Important changes for anyone who collects, processes or transfers electronic health data originating in the UAE.
Besides a host of new data protection measures and new rules around use of a centralized database managed by the United Arab Emirates (UAE) Ministry of Health, a general prohibition on transferring health data outside the UAE has a significant impact on healthcare service providers and life sciences companies operating locally.
Cloud based health solutions which involve collection, storage and processing of health data, such as wearables and health monitoring apps, may be particularly affected. It is imperative for companies operating in the sector to carefully monitor developments.
On 6 February 2019, the President of the UAE issued Federal Law No. 2 of 2019 (the Law) which regulates the use of information technology and communications (ITC) in the healthcare sector. This Law:
• aims to raise the minimum bar for protection of health data and to introduce certain concepts which are on a par with best international practice in information law;
• supports the legislative trend towards localization of sensitive categories of data;
• paves the way for centralized health data capture and analysis to support public health initiatives conducted by the UAE Ministry of Health.
The Law was published in the Federal Gazette on 14 February 2019 and will come into force three months from publication. (May2019). The implementing regulations which will provide further details on its application are to be issued within six months from the date of publication.
The law is the first Federal data/privacy law of its kind in the United Arab Emirates albeit limited to healthcare data.
The law prescribes 31 articles and its application is wide both in terms of geographical spread and industry sectors. The law covers the entire United Arab Emirates (UAE) including its Free Zones and will impact on many sectors including local healthcare regulators in the different Emirates as well as all sectors dealing with healthcare data/information.
The health authorities in each local emirate are empowered to establish the rules, standards and controls for their own electronic data and health information systems, such as the methods of operation, exchange of data and information and their protection, as well as access to and copying of data and information
The Law applies to all entities operating in the UAE, whether onshore or from one of its free zones (including Dubai Healthcare City), which provide:
• healthcare services;
• health insurance services (including insurance brokers or providers of related administrative services);
• healthcare IT services; or
• any other services, directly or indirectly, related to the healthcare sector, or engaged in activities that involve handling of electronic health data.
1. Regulation of health data
The scope of the Law is broad – it regulates the processing of all electronic health data regardless of its form, including names of patients, information collected during consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology (CPT) codes, images produced by medical imaging technology, and lab results among other types of data.
2. Prohibition on storage of health data outside of the UAE
The Law formalizes the longtime informal regulatory policy that health data must be processed and stored inside the UAE. Critically it provides that such data may not be transferred outside of the UAE, except where an exception is issued by the relevant heath authority. The Law also prohibits the creation of health data outside of the UAE which relates to health services provided inside the UAE. Accordingly, cloud solutions hosted out of country, outsourcing of IT services to overseas locations, remote IT support from other departments within multi-national Healthcare Service Providers and remote collection and monitoring of patient information within the UAE, such as heart rate, sleep patterns, or steps walked, from outside the UAE through apps and wearables may be significantly impacted.
The Law envisages certain exceptions to the default data localization requirements. These will be set out in subsequent ministerial resolutions or the implementing regulations.
3. Minimum standards for processing of health data
In addition to reinforcing the duty of Healthcare Service Providers to maintain the confidentiality of health data, the Law introduces a number of concepts similar to overseas data protection frameworks. For example:
• Purpose limitation: Patient information must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient;
• Accuracy: Healthcare Service Providers must ensure that the health data processed is accurate and reliable;
• Security measures: Healthcare Service Providers must put in place measures to protect health data and to prevent its unauthorized processing, damage, alteration, deletion or amendment; and
• Non-disclosure/patient consent: The Law reiterates existing obligations not to disclose patient data to any third party without the prior consent of the patient.
4. Retention period
Health data must be retained for a minimum period of 25 years from the date on which the last procedure on the patient was conducted, or as long as is necessary if longer.
5. Centralized data management system
A new centralized data management system (DMS) will be established and operated by the UAE Ministry of Health to facilitate access to, storage and exchange of health data. Healthcare Service Providers are required to register to access the DMS and identify all members of personnel who are authorized to access it.
6. Website blocking for advertisement or licensing violations
The UAE Ministry of Health is entitled to instruct the relevant local or federal health authorities to block any website, whether inside or outside of the UAE that does not comply with the regulations applicable to healthcare advertising or which provides healthcare information without a license or permission from the UAE Ministry of Health.
The only circumstances in which a patient’s information may be used or disclosed without the patient’s consent are:
• to allow insurance companies and other entities funding the medical services to verify financial entitlement;
• for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
• for public health preventive and treatment measures, for example. in the case of a public health crisis;
• at the request of a competent judicial authority; or
• at the request of the relevant health authority for public health purposes including inspections.
There is a delicate balance to be struck between the potential benefits of this practice and the protection of each individual’s right of privacy. Where to draw the line in this assessment remains a topic of discussion between industry stakeholders and regulators, particularly in light of high profile breaches in recent years such as the collaboration between the Royal Free London NHS Trust and Google Deep Mind to identify patients at risk of kidney disease, or in the context of using health data for secondary research purposes. In January 2019 the European Data Protection Board issued its opinion on the European Commission’s draft Q&A on the interplay between data protection under the EU General Data Protection Regulation and clinical trials regulation. Wewait for the Law’s implementing regulations to see what position the UAE authorities will take on this sensitive issue.
As well as certain penal sanctions for breach of key requirements, such as the data localization obligations, the Law sets out a number of overarching disciplinary sanctions for breach of its provisions. These sanctions range from warnings to fines of AED 1 million and/or cancelling the breaching company’s permit to use the DMS.
Typically, access to centralised systems – such as the planned healthcare system – is facilitated by open APIs (application programme interfaces) made available to third party suppliers of IT systems which access the system. Where those IT systems already exist and are in use (under contracts between healthcare providers and the suppliers), technical changes to the systems will be required.
Some businesses will need to revisit their business procedures to comply with the Law. We recommend that companies affected by the Law:
• Keep up to date with the executive regulations setting out further details
• Ensure IT systems are capable of interacting with the central IT system
• Complete necessary administrative steps to obtain access to the central IT system, such as registration / licensing requirements
• Have technical and organisational processes in place to ensure that all patient data is treated confidentiality, kept secure, kept accurate and uncorrupted, not used for other purposes and retained as required
• Not transfer or store any patient data outside the UAE unless authorised to do so by a resolution issued by the local health authority
• Conduct a data mapping exercise to identify what type of health data is held, where it is processed and with which third parties it is shared.
• Where such third parties are based overseas, take steps to cease the transfer of health data to them, or to anonymize / denonymize the health data transferred;
• for any health data which cannot be anonymized / denonymized due to the nature of the processing activities, source alternative third party service providers to conduct the processing of that data within the borders of the UAE
• review contracts with third party service providers which process personal data and ensure that the contractual obligations for data processing and information security are sufficient to meet the new requirements of the law
• consider contracting obligations on service providers to support compliance with the law, such as annual rights of audit;
• add a step to the existing compliance sign-off process prior to adoption of new operational processes and business lines to ensure that no health data leaves the UAE and that the minimum statutory compliance standards are met.
