
LAWS OF KENYA
DIGITAL HEALTH ACT
NO. 15 OF 2023
- Published in Kenya Gazette Vol. CXXV—No. 249 on 24 November 2023
- Assented to on 19 October 2023
- Commenced on 2 November 2023
Part I – PRELIMINARY
1. Short title
This Act may be cited as the Digital Health Act, 2023.
2. Interpretation
In this Act, unless the context otherwise requires—
"Agency" means the Digital Health Agency established under section 5;
"anonymization" means the removal of personal identifiers from personal data so that the data subject is no longer identifiable;
"Board" means the Board of Directors of the Agency constituted under section 8;
"Cabinet Secretary" means the Cabinet Secretary for ministry responsible for matters relating to health;
"client" means an individual who uses, or has used, a health service, or in relation to whom health data has been created;
"consent" has the meaning assigned to it under the Data Protection Act (Cap. 411C);
"County Executive Committee Member" means the member of county executive committee appointed and designated to supervise health services;
"data" means information which—
(a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system;
(d) is recorded information which is held by a public entity and does not fall within any of paragraphs (a) to (d);
"data analysis" means the process of inspecting, cleaning, transforming, consolidation and modelling of data with the goal of discovering useful information, extracting meaningful insights, suggesting conclusions and supporting decision making;
"data bank" means an organised collection of data designed to efficiently store and retrieve data that can be accessed, managed and updated electronically to allow users to easily search for and access the information they need, to derive insights, make informed decisions and improve performance;
"data commissioner" means the person appointed under section 6 of the Data Protection Act (Cap. 411C);
"data controller" means a natural or legal person, public authority, agency or other body which, alone jointly with others, determines the purpose and means of processing of personal data; or
"data disposal" means the process of destroying manual or electronic records or data completely without being used or accessed for an authorized purpose;
"data governance" means the overall management of the availability, usability, integrity and security of data used in an organization;
"data integrity" means the overall completeness, accuracy and consistency of data;
"data life cycle" means the stages through which data passes from its creation or acquisition to its eventual deletion or archival;
"data management" means the development, execution and supervision of plans, policies, programs and practices that control, protect, deliver and enhance the value of data and information assets, and involves policy formulation and adherence to data management procedures such as reporting rates, harmonized and standard data collection tools;
"data privacy" means the aspect of information technology that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties for purposes of the keeping of information private and safe;
"data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
"data reporting" means the process of collection, submission and organisation of data into informational summaries in order to monitor performance;
"data retention" means the continued storage of an organization’s data for compliance with national policy guidelines and regulations;
"data security" means protection of electronic health data, and specifically the means used to protect the privacy of health information contained in electronic health data that supports professionals in holding that information in confidence;
"data storage" means the recording of information in a storage medium or holding information in digital format;
"data subject" means an identified or identifiable natural person who is the subject of personal data;
"de-identification" means removing or hiding personal information from records in such a way that the remaining information cannot be used to identify an individual;
"data verification" includes the authentication and validation of gathered data, data quality checks, audit of the health data using the data quality protocols;
"digital health" means the field of knowledge and practice that is associated with the development and use of digital technologies to improve health;
"Director-General" means the Director-General for health appointed under section 16 of the Health Act (Cap. 241);
"disclosure" means submission of relevant information to an authorized party;
"e-Health" means the combined use of electronic communication and information technology in the health sector including telemedicine;
"e-Health ecosystem" means the combined application of e-Health infrastructure, standards, technology, systems applications, investment, health workforce and governance that support patient-centred models of healthcare;
"e-Health platform" means an ecosystem of hardware, software and technology used to deliver e-Health services;
"electronic health data" means an electronic record of personal health related information about an individual and shall include—
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance;
(d) information derived from the testing or examination of a body part or bodily substance of the individual;
(e) information that is collected in the course of providing health services to the individual; or
(f) information relating to details of the health facility accessed by the individual;
"encryption" means the process of converting the content of any readable data using technical means into coded form;
"enterprise class" refers to applications that are designed to be robust and scalable across a large organization, and compatible with existing databases and tools, customizable for the needs of specific departments, powerful enough to scale up along with the needs of the business using it, secure from outside threats and data leaks;
"enterprise service bus" means an architectural pattern whereby a centralized software component performs integrations between applications; transformations of data models, handles connectivity, message routing, converts communication protocols and potentially manages the composition of multiple requests and may make these integrations and transformations available as a service interface for reuse by new applications;
"e-waste" means waste resulting from electrical and electronic equipment including components and sub-assemblies thereof;
"guardian" means a guardian recognised under any law for the time being in force;
"health care professional" includes any person who has obtained health professional qualifications and licensed by the relevant regulatory body;
"health care provider" has the meaning assigned to it under the Health Act (Cap. 241);
"health care services" has the meaning assigned to it under the Health Act (Cap. 241);
"health data" means data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for or provision of health services or data which associates the data subject to the provision of specific health services;
"health data controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of health data;
"health data custodian" means a person or organization that possesses legal custody over health data;
"health data processor" means a person, public authority, agency or other body who is an authorised worker to process health data;
"health facility" has the meaning assigned to it under the Health Act (Cap. 241);
"health informatics" means the practice of acquiring, studying and managing health data and applying medical concepts in conjunction with health information technology systems to help health professionals provide better healthcare;
"health information bank" means an electronic database under the custody and control of the Ministry of Health that contains personal health information and is designated by the Cabinet Secretary as a health information bank;
"health information system" means a health ecosystem designed to manage health and health related system data that provides the foundations for decision-making and includes a system that collects, collates, stores, manages, analyses, synthesises, transmit patient's or client’s electronic health record and uses health and health related data for operational management or a system supporting healthcare policy decisions;
"health records and information management" means the practice of acquiring, analysing and protecting digital and traditional medical information vital to providing quality patient or client care;
"health records and information manager" means an officer trained in health records and information management and charged with the responsibility of managing health records and health information for the health services which include—
(a) creating and enforcing policies for effective data management;
(b) clinical coding and classifications;
(c) coding for health insurance firms;
(d) health information management;
(e) health administrative data and medical data analytics and research;
(f) appraisal of medical documentations and audits;
(g) advice on medical legal issues;
(h) advise on retrieval and disposal of Health and medical records;
(i) use of e-Health applications;
"health related data information" means the service delivery and administrative health data collected, analysed and synthesised for decision making in the health sector;
"health system" means an organization of people, institutions and resources that deliver health care services to meet the health needs of the population, in accordance with established policies;
"health technology" means the application of organized knowledge and skills in the form of devices, medicine, vaccines, procedures and systems developed to solve a health problem and improve the quality of life;
"health tourism" means a situation where a patient travels across international borders to receive medical treatment;
"individual" means data subject;
"integrated e-Health information system" means a health information system that collects health and health related data that addresses the needs of all users for decision making;
"Kenya Health Enterprise Architecture" means a blueprint that guides the design, development and evolution of the comprehensive integrated health information system to align investments, in technology, information and processes that are cost-effective, sustainable, and aligned with the Kenya health sector strategic goals;
"medical equipment data" means data relating to a medical equipment and contains manufacturer-provided information and client-created inventory information about such equipment and may include exhaust digital data and individual data that may be classified as sensitive data under the Data Protection Act (Cap. 411C);
"m-Health" means the delivery of medical services using mobile technologies;
"personal data" means any information relating to an identified or identifiable natural person;
"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
"personal health data" means any information relating to the state of physical or mental health of an identified or identifiable person and includes records on the past, present or future state of that person’s health;
"personal health information" means data related to the state of physical or mental health of an individual and includes information provided by the client, records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the individual to the provision of specific health services;
"personally identifiable information" means information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person;
"private health services" means provision of health services by a health facility that is not owned by the national or county governments and includes health care services provided by individuals, faith-based organizations, non-governmental organizations and private for profit health institutions;
"processing" means any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means including—
(a) collection, recording, organisation or structuring;
(b) storage, adaptation or alteration;
(c) retrieval, consultation or use;
(d) disclosure by transmission, dissemination or otherwise making available; or
(e) alignment or combination, restriction, erasure or destruction.
"pseudo-anonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, and such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
"public health services" means health services owned and offered by the national and county governments;
"referral" means the process by which a given health facility transfers a client service, specimen and client parameters to another facility to assume responsibility for consultation, review or further management;
"research for health" includes research which seeks to contribute to the extension of knowledge in any health related field, such as that concerned with the biological, clinical, psychological or social processes in human beings improved methods for the provision of health services; human pathology; the causes of disease; the effects of the environment on the human body; the development or new application of pharmaceuticals, medicines and other preventative, therapeutic or curative agents; or the development of new applications of health technology;
"system" means the comprehensive integrated health information system established under section 15;
"system integration" refers to the merging or combining of two or more components or configuration items into a higher level system element and ensuring that the logical and physical interfaces are satisfied and that the integrated system satisfies its intended purpose;
"system interoperability" refers to the capability to communicate, execute programs or transfer data among various functional units such that the user needs little or no knowledge of the unique characteristics of those units;
"telehealth" means the use of electronic information and telecommunications technologies including video conferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications, to support long-distance clinical health care, patient and professional health-related education, public health and health administration;
"telemedicine" refers to the provision of health care services and sharing of medical knowledge over distance using telecommunications and includes consultative, diagnostic, and treatment services; and
"third party" means natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
3. Objects of the Act
The objects of this Act are to—
4. Guiding principles
In implementing the Act, all persons shall be guided by the following principles—
Part II – ESTABLISHMENT OF THE DIGITAL HEALTH AGENCY
5. Establishment of the Digital Health Agency
6. Functions of the Agency
The Agency shall—
7. Powers of the Agency
8. Board of Directors
9. Conduct of business and affairs of the Board
Except as provided in the Schedule, the Board shall regulate its own procedure.
10. Committees of the Board
11. Chief Executive Officer
12. Qualification for appointment as Chief Executive Officer
13. Corporation Secretary
14. Staff
The Board may appoint such staff as may be necessary for the proper discharge of the functions of the Agency under this Act, upon such terms and conditions of service as the Board may determine upon the advice of the Salaries and Remuneration Commission.
Part III – THE ESTABLISHMENT AND ADMINISTRATION OF THE COMPREHENSIVE INTEGRATED HEALTH INFORMATION SYSTEM
15. Establishment of a comprehensive integrated health information system
16. Components of the System
The system shall comprise of—
17. Objectives of the system
The main objectives of the system shall be to-
18. Technical aspect of the system
Part IV – HEALTH DATA GOVERNANCE
19. Classification of health data
For the purposes of this Act, health data shall be classified into the following categories-
20. Governing principles.
21. Establishment of health data governance framework
22. Health data custodian
The Agency shall be the custodian for all health data in Kenya.
23. Health data use
Part V – CONFIDENTIALITY, PRIVACY AND SECURITY OF DATA
24. Security, privacy and disclosure of data in the system
25. Retention and disposal of data in system
26. Establishment of health data banks
27. Use of sensitive personal data
The health data that is contained in a health data bank shall be applied to—
28. Responsibilities of health data bank controller
The responsibility of the data controller of a health data bank shall be to—
29. Request for information by authorized person
A person authorised by the data controller to enter sensitive personal data into the system shall ensure compliance with section 24(2) of this Act.
30. Disclosure of sensitive personal data deceased persons
31. Consent
32. Processing of personal data relating to a minor or a person without capacity
Where a data subject is a minor or for any other reason does not have the capacity to issue informed written consent, the parent, an appointed guardian or next friend of the patient shall, for purposes of section 31 (1), act on behalf of, and in the best interest of, the patient in accordance with the law.
33. Duty to protect sensitive personal data
34. Disposal of health information
The Cabinet Secretary shall develop regulations for the disposal of sensitive personal data.
35. Breach of health data
36. Health Data Portability
37. Refusal to grant access to sensitive personal data
A person in charge of a health data bank may refuse to grant access to a third party, all or part of a person’s sensitive data or health information if it is reasonable to believe that—
38. Precautions on release of sensitive personal health data
39. Right to rectification or erasure
A health data bank or a health provider may, upon request by the data subject—
Part VI – E-HEALTH SERVICE DELIVERY
40. E-Health as a mode of health service delivery
41. Provision of e-Health services
42. Principles and objectives of e-health
43. E-health services
44. Reporting
In the delivery of e-health services, it shall be the responsibility of the e-health service provider to meet their reporting obligations in accordance with the provisions of this Act.
Part VII – E-WASTE MANAGEMENT
45. E-waste management
Part VIII – HEALTH TOURISM
46. Development of guidelines on health tourism
47. Disclosure of sensitive personal data to organizations outside Kenya.
Personal health information may only be shared to any person outside Kenya for the purposes of health tourism.
Part IX – FINANCIAL PROVISIONS
48. Funds of the Agency
49. Financial year
The financial year of the Agency shall be the period of twelve months ending on the thirtieth day of June in each year.
50. Annual estimates
51. Accounts and Audit
52. Annual report
53. Bank account
The Chief Executive Officer may, in accordance with the law relating to the management of public finance, open bank accounts on behalf of the Agency with the approval of the Board and the National Treasury and shall, as the accounting officer, be responsible for the proper management of the finances of the Agency.
54. Investment of Funds
Part X – MISCELLANEOUS PROVISIONS
55. Protection from personal liability
No matter or thing done by the Chairperson, a Board member, or any officer, employee or agent of the Agency shall, if the matter or thing is done in good faith and for the purposes of executing any provisions of this Act, render the Chairperson, Board member, or any officer, employee or agent of the Agency or any person acting under the direction of those persons personally liable for any action, claim or demand arising from the same.
56. Conflict of interest
57. Confidentiality
58. Duty to cooperate
A person responsible for a matter in question before the Board shall co-operate with the Board and shall in particular—
59. Offences
60. Regulations
The Cabinet Secretary may, in consultation with the Agency and the county governments, develop regulations providing for—
61. Compliance to the Data Protection Act (Cap. 411C)
Any person processing personal data under this Act shall comply with the Data Protection Act (Cap. 411C).
62. Transitional provision
A person, who being a data controller or data processor of health data or who has been handling health information before the commencement of this Act, shall, within six months of the commencement of this Act, comply with the requirements of this Act.
History of this document
24 November 2023: this version
02 November 2023: Commenced
19 October 2023: Assented to