A modern healthcare system requires reliable data, and clear standards and procedures for using and transferring such data.
Reliable data, along with clear standards and procedures, leads to improved knowledge, efficiency and quality in the delivery of healthcare. In this article, we look at the general approach to data in a healthcare context in both Abu Dhabi and Dubai, with a particular focus on data protection aspects.
HAAD Data Standards and Procedures
Health Authority – Abu Dhabi (HAAD) is responsible for the healthcare sector in the Emirate of Abu Dhabi. HAAD has identified data transparency and better public information as fundamental to ensuring the efficient delivery of healthcare. It has issued the ‘HAAD Data Standards and Procedures’ (the ‘Standards’, dated 24 January 2008 and most recently reviewed on 14 April 2014) to provide governance structures and regulatory parameters for the collection, use, and publication of health data - subject to obligations to respect privacy and confidentiality.
The Standards provide for the establishment of a Data Standards Panel. This panel has representatives of HAAD, as well as healthcare providers and insurers. The panel is responsible for reviewing and recommending changes to electronic data exchange standards, for providing direction with regard to technical standards and implementation, and for communicating data-related developments to relevant parties.
The Standards are primarily focused on technical considerations relating to data in a healthcare context in Abu Dhabi. They address aspects including the applicable codes to use for specific data elements, the permissibility of electronic data storage, and the appropriate guidelines and specifications for implementing, maintaining and improving information security.
Along with compliance with HAAD’s data standards, code standards and electronic data exchange standards, the Standards also specify that electronic data exchange between health providers and insurance companies be subject to an effective ‘Electronic Partners Agreement’ - a default version of which has been made available by HAAD.
The Standards contain specific guidance with regard to confidentiality. This includes confidentiality in the context of patient health information, as well as confidentiality in the context of commercially sensitive information that it may be necessary to communicate between different parties.
The Standards require all partners to develop, institute and periodically update standard operating policies and procedures that protect confidential health information, and to educate staff about such policies and procedures. The policies and procedures need to be available for inspection, and their use must be demonstrable on request. While the Standards refer to HAAD making default policies and procedures available, at the time of writing we were unable to determine whether such default documentation has been made available.
Within the Standards, there is specific guidance on the following confidentiality-related aspects:
- Necessary and authorized access: Access to confidential health information must be limited to only the minimum necessary personnel, and there must be a means to authenticate authorized users of such information.
- Unauthorized access: Confidential health information must be kept from unauthorized access, and in the event of any data breach HAAD must be notified (including with specific detail relating to the breach, and any subsequent unlawful disclosure). There must be a published sanctions policy, and this must be communicated to staff.
- Storage and transmission of confidential health information: Policies and procedures for protecting stored confidential health information, and for transmitting confidential health data (including data encryption), need to be developed and implemented.
In December 2012, HAAD issued a number of policy manuals intended to define its own responsibilities, as well as those of public and private healthcare providers, healthcare professionals and insurance companies. These policy manuals, and related standards, provide a framework – including minimum acceptable levels – with which HAAD, and all healthcare providers, professionals and insurance companies operating in Abu Dhabi, need to comply.
The four HAAD policies are:
- the Healthcare Regulator Policy,
- the Healthcare Provider Policy,
- the Healthcare Professional Policy, and
- the Healthcare Insurer Policy.
While not their core focus, each of these policies contains provisions that touch on patient information, and data protection considerations relating to such personal information.
The Healthcare Regulator Policy confirms that, as the regulator, HAAD is empowered to define, approve and communicate the Standards, and that the Standards may make provision for all matters relating to the collection, management, reporting and exchange of healthcare data. Along with other aspects reflected in the Standards, the examples referenced in the Healthcare Regulator Policy include the requirement to obtain a patient’s informed consent before collecting healthcare data, and the right of patients to be granted full access, upon request and within a reasonable timeframe, to their own healthcare information.
The Healthcare Provider Policy, the Healthcare Professional Policy, and the Healthcare Insurer Policy all reflect duties relating to data management and confidentiality. These include:
- a duty to ensure compliance at all times with HAAD regulatory requirements relating to the right of patients to access their own information;
- a duty to treat as confidential all information in relation to patients; and
- a duty to refrain from releasing patient information unless permitted to do so by HAAD, or pursuant to the applicable HAAD policy.
HAAD has also issued a Charter of Patient Rights and Responsibilities (2008), which likewise touches on the protection of patient information. Amongst other rights and expectations, the Charter states that patients have the right to privacy of both person and information, including the following rights and expectations:
- the right to privacy during treatment,
- the right to access their medical records and medical information,
- the right to have all clinical and pharmaceutical records kept fully updated and documented,
- the right to have personal details and records kept fully confidential and protected from loss and misuse, and
- the right to have all staff with whom they interact maintain a high degree of professionalism and confidentiality.
In an earlier edition of Law Update (February 2014) we made the observation that underpinning the use of personal data in a healthcare context is trust. Patients need to be able to trust their healthcare providers and medical practitioners. In the absence of trust, patients are less likely to regularly use the same providers or practitioners, and more likely to withhold personal information or provide personal information that is inaccurate. Where there is no trust, patient data becomes less reliable, and treatment outcomes may suffer as treatment decisions are based on incomplete or incorrect information. In this type of environment, healthcare operations are less efficient, and reputations suffer as providers or practitioners are seen as responsible for less-than-ideal outcomes. Where personal data is unreliable, public health suffers as researchers and policy-makers base their theories and projections on incorrect assumptions, and resources are used inefficiently.
The various HAAD policies and the Standards need to be read together to understand the full scope of the patient-data obligations placed on those participating in the provision of healthcare in Abu Dhabi. That said, it is fair to say that the approach taken by HAAD in respect of personal information goes some way to establishing a climate of trust in the provision of healthcare services in Abu Dhabi.
The Dubai Health Authority (DHA) is responsible for the healthcare sector in the Emirate of Dubai. The DHA also appreciates the importance of having data and information that supports the delivery of quality healthcare. This is reflected in the DHA’s Hospital Regulation 2012, which includes regulations relating to health records and the management of healthcare information. As one would expect, the Health Records requirements include a clear obligation to ensure that patient information is treated as confidential and protected from loss, tampering, alteration, destruction, and unauthorized or inadvertent disclosure.
The DHA has also established a department, within its Health Policy and Strategy Sector, to improve access to high quality health information, and to facilitate the efficient flow of information amongst health sector stakeholders - the DHA, healthcare providers, insurers and patients. The Health Data and Information Analysis Department is responsible for creating processes that harmonise standards in the field of healthcare information in Dubai, enabling and improving interoperability of healthcare systems and the exchange of healthcare data, while ensuring information security and privacy concerns are addressed.
The Health Data and Information Analysis Department has indicated that its aim is to ensure that patients are able to control what information is collected about them, and how it is used, who is able to access it and for what purposes, and how such information is maintained. Further information as to the manner in which such privacy concerns will be addressed is keenly awaited.