Kenya has pledged its dedication to attaining Universal Health Coverage by 2030 through the utilization of digital technology and the effective management of health data. The digitization of healthcare in Kenya holds the potential to substantially enhance health outcomes by tackling issues such as unequal access to healthcare services, the difficulty health professionals face in obtaining pertinent health data, the scarcity of healthcare personnel, the exorbitant costs associated with healthcare access, and patient’s ability to access their medical records, prescriptions, and medical information, among other challenges.
Section 104 of the Health Act 2017 mandates the Cabinet Secretary Ministry of Health to within three years ensure the enactment of an e-health legislation that provides for among other things (a) administration of health information banks including interoperability framework, data interchange and security; (b) collection and use of personal health information; (c)management of disclosure of personal health information; (d) protection of privacy; (e) business continuity, emergency and disaster preparedness; (f) health service delivery through M-health, E-learning and telemedicine; (g) E-waste disposal; and (h) health tourism.
On 29th August 2023, the Cabinet considered and approved four Bills for transmission to Parliament, all of which were in furtherance of the administration’s pledge to accelerate Kenya’s attainment of Universal Health Coverage (UHC). The Digital Health Bill was among the approved bills.
On 14th September 2023, pursuant to Standing Order 127 (1) of the National Assembly Standing Orders, the Digital Health Bill 2023 (National Assembly Bill, No. 57 of 2023) was read for the first time before parliament. The 10-part bill provides for the establishment of the Digital Health Agency; a framework for provision of digital health services: establishes a comprehensive integrated digital health information system and for connected purposes.
The bill once enacted is set to operate under the following key guiding principles. It considers health data as a strategic national asset. It also promotes privacy, confidentiality, and security of data for information sharing and use. An additional object is that digital health shall facilitate data sharing and use informed decision making in its operation at all levels. Lastly, the digital health ecosystem is mandated to serve the health sector and facilitate in a progressive and equitable manner, the highest attainable standard of health.
The Agency and the establishment and administration of the Comprehensive Integrated Health Information System
A Digital Health Agency is established with the core mandate to develop, operationalize and maintain a Comprehensive Integrated Health Information System. The system will manage the core digital health systems and the infrastructure relevant for seamless health information exchange. The Agency will ensure information registries are created, protected data exchange, data analysis, health application systems and infrastructure that are fit for purpose, efficient interoperability standards, certification of digital health solutions, and resource mobilization for sustainability and it will provide an advisory role to the Cabinet Secretary for Health on matters digital health.
The Comprehensive Integrated Health Information System objectives will be to facilitate health service delivery that is centered on people. It will facilitate timely data collection, processing, and reporting at all levels and ensure the security of that data. Additionally, the system will facilitate resource allocation and management of the health sector ensuring a progressive and equitable realization of universal health coverage and the highest attainable standard of health.
Health Data Governance, Confidentiality, Privacy and Security of Data
The Digital Health Bill classifies data into 5 categories including sensitive personal data, administrative data, aggregate health data, medical equipment data and research for health data. All these categories shall be handled based on principles of improvement of client health and safeguarding of communities and individuals. Governance of data shall also ensure security throughout the data lifecycle, equity, accountability, privacy and confidentiality, accuracy and reliability of data.
The Bill additionally tasks the Cabinet Secretary for Health to develop a Health data governance framework that will address the intricate details of handling health data. The Cabinet Secretary is responsible for ensuring that data confidentiality, privacy and security is upheld in the system. The bill provides instances whereby personal health data may be disclosed to a third party. It highlights instances where consent has been rightfully delegated to a third party due to incapacity of the data subject, authorization to disclose granted by law, emergency involving a data subject, failure to treat a data subject will pose a risk to the health of the data subject or to public health.
E-Health Service Delivery
The Bill recognizes E-Health as a mode of health service delivery and that it is complementary to existing healthcare service delivery modalities. It outlines the service delivery through telemedicine, electronic health records, m-health, e-learning and telehealth.
Entities providing e-health must hold a valid license either locally issued or issued by an equivalent regulatory body and approved by the local regulatory body. The entity shall be a health facility licensed to offer e-health services as well.
Access to the data subject’s e-health records is maintained as a right when necessary and consent of the guardian of a mentally ill patient is sought if the case requires.
Guidelines for safe handling and disposal of all health sector-related e-waste material shall be developed by the Cabinet Secretary and such guidelines shall include appropriate mechanisms for segregation, collection, transportation, and processing of the waste.
In the case of health tourism, the data controller who transfers outside Kenya biological specimens, health images, human tissues and organs of a Kenyan citizen shall ensure confidentiality, provide a report of findings to the Director-General, notify the Cabinet Secretary of the intention to share information and to seek guidance from the Cabinet Secretary on the way the health information shall be stored.
The bill creates the opportunity to have regulations that further provide for health information management, use of health applications and technologies, medical devices and innovations. It also provides for regulations on data quality and protection audits and lastly, establishment and implementation of the component of exchange of data.
The bill maintains the importance of data protection and emphasizes on overall compliance with the Data Protection Act of 2019.
The Digital Health bill has attempted to address issues of innovation, data security and emphasis on interoperability of systems to ensure all protection and service angles are covered. It however remains subject to question on several angles especially when it comes to high standards of healthcare service which should be its main mandate.
Transform Health Kenya Coalition’s Memorandum to the National Assembly on the Digital Health Bill 2023
In compliance with Article 118 (1) (b) of the Kenyan Constitution, the National Assembly Departmental Committee on Health invited members of the public to submit memoranda on the Digital Health Bill. The Transform Health Kenya Coalition collected views from its members and friends and submitted a memorandum highlighting key comments for improvement of the bill. Some of the issues highlighted are as follows:
- Complex Technical Language:
The bill uses complex technical language which makes it difficult for the average person to understand. Legislation related to digital health should be accessible to the public to ensure transparency and citizen engagement.
- Data Handling and Misuse:
More information on data handling, particularly addressing concerns related to data misuse should be provided. It’s crucial to have clear provisions and guidelines within the Bill to prevent unauthorized access, sharing, or misuse of health data, and to outline the consequences for such actions.
- Customer Care Response Line:
The question on whether there will be a customer care response line to address people’s concerns or issues related to the Comprehensive Integrated Health Information System is pertinent. This is an essential aspect of ensuring efficient service provision, as it allows individuals to seek assistance or report accessibility issues.
- Privacy and Confidentiality (Section 30):
There is question on the clarity of Section 30 (1) and (3) of the Bill, which pertains to the Cabinet Secretary’s mandate to ensure privacy and confidentiality. There is need for more explicit language and guidelines on how this responsibility will be fulfilled, as vague provisions can lead to uncertainty in enforcement.
- Composition of the Board and criteria for choice
A concern is raised about the composition of the Board responsible for overseeing the proposed agency. It underscores the importance of appointing qualified individuals with minimal political influence to ensure the effective governance of health data.
- Role of County Government:
There is absence of information regarding the role of county governments and the potential impact of the Bill on counties. It’s crucial to clearly define the responsibilities and roles of county governments in the implementation of the Bill.
- Governance Principles for Health Data:
There is need for more detail and clarity on the governance principles governing the management of health data. The Bill lists general blanket principles without contextualizing then to health data. Clear guidelines on how health data should be collected, stored, shared, and protected are essential to maintain trust and security.
- Ambiguity in Breach of Sensitive Data (Section 41):
There is ambiguity in Section 41 (1) of the Bill, specifically regarding what constitutes a “breach,” “tampering,” “abuse of privilege,” and the definition of “privilege” in handling health data. Further clarification and definitions are essential to ensure a common understanding of these terms and to establish the legal boundaries for handling health data. The Act needs to further highlight the consequences to these actions.
- Data Retention and Disposal Guidelines
While specifying a minimum retention period is a critical step in ensuring that health data is available for legitimate purposes, it is equally important to address the proper disposal of data once it is no longer needed.
Challenges with Ambiguity: The submission highlights the potential challenge of ambiguity in the Bill regarding data disposal. If the legislation does not provide explicit and well-defined guidelines on how data should be disposed of after the retention period, it could lead to inadvertent data retention. This situation poses significant risks to individual privacy and data security, as data that should no longer be stored may continue to exist in digital archives.
Privacy Breaches: Inadvertent data retention can have severe consequences, as it increases the risk of privacy breaches. Unauthorized access to retained data can result in the exposure of sensitive health information, which can be exploited for malicious purposes, including identity theft, fraud, or harassment. Clear guidelines for data disposal are essential to mitigate these risks and ensure that individuals’ health data is adequately protected.
Regulations for Data Disposal: To address this issue, the submission suggests that the Bill should pave the way for the introduction of regulations that provide specific, actionable guidelines for the secure disposal of health data. These regulations should outline the methods and technologies to be used for data erasure, ensuring that data is irreversibly destroyed or anonymized when it reaches the end of its retention period. We hope that this will come out clearly in the Health Data Governance framework.
- Enhancing Security Measures
While the Bill acknowledges the importance of security, there is a need for more comprehensive guidance on implementing modern technological safeguards to protect health data effectively.
The bill generally attempts to fulfill the mandate as expected in section 104 of the Health Act. There is however need to ensure the abovementioned loose strings are tied for the legislation to adequately guide digital health transformation in Kenya.