‍Introduction

The proposed Digital Health Services Bill, 2025, aims to establish a comprehensive legal framework for regulating the country's rapidly growing digital health sector. Having had its first reading before the House of Representatives on 19 March 2025, the bill is now awaiting its second reading. It aims to integrate digital technologies into the national healthcare system, establishing clear guidelines for service providers to improve access, quality, and efficiency of healthcare for all citizens. This review examines the key provisions of the draft legislation.

Scope and Application

The bill has a wide scope, applying to all public and private healthcare providers and institutions that use digital technologies to deliver services. This includes telemedicine platforms, mobile health applications, and systems leveraging artificial intelligence for patient care. It also covers any stakeholder involved in the development and deployment of digital health technologies within Nigeria, ensuring a broad regulatory net over the entire ecosystem.

Regulatory Oversight and Licensing

The Federal Ministry of Health is designated as the primary regulator responsible for implementing the bill. Its duties include developing standards, licensing and accrediting digital health service providers, and monitoring compliance with data privacy laws. A central provision of the bill is the mandatory licensing requirement; no individual or organisation can offer digital health services without obtaining a licence from the Ministry. These licences are subject to annual renewal and periodic review, creating a system of continuous oversight to ensure adherence to established standards.

Key Obligations for Service Providers

The bill imposes several critical obligations on digital health service providers, including:

• Data Protection and Security: All providers must comply with the Nigeria Data Protection Act, 2023. They are mandated to implement robust cybersecurity measures to safeguard patient data from unauthorised access and breaches.
• System Interoperability: To ensure seamless care, all digital health platforms must be compatible with existing national healthcare systems, including electronic health record (EHR) infrastructure. The Ministry of Health is responsible for developing the technical standards that facilitate this integration.
• Upholding Patient Rights: Providers must ensure the privacy and confidentiality of patient health data, provide accurate and timely information, and obtain explicit consent before sharing or using patient data for any purpose.

Patient Rights and Responsibilities

The bill formally codifies the rights of patients using digital health services. It guarantees their right to privacy, the right to receive clear information about their diagnosis and treatment, and the right to consent to the use of their data. In turn, it places a responsibility on patients to provide accurate health information, facilitating proper care. The bill empowers patients by granting them the right to access, correct, or request the deletion of their health data held by providers.

Intersection with Existing and Proposed Laws

The Digital Health Services Bill is not a standalone initiative, but rather the legislative culmination of over a decade of health policy development. It provides a much-needed regulatory framework for the ambitions outlined in earlier strategic documents. For instance, it operationalises the goals of the National e-Health Strategy (2011) by creating a formal structure for integrating electronic health records and telemedicine services. Furthermore, it directly supports the Nigerian Health Information System Policy (2014) by providing the legal mandate for the interoperability and data exchange required to link all health facility data sources. The bill also serves as a critical enabler for the National Health Policy (2016), which aims for Universal Health Coverage, by creating a regulated environment for digital tools that can expand healthcare access.

The bill’s most direct and explicit intersection is with the Nigeria Data Protection Act (NDPA), 2023. It mandates that all digital health providers must comply with the NDPA and explicitly states that penalties for data breaches will be in accordance with that Act. This alignment ensures a consistent data protection standard, thereby avoiding regulatory fragmentation. The Bill also complements the foundational principles of the National Health Act, 2014. While the 2014 Act establishes the fundamental rights of patients to information, confidentiality of their health records, and standards of care, this bill provides the specific digital context for enforcing those rights. It essentially modernises the application of the National Health Act by setting the rules for how patient data and rights are managed in an electronic environment.

Furthermore, the Bill operates within the broader framework of the Federal Competition and Consumer Protection Act (FCCPA), 2018. As patients are consumers of digital health services, the FCCPA provides an overarching layer of protection regarding service quality, fair contract terms, misleading advertising, and access to redress. The Digital Health Bill provides sector-specific rules, but the FCCPA empowers patients to seek recourse for service failures or unfair practices that are not explicitly covered by the health-specific legislation.

Looking forward, the bill shows synergy with the proposed National Digital Economy and E-Governance Bill, 2024. While the Health Bill is sector-specific, the E-Governance Bill’s provisions on the legal validity of electronic records and requirements for interoperable government infrastructure complement the objectives of the Health Bill. However, this overlap could also create regulatory complexity, as the Health Bill designates the Ministry of Health as its regulator, while the E-Governance Bill names the National Information Technology Development Agency (NITDA) as the primary authority for the digital economy. Clear coordination between these two bodies will be essential to harmonise standards and avoid imposing conflicting obligations on digital health operators.

Operational Implications for Digital Health Operators

For digital health operators, the bill introduces several practical requirements that will necessitate significant operational adjustments. The most immediate impact is the need to prepare for a formal licensing and compliance regime. Operators must anticipate the criteria the Federal Ministry of Health will establish and begin aligning their governance, technical, and service delivery frameworks accordingly. This includes preparing documentation, establishing internal controls, and ensuring services meet forthcoming quality and safety standards.

Functionally, the mandate for system interoperability is a critical technical hurdle. Operators will need to ensure their platforms can seamlessly exchange data with national healthcare systems and electronic health records. This may require substantial investment in re-architecting systems, adopting standardised data formats (like HL7/FHIR), and building secure APIs. Early engagement with the Ministry on the development of these technical standards will be crucial for a smooth transition.

From a data governance perspective, operators must move beyond baseline compliance and implement a robust privacy-by-design framework. This involves conducting data protection impact assessments DPIAs for all processing activities, ensuring transparent privacy policies, and establishing clear procedures for managing patient consent and handling data subject rights requests (access, correction, deletion) as required by both this bill and the NDPA. Ultimately, the significant penalties for non-compliance necessitate that risk management become a core business function. Operators will need to invest in cybersecurity infrastructure, regular staff training on data handling protocols, and potentially secure cyber insurance to mitigate financial and legal risks.

Penalties

To ensure compliance, the bill introduces significant penalties for violations. Operating an unlicensed digital health service can result in a fine of not less than N5,000,000 (approximately $3,350), imprisonment for up to five years, or both. For data breaches or the misuse of patient data, the bill refers to the penalties stipulated in the Nigeria Data Protection Act, ensuring alignment with the national data protection framework.

Conclusion

The Digital Health Services Bill, 2025, represents a crucial legislative step around the future of healthcare delivery in Nigeria. However, a potential long-term challenge lies in its framing, which centres on regulating "digital technologies" rather than applying technology-neutral principles to healthcare. The framework risks becoming quickly outdated as technology continues to evolve, with a focus on specific tools such as telemedicine and AI. A more resilient approach would be to regulate the act of providing healthcare, ensuring that core principles of patient safety, professional liability, and quality of care are consistently applied, regardless of the technology used. The success of this bill will therefore depend not only on the capacity of the Federal Ministry of Health but also on its ability to develop implementing regulations that are principles-based and outcome-focused, safeguarding patients without stifling the very innovation the bill seeks to promote.

‍