Kenya Patient Summary FHIR Implementation Guide
Kenya Patient Summary FHIR Implementation Guide, published by Digital Health Agency of Kenya. This guide is not an authorized publication; it is the continuous build for version 0.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IntelliSOFT-Consulting/Kenya-Patient-Summary-FHIR-IG/ and changes regularly. See the Directory of published versions
This page sets out the general attributes and features of the digital system that ensure usability, security, interoperability, and technical compliance. Non-functional requirements do not define what the system does, but rather how the system performs its functions.
| Requirement ID | Category | Non-functional Requirement |
|---|---|---|
| Security – Confidentiality | | |
| KPS.NFXNREQ.1 | Security – confidentiality | Provide password-protected access for authorized users only. |
| KPS.NFXNREQ.2 | Security – confidentiality | Ensure confidentiality and privacy of personal health information in compliance with the Kenya Data Protection Act 2019. |
| KPS.NFXNREQ.3 | Security – confidentiality | Restrict access to patient data to only those users with the appropriate role-based permissions. |
| KPS.NFXNREQ.4 | Security – confidentiality | Encrypt all patient data at rest and in transit using AES-256 and TLS 1.2 or higher respectively. |
| Security – Authentication | | |
| KPS.NFXNREQ.5 | Security – authentication | Require multi-factor authentication (MFA) for all users accessing patient summary data outside of the facility network. |
| KPS.NFXNREQ.6 | Security – authentication | Notify the user to change their password upon first login. |
| KPS.NFXNREQ.7 | Security – authentication | Enforce complex password requirements: minimum 8 characters, including uppercase, lowercase, number, and special character. |
| KPS.NFXNREQ.8 | Security – authentication | Automatically lock inactive sessions after 15 minutes of inactivity. |
| KPS.NFXNREQ.9 | Security – authentication | Support OAuth 2.0 / SMART on FHIR for system-to-system and user-facing authentication. |
| Security – Audit Trail and Logs | | |
| KPS.NFXNREQ.10 | Security – audit trail and logs | Log all user logins and logouts with timestamp, user ID, and IP address. |
| KPS.NFXNREQ.11 | Security – audit trail and logs | Log all create, read, update, and delete (CRUD) operations on patient records, including the user who performed them. |
| KPS.NFXNREQ.12 | Security – audit trail and logs | Retain audit logs for a minimum of 7 years, in compliance with the Kenya Medical Records Act. |
| KPS.NFXNREQ.13 | Security – audit trail and logs | Ensure audit logs are immutable and accessible only to designated audit personnel and regulators. |
| Security – User Management | | |
| KPS.NFXNREQ.14 | Security – user management | Implement role-based access control (RBAC) aligned to the KPS Generic Personas (e.g., nurse, clinician, clerical staff, pharmacist). |
| KPS.NFXNREQ.15 | Security – user management | Allow system administrators to create, modify, suspend, and deactivate user accounts. |
| KPS.NFXNREQ.16 | Security – user management | Ensure that deactivated user accounts cannot access the system. |
| Interoperability | | |
| KPS.NFXNREQ.17 | Interoperability | Support data exchange using HL7 FHIR R4 APIs in conformance with this Implementation Guide. |
| KPS.NFXNREQ.18 | Interoperability | Integrate with the Kenya Health Information Exchange (HIE) for sharing of patient summary data across facilities. |
| KPS.NFXNREQ.19 | Interoperability | Integrate with the national Client Registry for patient identity resolution and de-duplication. |
| KPS.NFXNREQ.20 | Interoperability | Integrate with the Shared Health Record (SHR) to push and pull patient summary updates at the end of each encounter. |
| KPS.NFXNREQ.21 | Interoperability | Support terminology binding to SNOMED CT, ICD-11, LOINC, and Kenya-specific code systems as defined in this IG. |
| Availability and Reliability | | |
| KPS.NFXNREQ.22 | Availability | Support offline functionality so health workers can continue recording data when internet connectivity is unavailable; data must sync automatically when connectivity is restored. |
| KPS.NFXNREQ.23 | Availability | Maintain system availability of at least 99.5% uptime during business hours, excluding planned maintenance windows. |
| KPS.NFXNREQ.24 | Reliability | Implement automated data backup at least once every 24 hours, with disaster recovery procedures documented and tested. |
| Performance | | |
| KPS.NFXNREQ.25 | Performance | Patient summary pages must load within 3 seconds on a standard 3G mobile connection. |
| KPS.NFXNREQ.26 | Performance | FHIR API responses must complete within 5 seconds for standard queries under typical load conditions. |
| Usability | | |
| KPS.NFXNREQ.27 | Usability | The system must be accessible on mobile devices (smartphones and tablets) used by community health workers. |
| KPS.NFXNREQ.28 | Usability | Support English and Swahili language interfaces. |
| KPS.NFXNREQ.29 | Usability | Comply with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA for accessibility. |
| Data Integrity | | |
| KPS.NFXNREQ.30 | Data integrity | Validate all mandatory fields before allowing record submission, with clear user-facing error messages. |
| KPS.NFXNREQ.31 | Data integrity | Prevent overwriting of historical clinical records; all updates must be versioned and traceable. |
| KPS.NFXNREQ.32 | Data integrity | All FHIR resources must include a meta.lastUpdated timestamp and source system identifier. |