The Digital Health Bill, 2023 (National Assembly No. 57) Of 2023

← Back to Bill Tracker

2023 National Assembly 13th [Bills Tracker NA Bill No. 57 of 2023] 8/09/2023 | 13/09/2023 | 163 | 14/09/2023 | 26/09/2023 Committee Stage: 27/09/2023 | 27/09/2023 | Passed; forwarded to the Senate for consideration on 2/10/2023; passed by the Senate without amendments on 12/10/2023 | 19/10/2023

Legislative progress

Introduced / Published: 1 Sep 2023

  1. First Reading date not recorded
  2. Second Reading date not recorded
  3. Committee of the Whole House date not recorded
  4. Third Reading date not recorded
  5. Presidential Assent

Current status: [Bills Tracker NA Bill No. 57 of 2023] 8/09/2023 | 13/09/2023 | 163 | 14/09/2023 | 26/09/2023 Committee Stage: 27/09/2023 | 27/09/2023 | Passed; forwarded to the Senate for consideration on 2/10/2023; passed by the Senate without amendments on 12/10/2023 | 19/10/2023

Stage dates are back-filled from publication records and Hansard, and refined by editors. Some dates may be approximate or not yet recorded.

Share your views on this Bill

What Kenyans are saying

No published submissions on this Bill yet — be the first to have your say.

Share your views on this Bill →

Notes

Source: https://www.parliament.go.ke/sites/default/files/2023-09/THE%20DIGITAL%20HEALTH%20BILL%2C%202023%20%28NATIONAL%20ASSEMBLY%20NO.%2057%29-1.pdf

The Bill (PDF)

↓ Download the Bill (PDF, 10.2 MB) Open in a new tab

Read the original document (10.2 MB)

Your browser can’t display the PDF inline. Download the Bill (PDF) instead.

Original document, hosted by Mzalendo. Source: parliament.go.ke.

Bill text

Read the Bill (OCR extract)

SPECIAL ISSUE

Kenya Gazette Supplement No.163(National Assembly Bills No.57)

REPUBLICOFKENYA

KENYA GAZETTESUPPLEMENT

NATIONALASSEMBLY BILLS,2023

NAIROBL,8thSeptember,2023

CONTENT

Bill for Introduction into the National Assembly-

The Digital HealthBill,2023

PAGE

1629

Clause

PARTI-PRELIMINARY

  • 1-Short title.
  • 2-Interpretation.
  • 3-Objects of the Act.
  • 4-Guiding principles.

PART II-ESTABLISHMENT OF THEDIGITAL HEALTHAGENCY

  • 5-Establishment of the Digital Health Agency
  • 6-Functions of the Agency
  • 7-Powers of the Agency
  • 8-Board of Directors
  • 9-Conduct of business and affairs of theBoard.
  • 10-Committees of theBoard.
  • I1-Chief Executive Officer.
  • 12-Qualification for appointment as a Chief Executive
  • Officer.
  • 13-Corporation Secretary.

14-Staff.

PART III-FINANCIAL PROVISIONS

15-Funds of the Agency

16-Financial year.

17-Annual estimates

18-Accounts and Audit

  • 19-Annual report.
  • 20-Bank account.

THE DIGITALHEALTH BILL2023 ARRANGEMENT OF CLAUSES

PARTIV-ESTABLISHMENTAND ADMINISTRATIONOFTHECOMPREHENSIVE INTEGRATEDHEALTHINFORMATIONSYSTEM

  • 21-Establishment ofa comprehensive integrated health information system.
  • 22-Components of the system.
  • 23-Objectives of the system.
  • 24-Technical aspect of the system

PARTV-HEALTHDATA GOVERNANCE

  • 25-Classification of health data.
  • 26-Governing principles.
  • 27-Establishmentofhealth data governance framework.
  • 28-Health data custodian.
  • 29-Health data use.

PARTVI-CONFIDENTIALITY,PRIVACYAND

SECURITYOFDATA

  • 30-Security.privacy and disclosure of data in the
  • system.
  • 31-Retention and disposal of data in the system.
  • 32-Establishmentofhealth data banks.
  • 33-Use ofsensitive personal data.
  • 34-Responsibilities of health data bankcontroller.
  • 35-Request for information by authorized person
  • 36-Disclosure of sensitive personal data of deceased
  • person.
  • 37-Consent.
  • 38-Processing ofpersonal data relating to aminor ora person without capacity.
  • 39-Duty to protect sensitive personal data.
  • 40-Disposal ofhealth information.
  • 41-Breach of sensitivepersonal data.
  • 42-Health data portability.
  • 43-Refusal to grant access to sensitive personal data.
  • 44-Precautions on release of sensitive personal health
  • data.
  • 45-Right to rectification or erasure.

PARTVII-E-HEALTHSERVICEDELIVERY

  • 46-E-Health service.
  • 47-Provision ofe-health services.
  • 48-Principles and objectives of e-health services.
  • 49-E-health services.
  • 50-Reporting.

PARTVIII-E-WASTEMANAGEMENT

  • 51-E-waste management.

PARTIX-HEALTH TOURISM

  • 52-Development ofguidelines on health tourism.
  • 53-Disclosure ofsensitive personal data organisations outside Kenya.

PARTX-MISCELLANEOUSPROVISIONS

  • 54-Protection from personal liability.

55-Oath ofoffice.

56-Conflict of interest.

57-Confidentiality.

  • 58-Duty tocooperate.

59-Offences.

  • 60-Regulations.
  • 61-Compliance toDataProtectionAct,2019.

SCHEDULE-CONDUCT OFTHEBUSINESSAND

AFFAIRSOFTHEBOARD

  • to

THEDIGITALHEALTH BILL,2023

A Bill for

AN ACT of Parliament to provide for the establishment of the Digital Health Agency; to provide a framework for provision of digital health services; to establish a comprehensive integrated digital health information system;and for connected purposes

ENACTED byParliamentofKenya as follows-

PARTI-PRELIMINARY

Short title.

Interpretation.

  • 1.This Act may be cited as the Digital Health Act,
  • 2023.
  • 2.In this Act,unless the context otherwise requires-

"Agency" meansthe Digital HealthAgency established under section 5;

"anonymization"means the removal of personal identifiers from personal data so that the data subject is no longer identifiable;

"Board"means the Board of Directors of the Agency constituted under section 8;

"Cabinet Secretary"means the Cabinet Secretary for

ministry responsible formatters relating to health;

"client"means an individual who uses, or has used, a health service,or in relation to whom health data has been

created;

"consent"has the meaning assigned to it under the Data Protection Act,2019;

"County Executive Committee Member"means the member of county executive comittee appointed and designated to supervise health services;

"data"means information which-

  • (a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
  • (b) is recorded with intention that it should be processed by means of such equipment;

No.24of2019.

  • (c)is recorded aspart of a relevant filing system;
  • (d) is recorded information which is held by a public
  • (a)to (d);

"data analysis"means the process of inspecting, cleaning,transforming,consolidationandmodellingof data with the goal of discovering useful information,extracting meaningful insights,suggesting conclusions and supporting

decision making;

"data bank"means an organised collection of data designed to efficiently store and retrieve data that can be accessed,managed and updated electronically to allow users to easily search for and access the information they need,to derive insights,make informed decisions and improve performance;

"data commissioner"means the person appointed under section 6 of theDataProtection Act,2019;

"data controller"means a natural or legal person, public authority,agency or other body which,alone or jointly with others,determines the purpose and means of processing ofpersonal data;

"data disposal" means the process of destroying manual or electronic records or data completely without being used or accessed for an authorized purpose;

"data governance"means the overall management of the availability,usability,integrityand security ofdata used in an organization;

"data integrity" means the overall completeness, accuracy and consistency of data;

"data life cycle"means the stages through which data passes from its creation or acquisition to its eventual deletion or archival;

"data management"means the development,execution and supervision of plans,policies,programs and practices that control,protect,deliver and enhance the value of data and information assets,and involvespolicy formulation and adherence to data management tprocedures such as reporting rates,harmonized and standard data collection

tools;

No.24of2019.

""uata privacy"means the aspect of information technology that deals with the ability an organization or

individual has to determinewhat data in a computer system can be sharedwith third parties for purposes of thekeeping ofinformationprivate and safe;

"data processor" means a natural or legal person,

public authority,agency or other body which processes personal data on behalf of the data controller;

"data reporting" means the process of collection, submission and organisation of data into informational summariesin order tomonitorperformance;

"data retention"means the continued storage of an

organization's data for compliance with national policy guidelines and regulations;

"data security"means protection of electronic health data,and specifically the means used to protect the privacy of health information contained in electronic health data that supports professionals in holding that information in confidence;

"data storage"means the recording of information in a storagemedium orholding information in digital format;

"data subject"means an identified or identifiable

natural person who is the subject ofpersonal data;

"data verification"includes the authentication and validation of gathered data,data quality checks,audit of the

health data using the data quality protocols;

"digital health"means the field of knowledge and practice that is associated with the development and use of digital technologies to improve health;

"Director-Generalmeans the Director-General for

health appointed under section 16 of theHealth Act,2017;

"disclosure" means submission of relevant information to an authorized party;

"e-Health' means the combined use of electronic communication and information technology in the health sector including telemedicine;

"e-Health ecosystem"means the combined application ofe-Health infrastructure,standards,technology,systems No.21of2017.

applications,investment,health workforce and governance

that support patient-centred models of healthcare;

"e-Health platform"means an ecosystem of hardware, software and technology used to deliver e-Health services;

"electronic health data"means an electronic record of personal health related information about an individual and

shall include-

  • (a) information concerning the physical or mental
  • health of the individual;
  • (b)information concerning any health service provided to the individual;
  • (c)information concerning the donation by the individual of any body part or any bodily
  • substance;
  • (d)information derivedfrom thetesting
  • or examination of a bodypart or bodily substance of the individual;
  • (e) information that is collected in the course of
  • providing health services to the individual;or
  • (f) information relating to details of the health facility
  • accessed by the individual;

"encryption"means the process of converting the content of any readable data using technical means into

coded form;

"enterprise class"refers to applications that are designed to be robust and scalable across a large organization,and compatible with existing databases and tools,customizable for the needs of specific departments, powerful enough to scale up along with the needs of the business using it, secure from outside threats and data leaks;

"enterprise service bus" means an architectural pattern

whereby a centralized software component performs integrations between applications;transformations of data models,handles connectivity,message routing,converts communication protocols and potentially manages the composition of multiple requests and may make these integrations and transformations available as a service interface for reuse by new applications;

"e-waste"means waste resulting from electrical and electronic equipment including components and sub-

assemblies thereof;

"guardian"means a guardian recognised under any law for the time being in force;

"health care professionalincludes any person who has obtained health professional qualifications and licensed by the relevant regulatorybody;

"health care provider"means a person who provides health care services and includes a health care professional;

"health careservices" means the prevention, promotion,management or alleviation of disease,illness, injury,and other physical and mental impairments in individuals,delivered by health care professionals through the health care system's routine health services,or its emergency health services;

"health data"means data related to the state of physical or mental health of the data subject and includes records regarding the past,present or future state of the health,data collected in the course of registration for or provision of health services or data which associates the data subject to theprovision of specific health services;

"health data controller"means a natural or legal person,public authority,agency or other body which,alone or jointly with others,determines the purpose and means of processing of health data;

"health data processor"means a person,public authority,agency or other body who is an authorised worker toprocess health data;

"health facility"means the whole or part of a public or private institution,building or place,whether for profit or not, that is operated or designed to provide in-patient or out-patient treatment, diagnostic or therapeutic interventions, nursing, rehabilitative, palliative, convalescent,preventative or other health service;

"health informatics"means the practice of acquiring studying and managing health data and applying medical concepts in conjunction with health information technology systems to help health professionals provide better

healthcare;

"healthinformation bank" means an electronic database under the custody and control of the Ministry of designated by the Cabinet Secretary as a health information

Health that contains personal health information and is bank;

"health information systemmeans a health ecosystem designed to manage health and health related system data that provides the foundations for decision-making and includes a system that collects,collates,stores,manages, analyses,synthesises, transmitpatient'sorclient's electronic health record and uses health and health related data for operational management or a system supporting healthcare policy decisions;

"health records and information management"means

the practice of acquiring,analysing and protecting digital and traditional medical information vital to providing quality patient or client care;

"health records and information manager"means an officer trained inhealth records and information management and charged with the responsibility of managing health records and health information for the health services which include-

  • (a) creating and enforcing policies for effective data
  • management;
  • (b) clinical coding and classifications;
  • (c) coding for health insurance firms;
  • (d) health information management;
  • (e)health administrative data and medical data
  • analytics and research;
  • (f) appraisal ofmedical documentations and audits;
  • (g)advice on medical legal issues;
  • (h) advise on retrieval and disposal of Health and
  • medical records;
  • (i) use oi e Health applications;

"health related data informationmeans the service delivery and administrative health data coliccted.analysed and synthesised for decision making in the health sector,

"health system"means an organization of people, institutions and resources that deliver health care services to meet the health needs of the population,in accordance with established policies;

"health technology" means the application of organized knowledge and skills in the form of devices, medicine,vaccines,procedures and systems developed to solve a healthproblem and improve the quality of life;

"health tourism"means a situation where a patient travels voluntarily across international borders to receive medical treatment;

"individual" means data subject;

"integrated e-Health information system"means a

health information system that collects health and health related data that addresses the needs of all users for decision making;

"Kenya Health Enterprise Architecture"

meansa blueprint that guides the design,development and evolution of the comprehensive integrated health information system to align investments in technology.information and processes that are cost-effective,sustainable,and aligned with the Kenya health sector strategicgoals;

"m-Health"means the delivery of medical services

using mobile technologies;

"personal data" means any information relating to an identified or identifiable natural person;

"personal data breach"means a breach of security

leading to the accidental or unlawful destruction,loss, alteration,unauthorised disclosure of,or access to,personal data transmitted,stored or otherwiseprocessed;

"personal health information"means data related to the state ofphysical ormental health ofan individual and includes information provided by the client,records regarding the past,present or future state of the health,data collected in the course of registration for,or provision of health services,or data which associates the individual to the provision of specific health services;

"personally identifiable information" means information that can be used to uniquelyidentify,contact or locate an individual,or can be used with other sources to uniquely identify a person;

private health services"means provision of health services by a health facility that is not owned by the national or county governments and includes health care servicesprovided by individuals,faith-based organizations, non-governmental organizations and private for profit health institutions;

"processing meansany operationorsetsof operations which is performed on personal data or on sets of personal data whether or not by automated means including-

  • (a)collection,recording,organisation or structuring;
  • (b) storage,adaptation or alteration;
  • (c)retrieval,consultation or use;
  • (d) disclosureby transmission, dissemination or otherwise makingavailable;or
  • (e) alignment or combination,restriction,erasure or
  • destruction.

"pseudonymisationmeans the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information,and such additional information is keptseparately andis subjecttotechnical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person:

"public health servicesmeans health services owned and offered by the national and county governments;

"referralmeans the process by which a given heaith facility transfers a client service,specimen and client parameters to another facility to assume responsibility for consultation,review or further management;

"research for health"includes research which seeks to contribute to the extension of knowledge in any health related field,such as that concerned with the biological, clinicai,psychological or social processes in human beings improved methods for the provision of health services; human pathology; the causes oi disease;the effects of the

environment on the human body:the development or new application of pharmaceuticals,medicines andother preventative, therapeutic orcurative agents,or the development ofnew applications of health technology;

"system"means the comprehensive integrated health

information system establishedunder section 21;

"system integration"referstothemergingor combining of two or more components or configuration items into a higher level system elementand ensuring that the logical andphysical interfaces are satisfied and that the integrated system satisfies itsintended purpose;

"system interoperability"refers to the capability to communicate,execute programs or transfer data among various functional units such that the user needs little or no knowledge of the unique characteristics of those units;

"telemedicinerefers to the provision of health care services and sharing of medical knowledge over distance using telecommunications and includes consultative, diagnostic,and treatment services;and

third party"means natural or legal person,public

authority,agency or other body,other than the data subject, data controller,data processor or persons who,under the direct authority of the data controller or data processor,are authorised to processpersonal data.

  • 3.The objects of thisAct are to-
  • (a) establish the Digital Health Agency;
  • (b) establish and maintain a comprehensive integrated health information system;
  • (c)promote innovation and the safe,efficient and including for continuity of care,emergency and
  • effective use of technology for healthcare, disaster preparedness and disease surveillance;
  • (d)establish a regulatory framework for the e-Health ecosystem data life cycle;
  • (e)provide for privacy,confidentiality,and security of health data;
  • (f) develop standards for the provision of m-Health
  • telemedicine,and e-learning;
  • (g)establish a regulatory framework for e-waste
  • management:and

Objecis of the Act.

  • (h)provide for the safe and secure transfer of personal,identifiable health data and client's medical records to and from health facilities outsideKenya.
  • 4.In implementing the Act,all persons shall be guided by the followingprinciples-
  • (a)health data is a strategic national asset;
  • (b) safeguard of the privacy.confidentiality and security ofhealth data for information sharingand use;
  • (c)digital health shall facilitate data sharing and use for informed decision-making at all levels;and
  • (d) the digital health ecosystem shall serve the health sector and facilitate in a progressive and equitable manner,thehighestattainable standard of health.

PARTI-ESTABLISHMENT OF THEDIGITAL HEALTHAGENCY

  • 5.(l) There is established an Agency to be known as
  • theDigital Health Agency.
  • (2) The Agency shall be a body corporate with perpetual succession and a common seal and shall,in its corporate name,be capable of-
  • (a) suing and being sued;
  • (b) taking,purchasing or otherwise acquiring,holding charging and disposing of movable and immovable property;
  • (c)receiving,investing,borrowing money;and
  • (d) doing or performing such other things or acts necessary for the proper performance of its functions under this Act.
  • 6.The Agency shall-
  • (a) develop, operationalise and maintain the Comprehensive Integrated HealthInformation System to manage the core digital systems and the infrastructure required for its seamless health information exchange;

Guiding principles.

Establishment of

the Digital Health Agency.

Functions of.the

Agency.

  • (b)establish registries,in consultation with other statutory authorities,at appropriate levels to create
  • single source of truth in respect of clients,health facilities,healthcare providers,health products and technologies;
  • (c)promote adoption of bost practices and standards for digital health that facilitate data exchange;
  • (d)establish a system of shareable and portable
  • personal health records,based on best practices and standards;
  • (e)ensure health data portability;
  • (ffacilitate collection and analysis of data to inform
  • policy and research in the health sector;
  • (g)promote the development ofenterprise-class health application systems;
  • (h) strengthen existing healih information systems by ensuring their conformity with the prescribed standards and integration with the comprehensive
  • integrated health information system;
  • (i)develop and implement the infrastructure for health data exchange of health information in a
  • secured manner;
  • (j) maintain,in collaboration with the counties and other statutory authorities,the technologica infrastructure necessary for the core digital health services;
  • (k) support the development and implementation of
  • standards for enhanced interoperability:
  • (l)undertake resource mobilization for implementation of health digitization in the
  • country;
  • (m)certify digital health solutions based on best
  • practices and standards;
  • (n) advise the Cabinet Secretary on matters related to
  • digital health;and
  • (o) perform any other function for the better carrying out of functions under this Act.
  • 7.(1)The Board shall be responsible for the management and administration of the Agency.
  • (2)Without prejudice to the generality of the foregoing,the Agency shall have power to-
  • (a) manage,control and administer the assets of the Agency in such manner and for such purpose as best promotes the objects for which the Authority isestablished in accordance with the Public Procurement and Assets Disposal Act,2022:

Provided that the Agency shall not charge or dispose of any immovable property without the prior approval of the Cabinet Secretary:

  • (b)enter into association with such other bodies or organizations,within or outside Kenya,as it may consider desirable orappropriate andin furtherance of the purpose for which the Agency is established;and
  • (c)invest the funds of the Agency not immediately required for its puposes in the manner provided in
  • this Act.
  • 8.(l) There shall be a Board of Directors of the
  • Agency which shall consist of-
  • (a)anon-executivechairperson whoshall be competitively recruited and appointed by the
  • President;
  • (b) the Principal Secretary responsible for Health or a representative designated in writing;
  • (c)the Principal Secretary responsible for National Treasury or a representative designated in writing;
  • (d)the Principal Secretary responsible for Information,Communication and Technology or a representative designated in writing;
  • (e) the Data Commissioner ora representative
  • designated in writing;
  • (f) one person nominated by the Council of County
  • Governors;
  • personrepresentingtheprivatesector
  • (g)one appointed by the Cabinet Secretary;

Powers of the Ageney.

No.33of2015

Board of Directors.

  • (h)two persons,not being publicofficers,appointed by the Cabinet Secretary by virtue of their knowledge and experience in digital health;and
  • (i)the Chief Executive Officer,who shall be an exofficiomember of theBoard.
  • (2) The Chairperson of the Board and the members appointed under subsection (1)(a),(g) and (h) shall serve for a term of three years and shall be eligible for re appointmentfor one further term of threeyears.
  • (3)In appointing persons as members of the Board under subsection (1)(g)and (h),the Cabinet Secretary shall ensure that the appointments afford equal opportunity to men and women,youth,persons with disabilities, minorities and marginalized groups and ensure regional balance.
  • (4)A person appointed to the Board under sub-section (1)(a),(g)and (h) shall cease to be a member of the Board if theperson-
  • (a)resigns in writing addressed to the Cabinet Secretary;
  • (b) is adjudged bankrupt;
  • (c) is absent from three consecutive meetings without
  • thepermission of the Chairperson;
  • (d) is convicted of a criminal offence and sentenced to imprisonmentfora term exceeding sixmonths;or
  • (e)is unable to perform the functions of his office by
  • reason of mental or physical infirmity.
  • (5) Despite subsection (4),the Chairperson or the member of the Board may beremoved for-
  • (a) incompetence orneglect of duty;
  • (b)gross misconduct whether in the performance of
  • the members'functions or otherwise;or
  • (c)violation of the Constitution or any other written law.
  • (6) The Agency shall pay to the directors such remuneration,fees or allowances for expenses as may be determined by the Cabinet Secretary on the advice of the
  • Salaries and Remuneration Commission.
  • (7) The Board may co-opt any other person with necessary expertise as it may deem necessary to assist the Board in discharging its duties and responsibilities.
  • 9.Except asprovided in the Schedule,the Board shall
  • regulate its ownprocedure.
  • 10.(1) The Board may,from time to time,establish such committees as it considers necessary for the better
  • carrying out of its functions under this Act.
  • (2)The Board may co-opt into the membership of a committee established under sub-section (l) such other personwhoseknowledge and skills are found necessary for the functions of the Agency.
  • 11.(1) There shall be a Chief Executive Officer who
  • shall be appointed by theBoard.
  • (2) Subject to this Act, the Chief Executive Officer shall be appointed on such terms and conditions of service as shall be determined by the Board in the instrument of appointment or otherwise in writing from time to time.
  • 12.(1)A person shall be qualified for appointment as the Chief Executive Officer of the Authority if that person-
  • (a) has a minimum of a bachelor's degree from a university recognized in Kenya;
  • (b) has at least ten years'knowledge and experience in health information science,data science,data governance,health informatics,digital health or any otherrelevant field;
  • (c)has not been convicted of an offence and is not
  • serving a term of imprisonment:and
  • (d)meets the requirements of Chapter Six of the
  • Constitution.
  • (2) The Chief Executive Officer shall,subject to the directions of the Board,be responsible for the day to day managemeit of the affairs and staff of the Board.
  • (3) The Chief Executive Officer shall hold office for a period of three years and shall be eligible for reappointment for one further term of three years.

business and affairs ofthe Board. Committees of the

Conductof Board.

Chief Executive Officer.

Qualification for appointment as Chief Executive

Officer.

  • 13.(1) There shall be a Corporation Secretary who
  • shall be competitively recruited and appointed by the Board on such terms as the Board may,on the advice of the Salariesand Remuneration Commission,determine
  • 14.The Board may appoint such staff as may be
  • necessary for the proper discharge of the functions of the Agency under this Act,upon such terms and conditions of service as the Board may determine in consultation with the Salaries and Remuneration Commission.

PART III-FINANCIALPROVISIONS

  • 15.(1) The funds of the Agency shall consist of-
  • (a)monies appropriated by the National Assembly for the purposes of the Agency;
  • (b) such monies or assets as may accrue to the Agency in the course of the exercise of itspowers or in the performance of its functions under this Aet;
  • (c)monies from any other source provided,donated, lent or given as a grant to the Agency;and
  • (d) any other funds designated for or accruing to the Agency by virtue of the operation of law.
  • (2) There shall be paid out of the funds of the Agency, all expenditure incurred,administrative expenses or for such other purposes as may be necessary for the discharge of the functions of the Agency in the exercise of its powers or the performance ofitsfunctions under this Act.

16. The financial year of the Agency shall be the period of twelve months ending on the thirtieth day of June in each year.

  • 17.(l) Before the commencement of each financial
  • year, the Chief Executive Officershall cause to be prepared estimates of the revenue and expenditure of the Agency for that year,
  • (2) The annual estimates shall make provision for all the estimated expenditure of the Agency for the financial
  • year concerned and in particular shall provide for-
  • (a)payment ofsalaries,allowances,gratuities, pensions and other charges in respect of the members of the Board and Agency;

Corporation Secretary,

Staff.

Fundsof the Ageney.

Financial year.

Annual estimates

  • (b)maintenance of buildings and grounds of the
  • Agency;and
  • (c)funding of training,research and development of activities in relation to the organization and functioning of the Agency.
  • (3)The annual estimates shall be approved by the Board before the commencement of the financial year to which they relate,and shall be submitted by the Chief Executive Officer for tabling in the National Assembly.
  • (4)The annual estimates,once approved by the Board,shall not be amended before being tabled in the National Assembly
  • (5) No expenditure shall be incurred for the purposes ofthe Agency except in accordance with the annual estimates approved under subsection (3).
  • 18.(1) The Board shall cause to be kept all proper audit books and records of accounts of the income, expenditure,assets and liabilities of theAgency.
  • (2) The accounts of the Agency shall be audited and reported upon in accordance with the Public Finance Management Act.2012 and the Public Audit Act,2015.
  • 19.(l) At the end of each financial year,the Chief Executive Officer shall prepare an annual report on the activities of Agency.
  • (2)The annual report shall be submitted for tabling in the National Assembly not later than one month after the submission of the Auditor-General's report.
  • (3) The annual report shall contain-
  • (a) the financial statements of the Agency;
  • (b)a description of the activities and outcomes of
  • functioning of the Agency:and
  • (c)any other information that the Agency may
  • consider relevant.
  • 20.The Chief Executive Officer may,im accordance with the lawrelating to the management ofpublic finance, open bank accounts on behalf of the Agency and shall,as the accounting officer,be responsible for the proper management of the finances of the Agency.

Accounts and audit.

Annual report.

Bank account.

PARTIV-THEESTABLISHMENTAND ADMINISTRATION OF THE COMPREHENSIVE

INTEGRATEDHEALTHINFORMATIONSYSTEM

  • 21.(l) There is established a system to be known as the comprehensive integrated health information system which shall be adminstered by the Agency.
  • (2) The Agency shall,in consultation with the Cabinet Secretary,establish a framework for administration and
  • management of the system and shall ensure the maintenance of the integrity and security of the system.
  • (3)The system shall operate as a point of collection,
  • collation,analysis,reporting, storage,usage,sharing, retrieval orarchival ofdatarelated to thestateofphysical ormental health of the data subject and includes records regarding the past,present or future state of the health, data collected in the course ofregistration for,or provision of health services,or data which associates the data subject to theprovision of specifichealth services.
  • 22.The system shall comprise of
  • (a) an Information and Communication Technology data banks,data exchange,governance,actors and
  • environment which consists of the underlying infrastructure,enterprise service bus, standards, applications,internet enabled environment,and other related components;
  • (b) data collection,collation,analysis,reporting,
  • storage,usage,sharing,retrieval,or archival;
  • (c)applications,infrastructure and tools,and best
  • practices that enable access to and analysis of information to improve and optimise decisions and performance;
  • (d) data quality assurance and audit;and
  • (e) shared or common resources,including the
  • national health data dictionary,client registry, facility registry,health worker registry,the Kenya Health Enterprise Architecture,product catalogue, interoperabilitylayer,logistics management information services,shared health records,health managementinformation services,and finance and insurance services.

Establishmentof an integrated health information system.

Components of the System.

  • 23.Themain objectives of the system shall be to-
  • (a)facilitate people-centred quality health service
  • delivery;
  • (b)facilitate data collection and reporting at all levels;
  • (c)enable secure health data sharing to ensure timely and informed interfacility health service delivery;
  • (d)facilitate data processing and use for informed decision-making at all levels,including-
  • (i)at individual patient level;
  • (ii)for public health purposes;and
  • (ii) for resource allocation and management in
  • the health sector;
  • (e)safeguard theprivacy,confidentiality,and security ofhealth data for information sharing and use;
  • (f serve the health sector and facilitate in a progressive and equitable manner realisation of universal health coverage,to achieve the highest attainable standard of health;and
  • (g)ensure standardisation of health data management.
  • 24.(1) The Agency shall adoptrelevant internationally accepted standards,procedures,technical details,best practices,and formalities for effective implementation of the system.
  • (2) The processes and technical aspects of the system shall be guided by the followingprinciples-
  • (a) confidentiality,security and privacy;
  • (b) scalability and interoperability;
  • (c)accuracy,responsiveness and reliability;
  • (d) efficiency and effectiveness;
  • (e)redundancy;
  • (f) transparency;
  • (g) simplicity and accessibility;and
  • (h) consistency in use.

Objectives of the system.

Technical aspect

of the system.

PARTV-HEALTHDATA GOVERNANCE

  • 25.For the purposes of this Aet,health data shall be classified into thefollowing categories-
  • (a) sensitive personal level health data;
  • (b)administrative data;
  • (c)aggregate health data;
  • (d)medical equipment data;and
  • (e)research for health data.
  • 26.(l)Health data shall be governed by the following principles-
  • (a)improvementof client health,safeguard of
  • individuals and communities against harm and violations;
  • (b) data security throughout the entire data life-cycle;
  • (c)equity and accountability;
  • (d)privacy and confidentiality;and
  • (e) accuracy and reliability
  • 27.(1) The Cabinet Secretary shall,in consultation withthe Director-General,establish ahealthdata
  • governance framework.
  • (2)Without prejudice to the generality of subsection (1)the Cabinet Secretary shall-
  • (a) develop guidelines to promote effective use of
  • legacy data including data migration:
  • (b) establish standards for integration,interoperability
  • and exchange of health data:
  • national health data dictionary for utilization within the system;
  • (d) establish standards for and conduct routine data
  • quality checks in the system;
  • (e)ensure the security and accountability of data for
  • the system while promoting appropriate data use and sharing;

Classitication of health data.

Governing

principles.

Establishment of health data governance framework.

  • (f)provideguidanceonthe integration and interoperability of all health information systems into the system per set standards;and
  • (g)require all health data controllers and processors to
  • report designated health data in accordance with ministry of health in the approved and prescribed formats and platforms.

28. The Agency shall be the custodian for all health

  • data in Kenya.
  • 29.(1) The Cabinet Secretary shall ensure that Health data is used for public good.
  • (2)The Agency shall provide health data to the Cabinet ecretary forrelevant action.

PARTVI-CONFIDENTIALITY,PRIVACYAND SECURITYOFDATA

  • 30.(1) The Cabinet Secretary shall be responsible for
  • the confidentiality,privacy and security of all sensitive personal data held in the system.
  • (2)Sensitive personal data held in the system shall not be disclosed toa third party unless-
  • (a) the data subject is unable to give informed consent for the disclosure and such consent is given bya person authorised by the data subject in writing to grant consent;
  • (b)the disclosure has been authorised by the implementation of written law or the enforcement
  • ofa court order;
  • (c)a health service without informed consent as authorised by written law or court order is being provided;
  • (d) the data subject is being treated in an emergency situation;
  • (e)failure to treat the data subject,or a group of people which includes the data subject,would result in a serious risk to public health;or
  • (fa delay in providing a health service to the data subject may result in death or irreversible damage

Health data custodian.

Health data use.

Security,privacy and disclosure of data in the system.

tothe health of the data subject and the data subject has not expressly,by implication or by conduct refused that service.

  • (3) The Cabinet Secretary shall be-responsible for the privacy of the data held in the system during all the data life cycle stages.
  • (4) Where the data held in the system data is intended to be used for research and planning,the Cabinet Secretary shall be the data controller for thepurposes of section 53 of the Data Protection Act,2019.

3. (5)The Cabinet Secretary shall establish the security measures in the system to protect sensitive personal data including- 4. (a)personalised authentication and log-in credentials; 5. (b)role based user rights; 6. ()audit trails for all activities within the system; 7. (d) digital and physical security of the system;and 8. (e)an encrypted backup that is subject to the security 9. measures herein. 10. 31.(1) Data held in the system shall be maintained for aminimum period of twentyyears.

  • (2) Data held in the system may be maintained for a period exceeding that specified in subsection (1) where-

12. (a) it is required or authorised by law; 13. (b) it is authorised by the data subject;or 14. (c)for historical,statistical or research purposes. 15. (3) Where the period for the maintenance of the data held in the system is not extended under subsection (2),the data shall be secured by de-identification,anonymization, pseudo-anonymization or archiving,or establishing such technical and organisational security measures as the Cabinet Secretary may determine to be necessary. 16. 32.(1) The Cabinet Secretary shall- 17. (a)establish a national health data bank and designate county health data banks;

No.29of2019.

Retention and disposal of data in system.

Establishment of

health data banks.

  • (b)store thehealth data submitted to the systemin the national health data bank;and
  • (c) establish seamless integration and interoperability of thenational health data bankwith otherrelevant
  • databases.
  • (2)The CountyExecutive CommitteeMember shall-
  • (a)establish county health data banks;
  • (b) store the health data submitted to the system in the county health data bank;and
  • (c)establish seamless integration and interoperability of the county health data bankwith otherrelevant databases and data banks.
  • (3) The health information databases and data banks
  • referred to in subsections (1) and (2) shall be established at the different levels of healthcare delivery specified under section 25of theHealth Act,2017.
  • (4) A data controller shall transmit health data
  • containing sensitive personal data to the national health information data bank and countyhealth information data bank in a secure and encrypted form.
  • (5)A data controller shall maintain records of the health data containing sensitive personal data transmitted to thenational health information data bank and county health information data bankunder subsection (4).
  • 33.The health data that is contained in a health data
  • bank shall be applied to-
  • (a) identify a person who needs or is receiving a
  • health services;
  • (b)provide health services to,or facilitate the care of or treatment of,a person;
  • (c)identify a health service provider who is providing a health service;
  • (d) identify a person offering health insurance;
  • (e) assess and address public health needs;
  • (f)conductdisease surveillance,researchand innovation;

No.21of2017.

Use of sensitive

personal data.

  • (g)engage in health system planning,management, evaluation orimprovement,including health servicedevelopment, management,delivery, monitoring and evaluation including surveys;
  • (h)assess the safety and effectiveness of health services;and
  • (i) continuous enhancement of the system
  • 34.Theresponsibility of the data controller of a health data bank shall be to-
  • (a)take reasonable measures to ensure that no agent or the data controller or processor collects,uses, discloses,retains or disposes of sensitive personal data unless it is in accordance with the law;and
  • (b)remain responsible for any sensitive personal data that is collected,used,disclosed,retained or disposed of by the data controller's or processor's agents,regardless of whether or not the collection, use,disclosure,retention or disposal was carried out in accordance with this Act or other law.
  • 35.A person authorised by the data controller to enter compliance with section 30(2) of this Act.
  • 36.(1) A data controller may disclose sensitive personal data about a person who is deceased,or is
  • reasonably suspected to be deceased when-
  • (a) identifying the person;
  • (b) informing a person to whom it is reasonable to inform in the circumstances of,or
  • (c)investigating the cause of death.
  • (2)A request under subsection (l) shall be made as provided under the relevant law.
  • 37.(1) A healthcare provider shall ensure that he or she has obtained consent to process sensitive personal data.
  • (2) Subsection (l) shall not apply where a health service is being provided-
  • (a) for public health in accordance with the Public Health Act;and

Responsibilitiesof health data bank controler.

Request for information by authorized person.

Disclosure of sensitive personal data of deceased persons,

Consent.

  • compliance other statutory
  • (b) in with any requirements.
  • (3) When processing personal data,a healthcare provider shall-
  • (a) ensure confidentiality of the information of the
  • client;
  • (b)provide prompt and accurate data necessary for treatment of the patient;
  • (c) comply with the duty to notify the data subject in
  • accordance with the Data Protection Act,2019;
  • (4) A data subject who has issued a consent to the use or disclosure ofpersonal data may withdraw their consent at any timebynotifyingthehealth careprovider.
  • 38.Where a data subject is a minor or for any other reason doesnot have the capacity to issue informed written consent,the parent,an appointed guardian ornext friend of the patient shall,for purposes of subsection (1),act on behalf of,and in the best interest of,the patient in accordance with the law.
  • 39.(l) A data controller shall protect sensitive personal data and adopt reasonable administrative, technical and physical safeguards to ensure the privacy, confidentiality,security,accuracy and integrity of the date.
  • (2) A data controller shall establish controls that govern persons who may use sensitive personal data and such data shall not be used unless-
  • (a) the identity of the person seeking to use the information is verified;
  • (b) the data processor is authorized to use it,and
  • (c) the proposed use is authorised under this Act.
  • 40.(l) The Cabinet Secretary shall develop regulationsfor the disposal ofsensitivepersonal data.
  • 41.(1) A person commits an offence if,in relation to aggregate data,medical equipment data or data related to
  • health research,the person-
  • (a) tampers with the data;

No.24of2019.

Processingof personal data relating to a minor ora person without capacity.

Duty toprotect sensitive personal data.

Disposal of health information.

Breach of sensitive personal

data.

  • (b) abuses a privilege;
  • (c) discloses inauthentic access to the data;
  • (d) improperly disposes of unnecessary but sensitive
  • data;
  • (e) loses data;
  • (f) steals data;or
  • (g)unintentionally shares sensitive personal data to an unauthorised party.
  • (2)A person who commits an offence under
  • subsection (l) shall be liable,on conviction,to a fine not exceeding five hundred thousand shillingsor to imprisonment for a term not exceeding fifteen years,or to both.
  • (3) Where a person commits an offence under
  • subsection (l) with respect to sensitive personal data,that person shall be liable,on conviction,to the penalties under section 73 of the Data Protection Act,2019.
  • 42.(1) Subject to this Act,a person has a right,on
  • request,to examine and receive a copy of his or her personal health information maintained by a data controller.
  • (2)A request under subsection (1) shall be made in writing to the relevant health facility or health information
  • bank.
  • (3) The health data controller shall comply with the
  • provisions of section 38 of the Data Protection Act in enabling access andportability of personal health records.
  • 43.A person in charge of a health data bank may refuse to grant access to a third party,all or part of a
  • person's sensitive data or health information if it is reasonable to believe that-
  • (a) access is restricted by a court process, order or judgement;
  • (b) another law prohibits disclosure;
  • (c) the information was collected or created in the course of an inspection,investigation or similar procedure not yet concluded;

No.24of2019.

Health Data Portability.

No.24of2019.

Refusal to grant

access to sensitive personal data.

  • (d) access may lead to the identification of a person who provided information in the record to the custodian in circumstances in which confidentiality was expected;or
  • (e) access may result in the release of another persons personal health data.
  • 44.(1)A health data bank and health data controller, before releasing any personal health data to any person,
  • shall-
  • (a) be satisfied as to the identity of the person making the request;and
  • (b) take reasonable steps to ensure that any personal health information intended for a person is received only by that person or-
  • (i) where the data subject is a minor,by a person who hasparental authority orby a guardian;
  • (ii) where the data subject has a mental or other disability,by a person duly authorised to act as their guardian or administrator;or
  • (ii) in any other case,by a person duly authorised by the data subject or by a court order.
  • (2)A health data controller shall not disclose,for the purpose of market research,personal health information that is contained in a health data information bank.
  • 45.A health data bank or a health provider may,upon
  • request by the data subject-
  • (a) rectify,without undue delay,personal data in its possession or under its control that is inaccurate, outdated,incomplete or misleading;or
  • (b) erase or destroy,without undue delay,personal data that the health data bank or health provider is no longer authorised to retain,or personal data whichis irrelevant,excessiveorobtained
  • unlawfully.

PARTVII-E-HEALTH SERVICEDELIVERY

  • 46.(1) E-Health shall be a recognized model of health
  • service delivery.

Precautions on release.of sensitive personal health data.

rectification or

Rightto erasure.

e-Health as a mode of health

service delivery.

  • (2) E-Health Services shall be complementary to existinghealthcare service deliverymodalities.

2. 47.(1) The e-Health service shall be provided through- 3. (a) telemedicine; 4. (b)electronic health records; 5. (c)m-health; 6. (d)e-learning; 7. (e)telehealth;and 8. (f) any other recognized e-health service.

  • (2) An entity providing e-health services shall be-

10. (a)a healthcare provider holding a valid licence 11. issued by a relevant regulatory body; 12. (b)a healthcare provider holding a valid licence from an equivalent regulatory authority outside Kenya but shall be recognized by the local regulatory authority; 13. (c)a health facility licenced to offer e-health services by therelevant regulatory body;or 14. (d)for foreign facilities,be licenced by an equivalent regulatory authority recognized in Kenya.

  • (3) The Cabinet Secretary shall develop standards and

16. guidelines for the e-Health platform. 17. 48.(1) the e-Health service shall be an integral part of health service delivery to benefit people in a manner that is ethical,safe,secure,reliable,equitable and sustainable. 18. (2)The objectives of e-Health shall be to- 19. (a)promote patient-centred health care services; 20. (b) ensure equitable access to quality health care services using Information and Communication 21. Technology; 22. ()promote the integration of e-health into the healthcare system;

Provision of eHealth services.

Principles and objectives ofeHealth.

  • (d) facilitate the integration of e-health solutions; and
  • (e)promote the use of e-health solutions.
  • E-health services.
  • 49.(1) In the provision of e-health services to a client, a healthcare provider shall-
  • (a)provide the client with all the information for the management of his or her health;
  • (b) ensure the client can access their own health
  • records where necessary;
  • (c) ensure the client's data is managed as prescribed in
  • the law;
  • (d) ensure the highest possible quality of care is delivered;
  • (e) ensure that the agents of the e-health service provider adhere to theprovisions of this Act;
  • (f) ensure the platform used is interoperable with the system;
  • (g) ensure that when e-health service delivery involves a minor,the consent of the guardian shall be obtained;and
  • (h) ensure that when e-health service delivery involves a mentally ill person,the consent of a guardian is
  • obtained.
  • (2) The use of e-health service platforms to share the information of a patient including images and lab results for consultation and training shall adhere to the standards prescribed by law.
  • 50.In the delivery of e-health services,it shall be the responsibility of the e-health service provider to meet their reporting obligations in accordance with the provisions of this Act.

PARTVIII-E-WASTEMANAGEMENT

51.(1) The Cabinet Secretary shall-

  • (a) in consultation with county governments and relevant lead agencies,develop guidelines for the safe handling and disposal of all health sector related e-waste material;and

Reporting.

E-waste

management.

  • (b) in consultation with relevant stakeholders,develop an e-waste management system for the health
  • sector.
  • (2) The e-waste management system referred to in
  • subsection (l) above,shall-
  • (a)comprise an appropriate mechanism for segregation of e-waste at source,collection, transportation and processing;
  • (b)promote reuse and lifetime extension;
  • (c)promote activities aimed at resource recovery and recycling ofe-waste materials into useful products;
  • (d) embrace the best available technologies and practices in e-waste management:and
  • (e)promote sustainable models for e-waste management through public-private partnerships.

PARTIX-HEALTHTOURISM

  • 52.(l) The Cabinet Secretary shall take all necessary
  • measures to safeguard the transfer of a client's medical records to and from facilities outsideKenya.
  • (2)A data controller who,being the custodian of,and who transfers outside Kenya,biological specimens,health images,human tissues and organs of a Kenyan citizen,
  • shall-
  • (a)ensure
  • confidentiality ofpersonal health information;
  • (b)provide a report to the Director-General stating the findings;
  • (c)not share the health information without notifying the Cabinet Secretary;and
  • (d) seek guidance from the Cabinet Secretary in the manner the health information shall be stored, processed and destroyed.
  • 53.Personal health information may only be shared to any person outside Kenya for the purposes of health
  • tourism.

PARTX-MISCELLANEOUSPROVISIONS

  • 54.No matter or thing done by the Chairperson,a Board member,or any officer,employee or agent of the

Development of guidelines on health tourism.

Disclosure of

sensitive personal data to organizations outside Kenya.

Protection from personal liability.

Agency shall,if the matter or thing is done in good faith and for the purposes of executing any provisions of this Act,render the Chairperson,Board member,or any officer, employee or agent of the Agency or any person acting under the direction of those persons personally liable for any action,claim or demand arising from the same.

  • 55.The members of the Board shall on appointment, subscribe to an oath ofoffice.
  • 56.(1) The Chairperson or a member of the Board, who has a direct or indirect personal interest in a matter being considered or to be considered by the Board,shall as soon as reasonably practicable after the relevant facts concerning the matter have come to their knowledge, disclose the nature of such interest.
  • (2) A disclosure of interest made under subsection (1) shall be recorded in the minutes of the meeting and the chairperson or member shall not take part in the consideration or discussion on or vote during any deliberations on the matter.
  • (3) A person who fails to make the requisite disclosure under this section commits an offence.
  • (4) A member of the Board shall recuse themselves from proceedings before the Board in which they have apparent or perceived conflict of interest.
  • 57.(l) A member of the Board or staff of the Agency may not without the consent in writing given by,or on behalf of, the Board,publish or disclose to any person otherwise than in the course of the person's duties, the contents of any document,communication or information which relates to,and which has come to the person's knowledge in the course of the person's duties under this Act.
  • (2) The limitation on disclosure referred to under subsection (l) shall not be construed to prevent the disclosure of criminal activity by a member of the Board or staff of the Agency.
  • 58.A person responsible for a matter in question before the Board shall co-operate with the Board and shall in particular-

Oath of office.

Conflictof

interest.

Confidentiality.

Duty to cooperate.

  • (a) respond to any inquiry made by the Board;
  • (b) furnish the Board with a report in respect of the
  • question raised;and
  • (c)provide any other information that the Board may
  • require in the performance of its functions under the Constitution, this Act or in any other written law.
  • 59.(1) A person who-
  • (a)obstructs,hinders or threatens a member,an officer,employee or agent of the Board acting under this Act;
  • (b) disregards an order of the Board;
  • ()submits false or misleading information to the
  • Board;or
  • (d) makes a false representation to,or knowingly
  • misleads a member,an officer,employee or agent of Board acting under this Act,

commits an offence and is liable,on conviction,to a fine of not less than two hundred thousand shillings or to imprisonment for a term of not less than one year,or to both.

  • (2) Any person who violates or fails to comply with provided,commits an offence,and is liable on conviction to a fine not exceeding two hundred and fifty thousand shillings or to imprisonment for a term not exceeding six

2. months,or to both. 3. 60.The Cabinet Secretary may,in consulation with 4. theAgency and the county governments,develop regulations providing for- 5. (a)health information management policies and 6. procedures; 7. (b) the use of e-Health applications and technologies, medical devices and innovations; 8. (c) data quality and data protection audits;and

Offences.

Regulations.

  • (d)theestablishment and implementation of the data exchange component as per the Kenya Health Enterprise Architecture.
  • 61.Any person processing personal data under this
  • Act shall comply with the DataProtectionAct,2019.

Compliance to the DataProtection Act,2019.

SCHEDULE

CONDUGTOFBUSINESS AND AFFAIRSCF THEBOARD

  • 1.The Board shall meet as often as may be necessary for the dispatch of its business but there shall be at least fourmeetings of theBoard in any financial year.
  • 2.At the first meeting, the Board elects a vicechairperson amongst their number who shall be a person of opposite gender.
  • 3.A meeting of the Board shall be held on such date and at such time and place as theBoard may determine.

Meetings.

Election of vice-

chairperson,

Time and place of ineetings,

Special meetings.

  • 4.The chairperson shall,on the written application of
  • one-third of the members,convene a special meeting of the Board.
  • 5.The quorum for the conduct of business at a meeting of the Board shall be the chairperson and any four members.
  • 6.The Chairperson shall preside at every meeting of the Board at which the chairperson shall be present and in the absence of the chairperson at a meeting,the vicechairperson shall preside and in the absence of both the chairperson and the vice-chairperson,the members present shall elect one of theirnumber who has,with respect to that meeting and the business transacted thereat,have all the powers of the chairperson.

7. Unless a unanimous decision is reached,a decision on any matter before theBoard shall be by concurrence of a majority of all the members present and voting at the

  • meeting.
  • 8.Subject to paragraph 5,no proceedings of the Board shall be invalid by reason only of a vacancy among the members thereof.
  • 9.Unless otherwise provided by or under any law,all instruments made by and decisions of the Board shall be signified under the hand of the Chairperson.

Quorum.

Voting.

Decisions of the

Board.

Vacaney.

Signification of instruments and decisions of the Board.

MEMORANDUM OFOBJECTS AND REASONS

Statement of objects and reasons for the Bill

The Bill seeks to provide for a framework for provision of digital

health services;to establish a comprehensive integrated digital health information system,data governance and protection of personal health information,service delivery through digital health interventions,e-waste disposal,health tourism,

Part I of the Bill (Clause 1-4) provides for preliminary matters

including the short title of the Bill;the interpretation;objects of the Act and guiding principles.

Part II of the Bill (Clause 5-14) provides for the Digital Health Agency.

Part IlI of the Bill (Clause 15-20)provides for financial provisions.

Part IV of the Bill (Clause 21-24) provides for the establishment and administration of the comprehensive integrated health information system,

Part V of the Bill (Clause 25-29) provides for health data governance.

Part VI of the Bill (Clause 30-45)- provides for confidentiality,

privacy and security of data.

Part VII of the Bill (Clause 46-50) provides for e-health service delivery.

Part VIll of the Bill (Clause Sl) provides for e-waste management.

Part IX of the Bill (Clause 52 and 53)provides for health tourism.

Part X of the Bill (Clause 54-61) provides for miscellaneous provisions.

Statement on the delegation of legislative powers and limitation of fundamental rights and freedoms

This Bill delegates legislative powers and does not limit fundamental

rights and freedoms.

Statement on whether the Bill concerns county governments

The Bill concerns county governments in terms of Article 110(1)(a) of the Constitution as it contains provisions affecting the functions and powers of county governments set out in the Fourth Schedule to the Constitution.

Digital health services shall be applicable to all levels of health service provision,including the county health services as provided in Paragraph 2of Part 2of theFourth Schedule to theConstitution.

Statement as to whether the Bill is a money Bill within the meaning of Article 114 of the Constitution

The enactmentof this Bill may occasion additional expenditure of publicfunds.

Dated the4th September,2023.

KIMANIICHUNG'WAH, Leaderof theMajorityParty.

Machine-extracted text (Docling (OCR + layout), extracted 2 Jul 2026) from a scanned document — may contain recognition errors.

Source: parliament.go.ke (parliament.go.ke active listing). Last updated 3 Jul 2026.