The Health Data Law regulates the processing of electronic health data originating in the UAE, including patient names, consultation, diagnosis and treatment data, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and lab results (Health Data).
The law also introduces familiar data privacy and protection concepts:
- Accuracy – Healthcare Service Providers must ensure that the Health Data they process is accurate and reliable;
- Purpose limitation – Health Data must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient;
- Consent to disclosure – Health Service Providers cannot disclose patient data to any third party without the prior consent of the patient or as permitted by law; and
- Security measures – Health Data must be kept safe from unauthorised damage, amendment, alteration, deletion or addition using appropriate security measures.
Article 4 of the Health Data Law mandates that all Health Service Providers that use ICT on Health Data ensure that such information will be kept confidential and will not be shared without authorisation. In terms of security, the law is faithful to the principles of the GDPR, requiring the ‘validity and credibility’ of the Health Data to be ensured by keeping it safe from ‘non-authorised damage, amendment, alteration, deletion or addition.’
The law also requires Health Service Providers to ensure the availability of Health Data and to facilitate access to it by those authorised to have such access. This includes allowing access only to those authorised personnel who understand the need for patient confidentiality.
In keeping with international data protection standards and best practices, the Health Data Law requires entities to introduce technical, operational and organisational procedures to ensure the integrity and security of Health Data.
One of the most impactful aspects of this new law will be the general prohibition on transferring health data outside the UAE unless authorised by the relevant health authority in coordination with the government ministry (Article 13). This provision represents a codification of the long-time informal regulatory policy that Health Data must be processed and stored inside the UAE.
From a practical perspective, the requirement will have a significant impact on businesses currently relying on data storage solutions or data processors outside the UAE (e.g. via cloud or hosting services). Article 13 will equally impact those providers currently offering such services into the UAE.
Whilst some relief may be provided (as the law envisages certain exceptions to this data localisation requirement), this will only come down the line in subsequent ministerial resolutions or the implementing regulations.
Under Article 20, Health Data must be retained for as long as it is required but in any event for not less than 25 years from the date on which the last procedure on the patient was conducted. The Health Data Law departs from the GDPR in this respect, with the latter requiring that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed. This represents a significant compliance burden for Health Service Providers, who must ensure that they have the capabilities and data storage systems to comply.
Centrally controlled healthcare IT system
A centralised Health Data management system, controlled by the Ministry of Health and Prevention, will be developed. The system will house the Health Data collected by Health Service Providers and will enable them to access and exchange this data in a uniform and secure way, subject to any controls determined by government.
Exceptions to disclosure restrictions
Under Article 16, Health Service Providers may use or disclose Health Data without the consent of the patient:
- to allow insurance companies and other entities funding the medical services to verify financial entitlements;
- for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
- for public health preventive and treatment measures;
- to comply with a request from a competent judicial authority; or
- to comply with a request from the relevant health authority for public health purposes including inspections.
The law contains a regime of sanctions for non-compliance, including disciplinary actions and monetary fines which may be imposed by a disciplinary committee within each health authority. These sanctions may be imposed, for example, for violating the data localisation rules.
Specifically, sanctions include:
- the potential suspension or withdrawal of the licence to use the central IT system;
- a formal notice or warning from the relevant health authority; and/or
- fines ranging from AED 1,000 to AED 1,000,000.