Section 1
Part I—PRELIMINARY - 1. Citation.
Section 1. Citation. These Regulations may be cited as the Digital Health (Data Exchange Component) Regulations, 2025.
Section 2
Section 2. Interpretation. In these Regulations, unless the context otherwise requires— “Act” means the Digital Health Act, 2023 (No. 15 of 2023); “Agency” means the Digital Health Agency established under section 5 of the Act; “aggregate health data” means health data consolidated and stored in a central system; “Board” means the Board of Directors of the Agency constituted under section 8 of the Act; “data exchange” means a secure sharing of health data between health providers, systems and institutions promoting coordinated healthcare in a secure manner; “data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller; “digital health solution” includes a digital health application, intervention, initiative, digital health technology, infrastructure, telehealth systems, electronic health information systems and provision of education and training support for e-Health initiatives; “enterprise service bus” means an architectural pattern whereby a centralized software component performs integrations between applications; transformations of data models, handles connectivity, message routin...
Section 3
Section 3. Object of the Regulations Section establishment and implementation of the data exchange component of the System; and
Section 4
Section 4. Enterprise service bus. Section 4(1) Pursuant to section 16(a) of the Act, the Information and Communication Technology environment of the System shall include an enterprise service bus. Section 4(2)(a) route messages between certified digital health solutions; Section 4(2)(b) monitor and control the routing of exchange of messages between certified digital health solutions; Section 4(2)(c) control onboarding and versioning of certified digital health solutions; Section 4(2)(d) monitor and eliminate redundant services; and Section 4(2)(e) event handling; Section 4(2)(e)(i) event handling; Section 4(2)(e)(ii) data transformation and mapping; Section 4(2)(e)(iii) message and event queuing and sequencing; Section 4(2)(e)(iv) security or exception handling; and Section 4(2)(e)(v) protocol conversion.
Section 5
Section 5. Onboarding onto the enterprise service bus. Section 5(1) The Agency shall upon an application specified under regulation 6, onboard a health data controller as a user in the enterprise service bus. Section 5(2) A health data controller who was using or managing health data using a digital health solution shall be onboarded into the System within six months from the date of publication of these Regulations. Section 5(3) The Agency shall use a portal for purposes of onboarding health data controllers to the enterprise service bus.
Section 6
Section 6. Application for onboarding to the enterprise service bus. Section 6(1) An application for onboarding as a user of the enterprise service bus shall be made to the Agency in Form DE 1 set out in the First Schedule. Section 6(2)(a) the particulars of a health data controller of a digital health solution including proof of registration with the Office of the Data Protection Commissioner; Section 6(2)(b) a data protection impact assessment report for the digital health solution; Section 6(2)(c) particulars of the organization of the health data controller; Section 6(2)(d) particulars of the developer of the digital health solution; Section 6(2)(e) particulars of the digital health solution being onboarded; Section 6(2)(f) a valid certificate of compliance issued upon the certification of the digital health solution; and Section 6(2)(g) proof of payment of the onboarding fees specified in the Third Schedule. Section 6(3) The Agency shall not onboard a health data controller onto the enterprise service bus unless the health data controller has a certified digital health solution. Section 6(4) Upon receipt of an application under subregulation (1), the Agency shall review the ap...
Section 7
Section 7. Review and appeal. Section 7(1) An applicant dissatisfied with the decision of the Agency in relation to onboarding to the enterprise service bus may within seven days from the date of the decision of the Agency, apply to the Agency for a review. Section 7(2) A person aggrieved by the decision of the Agency under subregulation (1), may within fourteen days from the date of the decision of the Agency, appeal to the High Court.
Section 8
Section 8. Record of health data controllers. Section 8(1) The Agency shall keep and maintain a record of health data controllers of the certified digital health solutions onboarded onto the enterprise service bus in accordance with regulation 6. Section 8(2)(a) organization, service delivery or healthcare management; Section 8(2)(b) the digital health solution being utilised by the health data controller; and Section 8(2)(c) enterprise user licence of the health data controller.
Section 9
Section 9. Suspension from use of the enterprise service bus. Section 9(1)(a) health data controller is not using the access rights for the intended purpose; Section 9(1)(b) health data controller has facilitated unauthorized access to the enterprise service bus by a third party; Section 9(1)(c) digital health solution of the health data controller is not valid; Section 9(1)(d) health data controller fails to maintain the enterprise user licence; Section 9(1)(e) health data controller fails to pay the applicable agency fees specified in the Third Schedule; and Section 9(1)(f) health data controller has contravened the provisions of any relevant law and the contravention is reported to the Agency by the relevant body. Section 9(2) The Agency shall comply with the provisions of the Fair Administrative Action Act (Cap. 7J) when suspending a health data controller under subregulation (1). Section 9(3) The Agency shall upon suspending a health data controller under subregulation (1), block the health data controller from accessing the enterprise service bus. Section 9(4) A data controller who resolves all the compliance issues raised by the Agency under subregulation (3), may upon appli...
Section 10
Section 10. Maintenance of health data banks. Section 10(1) The national health data bank and county health data bank established and designated under section 26(1)(a) of the Act, respectively, shall comprise of centralized information systems that shall collate minimum data set at client level and aggregate data processed by certified digital health solutions: Section 10(2) Any health data transmitted to the national health data bank or the county health data bank by a certified digital health solution shall be stored, reviewed, audited, updated and secured in accordance with the Act and these Regulations.
Section 11
Section 11. Shared resources. Section 11(1) Pursuant to section 16(e) of the Act, the System shall consist of the shared resources which shall be maintained in accordance with this Part. Section 11(2) The users and consumers of the shared resources in the System shall pay the service fee specified in the Third Schedule for use of the System. Section 11(3) The shared resources is designated as critical information infrastructure and shall be accorded the security safeguards provided under the Computer Misuse and Cybercrimes Act (Cap. 79C) and the Data Protection Act (Cap. 411C). Section 11(4) The Agency shall utilize the existing relevant government and third party databases in the performance of its functions including the maintenance of shared resources under subregulation (1) for purposes of enhancing access and utilization of healthcare services.
Section 12
Section 12. The national health data dictionary. Section 12(1) The System shall have the national health data dictionary which shall be the single source of reference of health terminology within the System. Section 12(2) A health data controller who has been onboarded as a user under regulation 6, shall use the national health data dictionary as the data reference dictionary within the System. Section 12(3)(a) ensure that the national health data dictionary is available, updated and comprehensive; Section 12(3)(b) enable a certified digital health solution to access and utilise the national health data dictionary; Section 12(3)(c) regularly inform stakeholders in the digital health sector on the key components of the national health data dictionary affecting health data terminology; and Section 12(3)(d) emerging concepts or domains; Section 12(3)(d)(i) emerging concepts or domains; Section 12(3)(d)(ii) the adoption of new standards; Section 12(3)(d)(iii) the existence of obsolete concepts or domains; Section 12(3)(d)(iv) data quality assessments; Section 12(3)(d)(v) the changes in security protocols; and Section 12(3)(d)(vi) continuous improvement concepts.
Section 13
Section 13. The client registry. Section 13(1) There shall be a client registry in the System which shall be the single source of reference in the identification of clients seeking health services. Section 13(2)(a) enable certified digital health solutions to access and utilise the client registry; and Section 13(2)(b) provide for self-registration of an applicant in the client registry through the patient portal using Form DE 2 set out in the First Schedule. Section 13(3) A health data controller who has been onboarded onto the enterprise service bus under regulation 6 shall register a client through a certified digital health solution. Section 13(4)(a) a national identity card; Section 13(4)(a)(i) a national identity card; Section 13(4)(a)(ii) a valid passport; or Section 13(4)(a)(iii) a birth certificate in the case of a person under the age of eighteen years; Section 13(4)(b) a valid asylum-seeker pass; Section 13(4)(b)(i) a valid asylum-seeker pass; Section 13(4)(b)(ii) a valid movement pass; Section 13(4)(b)(iii) a valid letter of recognition; Section 13(4)(b)(iv) a valid refugee identification card; or Section 13(4)(b)(v) a valid conventional travel document. Section 13(5)(a...
Section 14
Section 14. The facility registry. Section 14(1) There shall be a facility registry in the System which shall be the single source of reference of health facilities in Kenya. Section 14(2)(a) assign a Kenya Master Facility List Code to a health facility; and Section 14(2)(b) designate a portal in the facility registry where health data controllers may update their information including on the services offered and the infrastructure owned. Section 14(3)(a) geo-location details of the health facility; Section 14(3)(b) contact details of the health facility; Section 14(3)(c) regulatory details of the health facility; Section 14(3)(d) list of services offered by the health facility; Section 14(3)(e) infrastructure details of the health facility; and Section 14(3)(f) human resources responsible for health in the health facility. Section 14(4)(a) a certificate of registration of the health facility by the relevant regulatory body; Section 14(4)(b) a valid licence issued by the relevant regulatory body; Section 14(4)(c) an inspection report of the health facility; and Section 14(4)(d) a duly completed checklist of the health facility. Section 14(5) Every health data controller shall be re...
Section 15
Section 15. The telemedicine health provider registry. Section 15(1) There shall be a telemedicine health provider registry in the System which shall contain a list of all e-health service providers and shall be the single source of reference in the provision of telemedicine in Kenya. Section 15(2) The Agency shall be responsible for the day-to-day management and maintenance of the telemedicine health provider registry. Section 15(3)(a) the certified digital health solution being utilised by the telemedicine health provider; Section 15(3)(b) particulars of the health data controller; Section 15(3)(c) regulatory details of the telemedicine health provider; Section 15(3)(d) a list of services offered by the telemedicine health provider; and Section 15(3)(e) proof of registration as a data controller or data processor with the Office of the Data Protection Commissioner. Section 15(4) The Agency shall, upon application by a telemedicine provider, issue a telemedicine provider code to a telemedicine health provider. Section 15(5)(a) use a digital health solution certified in accordance with the Act for service delivery; and Section 15(5)(b) prepare a report of the health data arising fr...
Section 16
Section 16. The health worker registry. Section 16(1) There shall be a health worker registry in the System which shall be the single source of reference for all information related to health workers for purposes of health information exchange and accessing the System. Section 16(2)(a) personal details of a health worker; Section 16(2)(b) qualifications of a health worker; Section 16(2)(c) details of the relevant regulatory body that licensed or registered the health worker as provided by the regulatory body or the health data controller; and Section 16(2)(d) where applicable, valid practice licence details of the health worker. Section 16(3) The Agency shall maintain an up-to-date health worker registry integrated with the various information systems owned and maintained by the regulatory bodies. Section 16(4) A health worker shall, subject to proof of valid licensing by the relevant regulatory body, apply to the Agency for registration to access the health worker registry. Section 16(5) An application under subregulation (4) shall be made through the portal in Form DE 3 set out in the First Schedule. Section 16(6)(a) register the health worker in the health worker registry; and S...
Section 17
Section 17. Product catalogue. Section 17(1) There shall be a product catalogue in the System which shall be the comprehensive register of all registered health products and technologies in the country including digitally enabled medical equipment. Section 17(2)(a) identification of a health product or technology by a unique product identifier in accordance with the prevailing policy; Section 17(2)(b) generic name or international non-proprietary name of the health product or technology; Section 17(2)(c) strength of a health product or technology; Section 17(2)(d) formulation of a health product or technology; Section 17(2)(e) route of administration of the health product or technology; Section 17(2)(f) class of the health product or technology; Section 17(2)(g) brand name of the health product or technology; and Section 17(2)(h) status of the health product or technology. Section 17(3) The health products and technologies in the product catalogue shall have a standardized unique health product and technology identifier issued by the Pharmacy and Poisons Board established under section 3 of the Pharmacy and Poisons Act (Cap. 244). Section 17(4) The Agency shall, in collaboration wi...
Section 18
Section 18. The National Logistics Management Information Services Platform. Section 18(1) There shall be a National Logistics Management Information Services Platform in the System which shall be the main reference point in the reporting, tracking and tracing of quantities, statuses and location of all health products and technologies. Section 18(2)(a) administer the National Logistics Management Information Services Platform guided by the National Logistics Management Information Services standards; Section 18(2)(b) ensure that the National Logistics Management Information Services Platform provides information on health products and technologies to ensure health products and technologies conform to the standards of quality, safety and efficacy set by the Pharmacy and Poisons Board pursuant to section 3B(2)(b) and (d) of the Pharmacy and Poisons Act (Cap. 244); Section 18(2)(c) ensure that a person using or managing a logistics management information system to authenticate, track or trace a health product or technology conforms to the National Logistics Management Information Services standards; Section 18(2)(d) ensure that the National Logistics Management Information Services P...
Section 19
Section 19. Shared health record. Section 19(1) There shall be a shared health record in the System which shall be the single source of reference for the medical history of patients in the System. Section 19(2)(a) maintain the Shared Health Record in the defined standard format containing the minimum data set for purposes of ensuring patient data portability, continuity of care, billing and settlement of claims; Section 19(2)(b) maintain a longitudinal record of every encounter from an application of a digital health solution. Section 19(2)(c) grant a client access to their personal Shared Health Record through the patient portal designated by the Agency; and Section 19(2)(d) audit the log of access shared by a certified digital health solution for purposes of enhancing compliance and evaluating trends in authorized and unauthorized access. Section 19(3)(a) query and update the shared health record for every encounter with a client; Section 19(3)(b) provide an electronic alert to a client where access to the shared health record is identified; and Section 19(3)(c) maintain an auditable log of all access that has taken place in the Shared Health Record indicating the users, data ent...
Section 20
Section 20. Health Management Information Services Platform. Section 20(1) The Agency shall maintain the Health Management Information Services Platform in the System for reporting purposes. Section 20(2)(a) matters of public interest; Section 20(2)(b) summary statistics, dashboards and information on key metrics relevant on diseases and events of public health in Kenya; and Section 20(2)(c) select aggregate health data published in various formats for easy consumption by various stakeholders including the members of public. Section 20(3) A certified digital health solution shall submit a report on the minimum data set to the Agency. Section 20(4) A health data controller shall ensure that all providers under the jurisdiction of the health data controller comply with the specified reporting obligations for the Health Management Information Services Platform. Section 20(5) A health data controller who fails to submit reports to the Health Management Information Services Platform commits an offence and shall, on conviction, be liable to the penalty specified under section 59(2) of the Act. Section 20(6)(a) disease burden; Section 20(6)(b) public health events; Section 20(6)(c) diseas...
Section 21
Section 21. Insurance and finance services in the System. Section 21(1) For purposes of insurance and finance services in the System, a digital health solution certified by the Agency shall provide comprehensive costing of the healthcare services provided to clients. Section 21(2) The claims management system of a health insurance provider shall, for purposes of identifying clients accessing healthcare services, reference the client registry. Section 21(3)(a) assess and certify the claims management systems of health insurance providers; Section 21(3)(b) provide access to the certified claims management systems of health insurance providers to an invoiced clinical encounter contained in the shared health record; and Section 21(3)(c) require the health insurance service provider to pay the service charge in the manner specified in the Third Schedule.
Section 22
Section 22. Offences. Any person who violates any provision of these Regulations, commits an offence and shall on conviction be liable to the penalty specified under section 59(2) of the Act.