As the UAE continues its ascent towards fully digitising all government services, significant progress has been made in the healthcare sector. From a regulatory standpoint, it is interesting therefore to observe the development of the regulations surrounding medical data in the UAE.
It is well established that the UAE does not have dedicated federal data protection legislation. Instead, several elements of data protection can be found in various federal laws including Federal Law No. 9 of 1987 as amended also known as the UAE Penal Code, Federal Law No. 5 of 1985 as amended also known as the UAE Civil Transactions Law, Federal Law No. 8 of 1984 also known as the UAE Labour Law, and the UAE Constitution.
Focusing on medical data specifically, Federal Law No. 7 of 1975 also known as the Practice of Human Medicine Law and several other UAE Ministry of Health Decisions outline the importance of medical data and restricts any divulging of medical records unless requested by the patient themselves.
Emirate specific regulatory bodies have begun drafting more defined medical data legislation. The Health Authority of Abu Dhabi (“HAAD”) has issued the HAAD Data Standards and Procedures in January 2008 with a most recent revision in April 2014. The HAAD regulation outlines the policies and procedures which are required to be followed when handling Confidential Health Information (“CHI”) focusing on four areas:
- The necessary and authorised access to CHI;
- The unauthorised access to CHI;
- The storage of CHI; and
- The transmission of CHI.
The HAAD regulation further outlines situations which consist of health insurance fraud and the steps to take when and if health insurance fraud occurs.
In order to continue to encourage improvement and development of the data protection standards, HAAD has created a Data Standards Panel whose role is to “review and recommend to HAAD changes and additions to electronic data exchange standards, such as transactions, codes and business rules”.
The Dubai Health Authority (“DHA”) has also issued several regulations which address the protection of medical data. The Home Healthcare Regulation issued in 2012 outlines procedure healthcare facilities must follow with respect to healthcare records and their management. Similarly, the Health Record Guidelines outline the essential requirements which healthcare facilities must implement with regards to health records including record keeping, retention of health records and destruction of health records.
The DHA has also created the Health Data and Information Analysis department whose role is to improve the manner and method that health data is handled and exchanged as well as to “focus on transparency and confidentiality” between patients and healthcare providers.
Both HAAD and the DHA have implemented the right building blocks in the development of medical data regulation to protect patients in the UAE. Through the Data Standards Panel in Abu Dhabi and the Health Data and Information Analysis, we will continue to see improvements in these requirements as well as regulatory bodies which are serious about ensuring that healthcare facilities abide by such legislation.
With the advent of Emirate specific health regulators, the UAE federal government should follow suit and implement certain minimum standards of data protection required by healthcare facilities throughout the UAE. Although regulatory bodies like the HAAD and the DHA have added much needed regulation to the industry, it can be confusing for entities operating in both Abu Dhabi and Dubai to navigate the regulations from each Emirate in order to remain compliant. Uniform regulation on the subject would greatly assist reducing such possible confusing while increasing efficiency at healthcare facilities who will be able to follow one model of requirements in relation to medical data.
As the healthcare continues to evolve and integrate contemporary technologies, regulations in the UAE must follow suit in order to continually protect patient medical data. One such technology is the advent of telemedicine which involves providing medical treatment to individuals who are not able to consult a doctor in person. Telemedicine poses obvious privacy concerns as patient data is transmitted over wireless networks and may be intercepted by parties other than the healthcare facility in question. In keeping with their previously described initiatives, both the HAAD and the DHA have already implemented standards by which medical facilities and medical professionals must abide should they use telemedicine in their respective Emirates.
Technology will continue to play a part in the medical industry and it is important that UAE legislation both Federal and Emirate specific maintain a close eye to protect the privacy and confidentiality of medical data.