Balancing a patient’s right to privacy and access to medical information for efficient healthcare delivery in Kenya


In the last two decades, advancements in Information and Communications Technologies (ICT) have seen health records increasingly move from basement storage rooms under the lock and key of healthcare facilities to digital clouds and hard drives, in a bid to increase accessibility and utility, improve the quality and convenience of patient care and encourage patient participation in their care.1 As these modern digital technologies are leveraged, patients’ health data contained in health information systems confront new security and privacy threats.2

Health data, which qualify as sensitive personal data under the Data Protection Act, 2019, require a heightened measure of confidentiality, privacy and security within the healthcare system.3 Medical records have similarly evolved from being by-products of transactions, seen as a paper repository of information for clinical, research, administrative, and financial purposes, to being regarded as national assets.4 It is on this basis that Kenya has enacted the Digital Health Act of 2023, to provide a framework for the provision of digital health services and establish a comprehensive, integrated digital health information system. Since the healthcare system in Kenya has been largely fragmented, with public and private healthcare providers operating on different electronic health record systems lacking interoperability, this article seeks to analyse the import of the Integrated Health Information System under the Digital Health Act 2023, its potential to transform communication within healthcare on multiple levels, and the impending privacy and security risks that attach to the complexity of an electronic health information system.


The Digital Health Act, 2023

The Digital Health Act, 2023 (“the Act”) was assented into law on 19 October 2023 alongside the Primary Health Care Act, Facility Improvement Financing Act, and the Social Health Insurance Act to steer Kenya towards implementation of Universal Health Coverage (UHC) by 2030. The Act was enacted against the backdrop of Section 104 of the Health Act 2017, which mandates the Cabinet Secretary to put in place e-health legislation that provides for the administration of health information banks, including an interoperability framework, data interchange and security, among others.5

One of the core provisions in the Digital Health Act, and the focus of this article, is the establishment of an Integrated Health Information System6 (“the System”) that operates as a point of collection, collation, analysis, reporting, storage, usage, sharing, retrieval or archival of data related to the state of physical or mental health of the data subject. This includes records regarding the past, present or future state of health, data collected in the course of registration for, or provision of, health services, and data which associates the data subject with the provision of specific health services.7 The objectives for the establishment of this System are to facilitate people-centred quality health service delivery; facilitate data collection and reporting at all levels; enable secure health data sharing to ensure timely and informed interfacility health service delivery; serve the health sector and facilitate, in a progressive and equitable manner, the realization of universal health coverage, to achieve the highest attainable standard of health; and facilitate the tracking and tracing of health products and technologies in the country.8

Health Information System

To operationalise the system, Section 26 of the Act mandates the Cabinet Secretary and County Executive Committee Members to establish a National Health Data Bank and a designated county Health Data Bank, which shall store the health data submitted to the system by a Data Controller.9

The Digital Health Act has nonetheless been criticised for lack of provisions outlining the consequences of data misuse and breach; Part V of the Act mandates the Cabinet Secretary to provide confidentiality, privacy and security of data but does not give guidance on how the responsibility shall be fulfilled; and the Act does not define the roles of county governments despite the establishment of County Data Banks to store health data.

The new era of Electronic Health Records (EHR) Systems

Section 26 of the Social Health Insurance Act, 2023 mandates every Kenyan to register as a member of the Social Health Insurance Fund. The said registration has been set under the Act as a pre-condition for dealing with or accessing public services from the National Government, county government or national or county government entities. The import of this provision is that upon registration, the information collected by the Social Health Insurance Fund will be embedded into the Integrated Health Information System to enable access to healthcare services at different government facilities.

According to KELIN, this digitisation of healthcare in Kenya portends enhanced health outcomes by tackling issues such as unequal access to healthcare services, the difficulty health professionals face in obtaining pertinent health data, the scarcity of healthcare personnel, the exorbitant costs associated with healthcare access, and patients’ ability to access their medical records, prescriptions, and medical information.10 Recent studies have similarly suggested that the integration of health records promotes evidence-based medicine, record-keeping and mobility.11

An Electronic Health Record (EHR) system can be described as one that collects a patient’s information using digital means and stores the information in a digital format. Using a network-integrated system, the EHR system becomes embedded into the digital archive of the organization that has captured that record, allowing for multiple points of access within the organization. In the case of different healthcare providers, the electronic records can be shared between health providers depending on the underlying data architecture of the EHR system.

The Kenyan Integrated Health Information System shall foreseeably be a system that allows the compilation of one accurate health record per patient as well as tracking the patient’s treatment history regardless of whether the patient visits a private or public health care provider. The system shall, therefore, allow the processing of patients’ personal as well as medical information. The categories of information to be processed in the Integrated Health Information System include sensitive personal data, administrative data, aggregate health data, medical equipment data and research for health data.

The use of EHR systems in countries such as the UK, Germany and Australia has evidenced laudable benefits such as interoperability that lets different providers communicate and share resources, evidence-based medical decision-making, and analysis of trends in patient illnesses, which can assist in early detection. In the same breath, EHR systems have increased privacy and security risks to patients’ information. Various African countries implementing electronic health systems have encountered challenges, including high costs of system implementation, the lack of infrastructure and hardware to support the electronic health system, poor IT competency and lack of training among health care staff who, in turn, end up reverting to prior ways of operation.13

Privacy and security concerns

Article 31(c) of the 2010 Constitution of Kenya provides that every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed. Protection of human rights under the Bill of Rights and data protection are critical for the success of any digital health intervention.

The incessant privacy and security concerns over electronic health data have been linked to the increased use of mobile devices and smart technologies, medical identity theft, and data exchange between healthcare providers, organizations, physicians and patients.14 Any modern technology runs the risk of a cyber-attack or threat.

Another security concern is the profiling of patients, as the Integrated Health Information System may likely track patients as they move between primary, secondary or tertiary health care providers. Most of the time, an EHR system requires a relatively strong and robust infrastructure in the hospital in which it is being implemented, something that is not always available in tertiary health institutions in Kenya.

Section 24(5) of the Digital Health Act mandates the Cabinet Secretary to establish security measures in the system to protect sensitive personal data, including: personalized authentication and login credentials, role-based user rights, audit trails for all activities within the system, digital and physical security of the system, and an encrypted backup. With the implementation of the Digital Health Act and the Integrated Health Information System, patients’ medical information such as identification data, medical prognosis & diagnosis, radiology images, laboratory test results, immunization statuses, growth and development charts for infants and babies, progress notes, prescribed medication, billing information, health providers visited, and demographics all run the risk of security breaches despite the Act calling for a seamless integration and interoperability of the National Health Data Bank and other relevant databases.16

Access protocols on the Integrated Health Information System open up new security threats over the personal information held in the data banks. There are concerns about the access levels that both people and entities have to patients’ EHRs. For example, a patient’s EHR might be fragmented and accessible from several sites (by visiting different doctors’ offices, hospitals, providers, etc.). Security defects in some of these systems could cause the disclosure of information to unauthorized persons or companies. From the foregoing, health data need protection against manipulation, unauthorized access and abuse, which includes taking into account privacy, trustworthiness, authentication, responsibility and availability issues.16

In the digital age, data security and privacy have been lauded as paramount, particularly for personal sensitive information such as health data. Each personal data processing activity is ideally required to fulfil three fundamental security goals: Confidentiality, Integrity and Availability (CIA). Regardless of the security measures provided under the Act, there is a need for a complete security program to maintain the integrity of the data with operational system audit trails. The integrity of the data shall ensure that the data in the system is accurate and cannot be manipulated. Effective implementation of privacy measures in the Integrated Health Information System shall require multi-disciplinary cooperation between healthcare providers, IT specialists, and regulatory bodies.


While the benefits of an Integrated Health Information System may outweigh the risks, electronic health records shall continue to pose a threat to patients’ right to privacy, thus necessitating policies, standards and strategies to address the system’s implementation. Upon implementation, and to achieve the intended benefit, it is pivotal for the system to satisfy requirements in terms of data completeness, resilience to failure, high availability and consistency of security policy and standards. The information shared by a patient is a result of a clinical relationship that is deemed confidential and must at all times be protected from privacy violations.

In sum, embedding and controlling access to patients’ health information on the Integrated Health Information System shall be essential for the effective implementation of the system, but the same will not be sufficient to protect confidentiality and address threats to patients’ privacy rights. Additional security measures, such as extensive training of health care providers who shall use the system and implementation of strong privacy and security policies, procedures and standards, must be put in place to secure the patient’s information and right to privacy.