
The Digital Health Bill 2023 for Kenya

“An Overview of the Game-Changer Law and the Patient’s Data Privacy Provisions”

By Njoki Kimemia, Legal and Data Protection, South-End Tech Limited

On Tuesday, 29 August 2023, the Cabinet of the Republic of Kenya considered and approved crucial Bills that promote healthcare, for transmission to Parliament, as follows:

  • The Primary Health Care Bill, 2023;
  • The Digital Health Bill, 2023;
  • The Facility Improvement Financing Bill, 2023; and
  • The Social Health Insurance Bill, 2023.

These Bills usher in a new paradigm in the legal and institutional framework for healthcare in Kenya by repealing the current National Health Insurance Fund and establishing in its place the following funds: Primary Healthcare Fund; Social Health Insurance Fund; and Emergency, Chronic and Critical Illness Fund.

The Digital Health Bill addresses the existing legal and regulatory gaps in the framework for the e-Health ecosystem and its data lifecycle, enabling the development of standards for the provision of m-health, telemedicine, and e-learning in healthcare. This new architecture is expected to provide a framework for improved health outcomes and financial protection of families in fidelity to the State’s solemn duty to guarantee the health and welfare of all her citizens.

The Digital Health Bill 2023 is set to be a game-changer in Kenya’s healthcare sector. This Bill aims to revolutionize the way healthcare is provided by incorporating digital solutions and ensuring the protection of patient data. With its implementation, Kenya is poised to become a leader in digital health innovation in Africa.

Here are some of the highlights of the Bill:

  1. Guiding Principles:
    1. Health data is considered a strategic national asset.
    1. Privacy, confidentiality, accuracy, accountability and security of health data must be safeguarded.
    1. Digital health should enable data sharing for informed decision-making.
    1. The digital health ecosystem should improve the standard of health progressively.
  2. Health Data Classification: Health data is categorized into sensitive personal data, administrative data, aggregate data, medical equipment data and research data.
  3. Custodianship of Health Data:
    1. The Cabinet Secretary oversees national health data.
    1. County Executive Committee Members oversee county health data.
    1. Health data should be used for public good, not commercial purposes.
  4. Confidentiality, Privacy, and Security:
    1. The Cabinet Secretary is responsible for the confidentiality, privacy, and security of sensitive personal data.
    1. Sensitive data can be disclosed with consent, legal authorization, in emergencies, or to protect public health.
    1. Privacy is maintained throughout the data life cycle.
    1. The Cabinet Secretary manages data security measures, including authentication, access controls, and encryption.
    1. Data retention is for a minimum of 20 years, with provisions for extensions and secure disposal.
  5. Health Data Banks: a secure and centralized electronic health record system.
    1. National and county health data banks are established for seamless data integration. This system will enable healthcare providers to access patient information in real-time, leading to more efficient and coordinated care.
    1. Data controllers transmit sensitive data securely to these banks, and all patient data is kept confidential and secure.
  6. Data Transfer and Interoperability:
    1. Standardizing data formats and protocols will facilitate the seamless exchange of health information across different healthcare facilities.
    1. This interoperability will enable healthcare providers to have a comprehensive view of a patient’s medical history, regardless of where they seek treatment. This, in turn, will lead to improved diagnosis, treatment, and continuity of care.
  7. Use of Sensitive Personal Data: Health data banks use data for health services, provider identification, public health needs, research, planning, safety assessment, and system enhancement.
  8. Responsibilities of Data Controllers: Data controllers ensure proper data collection, use, disclosure, retention, and disposal, while remaining responsible for their agents’ actions.
  9. Consent and Control:
    1. Informed written consent is required for processing sensitive personal data.
    1. Exceptions apply for emergency care and serious threats to public health.
    1. Provision is made for consent when the patient is a minor or has special needs.
    1. Patients can withdraw consent.
  10. Data Protection and Breach Offenses:
    1. Data controllers must protect data and take reasonable safeguards.
    1. Offenses related to tampering, abuse, disclosure, or mishandling of data carry penalties.
  11. Rights of Data Subjects:
    1. Individuals have the right to access and receive copies of their personal health information.
    1. Sensitive personal data of deceased persons may be disclosed in permitted circumstances.
    1. Refusal to grant access is possible under certain circumstances.
  12. Rectification and Erasure: Data subjects have the right to rectify inaccurate data or request erasure of data that is no longer relevant or not lawfully obtained.

Overall, the Digital Health Bill 2023 emphasizes the secure handling of health data, ensuring privacy and promoting informed data usage in Kenya’s healthcare system, in alignment with the Data Protection Act 2019.

We are going to serialize the Digital Health Bill 2023 as part of our support for sensitization and public awareness of the Bill as it goes for enactment in Parliament. Watch out for our upcoming webinars and blogs on the same.


South-End Tech Limited TEAM

Please do not hesitate to contact us for your Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email
