SHA Makes Accredited HMIS Integration Mandatory for All Healthcare Providers, Setting Three-Month Compliance Deadline with Decontracting as Consequence of Non-Compliance

Abstract
SHA has issued a directive making accredited HMIS integration a mandatory condition for contracting, contract renewal, and continued participation in SHA-funded schemes under the FY 2026/28 cycle. Facilities must obtain DHA certification for their HMIS, maintain electronic connectivity with SHA's Centralised Digital Platform, comply with national digital health standards, and adhere to the Data Protection Act. The directive is anchored in both SHA contracts and the Digital Health Act, 2023. SHA CEO Mercy Mwangangi has publicly stated that non-compliant providers will face decontracting within three months. For the estimated thousands of SHA-contracted facilities across Kenya, ranging from county hospitals to private clinics, this directive creates an immediate procurement, compliance, and data protection obligation. Health technology vendors, legal counsel advising healthcare providers, and data protection officers face parallel obligations arising from the directive's integration and certification requirements.
Introduction
SHA's directive moves HMIS compliance from a recommended practice to a hard contractual condition with a stated enforcement timeline. The consequence of non-compliance is explicit: ineligibility for new contracts, non-renewal of existing contracts, and removal from SHA-funded schemes. Given that SHA participation is effectively the primary revenue pathway for a significant portion of Kenya's healthcare facilities under the Social Health Insurance Fund, the directive is not a technical preference; it is a commercial survival requirement for providers whose patient base relies heavily on SHA-funded services.
The three-month integration deadline set by Mwangangi at a stakeholder meeting on 30 June 2026 compresses an implementation timeline that many smaller facilities, particularly rural clinics and lower-tier private providers, may find operationally difficult to meet. Installing an approved HMIS, obtaining DHA certification, connecting to SHA's Centralised Digital Platform, training staff, and resolving technical integration issues within that window requires both capital expenditure and technical capacity that is not uniformly available across Kenya's healthcare provider landscape.
Background
The directive draws its legal authority from two instruments. The Digital Health Act, 2023, establishes the framework for digital health infrastructure in Kenya, including the mandate for healthcare providers to maintain systems capable of collecting, processing, storing, and retrieving beneficiaries' medical records to national standards. The SHA contracts are issued under the Social Health Insurance Act, 2023, which restructured Kenya's national health insurance architecture by replacing the National Hospital Insurance Fund with SHA. These contracts carry their own compliance obligations, with HMIS integration now embedded as a contractual condition rather than a separate recommendation.
The Data Protection Act, 2019, and its accompanying regulations govern how healthcare providers handle patient data within any HMIS they deploy, including storage, processing, and access controls. The Digital Health Agency is responsible for certifying HMIS platforms against national digital health standards before facilities can use them for SHA purposes. This creates a two-layer compliance obligation for providers: the system itself must be DHA-certified, and the facility's use of that system must comply with data protection requirements. These obligations sit alongside existing Ministry of Health standards for health information management, creating a layered regulatory environment that smaller providers may not have the legal or technical advisory capacity to navigate without external support.
Analysis
The commercial stakes of this directive are high enough that providers should treat the three-month deadline as a firm enforcement boundary rather than an aspirational target. Mwangangi's statement, that SHA will have "no option but to decontract non-compliant facilities," is the kind of specific, named consequence that creates legal exposure if the authority then fails to enforce it, which means enforcement is more likely, not less. Facilities that have been deferring HMIS investment on the assumption that SHA would extend timelines or soften requirements should reassess that assumption given the public clarity of this warning. Legal counsel advising SHA-contracted providers should treat this as a notice of a material contract condition change and advise clients to begin implementation planning and procurement now rather than waiting for a formal contract renewal cycle.
The data protection dimension is the compliance risk that is most likely to be overlooked in the rush to meet the HMIS certification and integration deadline. A facility that deploys a DHA-certified HMIS without adequate data governance, consent management, access controls, and staff training on data handling obligations is technically compliant with the SHA requirement but in breach of the Data Protection Act. The Office of the Data Protection Commissioner has been increasingly active in Kenya, and healthcare data breaches or unauthorized access events arising from poorly implemented HMIS deployments would attract regulatory attention independent of SHA's contracting framework. Data protection officers at healthcare facilities, and at health technology vendors supplying HMIS products to the sector, should treat the SHA directive as a trigger to conduct a full data protection impact assessment before going live on SHA's Centralised Digital Platform, not after.
For the health technology vendor market, the directive creates a concentrated procurement window. Every SHA-contracted facility that does not currently run a DHA-certified HMIS is now a buyer under time pressure, which is commercially significant for vendors with certified products and a potential compliance trap for facilities that select vendors on speed and price rather than on the adequacy of the vendor's DHA certification status, integration track record with SHA's platform, and data security controls. Facilities selecting an HMIS vendor under this directive should conduct basic vendor due diligence beyond the DHA certification certificate itself, since a certified product operated by a vendor with inadequate implementation support or security controls still leaves the facility exposed to both technical integration failure and downstream data protection liability.
Conclusion
SHA's HMIS directive is binding, time-limited, and carries a named enforcement consequence. Facilities that treat the three-month deadline as provisional or negotiable are carrying real decontracting risk. The compliance task is not just technical; it requires legal review of contracts, vendor due diligence, data protection assessment, and staff training, and the window to complete all of it is shorter than most procurement cycles for healthcare IT systems.
Citations
- 1. Social Health Insurance Act, 2023
- 2. Digital Health Act, 2023
- 3. Data Protection Act, No. 24 of 2019
- 4. Social Health Authority, directive issued by CEO Mercy Mwangangi, 30 June 2026
- 5. Digital Health Agency, HMIS certification standards and requirements (current version)
- 6. Office of the Data Protection Commissioner, general guidance on health data processing
