The Digital Health (Health Information Management Procedures) Regulations, 2025 — Esheria

Statute

The Digital Health (Health Information Management Procedures) Regulations, 2025

Legal Notice 76 of 2025
Country: Kenya
As of: 11 Apr 2025
Status: In force
Sections: 44

Sections preview


Section 1

PRELIMINARY - 1. Citation

Part I: PRELIMINARY

Section 1. Citation. These Regulations may be cited as the Digital Health (Health Information Management Procedures) Regulations, 2025.

Section 2

PRELIMINARY - 2. Interpretation

Part I: PRELIMINARY

Section 2. Interpretation. ensure safe management of health information; and

Section 4

MANAGEMENT OF HEALTH INFORMATION - 4. Notification of registration

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 4. Notification of registration Section 4(1) A health data controller or health data processor shall upon registration with the Office of the Data Protection Commissioner, notify the Agency in writing of such registration indicating the category of health data held by the health data controller or health data processor within seven days from the date of registration as a data controller or data processor. Section 4(2) Upon receipt of the notice under subregulation (1), the Agency shall enter the details of the health data controller and health data processor in the register of health data controllers and health data processors.

Section 5

MANAGEMENT OF HEALTH INFORMATION - 5. Data custodianship

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 5. Data custodianship Section 5(1)(a) maintain a register of all health data controllers and health data processors; Section 5(1)(b) maintain a record of health data held by the health data controllers and health data processors; Section 5(1)(c) ensure that health data controllers submit health data to the Agency in the applicable format; Section 5(1)(d) maintain the National Health Data Bank; Section 5(1)(e) provide access to the relevant health data to authorized health data controllers and health data processors in the applicable manner; Section 5(1)(f) retain health data held in the System for a minimum of twenty years or as specified in the Act; Section 5(1)(g) implement security measures in the management of the System including firewalls, encryption and access controls to protect health data from unauthorized access, modification or disclosure; Section 5(1)(h) maintain a public portal for health data controllers and health data processors to access templates and standard operating procedures on the management of health data; and Section 5(1)(i) maintain a public portal for select aggregate health data published in the set formats for easy consumption by the relevant...

Section 6

MANAGEMENT OF HEALTH INFORMATION - 6. Information Security Operations Centre

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 6. Information Security Operations Centre. The Agency shall coordinate the collection and analysis of information security threats through the Health Sector Information Security Operations Centre and the Health Facility Information Security Operations Centres and report to the Cabinet Secretary.

Section 7

MANAGEMENT OF HEALTH INFORMATION - 7. Capability of an Information Security Operations Centre

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 7. Capability of an Information Security Operations Centre. real time event monitoring, analysis, log collection and aggregation;

Section 8

MANAGEMENT OF HEALTH INFORMATION - 8. Health Sector Information Security Operations Centre

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 8. Health Sector Information Security Operations Centre Section 8(1) A Health Sector Information Security Operations Centre shall be the health sector focal point for monitoring, detecting, preventing, responding, investigating and attribution of information security threats in the health sector. Section 8(2)(a) monitor, detect, prevent, respond and investigate information security threats, that are specific to the health sector; Section 8(2)(b) have visibility of threats and incidents that occur in the health facility information security operations centre; Section 8(2)(c) have the requisite capability to monitor, detect, prevent, respond and investigate information security threats within the health sector; Section 8(2)(d) receive real-time information on information security threats and incidents from the health facility information operation centre; Section 8(2)(e) promote threat and information sharing; Section 8(2)(f) network detection and response; Section 8(2)(g) promote incidence response coordination; Section 8(2)(h) utilize threat surveillance from internal and external sources to enhance its situational awareness and response capabilities; Section 8(2)(i) develo...

Section 9

MANAGEMENT OF HEALTH INFORMATION - 9. Health Facility Information Security Operations Centre

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 9. Health Facility Information Security Operations Centre Section 9(1) A Health Facility Information Security Operations Centre shall be responsible for monitoring, detecting, preventing, responding and investigating of information security threats, in a health facility. Section 9(2)(a) provide real-time information on cyber threats and incidents to the Health Sector Information Security Operations Centre; Section 9(2)(b) have the requisite capability to detect, monitor, prohibit, prevent, respond and investigate cyber threats, computer and cybercrimes in the concerned organization; Section 9(2)(c) be responsible for incidence detection, analysis and response in the health facility; Section 9(2)(d) report to the Health Sector Information Security Operations Centre all information security incidents detected in the health facility; Section 9(2)(e) undertake capacity building programs, research and development activities on information security threats and incidents in the health facility; and Section 9(2)(f) utilize threat surveillance from internal and external sources to enhance its situational awareness and response capabilities.

Section 10

MANAGEMENT OF HEALTH INFORMATION - 10. Record of health data processors

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 10. Record of health data processors. A health data controller shall maintain a record of health data processors that it has engaged and provide role-based access to the health data processors in the System.

Section 11

MANAGEMENT OF HEALTH INFORMATION - 11. Notification of a health data breach

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 11. Notification of a health data breach Section 11(1) A data subject, health data controller, health data processor or a third party may report any health data breach to the Chief Executive Officer in Form HMIS 1 set out in the First Schedule. Section 11(2)(a) in the case of a breach, notify the Chief Executive Officer of the breach within forty-eight hours of becoming aware of such breach, in Form HMIS 1 set out in the First Schedule; and Section 11(2)(b) corrective measure taken; Section 11(2)(b)(i) corrective measure taken; Section 11(2)(b)(ii) mitigation action adopted; and Section 11(2)(b)(iii) timelines for the rectification of the breach. Section 11(3) A health data controller or a health data processor who fails to notify the Chief Executive Officer of a health data breach in accordance with subregulation (2), commits an offence and is liable, on conviction to the penalty specified under section 35(2) and (3) of the Act, where applicable.

Section 12

MANAGEMENT OF HEALTH INFORMATION - 12. Security of sensitive personal data

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 12. Security of sensitive personal data. ensure that personalized authentication and log-in where—

Section 13

MANAGEMENT OF HEALTH INFORMATION - 13. Health data privacy

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 13. Health data privacy Section 13(1) The Agency shall ensure health data in the System is protected throughout the health data life-cycle. Section 13(2) A person or entity shall not access health data unless authorized by the client or the health data controller to whom the data relates to.

Section 14

MANAGEMENT OF HEALTH INFORMATION - 14. Restriction on access

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 14. Restriction on access. extract a copy of all their data in the applicable format and transmit the data to the Agency;

Section 15

MANAGEMENT OF HEALTH INFORMATION - 15. Archiving of health data

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 15. Archiving of health data Section 15(1)(a) a data subject is dead and such death has been confirmed by a copy of a death certificate or a decree declaring the presumption of the death of the data subject; and Section 15(1)(b) a health data record of the data subject has been inactive for a minimum of twenty years. Section 15(2) The twenty-year period specified under section 25(1) of the Act for the retention and archival of health data held in the System shall commence from the date of the last update of a health data record of the data subject who is presumed to be living. Section 15(3) A data subject shall receive an electronic notification on the twentieth year on the archiving of their health data and unless the data subject expressly requests for the halting of the process in writing, the health data shall be archived after seven days from the date of the notice to archive health data. Section 15(4) Health data of a deceased data subject shall, upon confirmation of the death of a data subject be archived after the lapse of a period of eight years from the date of confirmation of the death of that data subject. Section 15(5) A health data controller who intends to stop...

Section 16

MANAGEMENT OF HEALTH INFORMATION - 16. Migration of health data

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 16. Migration of health data Section 16(1) An institution that immediately before the coming into force of these Regulations was using a digital health solution for the management of health data shall, within twenty-four months upon the operationalization of the County Health Data Banks, transfer its legacy data to the County Health Data Banks. Section 16(2) The Agency shall manage the migration of legacy data to the System in accordance with the applicable protocols and formats. Section 16(3)(a) migrate the data to compliant systems or the National Data Health Bank; and Section 16(3)(b) store or archive the data as required under the Act and these Regulations. Section 16(4) A health data controller or health data processor who fails to migrate legacy data as required under this regulation, commits an offence and shall on conviction be liable to the penalty specified under section 59(2) of the Act.

Section 17

MANAGEMENT OF HEALTH INFORMATION - 17. Access to health data from the system

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 17. Access to health data from the system Section 17(1) A person may request for health data in the System in Form HMIS 2 set out in the First Schedule. Section 17(2) A request for access under subregulation (1) shall be granted where the requester complies with data sharing requirements as may be defined by the health data controller or the Agency. Section 17(3)(a) the execution of a data sharing agreement between the health data controller and the person making the health data request; and Section 17(3)(b) consent by the data subject to whom the requested health data relates to and such consent shall be demonstrated by a data subject in writing and the data subject shall specify that they understand what they are doing. Section 17(4)(a) an approval issued by a duly registered Institutional Review Board established under section 3 of the National Commission for Science, Technology and Innovation Act (Cap. 511); Section 17(4)(b) a licence issued by National Commission for Science, Technology and Innovation established under section 3 of the Science, Technology and Innovation Act (Cap. 511); and Section 17(4)(c) in the case of health data in the National Health Data Bank, th...

Section 18

MANAGEMENT OF HEALTH INFORMATION - 18. Access to health data by a data subject

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 18. Access to health data by a data subject Section 18(1) A data subject may have access to health data from the patient portal. Section 18(2) A data subject under subregulation (1) may in a secure manner, share the Shared Health Record or file an extract of their Shared Health Record through the patient portal in accordance with these Regulations. Section 18(3)(a) setting an expiry date; Section 18(3)(b) creating an access code or password; and Section 18(3)(c) limiting the number of times that the access link may be accessed. Section 18(4) On the completion of healthcare services sought outside Kenya, a client under this regulation shall, with the guidance of the referring healthcare provider, update their medical record to reflect the treatment sought or any other healthcare service received outside the country. Section 18(5) A data subject shall take the necessary precautionary measures to prevent the access of their Shared Health Record by an unauthorized person. Section 18(6) The Agency shall monitor and track the transfer of medical records, biological specimens, health images, human tissues and organs of a client outside Kenya through the System.

Section 19

MANAGEMENT OF HEALTH INFORMATION - 19. Health data sharing

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 19. Health data sharing Section 19(1) A person may make a request for health data in writing to the Agency. Section 19(2) A request under subregulation (1) shall be accompanied by a statement on the purpose for which the data is requested. Section 19(3) Upon receipt of the request under subregulation (1), the Agency shall undertake verification mechanisms to determine whether the request for data meets the requirements of this regulation. Section 19(4) Where the Agency is satisfied with the verification under subregulation (3), the Agency shall communicate its decision to the applicant within forty-eight hours from the date of the decision. Section 19(5)(a) decline the request for health data; or Section 19(5)(b) require the applicant to enter into the data sharing agreement with the data controller; and Section 19(5)(b)(i) require the applicant to enter into the data sharing agreement with the data controller; and Section 19(5)(b)(ii) grant the applicant access level to the system. Section 19(6)(a) be used for the purpose for which the health data was requested; Section 19(6)(b) be used for a period specified in the authorization by the health data controller; Secti...

Section 20

MANAGEMENT OF HEALTH INFORMATION - 20. Correction of health personal data

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 20. Correction of health personal data Section 20(1) A data subject may in writing request the health data controller to correct inaccurate, outdated, incomplete or misleading health data. Section 20(2) The request under subregulation (1) shall specify the health personal data that is to be corrected and how such information is inaccurate, out of date, incomplete or misleading. Section 20(3) Upon receipt of the request under subregulation (1), a health data controller shall, correct the health data of the data subject, within seventy-two hours.

Section 21

MANAGEMENT OF HEALTH INFORMATION - 21. Use of sensitive health data

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 21. Use of sensitive health data Section 21(1) A health data controller shall ensure that personal data used for purposes specified under section 27(f), (g), (h) and (i) of the Act is accessed in a de-identified form. Section 21(2)(a) making a request in writing to the Agency; and Section 21(2)(b) paying the fees specified in the Second Schedule. Section 21(3) The Agency shall consider a request under subregulation (2) and communicate its decision to the applicant within fourteen days from the date of the request. Section 21(4) A person who uses sensitive personal data contrary to these Regulations, commits an offence and shall on conviction be liable to the penalty specified under section 35 of the Act. Section 21(5) In making a determination under subregulation (3), the Agency shall be guided by the provisions of the Fair Administrative Action Act (Cap. 7).

Section 22

MANAGEMENT OF HEALTH INFORMATION - 22. Disclosure of sensitive personal data of deceased persons

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 22. Disclosure of sensitive personal data of deceased persons Section 22(1) A person may request a health data controller for disclosure of sensitive personal data of a deceased person. Section 22(2)(a) identifying a person; Section 22(2)(b) informing the next of kin in the circumstances; or Section 22(2)(c) investigating a cause of death. Section 22(3) A person aggrieved by a decision of the health data controller under this regulation may within seven days from the date of the decision of the health data controller appeal to the Agency. Section 22(4) A person aggrieved by the decision of the Agency under this regulation may appeal to the High court.

Section 23

MANAGEMENT OF HEALTH INFORMATION - 23. Sensitive personal data in emergencies

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 23. Sensitive personal data in emergencies. through a multi-factor authentication process governed by the policy of the health data controller of the digital health solution; and

Section 24

MANAGEMENT OF HEALTH INFORMATION - 24. Disclosure of personal health data for market research

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 24. Disclosure of personal health data for market research. A health data controller who discloses personal health data for market research purposes, commits an offence and shall, on conviction, be liable to the penalty specified under section 59 (2) of the Act.

Section 25

MANAGEMENT OF HEALTH INFORMATION - 25. Consideration before disclosure

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 25. Consideration before disclosure. requiring official identification documents;

Section 26

MANAGEMENT OF HEALTH INFORMATION - 26. Obligations of a health data controller

Part II: MANAGEMENT OF HEALTH INFORMATION

Section 26. Obligations of a health data controller. develop a health data-sharing plan;

Section 27

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 27. Lodging of a complaint

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 27. Lodging of a complaint Section 27(1) A data subject or any person aggrieved on any decision under the Act and these Regulations may lodge a complaint with the Agency. Section 27(2) A complaint under subregulation (1) may be lodged in Form HMIS 3 set out in the First Schedule. Section 27(3) A complaint under subregulation (1) may be lodged through mail or electronic means, including email, web posting or a complaint management information system. Section 27(4)(a) a complainant; or Section 27(4)(b) a person acting on behalf of the complainant. Section 27(5) The Agency shall acknowledge receipt of the complaint within seven days of receipt of the complaint under subregulation (1). Section 27(6) The Agency shall consider the complaint under subregulation (1), within thirty days from the date of the lodging of the complaint. Section 27(7) The complaint under subregulation (1) shall be lodged free of charge.

Section 28

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 28. Register of complaints

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 28. Register of complaints Section 28(1) The Agency shall keep and maintain an up to date register of complaints. Section 28(2) An entry into the register of complaints shall state the particulars of the complainant and the complaint filed with the Agency. Section 28(3) The Agency shall protect the identity of the complainant where the request to protect the identity is sought by the complainant.

Section 29

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 29. Admission of a complaint

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 29. Admission of a complaint. admit the complaint; or

Section 30

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 30. Investigation of a complaint

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 30. Investigation of a complaint Section 30(1)(a) issue summons requiring the attendance of any person at a specified date, time and place for examination. Section 30(1)(b) require any person to produce any document or information from a person or institution; Section 30(1)(c) administer an oath or affirmation on any person during the proceedings; Section 30(1)(d) examine any person in relation to a complaint; and Section 30(1)(e) upon obtaining warrants from the court, enter into any establishment or premises and conduct a search and may seize any material relevant to the investigation. Section 30(2) Upon completion of the investigation, the Agency shall prepare an investigation report. Section 30(3) In conducting investigations under this regulation, the Agency shall comply with the provisions of the Fair Administrative Action Act (Cap. 7J).

Section 31

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 31. Discontinuation of a complaint

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 31. Discontinuation of a complaint Section 31(1) The Agency may discontinue a complaint where the complainant refuses or fails, neglects to communicate with the Agency without a justifiable cause. Section 31(2) The Agency shall provide reasons for discontinuation on any of the grounds specified under subregulation (1) and shall, in writing, notify the complainant and respondent within fourteen days from the date the decision to discontinue a complaint is made. Section 31(3) Where a complaint has been discontinued pursuant to these Regulations, a complainant may re-institute a complaint upon providing grounds for the restitution of the complaint to the Agency.

Section 32

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 32. Withdrawal of a complaint

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 32. Withdrawal of a complaint Section 32(1) A complainant may at any stage during consideration of a complaint withdraw a complaint but before a determination is made. Section 32(2) A withdrawn complaint under subregulation (1) may be re-lodged, within six months from the date of withdrawal of such complaint. Section 32(3) A complaint re-lodged under this regulation shall be processed in accordance with the provisions of this Part.

Section 33

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 33. Outcome of investigations

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 33. Outcome of investigations Section 33(1) The Agency shall upon the conclusion of the investigation, make a determination based on the findings of the investigations. Section 33(2)(a) nature of the complaint; Section 33(2)(b) summary of the facts and evidence adduced; Section 33(2)(c) decision of the Agency and reasons for the decision; and Section 33(2)(d) any remedy to which the complaint is entitled. Section 33(3) The Agency shall within seven days from the date of such determination, communicate the decision under subregulation (2) to the parties, in writing.

Section 34

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 34. Appeals

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 34. Appeals. A person aggrieved by a decision of the Agency under this part, may within fourteen days from the date of the decision of the Agency, appeal to the High Court.

Section 35

PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS - 35. Exemption of complaints related to personal data

Part III: PROCEDURE FOR LODGING, ADMISSION AND RESPONSE TO COMPLAINTS

Section 35. Exemption of complaints related to personal data. A data subject who is aggrieved by a decision of any person under the Data Protection Act, shall lodge a complaint with the Data Commissioner in accordance with section 56 of the Data Protection Act (Cap. 411C).

Section 36

PROVISION OF E-HEALTH AND CERTIFICATION - 36. Certification of digital health solutions

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 36. Certification of digital health solutions Section 36(1) Pursuant to section 6(m), the Agency shall certify a digital health solution including e-health and telemedicine platforms in accordance with the Certification Framework. Section 36(2)(a) manage the certification process; Section 36(2)(b) ensure that health data controllers and digital health solutions comply with the Certification Framework; Section 36(2)(c) ensure that the Certification Framework is aligned to digital health standards and guidelines developed and published by the Cabinet Secretary; and Section 36(2)(d) disseminate the Certification Framework including the digital standards and guidelines. Section 36(3) The Agency may, in collaboration with the relevant institutions, set up and certify laboratory-based testing environments for the purposes of assessing the conformity of digital health solutions with the Certification Framework.

Section 37

PROVISION OF E-HEALTH AND CERTIFICATION - 37. E-health

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 37. E-health Section 37(1) A healthcare provider or a health facility shall not use a digital health solution in the provision of healthcare services, unless the digital health solution has been certified by the Agency. Section 37(2)(a) use a digital health solution certified by the Agency for service delivery; and Section 37(2)(b) adhere to the digital and physical security requirements in the Certification Framework. Section 37(3)(a) certify all e-health and telemedicine platforms in accordance with the Certification Framework; and Section 37(3)(b) give user access to the System to a health data controller of a certified digital health solution.

Section 38

PROVISION OF E-HEALTH AND CERTIFICATION - 38. Application for certification

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 38. Application for certification Section 38(1) A digital health solution provider shall apply for the certification of a digital health solution to the Agency in the Form HMIS 4 set out in the First Schedule. Section 38(2) A digital health solution provider shall, prior to applying for certification under subregulation (1), undertake self-attestation on the digital health solution and prepare a self-attestation report. Section 38(3)(a) a self-attestation report; Section 38(3)(b) certificates of incorporation of the applicant; Section 38(3)(c) particulars of the health data controller; Section 38(3)(d) a system manual and requirements specification of the digital health solution; Section 38(3)(e) evidence of registration with the Office of the Data Protection Commissioner as a data controller and data processor; Section 38(3)(f) the Data Protection Impact Assessment Report of the digital health solution prepared in accordance with the Data Protection Act (Cap. 411C); Section 38(3)(g) the security, privacy and confidentiality policy of the digital health solution provider; Section 38(3)(h) proof of payment of the certification fees set out in the Second Schedule; Section 38(3)(...

Section 39

PROVISION OF E-HEALTH AND CERTIFICATION - 39. Considerations for certification

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 39. Considerations for certification. functionality as set out in the Certification Framework including the system and data quality;

Section 40

PROVISION OF E-HEALTH AND CERTIFICATION - 40. Testing

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 40. Testing Section 40(1) The Agency shall schedule and test the digital health solution submitted to the Agency for certification. Section 40(2) Upon completion of testing under subregulation (1), the Agency shall prepare a testing report and notify the digital health solution provider of the results of the testing within five days from the date of the adoption of the testing report by the Board. Section 40(3) The Agency may specify in the testing report prepared under subregulation (2) the non-compliance issues that the digital health provider may be required to comply with. Section 40(4) A digital health solution provider may, after receiving the testing report take corrective action as required under subregulation (3) and submit evidence of the corrective actions taken to comply with the requirements given by the Agency under subregulation (3). Section 40(5) Where the Agency is satisfied that the corrective action taken by the digital health solution provider addresses the compliance action specified in the testing report the Agency shall issue a certificate of compliance for the digital health solution. Section 40(6) Where the Agency determines that the corrective acti...

Section 41

PROVISION OF E-HEALTH AND CERTIFICATION - 41. Validity of a certificate

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 41. Validity of a certificate Section 41(1) A certificate of compliance issued under regulation 40, shall be valid for two years from the date of issuance. Section 41(2) A digital health solution provider shall, upon the expiry of the period under subregulation (1), apply for re-certification in the manner set out in these Regulations.

Section 42

PROVISION OF E-HEALTH AND CERTIFICATION - 42. Monitoring of compliance by the Agency

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 42. Monitoring of compliance by the Agency Section 42(1)(a) review the data quality assessments submitted by health data controllers to ensure compliance with the digital health standards and guidelines; and Section 42(1)(b) schedule and conduct annual audits and checks, using the tools and procedures in the Data Quality Assessment Standards, to assess adherence and compliance to Data Quality Protocols by the System and the certified digital health solutions. Section 42(2) A digital health solution provider or health data controller shall comply with a change in the digital health standards and guidelines within six months from date of the change. Section 42(3) The Cabinet Secretary shall, in consultation with the Agency, continuously revise and update Data Quality Protocols.

Section 43

PROVISION OF E-HEALTH AND CERTIFICATION - 43. Ad hoc audit

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 43. Ad hoc audit Section 43(1)(a) perform the necessary updates and bug fixes; Section 43(1)(b) ensure that the certified digital health solution documents any change logs; Section 43(1)(c) ensure that data generated through the certified digital health solution is accurate, timely, complete, consistent, valid and in conformity to the needs of the health sector; Section 43(1)(d) perform regular data quality assessments of their systems using standards, protocols and tools defined by the Agency and maintain records of the assessments for review by the Agency; Section 43(1)(e) notify the Agency in the event of system changes affecting security, functionality, reporting or interoperability of the digital health solution upon which the Agency shall conduct a fresh audit of the digital health solution; and Section 43(1)(f) notify the Agency, in the event of system breaches, on the nature of the breach and the solution implemented to resolve the breach. Section 43(2)(a) assess compliance with certification requirements; and Section 43(2)(b) verify corrective actions in the event of non-conformity with the certification requirements.

Section 44

PROVISION OF E-HEALTH AND CERTIFICATION - 44. Revocation of certification

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 44. Revocation of certification Section 44(1)(a) the digital health solution provider or health data controller fails to adhere to the conditions set out in the certificate issued under regulation 40(9); Section 44(1)(b) a major system security breach has occurred on health data; or Section 44(1)(c) a digital health solution provider fails to notify the Chief Executive Officer of a data breach in accordance with regulation 11. Section 44(2) Where a digital health solution provider is dissatisfied by the decision of the Agency under subregulation (1), the digital health solution provider may apply to the Agency for a review of the decision. Section 44(3) The Agency shall consider the application for review under subregulation (2), within fourteen days from the date of the application. Section 44(4) A person aggrieved by the decision of the Agency under subregulation (3), may seek a remedy from the High Court. Section 44(5) In making the revocation under subregulation (1), the Agency shall comply with the provisions of the Fair Administrative Actions Act (Cap. 7J).

Section 45

PROVISION OF E-HEALTH AND CERTIFICATION - 45. Transitional and saving provisions

Part IV: PROVISION OF E-HEALTH AND CERTIFICATION

Section 45. Transitional and saving provisions Section 45(1) A digital health solution provider who, subject to subregulation (2) and (3), immediately before the commencement of these Regulations was providing a digital health solution shall continue to provide that digital health solution. Section 45(2) A digital health solution provider referred to under subregulation (1) shall make an application in the Form HMIS 4 set out in the First Schedule within six months of the coming into force of these Regulations for the certification of a digital health solution to the Agency in accordance with regulation 38. Section 45(3) Where the Board rejects an application for certification of a digital health solution, the digital health solution provider shall cease to provide that digital health solution from the date of the rejection of the application.