A recent social media conversation sparked a debate in Kenya on patient data privacy, data protection, and the taxman’s reach. The issue stems from a patient’s claim that a medical facility denied them treatment for not signing a consent form. The form would allow unlimited sharing of their treatment data, which could then be shared with the Kenya Revenue Authority (KRA).
This turn of events shows the complexity of Kenya’s data and financial privacy and transparency laws. The current legal frameworks that enshrine these values are as follows:
- The Kenya Medical Practitioners and Dentists Board has a “Code of Ethics for Medical Practitioners”. It has rules on the relationship between a healthcare provider and a patient. Doctors are required by law and ethics to keep patient data confidential.
- The Data Protection Act, 2019, enshrines a person’s right to control their data. It includes, as in the case above, the right of a patient to access, edit, and object to the processing of their medical information.
- The Finance Act of Kenya, 2023, allows the KRA to collect taxes as required. It lets them include patient information in tax receipts (e-TIMs). This change may overreach into patient privacy.
The contradiction is between the Kenya Data Protection Act (DPA) and the Finance Act. It shows what happens when laws are made in silos, without proper understanding and stakeholder consultation. The DPA requires consent to process data. However, the Finance Act seems to ignore this rule in the sharing of medical data.
On the global scene, there has been a struggle between governments’ need to access data for taxation purposes and patient privacy. But exceptions occur when law enforcement efforts, like tax investigations, need to reveal sensitive patient data.
The US has the Health Insurance Portability and Accountability Act (HIPAA), which safeguards medical privacy, and the EU has the General Data Protection Regulation (GDPR). These regulations protect access to personal data, but they permit governments exemptions from the rules for “important public interest” reasons. These reasons might include tax collection.
Possible solutions can bridge the rift between these laws. The law could be amended to define what data KRA can access and for what purpose. Anonymizing patient data could also meet KRA’s requirement without breaching individual data privacy. Where specific, identifiable patient data is needed, allowing for patient consent could be an option.
Where law enforcement and tax investigators need access to patient data, they need a court warrant to allow the access. The warrant must detail the extent and reach of access. This is similar to the US HIPAA, which can allow for the disclosure of private health information. Regular audits by the Kenya Medical Association (KMA) or another group can ensure compliance with patient data protection rules. Balancing data access and privacy in healthcare will foster trust and respect between patients, healthcare workers, and the government.