Home / Knowledge Hub / Events

Healthcare, the Metaverse and UAE Health Data Law

In this article, we explore some of the opportunities that the metaverse presents for the delivery of healthcare to patients. As the underlying technology develops, the way that patient data is generated and manipulated will inevitably see some significant changes. For providers, this means that there are some potentially important legal implications that should be kept in mind throughout the design and development process.  

What is the Metaverse and why is it important?
There is no universal definition of what is meant by the term ‘metaverse’, but it can be thought of as a further evolution of the internet and the way that people interact with developing information technology through an immersive, 3 dimensional virtual world, where data can be exchanged, goods and services can be purchased in a way that the user experiences as being closer to in-person interactions than using a simple computer screen interface.

Perhaps the most common picture is that of gaming and entertainment, in a world of what is known as extended reality, but we are already seeing extended reality being used in some therapeutic areas (such as psychotherapy), together with the use of blockchain technology for the storage and manipulation of patient data.

The idea of a metaverse is the interconnection of these virtual worlds, creating a single space that can be navigated at will, just as one moves around different parts of a shopping mall or a town or city in the real world, depending on what the person wishes to do. The prospect of moving between virtual therapy suites offering a range of different services by a variety of skilled practitioners in a virtual treatment centre is just one example of where the healthcare sector is heading in this respect.

Extended reality is only the beginning of the next phase of development of this technology, which is on a rapid upward curve that shows every sign of accelerating further over the coming years. In healthcare, the future potential of this technology in healthcare is rapidly becoming clear. For example:

    • patients and providers can be better connected irrespective of their location, increasing equality of access in areas where there is a shortage of clinicians physically present
    • potential for significant quality enhancements and more specific treatments
    • potential for a vastly expanded range of interventions over conventional telemedicine technologies, such as healthcare smartphone apps and remote monitoring
    • costs of service provision and training of clinicians can be reduced, with positive implications for both payers and the insured
    • a considerable range of new opportunities for gathering, manipulating and storing an entirely new class of patient data

There are many more aspects of this technology that that are set to transform the provider/patient relationship, but it is the final point above – the resulting patient data – that both developers and regulators alike will need to consider carefully in order that the greatest benefits to patients may be delivered, safely, whilst maintaining data security and achieving better outcomes for patients. 

So what’s the problem?
By its very nature, the metaverse is a global phenomenon and one of the key advantages for healthcare providers and payers is the potential for cost saving by having practitioners providing services from locations where it is more cost-effective for them to operate.

This gives rise to the question of patient data being transmitted across international borders, possibly involving the use of blockchain technology, meaning that patient health-related data might find itself in numerous countries in immutable databases across the relevant blockchain network. The nature of blockchain being immutable itself raises the question of what a patient can do to withdraw consent regarding the use of health data, or to request that it be transferred somewhere else.

For stakeholders in the UAE, this gives rise to some tricky questions about the manipulation of health data and this is explored below.

What the law says
Federal Law No. 2 of 2019 (the Health Data Law) in conjunction with Ministerial Resolution 51/2021 (the Resolution) sets out the rules regarding the cross-border transfer of health-related data, including telemedicine.

Until the Resolution came into force, the Health Data Law had previously prohibited international transfers of health-related data, and providers generally either avoided making any such transfers, or took a risk-based approach based on certain techniques that often purported not to constitute an international transfer of data (noting however that the Health Data Law is deemed to apply to overseas remote access to UAE patient data).

Article 2 of the Resolution contains an important set of 10 exceptions, perhaps the two potentially most relevant exceptions for these purposes being at clauses 9 and 10.

Clause 9 contains a limited permission:

    • The concerned physician shall be allowed to access the system for a determined duration in order to access the information and data deemed necessary only;
    • In case there is a need to send a specific report or medical imaging, then the determined report or image shall only be submitted to the concerned physician; and
    • The patient shall give written consent.

Clause 10 also allows:

    • The information and data related to the person who himself request to transfer them outside the State or to receive them for use abroad, provided that the facility or entity possessing such information or data receive an official request in this regard from the concerned person or his legal representative.
Clause 10 is in turn subject to the further requirements of Article 3, which requires (among other things):

    • The information shall only be shared with the concerned entity and persons.

As the increasing involvement of the metaverse in healthcare is relatively novel, these exceptions were understandably not drafted with a new class of evolved metaverse-generated health data and the manner of its storage and use in mind.

Even at a cursory glance, it seems clear that the above exceptions are unlikely to accommodate developers’ broader ambitions, not least given that personal data generated during a metaverse session may not always be relevant to the intended subject matter of the session and may be difficult to extract.

Were the data then to be stored and managed in a blockchain, these immutable, secure databases sit on a network of shared ledgers which also appear to be outside the contemplation of current regulation, again not least when it comes to the issues around consent and transfer instructions previously noted. 

What’s the solution?
The above gives rise to many questions about how the relationship between users of data (insurers, clinicians, regulators, etc.) and suppliers of data (patients) might most effectively be managed and regulated in the face of rapid technological change to deliver on the strategic aims of regulation.

Should a developer wait and see how others approach the issues? Or develop systems with a more modest level of functionality while remaining compliant with current regulation? Or do nothing and simply wait for regulation to change? Or apply a risk-based approach that many took in respect of more conventional health data prior to the coming into force of the Resolution? None of these are satisfactory positions for a developer seeking to invest in technology to achieve a competitive advantage.

Innovation in the metaverse and its application to healthcare is set to be a global phenomenon and has already achieved considerable momentum. Regulators worldwide face comparable challenges in protecting the supply side of data whilst encouraging innovation in its usage, in one of the most rapidly growing areas of economic activity.

Developers should always be mindful of how regulation may affect the output of their innovations, but regulation is also evolving worldwide in response. A large part of the solution to early success being achieved lies in stakeholders and regulators communicating effectively with each other, so that innovation is nurtured in a way that respects the critically important principles relating to the protection of patient data.

Meanwhile, if you haven’t experienced the metaverse, I would recommend buying or borrowing a headset and seeing what it’s all about!

Written by James Clarke, Of Counsel 


James Clarke is a UK qualified lawyer who has been a partner in leading healthcare and life sciences sector specialist law firms for over 14 years and a sector specialist for over 23 years. In legal practice, James led a team of corporate and commercial lawyers specialising in healthcare and life sciences in a global City of London based law firm, providing a broad range of services to the healthcare and life sciences sectors both domestically and internationally. James also has extensive experience of working as a specialist project consultant to the sector. 

Related Insights
Got a question or enquiry? Contact us