New Health Data Protection Law in the UAE

Healthcare and patient data regulation in the ME is changing. This article discusses the new law introducing noteworthy obligations around the collection, processing and transfer of Health Data.

Summary

Healthcare and patient data regulation in the Middle East is changing. Across the GCC states, there are several domestic legislative initiatives which recognize the importance of data controller and processor obligations, particularly with regard to sensitive personal data.

In the UAE, a new health data protection law (UAE Federal Law No.2 of 2019) (the Health Data Law) was enacted in May 2019 which introduces noteworthy obligations around the collection, processing and transfer of Health Data (as defined below) by a broad range of entities, including healthcare providers, medical insurance providers, healthcare IT providers and providers of direct and/or indirect services to the healthcare sector (eg outsourced services, including cloud services) located onshore, in Dubai Healthcare City and in the Free Zones (Health Service Providers).

Health Data is defined broadly to include all electronic data originating in the UAE regardless of its form, including alpha-numerical identifiers, common procedural technology (CPT) codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results and names of patients (Health Data).

The new Health Data Law seeks to protect Health Data in line with international best practice, as well as enabling the UAE’s Ministry of Health (MOH) both greater control over the sensitive data of its residents (as opposed to potentially putting it at risk in other jurisdictions) and a greater ability to collect and analyse Health Data in order to improve public health initiatives.

Most notable provisions of the Health Data Law

  1. Data Localisation: the Health Data Law imparts a general prohibition on the transfer of Health Data outside the UAE. Health authorities may, in coordination with the MOH, issue exceptions to this general prohibition, thus permitting cross-border transfers in limited circumstances. However, it is not yet clear what these exceptions might be - we expect further clarity in this area once the implementing regulations are issued (expected August 2019). The introduction of this general prohibition is potentially relevant to any business that currently transfers Health Data out of the UAE. Examples of this would include when using outsourced IT departments based in other jurisdictions, or where a business is using a cloud solution that is hosted outside of the UAE (eg wearables manufacturers or health app developers that collect UAE-based customers’ Health Data may have to reconsider where this Health Data is collected and stored). In any event, digital healthcare initiatives involving UAE data led by international healthcare sector players will now need to more carefully consider cross border data flows.

  2. Establishment of a central healthcare IT system: a new centralised healthcare system will be created and managed by the MOH, the role of which is to store, exchange and collect the Health Data (the Central Healthcare IT System). Healthcare Service Providers will be required to sign up to this Central Healthcare IT System but at the present time there is no guidance as to how this may be achieved. Further detail is expected through the implementing regulations.

  3. Data Processing: The Health Law imposes a number of minimum standards for the processing Health Data:
    1. Purpose limitation: Health Data must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient.
    2. Accuracy: Healthcare Service Providers must ensure that the Health Data they process is accurate and reliable.
    3. Security measures: Health Data must be kept safe from unauthorised damage, amendment, alteration, deletion or addition using appropriate security measures.
    4. Consent to disclosure: Health Service Providers cannot disclose patient data to any third party without the prior consent of the patient or as permitted by law.

      The Data Processing concepts mirror elements of EU’s General Data Protection Regulation (GDPR) which has created debate on the scope of some of these concepts: if we take “purpose limitation” as an example, it will be interesting to see how strictly this limitation will be read in a UAE context. If considered through a GDPR lens, guidance on this would be to have detailed and granular information around purpose; however, the healthcare industry may hope for greater latitude within the implementing regulations to give controllers and processors more flexibility and not hinder big data initiatives from the relevant Health Data.
  4. Data Retention: Health Data is required to be retained for 25 years from the data on which the last procedure on the patient was conducted, or as long as necessary (if longer). It should be noted that whilst many elements of the Health Data Law align significantly with the GDPR, the data retention requirement under the Health Data Law differs in requiring an arbitrary minimum retention period, whereas the GDPR merely requires retention for no longer than is necessary for the purposes for which it is being processed.

  5. Exceptions to the requirement for patient’s consent to disclosure:
    1. For scientific research (provided data is anonymised).
    2. At the request of the relevant health authority for public health purposes.
    3. For public health preventative and treatment measures (eg public health crisis).
    4. At the request of the competent judicial authority.
    5. To enable medical insurance providers to verify financial entitlement to services.
  6. Sanctions: imposed by disciplinary committees within each health authority, the Health Data Law provides for an array of penalties for non-compliance, ranging from penal sanctions in circumstances where there has been a breach of certain key provisions such as those relating the localisation of Health Data, to formal notices, warnings, fines of up to AED 1m and suspension or termination of the licence the defaulting party to use the Central Healthcare IT System.

  7. Data Security: Health Service Providers are required under the Health Data Law to ensure that Health Data is kept confidential and is not shared without authorisation. They must also ensure the availability of such Health Data to those persons that are authorised to have access to it. In line with international best practice in data protection standards, the Health Data Law requires Health Service Providers to introduce technical, operational and organisational procedures to ensure the integrity and security of the Health Data.

Impact

Much of the detail around the obligations in the Health Data law is expected to be in the implementing regulations.

In the meantime, the healthcare industry should note that patient data and other categories of data which are conventionally regarded internationally as sensitive personal data need to be considered more carefully in the Middle East than in previous times.

There is clearly a tailwind which is pushing Middle East jurisdictions towards more regulation of personal data. It will be critical for such regulation to be appropriate for the specific markets while at the same time draw upon international laws. An imbalance in the approach may have the effect of not being able to fully capitalize on the opportunities that the region is poised to embrace through increased cloud adoption, emerging technologies including Artificial Intelligence, connected devices (IoT), and emerging solutions in MedTech and InsureTech.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.