Anecate Hospital terms and conditions

Terms for facility users, patients, and patient data workflows

Effective May 22, 2026. These terms apply to hospital owners, hospital admins, branch admins, doctors, nurses, radiology, laboratory, reception, billing, pharmacy, records, support teams, patients, and authorised representatives who use or submit information through Anecate Hospital.

These terms are designed as strong operational terms for a Kenyan healthcare system. They reduce legal and privacy risk, but they do not replace facility-specific legal review, professional licensing duties, patient consent forms, service charters, or written processor contracts.

Facility terms

ANECATE-HOSPITAL-HOSPITAL-DATA-PRIVACY-KE-v2-2026-05-22

Staff terms

ANECATE-HOSPITAL-STAFF-DATA-SECURITY-KE-v2-2026-05-22

Patient terms

ANECATE-HOSPITAL-PATIENT-PRIVACY-KE-v2-2026-05-22

Acceptance and scope

These terms apply to facility owners, hospital admins, branch admins, doctors, clinical officers, nurses, radiology teams, laboratory teams, reception, billing, pharmacy, records, support users, patients, patient representatives, and anyone who accesses or submits information through Anecate Hospital.

  1. By using Anecate Hospital, the user agrees to follow these terms, facility policy, professional duties, and applicable Kenyan law.
  2. A facility must ensure its users are trained, authorised, supervised, and removed from access when authorisation ends.
  3. A patient or representative who submits a booking, registration, consent, or request agrees that the facility may process the data for the stated healthcare and related purposes.
  4. These terms do not replace a facility's professional duties, employment policies, clinical protocols, service charters, insurance rules, or statutory notices.

Patient safety and clinical responsibility

  1. Anecate Hospital supports workflows but does not replace professional clinical judgement, emergency triage, diagnosis, prescribing responsibility, patient counselling, or statutory reporting decisions.
  2. Clinicians and authorised healthcare workers must verify patient identity, clinical context, allergy status, results, orders, medication details, and relevant history before acting.
  3. Users must not rely on incomplete, stale, imported, or unverified data without applying professional judgement and documenting any material uncertainty.
  4. Automated suggestions, templates, summaries, alerts, or analytics must be reviewed by an authorised human before they influence care, billing, claims, or patient communication.

Account security

  1. Each user must use their own account. Shared accounts, borrowed passwords, unattended sessions, and ghost users are prohibited.
  2. Users must choose strong passwords, protect OTPs and authentication devices, and report compromise immediately.
  3. Admins must disable or adjust access after resignation, termination, transfer, leave, suspension, contract end, role change, branch change, or suspected misuse.
  4. Anecate Hospital or the facility may suspend access to protect patients, preserve evidence, prevent misuse, or comply with law.

Prohibited conduct

  1. No user may sell, leak, trade, publish, gossip about, or use patient information for personal, political, employment, marketing, debt-shaming, family, media, or social purposes.
  2. No user may bypass access controls, tamper with audit trails, impersonate another user, hide a breach, alter clinical records dishonestly, or falsify consent.
  3. No user may upload malicious files, abuse APIs, scrape data, bulk export without authority, overload the service, or connect unauthorised tools to patient data.
  4. No user may disclose patient data on WhatsApp, SMS, email, printout, screenshot, call, referral note, or support ticket beyond what is necessary and authorised for the task.

Facility administration duties

  1. Facility admins must maintain accurate facility, branch, department, role, employee, practitioner, service, price, payer, pharmacy, lab, radiology, and reporting configuration.
  2. Facility admins must review audit and compliance reports, investigate suspicious access, preserve evidence, and escalate serious incidents.
  3. Facility admins must ensure patient notices, consent wording, complaints handling, and health-records request procedures are available to patients in a language and manner they can understand.
  4. Facility admins must ensure exports, printouts, backups, and integrations are approved, logged, secured, and retained or destroyed according to policy.

Payments, billing, and claims

  1. Billing and claims users must use accurate patient, service, payer, invoice, receipt, and claim information and must correct errors through approved facility processes.
  2. Users must not create false invoices, false claims, duplicate claims, inflated services, unauthorised refunds, hidden discounts, or misleading reports.
  3. Financial, insurance, SHA, and payment records may be retained for audit, tax, accounting, dispute, payer, and statutory purposes even after a clinical episode closes.

Support, maintenance, and processors

  1. Anecate Hospital support access must be limited to authorised troubleshooting, maintenance, security, migration, training, or implementation work.
  2. Support users must minimise patient identifiers, avoid unnecessary downloads, and follow confidentiality duties.
  3. Third-party processors, hosting providers, messaging providers, payment providers, analytics services, and integration partners must be authorised and governed by appropriate contractual and security controls.

Suspension, audit, and enforcement

  1. Anecate Hospital or the facility may restrict, suspend, or revoke accounts where there is suspected misuse, legal risk, unpaid service obligations, role mismatch, compromised credentials, or patient safety concern.
  2. The facility and Anecate Hospital may keep audit evidence for security, compliance, dispute resolution, legal defence, professional reporting, and regulatory requests.
  3. A user who violates these terms may face facility discipline, account removal, professional body reporting, civil claims, regulatory penalties, or criminal investigation.

Facility data protection terms

The facility owner, hospital admin, or authorised operator accepts these terms before patient data is created, imported, stored, or used in the workspace.

  1. The facility is accountable for patient records it creates, imports, approves, views, shares, exports, prints, or keeps in Anecate Hospital.
  2. Patient information may be processed only for healthcare, appointments, billing, claims, referrals, lawful reporting, facility administration, security, audit, continuity of care, or another documented lawful basis.
  3. Health data, identity data, contact data, insurance or SHA claim data, financial records, images, lab results, radiology reports, prescriptions, notes, and referrals must be treated as confidential patient information.
  4. The facility must give patients or authorised representatives a clear privacy notice before collecting data, unless an emergency, public health duty, court order, or other written law allows urgent processing.
  5. The facility must obtain patient consent where required, record the consent or lawful basis, and respect withdrawal of consent where the law allows withdrawal without blocking necessary care, reporting, claims, legal defence, or record retention.
  6. The facility must configure least-privilege access, keep staff roles accurate, review access regularly, and remove access promptly when staff leave, change role, transfer branch, or no longer need the system.
  7. The facility must not sell patient data, use health data for direct marketing, disclose patient data for market research, or share identifiable data with third parties unless consent, contract, court order, public health duty, referral need, claim processing, or another written law permits it.
  8. The facility must protect devices, reception counters, shared workstations, printouts, backups, exported files, WhatsApp or SMS communication, and physical files so patient information is not exposed to unauthorised persons.
  9. The facility must keep retention schedules, audit trails, data-sharing records, incident logs, access reviews, and consent evidence sufficient to demonstrate compliance to patients, regulators, auditors, and courts.
  10. The facility must report suspected breaches, lost credentials, wrong patient access, unauthorised exports, leaked printouts, missing devices, or suspicious account activity immediately and cooperate with containment, ODPC notification, patient notification, and lawful investigation.

Patient registration terms

These terms are used when a patient or authorised representative gives privacy and care-related consent before a patient record is stored.

  1. The patient or authorised representative has been told who is collecting the information, why it is needed, and which facility will use the record for care and related administration.
  2. The patient record may be used for identification, care, appointments, triage, clinical notes, lab and radiology requests, prescriptions, pharmacy, billing, claims, referrals, discharge, follow-up, lawful reporting, audit, and approved hospital operations.
  3. The record may include identity, contact, next-of-kin, demographic, clinical, medication, allergy, vital signs, laboratory, radiology, diagnosis, procedure, billing, insurance, claim, consent, and audit information.
  4. Only authorised facility users may view or update the patient record, and only where their role requires it for care, administration, claims, reporting, audit, security, or another permitted purpose.
  5. The facility and Anecate Hospital must protect the record using role-based access, authentication controls, audit logs, secure storage, staff accountability, and incident response.
  6. The patient may ask the facility how the record is used, request access to their health information, ask for inaccurate data to be corrected, request portability where technically possible, object or restrict processing where legally available, and complain if privacy is mishandled.
  7. Some records may be retained or shared even after a request to withdraw consent where retention or sharing is required for care continuity, legal obligations, public health, claims, audit, defence of legal claims, or another written law.
  8. Information about minors or patients without capacity must be handled through a parent, guardian, next friend, authorised representative, or court order as applicable, and always in the patient's best interests.
  9. If consent and the applicable terms are not accepted and no other lawful basis is documented, the patient registration must not be saved in Anecate Hospital except where emergency care or written law permits necessary processing.

Workspace user terms

These terms apply to every staff, admin, clinical, diagnostic, reception, billing, pharmacy, and support user account.

  1. I will access patient and facility information only for the role, branch, department, patient, visit, request, or task that the facility has authorised me to handle.
  2. I will not browse patient records out of curiosity, search for relatives or public figures without a care reason, or use another person's account to view records.
  3. I will not sell, leak, copy, photograph, screen-record, export, print, disclose, discuss, or post patient information outside authorised facility work.
  4. I will keep my password, OTPs, email, phone number, tokens, passkeys, and authentication devices private and under my control.
  5. I will not save passwords on shared, public, borrowed, ward, reception, theatre, radiology, lab, pharmacy, or unattended devices, and I will sign out or lock the workstation when I step away.
  6. I will verify patient identity before registering, ordering, prescribing, dispensing, reporting, billing, releasing results, sharing discharge documents, or handing out printed records.
  7. I will use only approved facility channels for patient communication, referrals, claims, exports, and support requests, and I will minimise the patient data included in each message.
  8. I will report wrong access, exposed passwords, lost devices, suspicious activity, misdirected messages, leaked printouts, or any suspected breach immediately.
  9. I will tell hospital administration when I leave the facility, my contract ends, I move branch or department, or my access should be changed, suspended, or removed.
  10. I understand that misuse of patient data may lead to account suspension, employment discipline, professional reporting, civil liability, regulatory enforcement, or criminal consequences under applicable law.

Role-specific duties

What each user group must protect

Hospital owner, hospital admin, and branch admin

Owns governance, configuration, staff access, consent readiness, incident response, and facility compliance evidence.

  • Approve only users who are employed, contracted, licensed, supervised, or otherwise authorised by the facility.
  • Assign the lowest role that allows the user to perform their work, then review access regularly.
  • Keep patient notices, complaints routes, retention schedules, breach contacts, data-sharing approvals, and processor records current.
  • Investigate suspicious access, failed access reviews, unexplained exports, and reports of patient privacy concerns without delay.

Doctors, clinical officers, nurses, theatre, maternity, dental, and ward teams

Uses patient records for direct care, orders, notes, prescriptions, procedures, discharge, handover, and follow-up.

  • Verify the patient and visit context before entering notes, orders, diagnoses, prescriptions, or discharge information.
  • Use patient data only for care or authorised clinical administration, not curiosity, training shortcuts, or informal sharing.
  • Keep clinical notes accurate, professional, timely, and attributable to the correct user.
  • Escalate wrong-patient entries, result mismatches, medication concerns, and privacy incidents immediately.

Radiology users

Handles imaging requests, modality worklists, image/report context, result release, and imaging-related patient information.

  • Confirm patient identity, request details, pregnancy or safety notes where relevant, and correct study context before imaging or reporting.
  • Release radiology reports only through authorised facility channels and to authorised clinicians, patients, or representatives.
  • Avoid exporting images, reports, or screenshots unless the facility has approved the purpose and recipient.
  • Report mismatched images, wrong-patient studies, unauthorised image access, or improper disclosure immediately.

Laboratory users

Handles lab orders, sample collection, results entry, validation, release, rejection, and quality evidence.

  • Confirm patient identity, sample label, order, specimen, and collection context before processing or result entry.
  • Release results only after authorised review according to facility policy and professional standards.
  • Do not alter results dishonestly, backdate work, or disclose results through unofficial channels.
  • Escalate critical results, wrong samples, mismatches, contamination concerns, and privacy incidents promptly.

Reception, registration, appointments, and front office

Collects patient identity and contact details, records consent, books appointments, manages queues, and handles patient-facing documents.

  • Read or show the privacy notice and terms before recording patient consent where required.
  • Verify patient identity and avoid announcing sensitive health details where other patients or visitors can hear.
  • Keep public-booking, QR intake, printouts, phone calls, and counter screens private from unauthorised viewers.
  • Do not create duplicate, false, or guessed patient records when identity details are uncertain; follow facility verification procedures.

Billing, cashier, finance, insurance, and claims users

Handles invoices, payments, receipts, claims, payer communication, refunds, reports, and financial audit evidence.

  • Use financial and claim data only for authorised billing, payer, audit, reporting, or account reconciliation tasks.
  • Minimise clinical detail in payer or payment communication unless it is necessary for the claim or required by law.
  • Protect receipts, claim attachments, ID numbers, policy numbers, payment references, and patient account screens.
  • Report suspected fraud, duplicate billing, wrong patient billing, unauthorised refunds, or leaked financial information.

Pharmacy, chemist, procurement, and inventory users

Handles medicines, prescriptions, dispensing, stock movement, supplier records, purchase workflows, and medication-related patient data.

  • Verify patient, prescription, medicine, dose, quantity, allergy, payer, and dispensing context before issuing medication.
  • Do not disclose prescriptions or diagnoses to unauthorised persons at the counter or through unofficial messages.
  • Keep controlled, high-risk, returned, expired, and patient-linked stock actions traceable.
  • Escalate medication errors, wrong-patient dispensing, suspicious prescriptions, stock fraud, and privacy incidents.

Patients and authorised representatives

Uses public booking, consent, registration, document request, and care communication workflows.

  • Provide accurate identity, contact, emergency, insurance, and visit information.
  • Use patient-facing links only for the intended patient or a patient you are authorised to represent.
  • Protect confirmation codes, booking links, receipts, discharge documents, and other records shared with you.
  • Raise correction, access, consent, or privacy concerns through the facility's published route.

Anecate Hospital support, implementation, and technical users

May support configuration, troubleshooting, migration, training, security monitoring, and maintenance under authorised instructions.

  • Access production data only when authorised and necessary for the support or security task.
  • Use test, anonymised, pseudonymised, or minimum necessary data wherever possible.
  • Keep support evidence, logs, exports, screenshots, and tickets free of unnecessary patient identifiers.
  • Report any support-side security or privacy issue immediately and cooperate with containment and audit.