Healthcare: Patient Records and Medical Compliance
Patient files, clinical evidence, medical-legal records, SHA submissions — handled with the privacy controls healthcare demands.
Healthcare: Patient Records and Medical Compliance
Patient data is the most sensitive document class in any economy. Kenyan healthcare providers — hospitals, clinics, diagnostic centres, pharmacies — must reconcile patient confidentiality, medical-legal obligations, SHA (Social Health Authority) claims processing, and KMPDC oversight.
Patient file structure
Each patient file is a tenant-scoped record with strict access controls:
- Patient demographics (name, ID, contact, next-of-kin)
- Consent forms (treatment, data sharing, research)
- Clinical encounters (linked to date and clinician)
- Investigations (lab, imaging, biopsy)
- Prescriptions and dispensing records
- Discharge summaries
- Medical-legal documents (where any)
Access is restricted to the patient's care team; comprehensive access requires explicit authorisation logged in the audit trail.
SHA claims
SHA claims documentation:
- Pre-authorisation requests
- Service delivery evidence
- Discharge summaries with diagnoses (ICD-coded)
- Itemised billing
- Patient acknowledgement of service received
Papyrus workflows route claims through clinical review, billing review, and SHA submission, with the audit log capturing every step.
KMPDC inspection readiness
KMPDC inspections probe:
- Practitioner registration documents (current)
- Facility licences
- Patient complaint records and resolution
- Adverse event reporting
- Continuing professional development records of staff
Each lives as a Papyrus document class with retention and review-cycle controls.
DPA and patient privacy
Patient data is sensitive personal data under the DPA. Papyrus's controls for healthcare tenants:
- All clinical documents classified
Restrictedby default - No external sharing of patient documents without explicit authorisation
- Access by non-care-team users requires justification logged in audit
- Patient DSARs fulfilled within 14 days (more conservative than DPA's 30)
- Consent for research data sharing tracked separately