The following article was originally published for BSA in the Oath Magazine
and can be downloaded here:UAE Health Data Law.
Healthcare data, and information, and its development in terms of how this data/information is protected, is a fast-evolving growth area, challenging both industry and consumers alike in the United Arab Emirates, i.e., where does one start to look for the law?
Historically, the legal frameworks for processing and protection of healthcare data/information have been fragmented in terms of industry sectors and operational jurisdictions, i.e., location of the business in a free zone. Healthcare information and data is regulated in the United Arab Emirates through various legal and regulatory frameworks, including Federal provisions under the Ministry of Health & Prevention (the “Ministry”) and locally, through the respective health authorities, including the Department of Health Abu Dhabi (Department of Health), Dubai Health Authority (DHA) and Sharjah Health Authority (collectively referred to as the “Health Authorities”). Healthcare information and data is also regulated in other legal structures, such as Dubai Healthcare City, through its established regulatory body, Dubai Healthcare City Authority. In addition, the other free zones add a layer of protection for the protection of health data and information, including the Dubai International Financial Centre (DIFC), through DIFC Law No. 5 of 2020, which is closely aligned with the EU’s General Data Protection Regulation (GDPR).
Federal Law No. (2) of 2019
Federal Law No. (2) of 2019 - Using IT and Telecommunications in the Healthcare Sector was promulgated by UAE Federal Government on 6 February 2019 (“ITC law”). ITC law, for all intents and purposes, is the first Federal data/privacy law of its kind in the United Arab Emirates, albeit limited to healthcare data. ITC law, (like the US statute, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, which deals with privacy rules for the protection of healthcare data) is a timely welcome relief with implementing overriding Federal statutory provision to a very fragmented regulatory regime for healthcare data/information.
ITC law prescribes 31 Articles, and its application is wide both in terms of geographical spread and industry sectors. ITC law covers the entire United Arab Emirates (UAE), including the Free Zones and will impact many sectors including the Health Authorities in the different Emirates as well as all sectors dealing with healthcare data/information. ITC law applies to pharma companies, healthcare providers/facilities, medical insurance providers, insurance intermediaries dealing and placing medical insurance, third party medical claims administrators, technology companies in the healthcare space, and others dealing with healthcare data/information through technology platforms i.e., analytics of healthcare data/information.
Interestingly, and for the first time, Article (5) creates a Central System for data population between the Ministry, Health Authorities and all those involved with healthcare data/information, i.e., healthcare data/information processors. This is a welcome move by the UAE Government as we anticipate that where health data and information is captured and processed properly, this will benefit the UAE healthcare markets in terms of providing quality and accurate data to avoid potential frauds and better underwritings of health insurance risks for the market.
Storage of Healthcare Data
Articles (12) and (13) provide obligations around the storage of healthcare data/information within and outside the UAE, respectively. In terms of Article (13), health data/information may not be stored, processed, generated, or transferred outside UAE related to the health services provided within UAE, other than through resolution issued in favour of the healthcare data/information processors in coordination with the Ministry. Article (13) generated much debate and controversy as many organisations process health data/information outside the UAE. However, Ministerial Decision No. (51) of 2021 (the "Decision"), which has recently been passed provided certain exceptions/exemptions to Article (13), which was a welcome relief to many industry sectors dealing with healthcare data/information in the UAE. These are included in Article (2) of the Decision, which are:
- Data used in the framework of scientific research;
- Data required by an international organization cooperating with the UAE government;
- Data related to samples sent to laboratories outside the UAE;
- Data required by insurance companies and claim administration institutions;
- Data collected by devices and simple medical tools;
- Data used within the scope of the provision of health services online; and
- Data related to the prevention, treatment, or diagnosis of patients.
The Decision also provides that the data must be anonymous, encrypted, only shared with relevant authorised bodies, and transmitted securely in terms of scientific research. There are also exceptions for healthcare data/information collected through fitness and medical devices, such as wearables. In addition, the Decision, provide exceptions for the operation of telemedicine. However, these exceptions are conditional that written consent of the patient is given, viewing of medical records by the medical practitioner, carrying out the remote consultation is limited to a timeframe, and medical reports must be sent to the patient’s relevant medical practitioner.
With ICT law in place, this law will be the starting point for industry and consumers to start from, as it is a federal law applicable to all UAE sectors dealing with healthcare data/information. Other legal and statutory requirements may be of application in certain free zones, such as The DHCC Health Data Protection Regulation No. 7 of 2013 (Dubai Healthcare City) and DIFC Law No. 5 of 2020 (Dubai International Financial Centre).
The UAE now has a strong and robust statutory framework to protect healthcare data/information.
Authored by Simon Isgar, Partner and Head of Insurance/Reinsurance