Health information is widely regarded as highly sensitive data because it can reveal deeply personal details, such as reproductive health choices, diagnoses or mental health history, which may expose the individual to stigma or discrimination. In Nigeria, the National Health Act underscores the importance of protecting such information by providing that all data concerning a health service user, including details about their health status, treatment, or stay in a health establishment, must remain confidential.
Under the National Health Act, no person may disclose a user’s health information except in specific circumstances: when the user gives written consent; when disclosure is mandated by a court order or other applicable law; when a parent or guardian requests the information for a minor; or when nondisclosure would pose a serious threat to public health. The Act further provides that a healthcare provider may access a user’s health records for purposes of treatment or research, but only with the user’s consent. Additionally, healthcare providers are required to establish adequate control measures to prevent unauthorized access to health records, ensuring that sensitive information remains secure.
The Nigerian Data Protection Act further strengthens the protection of health data by imposing clear obligations on healthcare establishments. Under the law, personal data must be collected and processed only for specified and legitimate purposes. When it comes to sensitive health data, health providers must obtain explicit consent unless another lawful basis applies (such as a clinical, legal, or public-interest ground). The Act also mandates data minimisation and purpose limitation, meaning that only the information necessary for diagnosis or treatment may be gathered, and it may not later be repurposed for unrelated uses.
To further safeguard patient privacy, healthcare institutions are required to implement technical and organisational security controls, issue transparent privacy notices, and respect patient rights such as access and correction of their data. The law also mandates that they document decisions about data processing, detect and assess breaches, and notify affected parties when a breach poses a risk of harm.
However, these legal safeguards may not be enough in the context of rapidly evolving technology. In particular, telemedicine, remote monitoring, cloud-hosted electronic health records, and mobile health (mHealth) apps currently operate in a regulatory grey area as there are few sector-specific rules governing data flows, vendor due diligence, or data residency. Meanwhile, health apps in Nigeria are increasingly using artificial intelligence (AI) to deliver care — and this raises new risks. According to the Nigeria Artificial Intelligence in Healthcare Market Analysis, the AI healthcare market is projected to grow from $0.01 billion in 2022 to $0.13 billion by 2030, reflecting a compound annual growth rate (CAGR) of 46.22 percent.
Globally, governments are rethinking how to safeguard health privacy in an era where generative AI is increasingly embedded in medical services. Many jurisdictions are placing a strong emphasis on transparency requirements for organisations that deploy generative AI in healthcare settings. These rules may also create indirect obligations for developers higher up the technology chain, pushing them to design AI features and systems that meet healthcare-specific privacy and safety expectations from the outset.
Beyond transparency, regulators are advancing a second pillar: human oversight. Emerging frameworks require healthcare providers to ensure that AI-supported interactions are subject to meaningful human review and intervention, especially where medical decisions or patient safety are concerned. Regulators have also specified that healthcare organisations must clearly disclose when generative AI is being used in provider-patient communications. Such disclosures may take the form of visual or verbal notices delivered before, during, or after an interaction, ensuring that patients understand when they are engaging with AI rather than a human clinician.
Importantly, and as part of a broader attempt to strengthen governance in the digital health space, the National Assembly is reviewing the Nigeria Digital Health Services Bill 2025, a legislative effort designed to introduce clearer rules on data protection, licensing procedures, and the smooth exchange of information across digital health systems. The proposed law seeks to strengthen data-governance practices within the health sector and ensure that patient information is consistently safeguarded. It reiterates that all digital health providers must adhere to the Nigeria Data Protection Act 2023. The Bill is intended to serve as an overarching legal framework for Nigeria’s quickly expanding digital health landscape as it applies to all public and private health institutions that rely on digital tools to deliver care. This includes telemedicine services, mobile health platforms, digital diagnostic tools, and AI-enabled clinical systems. The bill also captures technology developers and suppliers involved in building or operating digital health solutions, ensuring that every actor within the digital health value chain falls under the same regulatory umbrella.
A key component of the bill is its focus on interoperability. Digital health providers will be required to ensure that their platforms can link with existing national health-information infrastructure, particularly electronic health records (EHRs). To support this, the Ministry of Health will issue the technical and operational standards necessary to achieve interoperable, secure, and efficient data exchange.
The bill also strengthens patient protections within digital health environments. It expressly recognises patients’ rights to confidentiality, to receive understandable information about their care, and to give informed consent before their data is processed or shared. At the same time, patients are expected to provide truthful and accurate health information to enable proper diagnosis and treatment. Additionally, the bill empowers individuals by giving them the right to review, correct, or request the deletion of any digital health data held by service providers, reinforcing trust and accountability across the system.
In considering the Bill, lawmakers should also examine the possibility of a health-specific framework for secure data exchange among public and private hospitals, diagnostic laboratories, health maintenance organisations (HMOs), and research institutions. Such a framework is essential for ensuring that patient information can move safely across the health ecosystem without exposing individuals to unnecessary risk. Additionally, there is a need for health-tailored consent models and governance structures for research, data analytics, and AI training. These should provide clear safeguards that protect patients' rights while still allowing responsible innovation in medical research and technology development.
The Bill should also establish explicit rules for the secondary use of health data including research, public-health surveillance, and AI development. These rules should strike an appropriate balance between enabling scientific advancement and maintaining strict privacy protections for patients.