Managers of hospitals in Kenya have just over three months to secure the relevant license to aid them regulate the collection and management of critical patient data under the country’s new healthcare regime.

In a statement on Tuesday, the Kenya Medical Practitioners and Dentists Council (KMPDC) directed all existing hospitals to apply for the Certificate of Data Handler by the end of March next year.

KMPDC chief executive Dr. David Kariuki further directed that effective January 1, 2025, all new heath facility registrations “must include a valid Certificate of Data Handler/Processor” secured from the office of data commissioner.

Institutions that will be found in breach of this directive could suffer fines of up to KES5 million, or pay a charge of one percent of their annual turnover, Dr. Kariuki added.

"This requirement underscores the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice. By ensuring the responsible and lawful handling of personal data, health institutions not only adhere to regulatory standards but also strengthen patient trust and enhance safety,” the notice by Dr. Kariuki explained.

According to the Data Protection Act, 2019 all entities handling personal data in Kenya must register as data controllers or data processors. 

Currently, the Ministry of Health is seeking views from the public on proposed Digital Health Information Management Regulations, a new law that will see all health facilities accredited by the Social Health Authority required to store all patient data collected in the course of diagnosis and any other details emanating from follow-up checks in a National Health Data Bank. This database will be exclusively managed by government authorities.

Accordingly, third parties and SHA-accredited facilities will be gaining access, albeit at a fee, to the health data collected under the Social Health Insurance Fund as part of the government’s plan to monetize critical patient data.

According to the Office of the Data Protection Commissioner (ODPC), the application for the renewable Certificate of Registration takes 14 days and will be valid for two years.

Notably, there are three categories for the payment of registration fees, as determined by the number of employees and annual turnover of a particular facility. Accordingly, micro and small entities will pay a registration fee of KES4,000, medium entities pay KES16,000, while the large entities will part with KES40,000 for the permit.

However, health facilities making less than KES5 million or have a minimum of 10 employees may be exempted from registration.

[email protected]