It is barely the second quarter of the year, yet the Kenyan healthcare regulatory landscape is being redrawn.
Two documents released in 2026 will be major determinants of how pharmacies, clinics, hospitals, and businesses in the digital health space deploy AI in their operations. The AI Bill 2026 received its first reading in the Senate on April 2, 2026, while the lesser-known document, already in force, was issued by the Pharmacy and Poisons Board in February as guidelines for regulating medical device software in Kenya (MDSW). Together, they will define compliance for digital health in Kenya, though not necessarily in a single voice.
The AI Bill applies across every sector, from finance and public administration to security and agriculture. It establishes the office of the AI Commissioner, a new independent state office. The Bill classifies AI-assisted medical devices as high-risk AI. It creates obligations for pre-deployment risk assessments, human rights impact assessments, transparency, five-year data retention and performance metrics, annual compliance reporting to the AI Commissioner, and explicit consent requirements for AI-generated content. Penalties for breach can be as high as Sh5 million or two years’ imprisonment.
PPB guidelines, on the other hand, are a sectoral instrument used to safeguard the safety, quality, and performance of software in medical devices. The guidelines categorise regulated software into two: Software as a Medical Device (SaMD) and Software in Medical Device (SiMD). SaMD is standalone software intended for medical purposes, such as diagnostic apps, clinical decision support systems, and patient monitoring software, that operates without dedicated hardware. SiMD is embedded in hardware, e.g., algorithms in an MRI machine and firmware in a connected glucometer.
Registration is granted for five years, requires technical documentation, and carries fees ranging from $250 for a low-risk, locally manufactured product to $2500 for a category IV, foreign-manufactured, high-risk device. The guidelines include 10 principles of good machine learning practice, as well as specific submission requirements covering training data, model selection, performance validation, deployment workflow, and annual post-market performance reporting throughout the product’s lifecycle.
The two documents share a four-tiered classification system, but they use different axes. The AI Bill classifies based on potential harm to human rights, health, safety, and societal welfare. The guidelines classify based on medical use, the significance of the information provided, and the seriousness of the healthcare condition being addressed. It’s prudent to note that the classification might be the same, but the documentation requirements are not identical. A deployer must independently assess and document both regulators’ classifications.
There is significant overlap in operations and documentation between the two documents. For example, some of the technical documentation accompanying device registration includes compliance with international standards for software lifecycle processes, risk management, quality management systems, usability engineering, and information security. The AI Bill, when passed, will require additional documentation on human rights impact assessment, transparency disclosures to users, records of bias mitigation, etc.
Despite overlap with cybersecurity, such as Data Protection Act compliance, a healthcare organisation that meets the specifics of the PPB’s guidelines will be more likely to comply with the AI Bill’s general requirements. However, the reverse is not true. The guidelines are more specific than the AI Bill, which is more general. The overlap in post-marketing monitoring creates a dual burden. The PPB guidelines require annual post-market performance reports, adverse event reporting, and safety corrective actions. AI-enabled devices with continuous learning capabilities will be subject to intensive monitoring requirements.
The AI Bill requires a separate annual compliance report to the AI Commissioner. The reporting cycles, formats, and authorities differ. There is no provision for unified reporting or regulatory cooperation between the PPB and the AI Commissioner’s office.
All the same, what do these facts mean for local healthcare businesses? For pharmacy retail and wholesale owners, compliance exposure can stem from a POS or an AI-powered inventory management system. Is the product registered as MDSW by the board? Once the AI Bill passes, you’ll also need to conduct your own risk assessment of the AI tool’s deployment in your context, maintain records of the system’s performance, and disclose to patients, in some form, that AI is involved in dispensing. These businesses should document their deployments clearly, retain proper records, and maintain an up-to-date compliance file. This is the competitive moat. Regulatory licenses are intangible assets.
For clinics, AI tools often employed in clinical settings fall under both regulatory bodies’ high-risk classification. I’d propose auditing every digital tool in active use that meets the MDSW’s definition under PPB guidelines and confirming its registration. Second, designate an AI compliance lead within the clinic to oversee regulatory work. Third, build a deployment file for each AI tool, including vendor documentation on performance and limitations, patient disclosure language, and internal validation evidence.