Facility admin checklist
Privacy controls every facility should operationalise
Effective May 22, 2026. Use this checklist to turn the privacy notice and terms into daily administrative controls for hospital admins, branch admins, compliance leads, records officers, and data protection contacts.
Facility terms version ANECATE-HOSPITAL-HOSPITAL-DATA-PRIVACY-KE-v2-2026-05-22
Before production use
Assign a responsible facility owner for this checklist, attach local facility procedures, and have the final packet reviewed by a Kenyan lawyer, data protection officer, or qualified privacy professional. This checklist is a strong operational baseline, not legal sign-off.
Governance documents to keep ready
1. Facility privacy notice and patient consent wording, reviewed for Kenyan law and facility workflows.
2. Record of processing activities covering patient registration, clinical care, pharmacy, lab, radiology, billing, claims, referrals, messaging, reporting, support, and backups.
3. Retention schedule for clinical, billing, claims, audit, HR, support, messaging, and backup records.
4. Data sharing register for insurers, SHA, referral facilities, external labs, radiology providers, payment providers, messaging providers, regulators, and support processors.
5. Incident and breach response procedure with ODPC and patient notification decision steps.
Admin access controls
1. Create named accounts only; do not allow shared reception, ward, lab, pharmacy, or admin accounts.
2. Assign roles by department, branch, and task, then remove any role that is not needed.
3. Review active users, inactive users, branch assignment, exports, and privileged admin access at least monthly.
4. Remove or suspend access immediately after resignation, transfer, suspension, contract end, suspected misuse, or credential compromise.
5. Keep evidence of who approved each admin, clinician, receptionist, lab, radiology, pharmacy, billing, and support account.
Patient consent and rights workflow
1. Show or read the patient notice before registration, public booking, legacy import communication, or consent capture where required.
2. Record the accepted policy version, consent method, staff user, date, and any signed document or representative details.
3. Have a clear route for access, correction, withdrawal, restriction, portability, erasure, and complaints requests.
4. Escalate minor, child, guardian, mental capacity, emergency, sexual and reproductive health, or court-order cases to the facility's responsible officer.
5. Do not refuse emergency care just because ordinary consent wording has not yet been completed; document the lawful emergency basis.
Breach response runbook
1. Contain the incident first: disable exposed accounts, rotate credentials, stop unauthorised exports, recover printouts, and preserve logs.
2. Classify the incident: wrong-patient access, lost device, exposed password, leaked document, misdirected message, unauthorised export, malware, or vendor breach.
3. Assess harm: health sensitivity, number of patients, exposed identifiers, financial data, vulnerable patients, public disclosure, and likelihood of misuse.
4. Decide and record whether ODPC notification, patient notification, payer notification, professional escalation, police report, or legal advice is required.
5. Close with corrective action: access changes, training, configuration changes, processor action, patient support, and lessons learned.
High-risk processing checks
1. Perform a data protection impact assessment before broad biometric use, large-scale health data analytics, new AI decision support, major integrations, new cross-border transfers, or new patient messaging programmes.
2. Review whether the facility needs ODPC registration or updates for its controller or processor category.
3. Confirm whether primary or secondary healthcare data must be hosted, mirrored, or otherwise safeguarded in Kenya before cross-border transfer.
4. Use anonymised or pseudonymised data for training, analytics, migration testing, and support wherever possible.
5. Do not launch direct marketing or market research using identifiable patient health data unless a lawful basis and explicit safeguards are documented.