatory priorities, with an increase on regulating the transferring of, or access to, data over networks. This is consistent with increased data sharing found in interoperable electronic patient records (EPR) and health records (Dobrev 2010). In this context, each country should be clear about the eHealth regulation priorities that it intends to address over the medium term.

9.3.1 eHealth environment

To set the direction for eHealth regulation, each country should set out its eHealth environment as:

Current eHealth services

Financed, planned eHealth services over the short to medium term and ready for implementation



Other planned eHealth services over the short to medium term

Types of eHealth services for eCare, eLearning, eSurveillance and eAdministration/eGovernance.

This profile of eHealth investment into the future provides the context and requirements for eHealth regulations.

9.3.2 eHealth regulations needed

Two main types are general and specific. A simple example for general eHealth regulation is an overall direction that secures improved:

Privacy, a right that peoples’ health data will not be used to observe, monitor, or disturb them without their consent

Confidentiality, a right that health workers and healthcare organisations are entrusted with patients’ data and will keep it secret

Data quality and integrity, where data is accurate, timely, complete, and reliable

Access to, and sharing of, patients’ data by health workers for the benefits of patients

Security, electronic and physical

Accreditation of eHealth suppliers for procurement, implementation, and operation

Standards, including interoperability, architecture, functionality and data definitions for implementation and operating eHealth services.

Some of these, such as privacy, confidentiality, and security, may already be included in telecommunications and data protection regulation as part of the eHealth regulatory environment.

Simple examples of specific eHealth regulation may deal with activities such as:

Sharing patient data between GPs and hospital doctors for treating current patient conditions and using selected international standards and secure computers and networks

Transferring clinical data from GPs and hospitals to eSurveillance services using international standards and secure computers and networks

Protocols for anonymising and de-identifying types of patient data from GPs and hospitals for healthcare managers to use in planning and resource utilization studies.

These lead to a set of decisions for the direction of eHealth regulation:

What eHealth regulations do countries needed now?

What eHealth regulations do countries need in the short term to medium term?

Why do they need them?

What do they need to introduce them?

From these positions, countries can develop the direction of their eHealth regulation initiatives. They can also develop their arrangements for eHealth regulation enforcement. Before these are set, it is essential that they are dealt with by engaging key stakeholders. These include associations representing patients and citizens, healthcare professional bodies, healthcare entities, eHealth suppliers and other ministries.



9.4 eHealth regulation challenges

The current position, opportunity and challenges in SSA are:

Introduce enough regulation so that acceptable standards are maintained and innovation is not stifled, which is a decision that each SSA country must take as more of a judgement for themselves rather than just an analysis or relying entirely on the RMM

Governments, especially the Ministries of Health, should set a few generic principles in place, leaving eHealth regulators and HPOs to deal with details and contexts

Compliance should be affordable for HPOs, so does not take resources away from eHealth initiatives

Enforcement should be costly enough to encourage users to comply, but not too costly that it causes financial and affordability problems

Affordability and financing eHealth regulation and eHealth

Collaborate with existing regulators, such as telecommunications, data protection and cyber-crime prevention to build on the current eHealth regulatory environment

Can eHealth regulators match the pace of eHealth change that brings more smart phones, tablets and other mobile devices into use in healthcare?

Using mobile phones in healthcare has specific challenges that are not often part of eHealth initiatives. For mHealth, some specific challenges include:

What types of devices should HPOs allow and support?

Should healthcare professionals use their personal devices or must they use ones issued by their HPOs?

Are mobile communications secure?

Are there documented policies and procedures governing mobile device usage? 1

The HPOs’ mobility strategies can extend across the use of smart phones, pagers, Wi-Fi phones and tablets. A survey1 in the USA found that a typical hospital supported some 67% of smart phones and pagers and about 49% of Wi-Fi phones and tablets in use. Only 34% of hospitals had a documented mobility strategy, and 31% are developing a strategy. Some 37% of hospitals said they had no plans for a mobility strategy. This is a vastly different finding compared to that of another survey2 from the USA, published at a similar time that found only 3% of HPOs have no plans to create a policy. Whilst the two surveys are not measuring precisely the same phenomenon, the difference is so great as to be difficult to reconcile. However, the difference does not dilute the common theme of the need for HPOs to have an effective, current mobile technology strategy. Of all the mobile devices in circulation, over half belong to users. This is the bring-your-own-device (BYOD) concept. Some 64% of hospitals in the USA support these. This phenomenon emphasises the need to regulate the links between telecommunications and healthcare data, so the need for telecommunications and eHealth regulators to collaborate continuously.

Evidence for simple legislation is that the RRM reveals the extremely wide range of eHealth contacts within an equally wide range of healthcare contexts. Attempting to legislate to

1 Survey Results: The Role of Mobility Strategies in Healthcare Amcom Software White Paper December 2012

2 2

nd Annual HIMSS Mobile Technology Survey Health Information Management Systems Society December 2012



regulate all these is not practical, likely to be incomplete, and will need revisions to legislation as healthcare and eHealth technology develops. From this, the apparent conclusion is the need for simple legislation with good principles building on the current eHealth regulatory environment.

Health workers are using mobile devices to improve the provision of direct healthcare. Some of the eHealth regulatory questions are:

Are the devices password protected?

Are password policies enforced?

Is remote data wipe-enabled?

Is mobile security software installed to protect against viruses or malware?

Are wireless networks secure?

Is data encrypted when it is transmitted?

Are passwords required to retrieve data containing electronic protected health information (ePHI)?

Are mobile applications safe and secure?

The Survey sees the solution as “Designing and implementing a comprehensive mobility strategy is a critical step in securing patient privacy and enhancing patient safety in the age of portability”.3

Balancing regulation and freedom to invest so regulation is not a constraint to eHealth initiatives

9.5 Decisions for eHealth regulation

The main types of decision for eHealth regulation are:

Who is the eHealth regulator?

Legislation and regulations approved by legislature – simplified and generic, not detailed and specific, such as rights and obligations for privacy, confidentiality, data quality, security and standards.

Detailed and specific for entities adopting eHealth so they know where to look in the healthcare and eHealth processes to achieve regulatory compliance.

Detailed and specific for regulators to know where to look in the healthcare and eHealth processes to achieve regulatory review and enforcement.

Actions and changes needed by HPOs to comply with eHealth regulations.

This leads to the need for two roadmaps: one for eHealth regulators and one for HPOs that have to comply within the resources available.

9.6 Action plan for eHealth regulation

Legislation and regulations rely on principles and concepts, and so need limited detailed information. This needs new, detailed, specific information that the RRM can provide, and this is a dependency. The action plan items are in chronological order. Each action is

3 Survey Results: The Role of Mobility Strategies in Healthcare Amcom Software White Paper December 2012



dependent on the previous actions. It has two timescales, short term of one and two years, and the medium term of three and five years, as shown in Table 4.

Table 4: Generic eHealth regulation action plan for ready countries

ACTION PLAN

No. Specific Actions Specific Actions

Dependencies

People and Teams for The

Actions Timings

1. Health minister and permanent secretary appoint the eHealth regulator within the ministry of health, possibly a temporary role. Create eHealth organisations and expand the processes and resources for eHealth regulation.

Prioritisation of eHealth regulation by health ministries

Health minister and permanent secretary

1-2 Years

2. Link with other ministries and other regulators for telecommunications, data protection and cyber-security and set up a multi-disciplinary eHealth regulation team

Prioritisation of eHealth regulations by related ministries

Health minister 1-2 Years

3. Identify and secure sustainable finance for regulation, including resources needed to train regulators

Prioritisation of eHealth regulation by health ministries

Recognition of positive socio-economic return from eHealth investment

eHealth regulator

1-2 Years

4. Start engagement with stakeholders and users, including professional bodies, healthcare provider organisations and suppliers, including formal consultation on new eHealth laws, decrees and regulations

Stakeholder support eHealth regulator

1-2 Years

5. Review eHealth regulation sub-aspects with no regulations against RRM and global good practice benchmarks to test for quality

Secure resources for review

Access to RRM

eHealth regulator

1-2 Years

6. Review existing regulations against RRM and global good practice benchmarks to test for quality


Access to RRM

eHealth regulator

1-2 Years

7. Check against global good practice benchmarks and current eHealth, planned eHealth projects for regulations that are needed, including expanding eHealth on mobile phones, cloud computing, BYOD and social media


Access to RRM

eHealth regulator

1-2 Years

8. Review eHealth security and link with national security initiatives.


eHealth regulator

1-2 Years



ACTION PLAN


Dependencies


Actions Timings

9. Compliance reviews – these can start immediately

Secure resources for reviews

Develop expertise for reviews

eHealth regulator

1-2 Years

10. Actions to ensure compliance with existing regulations

Secure commitment of stakeholders to change

eHealth regulator

3-5 Years

11. Draft legislation and decrees as needed

Political priority of government for legislation

eHealth regulator, ministry of justice and ministry of technology

3-5 Years

12. Pass laws and decrees

Political priority of government

Minister of health

3-5 Years

13. Implement laws and decrees, such as training, dissemination, standards, procurement

Secure resources and expertise for change

eHealth regulator

3-5 Years

14. Draft regulations needed Develop expertise for regulation drafting

eHealth regulator, ministry of justice and ministry of technology

3-5 Years

15. Pass regulations, through the relevant country’s law making processes

Political priority of government

Minister of health and permanent secretary

3-5 Years

16. Segment the regulations between healthcare provider organisations and suppliers

Develop expertise for regulation

eHealth regulator

3-5 Years

17. Decide which healthcare providers are regulated – start with public system move onto private, NGOs and continue with faith-based


Health minister and permanent secretary

3-5 Years

18. Decide which suppliers are regulated and the licences and accreditations they need


Gain stakeholder support

eHealth regulator

3-5 Years

19. Implement regulations, such as training, dissemination, standards and procurement

Develop expertise for regulation and change

eHealth regulator

3-5 Years



ACTION PLAN


Dependencies


Actions Timings

20. Monitoring and evaluation of progress at end of years 1, 2, 3, 4 and 5

Develop expertise for regulation monitoring

eHealth regulator

3-5 Years

21. Implement findings from monitoring and evaluation

Develop expertise for regulation implementation


eHealth regulator

3-5 Years

22. Reset the action plan for years 6 onwards Develop expertise for regulation


eHealth regulator

Year 5

Simple examples of short-term strategies to facilitate the smooth implementation and operation of new eHealth services that comply with the existing legal and socio-cultural environment include:4

1. Extend the existing eHealth regulatory environment of telecommunications and data protection acts and regulation into eHealth regulations

2. Develop and approve health legislation to include the requirements of modern eHealth, including privacy, confidentiality, data quality, health workers access to and sharing of patient data, security, standards

3. Set up an independent eHealth regulator that engages continuously with healthcare professions, healthcare entities and eHealth suppliers

4. Empower the eHealth, telecommunications and data protection regulators to collaborate and work together

5. Give the eHealth regulator power to deal with the eHealth market to avoid market disruption, accredit eHealth suppliers, ensure patient and consumer interests are protected, create and safeguard effective competition and prevent anti-competitive practices

6. Routine accountability to government, the legislature, citizens, healthcare professionals and eHealth suppliers

7. Ensure that eHealth regulation does not diminish the opportunities to invest in new eHealth initiatives

8. Ensure that eHealth suppliers are accredited to meet each country’s eHealth needs.

9.7 Risk assessment for average rated countries

The first step in regulation risk mitigation strategies is to appoint an eHealth regulator. Without this, no one can begin the required actions needed to develop and improve eHealth regulation. From this, following and resourcing the steps in the roadmap within the

4 Legal and Institutional Aspects of Regulation Module 6 ICT Regulation Toolkit Telecommunications Management Group, Inc.



proposed timescales mitigates the risks. The extent to which this mitigates risk depends on the availability of finance and capacity of regulation skills available to the eHealth regulator.

At the eHealth regulation workshops, affordability and budgets were identified as major constraints to progress. In addition, timescales that exceed five years are typical for new legislation. These indicate a very limited degree of mitigation over the medium term. It is not justified to propose significant risk mitigation before five years.

An assessment of the exposure to risks of the adoption and operation of eHealth services from a regulatory perspective uses the TinTree Risk Assessment Model. This helps to identify, locate, and categorise risks associated with eHealth regulation. The risk factors are:

Total regulatory aspects not covered as shown by the RRM

Limited prevalence of developed regulations

eHealth Regulatory Body not in place

Availability of people with Certified Information System Security Professional (CISSP) qualifications

Extensive BYOD use

Extensive cloud use

Extensive social media use

Few links with ministry of ICT

Few links with ministry of Justice

Few links with telecommunications regulator

Few links with data protection regulator

Few links with cyber-crime prevention regulator

ITUWHO eHealth development index score.

Figure 12 Estimated eHealth Regulation Risk Exposure of Ten Ready Countries

0%

20%

40%

60%

80%

100%

Good Practice

Botswana Cape Verde

Ghana Kenya Mauritius Namibia Rwanda Senegal Seychelles Uganda

ESA SSA eHealth Regulation Study Estimated Regulation Risk Exposure



Most SSA countries have high scores on some of these risk factors, especially the lack of eHealth regulators, so very limited stakeholder engagement contributing to high risk exposure because there is no one who can deal with the activities and implement the measures needed to mitigate risks.

The estimated risks exposure of the ten ready countries is shown in Figure 12.

10. The roadmap for other countries

This is similar to the roadmap for ready countries but with two major differences.

First, these countries tend to have lower levels of eHealth investment

Second, the pace of eHealth regulation in SSA countries needs to match changes in eHealth investment in order to close the gap with good practice.

This complies with the principle that eHealth regulation tends to follow eHealth. At best, it can fit alongside eHealth and be integrated with these initiatives.

Because the level of eHealth regulation is much lower than in the ready countries, the other countries will need more time to review and develop their eHealth regulatory processes, organisations and resources. This could take at least three years.

11. The eHealth regulation workshops

The two workshops, the first in Botswana, the second in Ghana, had three major objectives:

1. Provide countries and RECs with an overview of the eHSA Programme and a description of the study on regulatory aspects and RRM

2. Enable participants to consider how they will go about preparing action plans and setting priorities to develop and introduce eHealth regulation, such as legislation, regulations and regulatory bodies needed to set out on a development path for their eHealth regulation

3. Promote a uniform approach to eHealth regulation among regional stakeholders, RECs and countries that advances their policies and strategies.

The first eHealth regulation workshop was for Botswana, Mauritius, Mozambique and Namibia. The second was for Ghana, Kenya, Rwanda, Senegal and Uganda.

In Botswana, WHO-AFRO’s participation made a valuable contribution. Country representatives raised the important aspect of realistic time frames. Botswana reminded participants that it can take from five to ten years to develop and pass legislation.

Whilst each countries eHealth environment is unique, there are common challenges for eHealth regulation, such as:

eHealth security

Lack of regulatory body

Lack of resources

Lack of eHealth specific legislation



Skills shortage

Sustainability.

Country suggestions for moving forward:

Regional cooperation

Establish a learning network.

In Ghana, AUC participation provided a valuable contribution. It provided critical oversight and insight into the AU’s eHealth plans and strategies and provided a clear way forward for countries and the Greenfield Management Solutions (GMS) consortium alike. The AUC participants emphasised the need for political support, without which the study and the eHSA programme would have little impact.

The AUC participants agreed to share the study outcomes with the heads of states at their next meeting in Addis Ababa. This top town approach will place eHealth regulation as a priority on the agenda of all AU member states and make member states accountable to each other as well as the AUC in terms of their eHealth regulation development and its contribution to overall eHealth strategy.

Countries agreed that structured regional cooperation will be vital in order to strengthen eHealth development and implementation.

The importance of a business model and business case behind eHealth regulation was raised by both international stakeholders and countries alike. This would encourage investment by private companies and ensure sustainability in the long run and contribute to:

A deeper understanding of the study on regulatory aspects and the overall eHSA programme

An insight into their eHealth regulation status and ranking

An understanding of the RRM and an appreciation of how they can use the RRM to strengthen their eHealth regulatory environment

The need to collaborate with stakeholders, such as ministries of justice and ministries of technology

Ensuring realism of the medium-term timescale needed to begin to develop eHealth regulation

Countries starting to prepare action plans and narratives for their next steps

New eHealth initiatives that may require a review of their regulations – this is a continuous process.

At both workshops, countries’ responses were encouraging and the enthusiasm with which delegates engaged with the study team was constructive. GMS will continue to work with countries to help them develop regulation action plans to strengthen their eHealth regulatory environment.

The study team will also work closely with the international stakeholders that attended the workshops: the AUC, WHO-AFRO, NEPAD Agency and the AfDB. Their support is crucial for continued success and dissemination, and will ensure that the practical benefits which the study and eHSA programme has to offer are realised.



12. Conclusions

There are three critical findings from the study. The first is that eHealth regulation in the SSA countries lags behind the good practice countries by some 45%. The second is that ten SSA countries, about 21%, are closer to good practice countries and are more ready for eHealth regulation than the other SSA countries. Third, at the eHealth regulation workshop it was determined that these ready countries need about five years to assemble eHealth regulation priorities, processes, organisations, resources and legislation. Taking all three findings together, it shows that eHealth regulation is a long-term initiative for SSA.

Developing eHealth regulation that addresses these findings is not a short-term activity. It needs to be sustainable for the long-term. There is a clear momentum emerging among the ready countries to adopt eHealth regulation. Countries are willing to collaborate, which, when coupled with the commitment of the AUC, WHO-AFRO and NEPAD to support eHealth regulation as part of their own strategies, has led to the appearance of considerable constructive potential. Examples of activities required to unfold this potential include:

Prepare robust cases for eHealth regulation

Set eHealth priorities

Share materials on legislation and regulations

Compare experiences on compliance reviews

Develop skills, capacity and capabilities

Share progress with other countries.

To support this, GMS is establishing a web based platform for sharing information about eHealth in Africa, which will be developed and sustained in the short term by GMS non-profit partner, TinTree International eHealth Leadership and Development Network at www.ehna.org.

http://www.ehna.org/

Documents

Study on Regulatory Aspects - ESA Business Applications Regulatory Study... · CISSP Certified Information Systems Security Professional ... International relations initiatives