The Emerging Practice of Telemedicine and the Law: Kenya’s Stance
While access to quality healthcare is a constitutional right, limited access to healthcare facilities and lack of adequate personnel to address medical needs are active barriers to the access to healthcare for many Kenyans. In spite of a majority of Kenyans living in rural areas, the specialist-patient ratio is low in the rural areas and there are fewer healthcare facilities than in urban areas. Health facilities are also inaccessible to some Kenyans because of long distances to health facilities, lack of public transportation and poor road conditions. And now with the prevalence of the COVID-19 pandemic, access to healthcare is not any easier with some patients shying away from hospital visits for fear of contracting COVID-19.
Telemedicine could complement health facilities by safely meeting the needs of patients with other conditions as well as those that possibly have COVID-19 and enable a wider reach of healthcare services. Telemedicine is the remote provision of healthcare services, that would typically be hospital-based, through the use of information and communication technologies for the exchange of information for the diagnosis and treatment of patients. This can be done via video chats, phone calls, emails, text messages or transmission of images, between health professionals and patients or between health professionals. Telemedicine encompasses a wide variety of services including teleconsultation, teleradiology, teledermatology, telepsychiatry, telepathology, telemonitoring, among others.
This article gives readers an insight into of the telemedicine practice in Kenya, especially in the legal environment, and highlights some of the regulations that are binding to telemedicine providers in the contexts of privacy and data protection.
Telemedicine in Kenya
Telemedicine is a fairly new practice in Kenya. It is one of other unconventional methods that have been used in providing healthcare services in Kenya such as through mobile clinics, home visiting doctor services, air medical services and online pharmaceutical care–which bring healthcare services.
The Health Act of 2017 recognises e-health, which includes telemedicine, as a mode of health service. Challenges such as inadequate funding of e-health systems and innovations, illiteracy in ICT, lack of awareness, poor Internet connectivity and a weak regulatory framework have in the past limited the growth of telemedicine in Kenya. However, with the need to avoid physical contact during the COVID-19 pandemic, the past few months have seen an increase in telemedicine providers, some of which are aimed at detecting cases of COVID-19.
The Kenyan legal framework embraces the use of ICTs in the health sector, with enabling laws falling majorly in the health and ICT legal realms. Existing laws that regulate the practice include: The Health Act, the Pharmacy and Poisons Act, the Data Protection Act, the Consumer Protection Act, just to mention a few. In fragments, these laws regulate certain aspects of telemedicine. The telemedicine practice, nonetheless, lacks uniform standards to regulate the practical details such as: the health services that can be provided; when and how doctors can prescribe and; what would constitute informed consent by patients. As more telemedicine providers emerge, patients are being exposed to a practice that is not sufficiently regulated. However, the Cabinet Secretary in charge of healthcare was mandated to enact legislation on health service delivery in telemedicine within three years –this being the third year –after the enactment of the Health Act.
Data Protection and Privacy
Secure data processing is one key area that deserves keen attention in policy and the provision of telemedicine services. This is because telemedicine providers facilitate the transmission of sensitive health data to be able to contribute to the wellbeing of patients.
Health data is particularly sensitive as it may include of test results such as those of sexually transmitted diseases, history of diseases and treatments and history of drug use –some of which are capable of causing social stigma. This is one of the reasons why a certain level of confidentiality is expected from health professionals. If the collection, transmission and storage of health data is not well controlled, patients risk being exposed to certain privacy and security breaches such as improper disclosure that is without their consent or unauthorised access by third parties contrary to their constitutionally guaranteed rights of privacy and access to information.
The following are some of the existing rules that would apply to telemedicine providers in ensuring the protection and privacy of health data:
• Personal data relating to the health of a data subject are only to be processed by or under the responsibility of a health care provider; or by a person subject to the obligation of professional secrecy under the law under the Data Protection Act.
• Results regarding HIV status and related assessments are not to be disclosed, unless done in accordance with conditions laid out in the HIV/AIDS Prevention and Control Act.
• System and data security should be implemented by way of data encryption and passwords in health systems dealing with patients’ data to safeguard against unauthorised or accidental access from malicious people subject to the ICT standards and guidelines of the Ministry of Health.
• Applications should support end point encryption.
• Bodies designated as data controllers and data processors must register with the Office of the Data Commissioner under the Data Protection Act.
• Health records and information managers are to be trained, registered and licensed in accordance to the Health Records and Information Managers Act.
• Rights of data subjects as outlined in the Data Protection Act include the right to be informed of the use to which their personal data is to be put; to access their personal data in custody of data controller or data processor; to object to the processing of all or part of their personal data; to correction of false or misleading data and; to deletion of false or misleading data about them.
• Data controllers and data processors should not process personal data without the consent of data subjects to the processing for one or more specified purposes; or where the processing is necessary as spelled out in the Data Protection Act.
Telemedicine is a promising path in Kenya’s healthcare system that has the potential of easing access to healthcare safely and conveniently as healthcare systems aid in countering the COVID-19 pandemic and other medical conditions. While telemedicine could be beneficial to Kenyan patients, the determination of more rigorous standards and regulations needed to regulate the practice is pending. Meanwhile, positive steps have been taken to develop data protection and privacy laws.