All hospitals have three months to acquire new licenses to hold patient data.
In a notice on Tuesday, December 17, the Kenya Medical Practitioners and Dentists Council (KMPDC) directed all hospitals to apply for the Certificate of Data Handler within the first three months of next year.
CEO David Kariuki directed that, effective January 1, 2025, all new health facility registrations must include a valid Certificate of Data Handler/Processor issued by the Office of the Data Protection Commissioner (ODPC).
“Additionally, existing facilities must obtain this certification within three (3) months, by March 31, 2025,” Kariuki added. Non-compliance can result in fines of up to Ksh5 million, or 1 per cent of annual turnover.
Under the new laws, the government, through the ODPC, mandates that entities handling personal data register as data controllers or data processors.
This allows the government to determine the purpose and means of processing personal data, while a data processor handles data on behalf of the data controller.
In the new health scheme Taifa Care, the government, through a proposed Digital Health Information Management Regulations 2024, has integrated patient data across all counties and national hospitals.
In the regulations, all health facilities accredited by SHA will be required to store all patient data collected in the course of diagnosis and any other follow-up check in a National Health Data Bank.
Central to the new framework is the Enterprise Service Bus (ESB). However, there will be two data banks, the National Health Data Bank and the County Health Data Banks.
In the regulations, all health facilities accredited by SHA will be required to store all patient data collected in the course of diagnosis and any other follow-up check in a National Health Data Bank.
Thus, the directive from KMPDC is to align hospitals with other regulations and allow them to hold the data. “This requirement underscores the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice,” stated Kariuki in the notice.
According to the ODPC, there are three categories of registration fees, determined by annual turnover and number of employees. The micro and small entities pay a registration fee of Ksh 4,000, medium entities pay Ksh16,000, and large entities will fork out Ksh40,000.
However, entities with an annual turnover below Ksh5 million or fewer than 10 employees may be exempt from registration.
The application process for a Certificate of Registration takes 14 days. The certificate is valid for 24 months and is renewable.
