| Program code | HDRC |
| Level | Advanced (post-foundation specialisation) |
| Format | 10 weeks · part-time · cohort-based |
| Prerequisite | HEALTHCARE AI TRAINER & DATA ANNOTATION PROGRAM |
| Awarded by | Shevs Connect Institute (SCI) |
Introduction
Every annotation label, every model evaluation and every training dataset in healthcare AI is built on something profoundly sensitive: real people’s health information. Handling that data lawfully, securely and ethically is not an optional extra — it is the licence to operate. The Health Data Handling & Regulatory Compliance program trains specialists to manage protected health information responsibly across its entire lifecycle, from collection and consent through de-identification, storage, sharing and eventual deletion.
This program translates complex law and security practice into the concrete decisions an annotation or AI data professional actually faces. Learners study the global frameworks that shape the field — notably HIPAA and the GDPR — and then ground that knowledge in the Kenyan Data Protection Act 2019 and the wider African regulatory landscape, so graduates can operate compliantly both locally and for international partners. Practical modules cover de-identification of images and clinical text, security controls for annotation teams, and the compliance operations that keep an organisation audit-ready.
Delivered by Shevs Connect Institute (SCI), the program assumes completion of the HEALTHCARE AI TRAINER & DATA ANNOTATION PROGRAM. It is essential for anyone working on SCILabel or similar platforms, and for the data stewards, project leads and coordinators who must ensure healthcare AI work meets regulatory and ethical standards. Graduates leave able to build and run a credible compliance framework for a healthcare AI data operation.
| Complete this first | HEALTHCARE AI TRAINER & DATA ANNOTATION PROGRAM |
This specialist program is designed to be taken after the foundation program above. The foundation course establishes the core concepts and working practices that this program builds upon.
Learning Outcomes
On successful completion of this program, graduates will be able to:
- Identify what counts as health data and classify it correctly (PHI, PII and special-category data).
- Apply core data-governance principles across the AI data lifecycle.
- Explain lawful bases for processing and the role of informed consent in healthcare and research.
- Distinguish de-identification, anonymisation and pseudonymisation, and choose the right approach.
- De-identify medical images (including DICOM headers and burned-in text) and clinical free text.
- Summarise the key requirements of HIPAA and the GDPR for health data.
- Apply the Kenya Data Protection Act 2019 and understand the role of the Data Protection Commissioner.
- Implement practical security controls for annotation teams, including access control and encryption.
- Conduct a Data Protection Impact Assessment (DPIA) for an annotation project.
- Build a compliance program with policies, auditing and an incident-response plan.
Course Features
- Six in-depth modules totalling 60 structured lessons plus 5 major hands-on assignments.
- Clear, plain-language treatment of HIPAA, GDPR and the Kenya Data Protection Act 2019.
- Practical de-identification labs for both imaging and clinical text.
- Templates and worked examples for DPIAs, data inventories and incident response.
- A strong focus on the Kenyan and African context alongside global standards.
- A portfolio-ready capstone: a compliance framework for an annotation operation.
- Direct relevance to SCILabel governance and partner due-diligence requirements.
- A Certificate of Completion in Health Data Handling & Regulatory Compliance from Shevs Connect Institute.
Curriculum
- 6 Sections
- 60 Lessons
- 10 Weeks
- Section 1 (Lessons 1-10): Foundations of Health Data & Governance. Establish what health data is, why it matters, and the governance mindset that underpins everything else.
- 1.1 (Lesson 1) What counts as health data: PHI, PII and special-category data
- 1.2 (Lesson 2) The value and sensitivity of health data
- 1.3 (Lesson 3) The data lifecycle in AI annotation projects
- 1.4 (Lesson 4) Key stakeholders: data subjects, controllers and processors
- 1.5 (Lesson 5) Principles of data governance
- 1.6 (Lesson 6) Data classification and building a data inventory
- 1.7 (Lesson 7) Roles and responsibilities (Data Protection Officer, data stewards)
- 1.8 (Lesson 8) Risk-based thinking for data handling
- 1.9 (Lesson 9) Common breaches and their consequences
- 1.10 (Lesson 10) Building a culture of compliance
- Section 2 (Lessons 11-20): Privacy, Consent & De-identification. Learn the privacy principles and the practical techniques that let health data be used safely.
- 2.1 (Lesson 11) Privacy principles and data minimisation
- 2.2 (Lesson 12) Lawful bases for processing health data
- 2.3 (Lesson 13) Informed consent in healthcare and research
- 2.4 (Lesson 14) Secondary use of data and re-consent
- 2.5 (Lesson 15) De-identification, anonymisation and pseudonymisation compared
- 2.6 (Lesson 16) HIPAA Safe Harbor and expert determination
- 2.7 (Lesson 17) De-identifying medical images: DICOM headers and burned-in text
- 2.8 (Lesson 18) De-identifying clinical notes and free text
- 2.9 (Lesson 19) Re-identification risk and statistical disclosure
- 2.10 (Lesson 20) Synthetic data as a privacy-protecting tool
- Section 3 (Lessons 21-30): Global Regulatory Frameworks. Get a working command of the international rules that shape healthcare AI data, led by HIPAA and the GDPR.
- 3.1 (Lesson 21) An overview of the global regulatory landscape
- 3.2 (Lesson 22) HIPAA Privacy Rule essentials
- 3.3 (Lesson 23) HIPAA Security Rule essentials
- 3.4 (Lesson 24) Business Associate Agreements and the compliance chain
- 3.5 (Lesson 25) Breach notification under HIPAA
- 3.6 (Lesson 26) GDPR core principles and data-subject rights
- 3.7 (Lesson 27) GDPR rules for special-category (health) data
- 3.8 (Lesson 28) Cross-border data transfers
- 3.9 (Lesson 29) Medical-device and Software-as-a-Medical-Device basics
- 3.10 (Lesson 30) Comparing frameworks and finding common ground
- Section 4 (Lessons 31-40): Kenyan & African Data Protection Landscape. Ground global principles in the laws that govern an annotation business operating from Kenya.
- 4.1 (Lesson 31) The Kenya Data Protection Act 2019: an overview
- 4.2 (Lesson 32) The Office of the Data Protection Commissioner (ODPC)
- 4.3 (Lesson 33) Registration of data controllers and processors
- 4.4 (Lesson 34) Data-subject rights under Kenyan law
- 4.5 (Lesson 35) Consent and lawful processing of Kenyan health data
- 4.6 (Lesson 36) Cross-border transfer rules from Kenya
- 4.7 (Lesson 37) Data localisation and its practical implications
- 4.8 (Lesson 38) The African Union Malabo Convention and regional trends
- 4.9 (Lesson 39) Sector guidance for health and research in Kenya
- 4.10 (Lesson 40) Compliance for an AI annotation business operating in Kenya
- Section 5 (Lessons 41-50): Security, Access Control & the Data Lifecycle. Protect health data in practice with controls suited to distributed annotation teams.
- 5.1 (Lesson 41) Information-security fundamentals: the CIA triad
- 5.2 (Lesson 42) Access-control models and least privilege
- 5.3 (Lesson 43) Authentication, multi-factor authentication and identity management
- 5.4 (Lesson 44) Encryption at rest and in transit
- 5.5 (Lesson 45) Secure annotation environments and safe remote work
- 5.6 (Lesson 46) Data retention and secure deletion
- 5.7 (Lesson 47) Logging, monitoring and audit trails
- 5.8 (Lesson 48) Vendor and third-party risk management
- 5.9 (Lesson 49) Secure data-sharing and transfer methods
- 5.10 (Lesson 50) Practical security habits for annotation teams
- Section 6 (Lessons 51-60): Compliance Operations, Auditing & Incident Response. Run the day-to-day operations that keep an organisation compliant and ready when something goes wrong.
- 6.1 (Lesson 51) Building a compliance program
- 6.2 (Lesson 52) Data Protection Impact Assessments (DPIAs)
- 6.3 (Lesson 53) Policies, standard operating procedures and staff training
- 6.4 (Lesson 54) Records of processing activities
- 6.5 (Lesson 55) Internal audits and ongoing compliance monitoring
- 6.6 (Lesson 56) Preparing for regulator inspections
- 6.7 (Lesson 57) Incident detection and classification
- 6.8 (Lesson 58) Breach response and notification workflows
- 6.9 (Lesson 59) Post-incident review and remediation
- 6.10 (Lesson 60) Capstone planning: scoping a compliance framework project