United Arab Emirates: New law regulating data in the health sector

The United Arab Emirates (UAE) federal government has issued Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields (“ICT Health Law”).

The objectives of this law are to:

  • ensure the optimal use of ICT in health fields;
  • ensure safety and security of health data and information.

It is to be supplemented by implementing regulations, which are yet to be published.

The following are some key features of the ICT Health Law.

Broad application

The law uses two broad definitions which are central to its application. These are:

  • Competent Entity – “Any entity in the State providing medical services, health insurance or national health insurance services, brokerage services, claims management services or electronic services in the medical field of any entity related, whether directly or indirectly, to the implementation of the provisions hereof”; and
  • Health Information – “The health information that were processed and were given a visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or entities or to the health services beneficiaries”.

The ICT Health Law therefore appears to have a very broad application within the UAE. Because it is a federal law that expressly applies to free zones, where there is an inconsistency between the ICT Health Law and an emirate-level or free zone law, the ICT Health Law will prevail to the extent of the inconsistency. This raises questions about the treatment of data originating from, for example, the Dubai Healthcare City (“DHCC”), as well as from other free zones with their own personal data laws, such as the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”), particularly around the transfer of data out of those free zones to other countries, as discussed in the following section.

Data Localisation

The ICT Health Law imposes a general prohibition on the transfer, storage, generation or processing of Health Information and data related to the provision of health services in the UAE to countries outside the UAE.  As noted above, Health Information is given a broad meaning, covering all data that “may be attributed to the health sector”.

This should be contrasted with the DHCC’s Health Data Protection Regulation, which does allow transfers of patient health information to jurisdictions that the DHCC has determined to provide an adequate level of data protection, or where the transfer is authorised by the patient or is otherwise necessary for the ongoing provision of healthcare services to the patient. None of these exceptions is expressly catered for in the ICT Health Law.

The ICT Health Law does, however, provide for an exception where the relevant health authority and the Ministry of Health and Prevention have agreed on certain cases where the transfer, storage, generation or processing of the health information outside the UAE may be allowed.  It is not yet clear whether such approvals will be made on a case-by-case basis, or whether this will be in the form of a list of permitted types of transfers, or whether the same exceptions will apply across each health authority in each emirate.

Failure to comply with the data localisation requirements of the ICT Health Law is punishable by a fine of between AED 500,000 and AED 700,000 (approximately USD 136,000 to USD 190,500).

Given that many healthcare service providers and health sector participants will already be using cloud-based systems, it is not clear to us whether the Ministry or the relevant health authorities plan to enforce this requirement immediately, or whether there will be a grace period.

Confidentiality and restrictions on use of health data

In addition to existing patient confidentiality rules in the UAE, the ICT Health Law also imposes an obligation on those “circulating” information about a patient to keep it confidential and to only use it for health purposes, unless the written consent of the patient has been obtained for such use or disclosure. However, an exception to this is set out in the law where the patient information is to be used for scientific and clinical research purposes, provided that the identity of patients is not disclosed and that the ethics and rules of scientific research are respected.

Minimum Retention Period

The ICT Health Law also sets out retention requirements for health information. Article 20 of the Law specifies that health information should be kept for a period commensurate with the purpose to which it relates, but that this period must be no less than 25 years from the date on which the last health procedure was carried out on the person to whom the information relates. This is longer than the retention periods in other medical laws in the UAE, and longer than the current civil and criminal limitation periods in the UAE.

Data Exchange

Finally, the ICT Health Law also seeks to create a centralized health data exchange which will be coordinated by the Ministry of Health and Prevention. Certain actors in the healthcare sector will be required to participate in the exchange and may be required to share certain of the Health Information they obtain from patients with the exchange.

It is not yet clear what data will be required to be shared, nor what framework will apply to such sharing. It is expected that further details of the centralised data exchange will be set out in the implementing regulations.

Key Takeaways

The ICT Health Law is an important law that may have a profound impact on how healthcare is currently provided in the UAE, as well as on how innovation in the sector, such as tele-health, might be fostered. Its implementation will be of particular importance to those in the health sector that use or provide cloud and IT services hosted outside the UAE.

For further information, please contact Eamon Holley (Partner, Dubai) or Ben Nolan (Associate, Dubai).