The Digital Health Bill, National Assembly Bills No. 57 Of 2023
Legislative progress
Introduced / Published: 1 Feb 2024
- ○ First Reading
- ○ Second Reading 26 Sep 2023
- ○ Committee of the Whole House 27 Sep 2023
- ○ Third Reading 27 Sep 2023
- ○ Presidential Assent
Stage dates are back-filled from publication records and Hansard, and refined by editors. Some dates may be approximate or not yet recorded.
Sponsor
United Democratic Alliance · Kikuyu Constituency
What Kenyans are saying
No published submissions on this Bill yet — be the first to have your say.
Notes
Source: https://www.parliament.go.ke/sites/default/files/2024-02/THE%20DIGITAL%20HEALTH%20BILL%2C%20NATIONAL%20ASSEMBLY%20BILLS%20NO.%2057%20OF%202023.pdf
The Bill (PDF)
↓ Download the Bill (PDF, 4.7 MB) Open in a new tab
Read the original document (4.7 MB)
Your browser can’t display the PDF inline. Download the Bill (PDF) instead.
Original document, hosted by Mzalendo. Source: parliament.go.ke.
Bill text
Read the Bill (OCR extract)
REPUBLICOFKENYA
PARLIAMENT
NATIONALASSEMBLYBILLS (BillNo.57of2023)
THEDIGITALHEALTHBILL,2023
(A Bill published in theKenya GazetteSupplement No.163of2023and passed by the National Assembly,with amendments,on September 27th 2023)
N.A./B/No.57/2023
Clause
PARTI-PRELIMINARY
- 1—Short title.
- 2—Interpretation.
- 3—Objectsof theAct.
- 4—Guiding principles.
PARTII-ESTABLISHMENTOFTHEDIGITAL HEALTHAGENCY
- 5—Establishmentof theDigitalHealthAgency.
- 6—Functions of the Agency.
- 7—Powers of theAgency.
- 8—Board of Directors.
- 9—Conductofbusinessand affairsof theBoard.
- 10—Committees of theBoard.
- 11—ChiefExecutiveOfficer.
- 12Qualificationfor appointment as aChiefExecutive Officer.
- 13-CorporationSecretary.
- 14Staff.
PARTIII-ESTABLISHMENTAND ADMINISTRATIONOFTHECOMPREHENSIVE INTEGRATEDHEALTHINFORMATIONSYSTEM
- 15-Establishmentofa comprehensiveintegratedhealth information system.
- 16—Components of the system.
- 17—Objectivesof the system.
- 18-Technical aspect of the system.
PARTIV-HEALTHDATAGOVERNANCE
- 19—Classificationofhealthdata
THEDIGITALHEALTHBILL,2023 ARRANGEMENTOFCLAUSES
- 20—Governing principles
- 21—Establishment health data governance framework.
- 22-Healthdatacustodian.
- 23—Health datause.
PARTV-CONFIDENTIALITY,PRIVACYAND SECURITYOFDATA
- 24Security,privacy and disclosure of data in the system.
- 25—Retentionanddisposal ofdatainthesystem.
- 26—Establishmentofhealthdatabanks.
- 27—Useof sensitivepersonal data.
- 28—Responsibilitiesofhealth databankcontroller.
- 29—Requestforinformationbyauthorizedperson
- 30—Disclosure ofsensitivepersonal data ofdeceased persons.
- 31-Consent.
- 32—Processingofpersonal datarelatingto aminorora person without capacity.
- 33—Duty toprotectsensitivepersonal data.
- 34Disposalofhealthinformation.
- 35—Breachofhealth data.
- 36—Health dataportability.
- 37—Refusal togrant access to sensitivepersonal data.
- 38-Precautionsonreleaseofsensitivepersonalhealth data.
- 39—Right torectificationorerasure.
PARTVI-E-HEALTHSERVICEDELIVERY
- 40—E-Health serviceasamodeofhealth service delivery.
- 41—Provisionofe-healthservices.
- 42—Principles andobjectives ofe-health.
- 43-E-health services.
- 44—Reporting.
PARTVII-E-WASTEMANAGEMENT
- 45—E-wastemanagement.
PARTVIII-HEALTHTOURISM
- 46Developmentofguidelinesonhealthtourism.
- 47-Disclosure ofsensitive personal data to organisationsoutsideKenya.
PARTIX-FINANCIALPROVISIONS
- 48—Funds of the Agency.
- 49—Financial year.
- 50—Annualestimates.
- 51—Accounts andAudit.
- 52—Annual report.
- 53—Bankaccount.
- 54InvestmentofFunds.
PARTX-MISCELLANEOUSPROVISIONS
- 55—Protectionfrompersonalliability.
- 56—Conflictofinterest.
- 57—Confidentiality.
- 58—Dutytocooperate.
- 59Offences.
- 60—Regulations.
- 61—Compliance toDataProtection Act,2019.
- 62—Transitional provision.
SCHEDULE-CONDUCTOFTHEBUSINESSAND AFFAIRSOFTHEBOARD
THEDIGITALHEALTHBILL,2023
ABillfor
- ANACTofParliamenttoprovidefortheestablishment of the Digital Health Agency;to provide a frameworkforprovisionofdigitalhealthservices; toestablish a comprehensive integrated digital health information system;and for connected purposes
ENACTEDbyParliamentofKenyaasfollows-
PARTI-PRELIMINARY
- 1.This Act may be cited as theDigital Health Act, Short title. 2023.
- 2.In thisAct,unless the context otherwise requires
"Agency"means the Digital Health Agency establishedundersection5;
"anonymization"means the removal of personal identifiersfrompersonaldataso that thedata subjectisno longeridentifiable;
"Board"means the Board of Directors of the Agency constituted under section8;
"Cabinet Secretary"means theCabinetSecretary for ministryresponsibleformattersrelatingtohealth;
"client" means an individual who uses, or has used,a health service,orinrelation towhomhealth data hasbeen created;
"consent"has the meaning assigned to it under the DataProtectionAct,2019;
"County Executive CommitteeMember"means the member ofcountyexecutive committee appointedand designatedtosupervisehealthservices;
"data"meansinformationwhich—
- (a)is processed by means of equipment operating automaticallyinresponsetoinstructionsgivenfor thatpurpose;
- (b)is recordedwithintentionthatitshouldbe processed bymeansof such equipment;
Interpretation.
No.24of2019.
- (c)isrecorded aspart of arelevantfilingsystem;
- (d)isrecordedinformationwhich isheldbyapublic entityanddoesnotfallwithinanyofparagraphs (a)to (d);
"data analysis"means the process of inspecting, cleaning,transforming,consolidation andmodellingofdata with thegoalofdiscoveringusefulinformation,extracting meaningful insights,suggesting conclusions and supporting decision making;
"data bank"means an organised collection of data designedtoefficientlystoreandretrievedatathatcanbe accessed,managedand updatedelectronicallytoallow userstoeasilysearchfor andaccess theinformation they need,to derive insights,make informed decisions and improveperformance;
No.24of2019.
"data commissioner"means the person appointed undersection6oftheDataProtectionAct,2019;
"data controller"means a natural or legal person, public authority,agency or other body which,alone or jointlywithothers,determines thepurposeandmeansof processingofpersonal data;
"data disposal"means the process of destroying manualorelectronicrecordsordatacompletelywithout beingused or accessed foran authorized purpose;
"data governance"means the overall management of the availability,usability,integrityandsecurityofdatausd in an organization;
"data integrity"means the overall completeness, accuracy andconsistencyofdata;
"data life cycle"means the stages through which data passes from its creation or acquisition to its eventual deletion orarchival;
"data management"means the development,execution andsupervision ofplans,policies,programs andpractices thatcontrol,protect,deliverandenhancethevalueofdata andinformationassets,andinvolvespolicyformulationand adherence to data management procedures such as reporting rates,harmonized andstandard data collection tools;
"data privacy"means the aspect of information technologythatdealswiththeabilityanorganizationor individualhastodeterminewhatdatainacomputersystem can besharedwiththirdpartiesforpurposesof thekeeping ofinformationprivateandsafe;
"data processor"means a natural or legal person, public authority,agency or other body which processes personal data onbehalfofthe data controller;
"data reporting"means the process of collection, submissionandorganisation ofdataintoinformational summariesinordertomonitorperformance;
"data retention"means the continued storage of an organization's data for compliance with nationalpolicy guidelinesandregulations;
"data security"meansprotectionofelectronichealth data,andspecificallythemeansusedtoprotecttheprivacy ofhealthinformationcontainedinelectronichealthdata thatsupportsprofessionalsin holding thatinformationin confidence;
""data storage"means the recording of information in a storagemedium orholdinginformationindigitalformat;
"data subject"means an identified or identifiable naturalpersonwhoisthe subjectofpersonal data;
"de-identification"means removing or hiding personal informationfromrecordsinsuch awaythattheremaining informationcannotbeused toidentifyanindividual;
"data verification"includes the authentication and validationofgathereddata,dataqualitychecks,auditofthe health datausingthedataqualityprotocols;
"digitalhealth"means thefieldof knowledge and practicethatisassociatedwiththedevelopmentanduseof digitaltechnologiestoimprovehealth;
"Director-General"means the Director-General for healthappointedundersection16of theHealthAct,2017;
"disclosure" meanssubmissionofrelevant information toan authorizedparty;
"e-Health'means the combined useof electronic communicationandinformationtechnologyinthehealth No.21of2017.
sectorincludingtelemedicine;
"e-Health ecosystem"means the combined application ofe-Health infrastructure,standards,technology,systems applications,investment,healthworkforceandgovernance that supportpatient-centredmodelsofhealthcare;
"e-Health platform"means an ecosystem of hardware, software and technologyusedtodelivere-Healthservices;
"electronichealth data"means an electronicrecord of personal healthrelatedinformation about anindividual and shall include-
- (a)information concerning the physical or mental health of theindividual;
- (b)informationconcerning anyhealthservice provided to the individual;
- (c)information concerning the donation by the individualof anybodypart or anybodily substance;
- (d)information derivedfromthetestingor examinationofabodypartorbodilysubstanceof the individual;
- (e)information that is collected in the course of providinghealth services to theindividual;or
- (f)informationrelatingtodetailsofthehealthfacility accessedbytheindividual;
"encryption"means the process of converting the content ofany readable data using technicalmeansinto coded form;
"enterprise class"refers to applications that are designedtoberobustandscalableacrossalarge organization,andcompatiblewithexisting databases and tools,customizablefortheneedsofspecificdepartments, powerfulenoughtoscaleupalongwiththeneedsofthe business using it,secure from outside threats and data leaks;
"enterprise service bus"means an architectural pattern wherebyacentralizedsoftwarecomponentperforms integrationsbetweenapplications;transformationsofdata models,handles connectivity,message routing,converts communication protocols and potentiallymanagesthe composition of multiple requests andmay make these integrationsand transformations available as a service interfaceforreusebynewapplications;
"e-waste"means waste resulting from electrical and electronic equipment including components and subassembliesthereof;
"guardian"means a guardian recognised under any lawfor thetimebeinginforce;
"health care professional"includes any person who hasobtained healthprofessionalqualifications andlicensed by therelevantregulatorybody;
"health care provider"has the meaning assigned toit undertheHealthAct,2017;
"health care services"has the meaning assigned to it under theHealthAct,2017;
"health data"means data related to the state of physicalormentalhealthofthedatasubjectandincludes recordsregarding the past,present orfuture state of the health,datacollectedin thecourse ofregistration foror provisionofhealthservicesordatawhichassociates the datasubjecttotheprovision ofspecifichealth services;
"health data controller"means a natural or legal person,publicauthority,agencyrotherbodywhich,alone orjointly withothers,determines thepurpose andmeans of processingof health data;
"health data custodian"means a person or organization thatpossesseslegalcustodyoverhealthdata;
"health data processor"means a person, public authority,agency or other body who is an authorised workertoprocesshealthdata;
"health facility"has the meaning assigned to it under theHealthAct,2017;
"health informatics"means the practice of acquiring studying andmanaginghealth data and applyingmedical conceptsin conjunctionwithhealthinformationtechnology systems to help health professionals provide better healthcare;
"health information bank"means an electronic databaseunder thecustodyandcontroloftheMinistryof Health that contains personal health information and is designatedbytheCabinetSecretaryasahealthinformation bank;
"healthinformation system"means ahealthecosystem designedtomanagehealthandhealthrelatedsystemdata thatprovides the foundations fordecision-making and includes a system that collects,collates, stores,manages, analyses,synthesises,transmit patient'sor client's electronichealthrecordanduseshealthandhealthrelated dataforoperationalmanagementorasystem supporting healthcare policy decisions;
"health records and information management"means thepractice of acquiring,analysing andprotecting digital andtraditionalmedicalinformationvitaltoproviding qualitypatientorclientcare;
"health records and information manager"means an officertrainedinhealthrecordsandinformation management andchargedwith the responsibilityof managing healthrecordsandhealthinformationforthe healthserviceswhichinclude
- (a)creating andenforcingpolicies foreffective data management;
- (b)clinical coding and classifications;
- (c)codingfor health insurance firms;
- (d)healthinformationmanagement;
- (e)health administrative data and medical data analytics andresearch;
- (f)appraisal of medical documentations and audits;
- (g)advice onmedical legal issues;
- (h)adviseonretrievaland disposal of Health and medicalrecords;
- (i)use of e-Health applications;
"health related data information"means the service deliveryandadministrativehealthdatacollected,analysed andsynthesisedfordecisionmakingin the health sector;
"health system"means an organization of people institutionsandresourcesthatdeliverhealthcareservices tomeetthehealthneedsof thepopulation,in accordance with established policies;
"health technology"means the applicationof organizedknowledge andskillsinthe formofdevices, medicine,vaccines,procedures and systems developed to solve ahealthproblem andimprove thequalityoflife;
"health tourism"means a situation where a patient travels across international borders to receive medical treatment;
"individual"means data subject;
"integrated e-Health information system"means a healthinformationsystem thatcollectshealthandhealth relateddatathataddresses theneedsofallusers for decisionmaking;
"Kenya Health Enterprise Architecture"means a blueprintthatguides the design,development and evolution ofthecomprehensiveintegratedhealthinformationsystem toalign investments in technology,information and processes that are cost-effective,sustainable,and aligned withtheKenyahealth sectorstrategicgoals;
"medical equipment data"means data relating to a medical equipment and contains manufacturer-provided informationandclient-createdinventoryinformationabout such equipmentandmayinclude exhaustdigital data and individualdatathatmaybeclassifiedas sensitivedata undertheDataProtectionAct,2019;
"m-Health"means the delivery ofmedical services using mobile technologies;
"personal data"means anyinformationrelating to an identified oridentifiablenatural person;
"personal data breach"meansabreachof security leading to the accidental or unlawful destruction,loss, alteration,unauthoriseddisclosureof,oraccessto,personal datatransmitted,storedorotherwiseprocessed;
"personal health data"means any information relating tothestateofphysicalormentalhealthofanidentifiedor identifiablepersonandincludesrecordsonthepast,present orfuturestateofthatperson'shealth;
"personalhealthinformation"meansdatarelated to thestateofphysicalormentalhealthofanindividualand includes information provided by the client,records regardingthepast,presentorfuture stateofthehealth,data collectedin thecourse ofregistrationfor,orprovisionof healthservices,ordatawhichassociatestheindividual to theprovision ofspecifichealth services;
"personally identifiablei information" means
informationthatcanbeusedtouniquelyidentify,contactor locate anindividual,orcanbeusedwith other sources to uniquelyidentifyaperson;
"private health services"meansprovisionofhealth national or county governments and includes health care servicesprovidedbyindividuals,faith-basedorganizations, non-governmentalorganizations andprivate for profit healthinstitutions;
"processing"means any operation or sets of operationswhichisperformedonpersonaldataoronsets ofpersonaldatawhetherornotbyautomatedmeans including-—
- (a)collection,recording,organisation or structuring;
- (b)storage,adaptation oralteration;
- (c)retrieval,consultation or use;
- (d)disclosure by transmission,dissemination or otherwisemakingavailable;or
- (e)alignment or combination,restriction,erasure or destruction.
"pseudo-anonymization"meanstheprocessingof personal data in such amanner that thepersonal data can nolongerbeattributedtoaspecificindividualwithoutthe useof additional information,andsuch additional informationiskeptseparatelyandissubjecttotechnical andorganisationalmeasurestoensurethatthepersonaldata isnotattributedtoanidentifiedoridentifiablenatural person;
"publichealth services"meanshealth services owned andofferedbythenationalandcountygovernments;
"referral"means the process by which a given health facility transfers a client service,specimen and.client parameterstoanotherfacilitytoassumeresponsibilityfor consultation,revieworfurthermanagement;
"researchforhealth"includes research which seeks to contributetotheextensionofknowledgeinanyhealth relatedfield,suchasthatconcerned withthebiological, clinical,psychological or social processesinhumanbeings improvedmethodsfortheprovisionofhealthservices; humanpathology;thecausesofdisease;theeffectsofthe environmentonthehumanbody;thedevelopmentornew applicationof pharmaceuticals,medicinesandother preventative,therapeuticor curative agents;or the development ofnewapplicationsof healthtechnology;
"system"means the comprehensiveintegratedhealth informationsystem establishedundersection15;
"system integration"refers to the mergingor combiningoftwoormorecomponentsorconfiguration itemsintoahigherlevelsystemelementandensuringthat thelogicalandphysicalinterfacesaresatisfied andthatthe integratedsystemsatisfiesitsintended purpose;
"system interoperability"refers to the capability to communicate, execute programs or transfer data among variousfunctionalunitssuchthattheuserneedslittleorno knowledgeoftheuniquecharacteristicsofthoseunits;
"telehealth"means theuseofelectronicinformation and telecommunications technologies including videoconferencing,theinternet,store-and-forwardimaging, streaming media,andterrestrial Iandwireless communications,to support long-distance clinical health care,patient and professional health-related education, publichealth andhealthadministration;
"telemedicine"refers to theprovision ofhealth care servicesandsharingofmedicalknowledgeoverdistance using telecommunications and includes consultative, diagnostic,and treatment services;and
"third party"means natural or legal person, public authority,agencyorotherbody,otherthan thedata subject, data controller,data processor or persons who,under the directauthorityofthedatacontrollerordataprocessor,are authorisedtoprocesspersonaldata.
- 3.The objects of thisAct are to
- (a)establish theDigital Health Agency;
- (b)establish and maintain a comprehensive integrated healthinformation system;
- (c)promote innovation and the safe,efficient and effectiveuseoftechnologyforhealthcare, including for continuity of care,emergency and disasterpreparednessanddisease surveillance;
- (d)establisharegulatoryframeworkforthee-Health ecosystem datalifecycle;
- (e)provideforprivacy,confidentiality,and security of health data;
- (f)develop standards for the provision ofm-Health, telemedicine,ande-learning;
- (g)establish aregulatoryframework fore-waste management;and
- (h)provide for thesafe andsecure transferof personal, identifiable health data and client's medicalrecordstoandfromhealthfacilitieswithin and outsideKenya.
- 4.In implementing the Act, all persons shall be guidedbythefollowingprinciples-
- (a)health data is a strategicnational asset;
- (b)safeguard of the privacy,confidentiality and securityofhealthdataforinformation sharingand use;
- (c)digitalhealth shallfacilitatedatasharinganduse forinformed decision-making at all levels;and
- (d)thedigitalhealthecosystemshallservethehealth sector andfacilitate in aprogressive and equitable manner,thehighest attainable standardofhealth.
PARTII-ESTABLISHMENTOFTHEDIGITAL HEALTHAGENCY
- 5.(1)There is established anAgency tobeknown as theDigital HealthAgency.
- (2) The Agency shall be a body corporate with perpetual succession and a common seal and shall,in its corporate name,be capable of
Guiding principles.
Establishment of theDigital Health Agency.
- (a)suing and beingsued;
- (b)taking,purchasing or otherwise acquiring,holding chargingand disposingofmovable andimmovable property;
- (c)receiving,investing,borrowingmoney;and
- (d)doing or performing such other things or acts necessary for the proper performance of its functionsunderthisAct.
- 6.The Agency shall
- (a)develop, operationalise andmaintain the ComprehensiveIntegratedHealthInformation System tomanagethecoredigital systemsand the infrastructure required for itsseamless health information exchange;
- (b)establish registries,in consultation with other statutoryauthorities,atappropriatelevelstocreate single source of truthinrespectof clients,health facilities,healthcareproviders,healthproducts and technologies;
- (c)promoteadoptionofbestpracticesandstandards for digital health thatfacilitate data exchange;
- (d)establishasystemof shareableandportable personal health records,based on best practices and standards;
- (e)ensurehealth data portability;
- (f)facilitatecollection andanalysisofdatatoinform policy andresearchin thehealth sector;
- (g)promote thedevelopmentofenterprise-classhealth application systems;
- (h)strengthen existinghealthinformationsystems by ensuring theirconformitywiththeprescribed standards andintegration with the comprehensive integratedhealthinformation system;
- (i)developandimplementtheinfrastructurefor health data exchangeofhealthinformationina securedmanner;
- (j)maintain,in collaboration with the counties and
Functions of the Agency.
other statutory authorities,the technological infrastructurenecessaryforthecoredigitalhealth services;
- (k)support the developmentandimplementationof standardsforenhanced interoperability;
- (l)undertake resource mobilization for implementationof healthdigitizationinthe country;
- (m)certifydigitalhealth solutionsbasedon best practices and standards;
- (n)advisetheCabinetSecretaryonmattersrelated to digital health;and
- (o)perform any otherfunctionfor thebetter carrying outoffunctionsunder thisAct.
- 7.(1) The Board shall be responsible for the management and administration of theAgency.
- (2)Withoutprejudicetothegeneralityofthe foregoing,theAgency shall havepower to—
- (a)manage,control and administer the assets of the Agency in such manner and for such purpose as bestpromotestheobjectsforwhichtheAgencyis establishedinaccordancewiththePublic Procurement andAssetsDisposalAct,2022:
Provided that the Agency shall not charge or disposeofanyimmovablepropertywithoutthe prior approval of theNational Assembly;
- (b)enter intoassociation with suchotherbodiesor organizations,within or outside Kenya,asit may considerdesirableorappropriateand in furtheranceofthepurposeforwhich theAgencyis established;and
- (c)invest the funds of the Agencynotimmediately requiredforitspurposesin themannerprovidedin this Act.
- 8.(1) There shall bea Board ofDirectorsof the Agencywhich shall consist of
- (a)anon-executivechairperson who shall be
Powersof the Agency.
No.33of2015.
Boardof Directors.
appointed by thePresident;
- (b)thePrincipal SecretaryresponsibleforHealth ora representativedesignatedinwriting;
- (c)the Principal Secretary responsible for National Treasury or arepresentative designated inwriting;
- (d)the Principal Secretary responsible for Information,CommunicationandTechnology or a representative designatedinwriting;
- (e)the Data Commissioner or a representative designated in writing;
- (f)one person representing the private sector appointed by the CabinetSecretary;
- (g)threepersons,notbeingGovernors,nominatedby the CouncilofCountyGovernorswithknowledge andexperienceinmattersof digital health;and
- (h)theChiefExecutiveOfficer,whoshallbeanexofficiomemberoftheBoard.
(2)The Chairperson of theBoard and themembers appointed under subsection(1)(f) and(g) shall serve for a termofthreeyearsandshallbeeligibleforre-appointment foronefurthertermofthreeyears.
(3)In appointingpersons as members of the Board under subsection(1)(f)and(g),theCabinetSecretary shall ensure that theappointmentsaffordequalopportunityto men and women, youth,persons with disabilities, minorities and marginalized groups and ensure regional balance.
(4)Aperson appointed to theBoard under sub-section (1)(a),(f)and(g)shall ceasetobeamemberoftheBoardif the person-
- (a)resigns in writing addressed to the Cabinet Secretary;
- (b)is adjudged bankrupt;
- (c)isabsentfrom threeconsecutivemeetingswithout thepermission of the Chairperson;
- (d)isconvictedofacriminaloffenceandsentenced to imprisonmentforatermexceedingsixmonths;or
- (e)is unabletoperform thefunctionsofhisofficeby
reason ofmental orphysical infirmity.
(5)Despite subsection (4),theChairperson or the memberoftheBoardmayberemovedfor-
- (a)incompetence orneglectof duty;
- (b)grossmisconductwhetherin theperformanceof themembers'functionsorotherwise;or
- (c)violationoftheConstitution or anyotherwritten law.
(6)The Agency shall pay to the directors such remuneration,fees or allowancesfor expenses asmaybe determinedbytheCabinetSecretaryon theadviceofthe SalariesandRemunerationCommission.
(7)TheBoard may co-opt any other personwith necessary expertise as it may deem necessary to assist the Board in dischargingits duties andresponsibilities.
9.Exceptasprovidedin theSchedule,theBoardshall regulateitsownprocedure.
10.(1) The Board may,from time to time,establish such committeesas itconsidersnecessaryforthebetter carrying out of itsfunctionsunder thisAct.
(2)TheBoardmayco-optinto themembershipofa committee establishedundersub-section(1)such other personwhoseknowledgeand skillsarefoundnecessaryfor thefunctions of theAgency.
11.(1) The Board shall,through an open,transparent and competitive recruitment process,appoint a suitably qualifiedpersontobetheChiefExecutiveOfficerofthe Agency.
(2)Subject tothis Act,theChiefExecutive Officer shallbeappointedonsuchtermsandconditionsofservice asshallbedeterminedbytheBoardin theinstrumentof appointmentorotherwiseinwritingfromtimetotimein consultationwiththeSalariesandRemuneration Commission.
12.(1)Aperson shall be qualifiedforappointment as theChiefExecutiveOfficeroftheAgencyifthatperson—
- (a)hasaminimum ofamaster'sdegree froma
Conductof business and affairsof the Board. Committeesofthe Board.
ChiefExecutive Officer.
Qualificationfor appointment as ChiefExecutive Officer.
university recognized inKenya;
- (b)hasat leasttenyears'knowledgeandexperiencein health information science,data science,data governance,health informatics,digital health or anyotherrelevantfield;
- (c)hasservedinamanagement levelforaperiodof at leastfiveyears;
- (d)hasnotbeenconvictedofanoffence and isnot servingatermofimprisonment;and
- (e)meets therequirements of Chapter Six of the Constitution.
(2)TheChiefExecutiveOfficershall,subjecttothe directionsoftheBoard,beresponsiblefor thedayto day managementoftheaffairsandstaffoftheBoard.
(3)The Chief Executive Officer shall be the accountingofficer of theAgency.
(4)TheChiefExecutiveOfficershall holdofficefora periodof threeyearsandshallbeeligibleforreappointmentforonefurthertermofthreeyears.
13.(1)There shall bea Corporation Secretary who shallbecompetitivelyrecruitedandappointedbytheBoard on such terms as the Board may,on the advice of the SalariesandRemunerationCommission,determine.
(2)Apersonqualifies for appointmentasthe CorporationSecretaryof theAgencyif theperson—
- (a)holdsabachelor's degree in lawfroma university recognized inKenya;
- (b)is anAdvocate of theHigh Court ofKenya;
- (c)has at least five years'experienceasa corporationsecretary ora similar governance role;
- (d)isamemberingoodstandingoftheInstituteof CertifiedSecretaries ofKenya;and
- (e)meetstherequirementsofChapter Sixofthe Constitution.
- (3)TheCorporationSecretaryshall betheSecretaryto
Corporation Secretary.
theBoard andshall—
- (a)in consultation with the Chairperson of theBoard,issue notices formeetingsof the Board;
- (b)keep in custody,the records of the deliberations,decisions,and resolutions oftheBoard;
- (c)transmitdecisionsandresolutionsofthe BoardtotheChiefExecutiveOfficerfor execution,implementation andother relevant action;
- (d)provideguidance to theBoard on their duties and responsibilities on matters relatingtogovernance;and
- (e)perform such other duties as theBoard maydirect.
14.The Board may appoint such staff as may be necessaryfortheproper dischargeofthefunctions ofthe Agencyunder thisAct,upon such terms and conditions of serviceastheBoardmaydetermineupontheadviceofthe SalariesandRemunerationCommission.
PARTIII-THEESTABLISHMENTAND ADMINISTRATIONOFTHECOMPREHENSIVE INTEGRATEDHEALTHINFORMATIONSYSTEM
15.(1)Thereisestablisheda system tobeknown as the comprehensive integrated healthinformation system whichshall beadministeredbytheAgency.
(2)TheAgency shall,inconsultationwith the Cabinet Secretary,establish a frameworkfor administration and managementofthesystem andshall ensure ethe maintenanceof theintegrity andsecurityof thesystem.
(3)The system shall operateasapointofcollection, collation, analysis, reporting, storage,usage, sharing, retrievalorarchivalofdatarelatedtothestateofphysical ormentalhealthofthedata subjectandincludesrecords regarding the past,present or future state of the health, datacollectedinthecourseofregistrationfor,orprovision ofhealthservices,ordatawhich associates thedatasubject Staff Establishmentof an integrated healthinformation system.
totheprovisionofspecifichealthservices.
- 16.The system shall comprise of—
- (a)an Information and Communication Technology environment which consists of the underlying infrastructure,enterprise service bus,standards, data banks,data exchange,governance,actors and applications,internet enabled environment,and otherrelatedcomponents;
- (b) data collection, collation, analysis, reporting, storage,usage,sharing,retrieval,orarchival;
- (c)applications,infrastructure and tools,and best practices that enable access toand analysis of informationtoimproveandoptimisedecisionsand performance;
- (d) data quality assurance and audit;and
- (e)shared or common resources,including the national health data dictionary,client registry, facilityregistry,healthworkerregistry,thKenya Health Enterprise Architecture,product catalogue, interoperabilitylayer,logistics management informationservices,sharedhealthrecords,health managementinformationservices,andfinanceand insurance services.
- 17.The main objectives of the system shall be to
- (a)facilitate people-centred quality health service delivery;
- (b)facilitate data collection andreporting atall levels;
- (c)enable securehealth data sharingto ensure timely andinformedinterfacilityhealthservicedelivery;
- (d)facilitate dataprocessing anduse for informed decision-making at all levels,including-
- (i)at individual patient level;
- (ii)forpublichealth purposes;and
- (ii)for resource allocationand managementin thehealthsector;
- (e)safeguardtheprivacy,confidentiality,andsecurity ofhealthdataforinformationsharinganduse;
Componentsof the System.
Objectivesofthe system.
- (f)servethehealthsectorandfacilitateina progressive and equitablemanner realisation of universal health coverage,to achieve thehighest attainable standardof health;
- (g)ensure standardisation of health data management; and
- (h)facilitate thetracking and tracing of health products and technologies in the country.
18.(1)TheAgency shall adopt relevant internationally accepted standards,procedures,technical details,best practices,andformalitiesforeffectiveimplementationof the system.
- (2)Theprocessesand technical aspectsof thesystem shall beguidedbythefollowingprinciples-
- (a)confidentiality,security and privacy;
- (b)scalability and interoperability;
- (c)accuracy,responsiveness andreliability;
- (d)efficiency andeffectiveness;
- (e)redundancy;
- (f)transparency;
- (g)simplicity and accessibility;and
- (h) consistency in use.
PARTIV-HEALTHDATAGOVERNANCE
19.For thepurposesof this Act,health data shall be classifiedinto thefollowingcategories-
- (a) sensitive personal level health data;
- (b)de-identified,pseudo-anonymizedoranonymized individual-level health data;
- (c)administrative data;
- (d)aggregate health data;
- (e)medical equipment data;and
- (f)research for health data.
- 20.(1)Health data shall begoverned by the following
Technical aspect of the system.
Classificationof health data.
Governing principles.
principles-
- (a)improvementof clienthealth,safeguardof individuals andcommunities againstharm and violations;
- (b)data security throughout the entire datalife-cycle;
- (c)equity andaccountability;
- (d)privacy and confidentiality;and
- (e)accuracy and reliability.
- 21.(1) The Cabinet Secretary shall,in consultation with the Director-General,establish a health data governanceframework.
- (2)Withoutprejudicetothegeneralityofsubsection (1)theCabinetSecretary shall—
- (a)developguidelinestopromoteeffectiveuseof legacy dataincluding data migration;
- (b)establishstandardsforintegration,interoperability andexchange of health data;
- (c)ensure regular update and availabilityof the national health data dictionary for utilization within the system;
- (d)establish standards for and conduct routine data quality checks in the system;
- (e)ensurethesecurityandaccountabilityofdatafor the systemwhilepromoting appropriate data use and sharing;
- (f)provide guidanceontheintegrationand interoperabilityofallhealthinformationsystems into the systempersetstandards;and
- (g)require allhealthdata controllers andprocessors to reportdesignatedhealth data in accordancewith ministryofhealthin theapprovedandprescribed formats andplatforms.
- 22.TheAgency shall be thecustodian forall health data in Kenya.
Establishment of health data govemance framework.
Health data custodian.
- 23.(1)The CabinetSecretary shall ensure thatHealth Health data use. datais usedforpublicgood.
- (2)TheAgencyshall providehealthdata to theCabinet ecretaryforrelevantaction.
PARTVCONFIDENTIALITY,PRIVACYAND SECURITYOFDATA
- 24.(1)TheCabinetSecretary shall beresponsiblefor theconfidentiality,privacyandsecurityofall sensitive personal data held in thesystem.
- (2)Sensitivepersonaldataheldinthesystemshallnot be disclosed to a thirdpartyunless——
- (a)the data subject is unable togiveinformed consent for thedisclosureandsuchconsentisgivenbya person authorised by the data subjectinwritingto grant consent;
- (b)thedisclosure has beenauthorisedbythe implementationofwrittenlawortheenforcement ofacourtorder;
- (c)a health service without informed consent as authorisedbywrittenlaworcourtorderisbeing provided;
- (d) the data subjectisbeingtreated in an emergency situation;
- (e)failure to treat the data subject,or a group of people which includes the data subject,would result in a seriousrisktopublichealth;or
- (f)a delayinprovidingahealth service to thedata subjectmayresultin deathorirreversible damage tothehealthofthedata subjectand thedata subject has not expressly,by implication or by conductrefused thatservice.
- (3)The CabinetSecretary shall beresponsiblefor the privacyof thedataheldin thesystem duringall thedata life cycle stages.
No.29of2019.
- (4)Where the dataheldin the system dataisintended tobe usedforresearch andplanning,the CabinetSecretary shall bethedatacontrollerforthepurposesofsection53of
Security,privacy anddisclosureof data in the system.
theDataProtectionAct,2019.
- (5)TheCabinetSecretaryshallestablishthesecurity measures in the system toprotect sensitivepersonal data including-
- (a)personalised authentication and log-in credentials;
- (b)role based user rights;
- (c)audit trailsfor all activitieswithin the system;
- (d)digital andphysical security of the system;and
- (e)anencryptedbackup thatis subjectto thesecurity measuresherein.
- 25.(1) Dataheld in thesystem shall bemaintainedfor aminimumperiodoftwentyyears.
(2)Dataheld in the systemmaybemaintained fora periodexceeding that specified in subsection(1)where—
- (a)it isrequired or authorised bylaw;
- (b)it is authorised by the data subject;or
- (c)it isreasonablynecessaryfor a lawfulpurpose;
- (d)forhistorical,statistical orresearchpurposes.
- (3)Wheretheperiodforthemaintenanceofthedata heldinthesystemisnotextendedundersubsection(2),the data shall be securedbyde-identification,anonymization, pseudo-anonymization or archiving,or establishing such technical and organisational securitymeasures as the CabinetSecretarymaydetermine tobenecessary.
- 26.(1)TheCabinetSecretaryshall-
- (a)establishanational health databank and designate countyhealthdatabanks;
- (b)storethehealthdatasubmittedtothesysteminthe national health databank;and
- (c)establishseamlessintegration andinteroperability ofthenationalhealthdatabankwithotherrelevant databases.
- (2)TheCountyExecutive CommitteeMember shall
- (a)establish countyhealth databanks;
Retention and disposal ofdatain system.
Establishment of health databanks.
- (b)store thehealthdatasubmitted tothesystemin the countyhealthdatabank;and
- (c)establish seamlessintegration andinteroperability ofthecountyhealthdatabankwithotherrelevant databases anddatabanks.
No.21of2017.
(3)Thehealthinformationdatabasesanddatabanks referred to in subsections (1)and(2) shall be established at thedifferentlevelsofhealthcaredeliveryspecifiedunder section25oftheHealthAct,2017.
(4)A data controller shall transmit health data containing sensitivepersonaldatatothenationalhealth informationdatabankandcountyhealthinformationdata bankinasecure andencryptedform.
(5)A data controller shallmaintain recordsof the healthdata containingsensitivepersonal data transmitted to thenational healthinformation databankandcountyhealth informationdatabankundersubsection(4).
27.Thehealth data thatis contained inahealth data bank shall be applied to Use of sensitive personal data.
- (a)identifyaperson who needs or is receivinga health service;
- (b)providehealth services to,orfacilitate the care of or treatment of,a person;
- (c)identifyahealthserviceproviderwhoisproviding ahealth service;
- (d)identify aperson offeringhealth insurance;
- (e)assess and address public healthneeds;
- (f)conduct disease surveillance,research and innovation;
- (g)engage in health system planning,management, evaluation or improvement,including health service development,management,delivery, monitoring and evaluationincludingsurveys;
- (h)assessthesafetyandeffectivenessofhealth services;and
- (i)continuous enhancement of thesystem.
- 28.Theresponsibilityof thedatacontrollerofahealth databankshall beto—
- (a)take reasonablemeasures to ensure thatno agent or the data controller or processor collects,uses, discloses,retains or disposes of sensitive personal dataunlessitisin accordancewith thelaw;and
- (b)remainresponsibleforanysensitivepersonaldata that is collected,used,disclosed,retained or disposedofbythedatacontroller'sorprocessor's agents,regardless ofwhether or not the collection, use,disclosure,retentionordisposalwascarriedout in accordancewith thisActorotherlaw.
- 29.Apersonauthorised bythedatacontrollerto enter sensitive personal data into the system shall ensure compliancewithsection30(2)ofthisAct.
Responsibilitiesof health data bank controller.
Request for informationby authorized person.
Disclosureof sensitive personal data of deceased persons.
Consent.
30.(1)A data controller may disclose sensitive personal data about a person who is deceased,or is reasonablysuspectedtobedeceasedwhen-
- (a) identifying the person;
- (b)informingaperson towhom itisreasonable to informin thecircumstancesof;or
- (c)investigating thecause of death.
- (2)Arequestunder subsection(1)shall bemade as providedundertherelevantlaw.
31.(1)Ahealthcareprovidershall ensure that heor she hasobtained consent toprocesssensitivepersonal data.
(2)Subsection (1)shall notapply where a health service isbeingprovided-
- (a)for publichealth inaccordancewith thePublic HealthAct;and
- (b) in compliance with anyother statutory requirements.
- (3)When processing personal data,a healthcare provider shall-
- (a)ensure confidentialityof theinformationofthe client;
- (b)provide promptand accurate datanecessary for
treatment of thepatient;
- (c)complywiththedutytonotifythedatasubjectin accordancewiththeDataProtectionAct,2019;
- (4)Adatasubjectwhohasissuedaconsent to theuse ordisclosureofpersonaldatamaywithdrawtheirconsent atanytimebynotifyingthehealthcareprovider.
- 32.Wherea data subjectisaminororforanyother reasondoesnothavethecapacitytoissueinformedwritten consent,theparent,anappointedguardianornextfriendof the patient shall,for purposes of subsection (1),act on behalf of,and in the best interest of,the patient in accordancewiththelaw.
- 33.(1) A data controller shall protect sensitive personal ldata and adopt reasonable administrative, technical andphysical safeguards to ensure the privacy, confidentiality,security,accuracy andintegrityof thedata.
- (2)A data controller shallestablishcontrols that governpersonswhomayusesensitivepersonaldataand suchdatashallnotbeusedunless-
- (a)theidentityof theperson seeking touse the informationis verified;
- (b)thedataprocessoris authorized touseit,and
- (c)the proposed use is authorised under this Act.
- 34.TheCabinetSecretaryshalldevelopregulations for thedisposal ofsensitivepersonal data.
- 35.(1)A person commits an offence if,in relation to healthdata,theperson-
- (a)tampers with the data;
- (b) abuses a privilege;
- (c)disclosesinauthentic access to the data;
- (d)improperly disposes ofunnecessary but sensitive data;
- (e) loses data;
- (f)steals data;or
- (g)sharessensitivepersonal data to anunauthorised
No.24of 2019.
Processingof personal data relating toaminor oraperson without capacity.
Duty toprotect sensitive personal data.
Disposal of health information.
Breachof health data.
party.
(2)Apersonwhocommitsanoffenceunder subsection(1)shallbeliable,onconviction,toafine not exceedingonemillion shillingsor to imprisonmentfora termnotexceedingfifteenyears,or toboth.
(3)Wherea personcommits an offenceunder subsection(1)withrespecttosensitivepersonaldata,that person shall beliable,onconviction,to thepenaltiesunder section73oftheDataProtectionAct,2019.
36.(1)Subject to this Act,a person has a right,on request,to examine andreceivea copyof his or her personal healthinformationmaintainedby a data controller.
(2)Arequest under subsection (1)shall bemade in writingtotherelevanthealthfacilityorhealthinformation bank.
(3)Thehealth datacontroller shall complywith the provisionsof section38of theData Protection Actin enablingaccess andportabilityofpersonalhealthrecords.
37.Aperson in chargeofahealth databankmay refuse to grant access to a third party,all or part ofa person's sensitive data or health information if it is reasonabletobelievethat
- (a)access is restricted by a court process,order or judgement;
- (b)anotherlawprohibitsdisclosure;
- (c)theinformation was collectedor created in the course of an inspection,investigation or similar procedurenotyetconcluded;
- (d)accessmaylead to theidentificationofaperson whoprovidedinformationintherecordtothe custodian in circumstances in which confidentialitywasexpected;or
- (e)accessmayresult inthereleaseofanotherperson's personalhealth data.
38.(1)Ahealth databankandhealth data controller, shall- No.24of2019.
HealthData Portability.
No.24 of2019.
Refusal to grant access to sensitive personal data.
Precautions on releaseof sensitivepersonal health data.
- (a)besatisfied as to theidentityof thepersonmaking the request;and
- (b)takereasonable steps to ensure thatanypersonal health informationintended for a personis receivedonlybythatpersonor-
- (i)where the data subject is a minor,bya person whohasparentalauthorityorbyaguardian;
- (ii)where thedatasubjecthasamentalorother disability,byaperson dulyauthorised toactas theirguardianoradministrator;or
- (i)inanyothercase,byapersondulyauthorised bythedatasubjectorbyacourtorder.
(2)Ahealthdatacontrollershallnotdisclose,forthe purposeofmarket research,personalhealth information thatiscontainedinahealthdatainformationbank.
39.A health data bankorahealth provider may,upon request by the data subject—
- (a)rectify,withoutundue delay,personal data inits possession or under its control that is inaccurate, outdated,incompleteormisleading;or
- (b)erase or destroy,without undue delay,personal datathatthehealthdatabankorhealthprovideris no longer authorised to retain,or personal data whichis irrelevant,excessive or obtained unlawfully.
PARTVI-E-HEALTHSERVICEDELIVERY
- 40.(1) E-Health shall be arecognizedmodel of health service delivery.
- (2)E-Health Services shall be complementary to existinghealthcareservicedeliverymodalities.
41.(l) The e-Health service shall be provided through--
- (a)telemedicine;
- (b)electronic health records;
- (c)m-health;
Right to rectificationor erasure.
e-Health as a modeofhealth service delivery.
Provision ofeHealth services.
- (d)e-learning;
- (e)telehealth;and
- (f)any otherrecognizede-health service.
- (2)An entityprovidinge-health servicesshall be
- (a)ahealthcareproviderholdingavalidlicence issued by arelevantregulatorybody;
- (b)ahealthcareproviderholding avalidlicencefrom an equivalentregulatory authority outside Kenya but shall berecognizedby the local regulatory authority;
- (c)a healthfacilitylicenced to offere-health services by therelevantregulatorybody;or
- (d)forforeign facilities,belicencedby an equivalent regulatory authority recognized inKenya.
- (3)TheCabinetSecretaryshalldevelopstandardsand guidelinesfor thee-Healthplatform.
Principles and objectives ofeHealth.
- 42.(1) The e-Health service shall be an integral part of healthservicedeliverytobenefitpeoplein amannerthatis ethical,safe,secure,reliable,equitable and sustainable.
- (2)Theobjectivesofe-Health shall beto
- (a)promotepatient-centredhealth care services;
- (b)ensure equitable accesstoqualityhealth care services using Information and Communication Technology;
- (c)promote the integrationof e-healthintothe healthcare system;
- (d)facilitate theintegration ofe-health solutions;and
- (e)promotetheuseofe-health solutions.
- 43.(1) In the provision of e-health services to a client,E-health services. a healthcareprovider shall
- (a)providetheclientwith all theinformationforthe managementofhisorherhealth;
- (b)ensure the client can access their own health records where necessary;
- (c)ensure the client's data is managed as prescribed in thelaw;
- (d)ensurethe highest possiblequalityofcare is delivered;
- (e)ensure that the agents of the e-health service provider adhere totheprovisionsof thisAct;
- (f)ensuretheplatformusedisinteroperablewith the system;
- (g)ensure thatwhene-healthservicedeliveryinvolves aminor,the consent oftheparent or an appointed guardian shall be obtained;and
- (h)ensure thatwhene-healthservicedeliveryinvolves amentallyill person,the consentof an appointed guardianornextfriendof thepatientisobtained.
(2)Theuseofe-health serviceplatforms to share the informationofapatientincludingimagesandlabresults forconsultationandtrainingshalladhere to thestandards prescribedby law.
44.In thedeliveryofe-health services,it shall bethe responsibilityof thee-health serviceprovider tomeet their reportingobligationsin accordancewith theprovisionsof this Act.
PARTVII-E-WASTEMANAGEMENT
- 45.(1)The Cabinet Secretary shall—
- (a)in consultation with county governments and relevantlead agencies,developguidelinesfor the safehandlinganddisposalofallhealthsector relatede-wastematerial;and
- (b)in consultation withrelevant stakeholders,develop an e-waste management system for the health sector.
- (2)The e-waste management system referred to in subsection(1)above,shall—
- (a)comprise an appropriate mechanism for segregation of e-waste at source,collection, transportation and processing;
- (b)promotereuseandlifetimeextension;
Reporting.
E-waste management.
- (c)promote activities aimedatresourcerecovery and recyclingofe-wastematerialsintousefulproducts;
- (d)embrace thebest available technologies and practices in e-waste management;and
- (e)promotesustainabie emodels for e-waste management through public-privatepartnerships.
PARTVIII-HEALTHTOURISM
46.(1)TheCabinetSecretaryshall takeallnecessary measurestosafeguard thetransferofaclient'smedical records to andfromfacilitiesoutsideKenya.
(2)A data controller,whobeinga custodian of,and who transfers outside Kenya,biological specimens,health images,human tissues andorgans of aKenyancitizen shall ensureconfidentialityofpersonal healthinformation:
Providedthatwheresuch transferisforpurposesofhealth researchorpost-mortem,theDatacontrollershall-
- (a)provide areport totheDirector-General for Health stating the findings;
- (b)not sharethehealthinformation without notifyingtheCabinetSecretary;and
- ()seekguidancefrom theCabinet Secretaryin the manner the health information shall be stored, processed and destroyed."
(3)TheCabinetSecretaryshall inconsultationwith the County Governments,and relevant lead agencies, developguidelinesonhealthtourism.
47.Personalhealthinformationmayonlybesharedto anyperson outsideKenya for thepurposes of health tourism.
PARTIX-FINANCIALPROVISIONS
- 48.(1) The fundsof theAgency shall consist of—
- (a)monies appropriatedby theNational Assemblyfor the purposes of the Agency;
- (b) such monies or assets asmay accrue to theAgency inthecourseoftheexerciseofitspowersorinthe performance ofitsfunctions under thisAct;
- (c)such levyfees for services renderedbythe
Developmentof guidelines on healthtourism.
Disclosure of sensitivepersonal datato organizations outsideKenya.
Fundsof the Agency.
Agency;
- (d)monies fromanyothersourceprovided,donated lentorgiven asagrant totheAgency;and
- (e)anyotherfundsdesignatedfororaccruingtothe Agencybyvirtueof theoperationof law.
(2)There shall be paid out of thefunds of theAgency, allexpenditure incurred,administrative expenses or for suchotherpurposesasmaybenecessary for thedischarge of thefunctions of theAgencyintheexerciseofitspowers ortheperformanceofitsfunctionsunderthisAct.
49.The financial year of the Agencyshallbe the periodoftwelvemonthsendingonthe thirtiethdayof Junein each year.
50.(1)Before the commencement of each financial year,the ChiefExecutive Officer shallcause tobeprepared estimatesoftherevenueandexpenditureoftheAgencyfor thatyear.
(2) The annual estimates shall makeprovision for all theestimatedexpenditureof theAgencyforthefinancial year concerned andinparticular shall providefor
- (a)payment of salaries,allowances,gratuities, pensions and other charges in respect of the membersof theBoard andAgency;
- (b)maintenanceof buildings and groundsof the Agency; and
- (c)funding oftraining,research and development of activitiesinrelation totheorganization and functioning of theAgency.
(3)The annual estimates shall be approved by the Boardbeforethecommencementof thefinancialyearto which theyrelate,and shallbe submittedby theChief ExecutiveOfficerfortablingintheNationalAssembly.
(4)The annual estimates,once approved by the Board,shallnotbeamendedbeforebeing tabledin the NationalAssembly.
(5)No expenditure shallbeincurredfor thepurposes ofthe Agency except in accordance with the annual estimates approvedundersubsection(3).
Financial year.
Annual estimates.
51.(1)The Board shall cause tobekeptall proper auditbooksandrecordsof accountsoftheincome, expenditure,assetsandliabilitiesof theAgency.
(2)The accountsof theAgency shall beaudited and reported upon in accordance with the Public Finance ManagementAct,2012and thePublicAuditAct,2015.
52.(1)At the end of each financial year,the Chief Executive Officer shall prepare an annualreport on the activities ofAgency.
(2)Theannualreportshall besubmittedfortablingin theNationalAssemblynotlaterthanonemonthafterthe submissionoftheAuditor-General'sreport.
(3)The annualreport shall contain—
- (a) the financial statements of theAgency;
- (b)a descriptionof theactivitiesandoutcomesof functioning of theAgency;and
- (c)any other information that the Agency may considerrelevant.
53.The ChiefExecutive Officer may,in accordance withthelawrelatingtothemanagementofpublicfinance, openbankaccountsonbehalfoftheAgencywith the approvalof theBoard and theNationalTreasury andshall, as the accounting officer,beresponsiblefortheproper management of thefinances of theAgency.
54.(1) All monies in the Agency which are not immediatelyrequiredtobeappliedforthepurposesofthis Actshallbeinvested-
- (a)insuchinvestmentinareputablebankontheadvice oftheCentralBankofKenya,beinganinvestment inwhich trustfunds,orpart thereof,areauthorized by law tobeinvested;and
- (b)ingovernmentsecuritiesasmaybeapprovedby the National Treasury.
(2)Allinvestmentsmadeunderthissectionshallbe held in thenameof theAgency.
PARTX-MISCELLANEOUSPROVISIONS
Boardmember,or anyofficer,employee oragentofthe Accounts and audit.
Annual report.
Bank account.
Investmentof Funds.
personal liability.
Agency shall,if thematter or thing is done in goodfaith and for the purposes ofexecuting any provisions of this Act,renderthe Chairperson,Boardmember,oranyofficer, employee or agentof the Agency or anyperson acting under the direction of those personspersonallyliable for anyaction,claim ordemand arisingfrom thesame.
- 56.(1)The Chairperson or a member of the Board, whohasadirectorindirectpersonalinterestinamatter beingconsideredortobeconsideredbytheBoard,shallas soon as reasonablypracticable after the relevantfacts concerning the matter have come to their knowledge, disclosethenatureofsuchinterest.
- (2)A disclosure ofinterest made under subsection(1) shallberecordedintheminutesof themeetingandthe chairperson or member shall not take part inthe consideration or discussion on or voteduring any deliberationsonthematter.
- (3)Apersonwhofailstomaketherequisitedisclosure underthissectioncommitsanoffence.
- (4)AmemberoftheBoard shall recusethemselves from proceedingsbeforetheBoard in whichtheyhave apparentorperceivedconflictofinterest.
- 57.(1)Amember of theBoardorstaffof theAgency maynotwithout theconsentinwritinggiven by,or on behalf of,the Board,publish or disclose toany person otherthaninthecourseoftheperson'sduties,thecontents ofany document,communication or informationwhich relatesto,andwhich has come totheperson'sknowledge in thecourseoftheperson'sdutiesunder thisAct.
- (2)Thelimitationon disclosure referred to under subsection (i) shall not be construed to prevent the disclosureofcriminalactivitybyamemberoftheBoard orstaffoftheAgency.
- 58.A person responsible for a matter in question before theBoard shall co-operatewith theBoard and shall in particular
- (a)respond to anyinquiry made by theBoard;
- (b)furnishtheBoardwithareportinrespectofthe
Conflictof interest.
Confidentiality.
Duty to cooperate.
question raised;and
- ()provideanyotherinformation thattheBoardmay requireintheperformance ofitsfunctionsunder theConstitution,thisActorinanyother written law.
- 59.(1)Apersonwho-
- (a)obstructs,hinders or threatens a member,an officer,employee oragentof theBoardacting under thisAct;
- (b)disregardsan orderoftheBoard;
- (c)submits false or misleading information tothe Board;or
- (d)makes a false representation to,or knowingly misleadsamember,an officer,employee or agent ofBoard actingunderthisAct,
commitsanoffenceand isliable,onconviction,toa fineof notless than one million shillingsor to imprisonmentfora termofnotless than twoyears,orto both.
- (2)Anypersonwhoviolatesorfailstocomplywith provided,commitsanoffence,andis liableon conviction toafine notexceedingone million shillings orto imprisonmentfora term notexceeding twoyears,or to both.
- 60.The Cabinet Secretary may,in consultationwith the Agency and the county governments,develop regulationsprovidingfor-
- (a)health information management policies and procedures;
- (b) the use of e-Health applications and technologies, medical devices andinnovations;
- ()dataquality anddataprotection audits;and
- (d)theestablishmentandimplementationofthedata exchangecomponentaspertheKenya Health
Offences.
Regulations.
EnterpriseArchitecture.
- 61.Any person processing personal data under this Actshall complywith theDataProtectionAct,2019.
- 62.A person,whobeing a data controller or data processorofhealth data orwhohasbeen handlinghealth informationbefore thecommencementof thisAct,shall, within sixmonths of the commencementofthisAct, complywiththerequirementsofthisAct.
Compliance to the DataProtection Act,2019.
Transitional provision.
SCHEDULE (s.9)
- 1.TheBoard shall meet asoften asmaybenecessary forthedispatchofitsbusinessbutthereshallbeatleast fourmeetingsof theBoardin anyfinancialyear.
Meetings.
Electionofvice chairperson.
- 2.At the first meeting,the Board elects a vicechairperson amongsttheirnumberwhoshall beapersonof oppositegender.
- 3.Ameetingof theBoard shall beheldon such date and atsuch timeandplace astheBoardmaydetermine.
Time and place of meetings.
- 4.The chairperson shall, on the written application of Special meetings. one-thirdof themembers,convenea special meetingof the Board.
- 5.The quorum for the conduct of business ataQuorum. meetingoftheBoardshallbe thechairperson andanyfour members.
Voting
- 6.The Chairperson shall preside at everymeetingof theBoard atwhich thechairperson shall bepresent andin the absence of the chairperson at a meeting,the vicechairpersonshallpresideandin theabsenceofboth the chairpersonandthevice-chairperson,thememberspresent shallelectoneoftheirnumberwhohas,withrespecttothat meeting and thebusiness transacted thereat,have all the powersofthechairperson.
- 7.Unless a unanimous decision isreached,a decision onanymatterbeforetheBoardshallbebyconcurrenceofa majorityofallthememberspresentandvotingatthe meeting.
- 8.Subject to paragraph 5,no proceedings of the Boardshallbeinvalidbyreasononlyofavacancyamong themembersthereof.
- 9.Unless otherwiseprovided by or under any law,all instrumentsmadebyanddecisionsoftheBoardshallbe signifiedunderthehandoftheChairperson.
Decisions of the Board.
Vacancy.
Significationof instrumentsand decisions of the Board.
I certifythat thisprintedimpressionisatruecopyoftheBill passedbythe NationalAssemblyon the27thSeptember,2023.
ClerkoftheNationalAssembly
Endorsedforpresentationto theSenateinaccordancewiththeprovisions ofStandingOrder142oftheNationalAssemblyStandingOrders.
SpeakeroftheNarttonalAssembly
Machine-extracted text (Docling (OCR + layout), extracted 2 Jul 2026) from a scanned document — may contain recognition errors.
Source: parliament.go.ke (parliament.go.ke active listing). Last updated 3 Jul 2026.