Information and communication technology (‘ICT’) plays a critical role in supporting the delivery of quality healthcare service through the provision of new and efficient ways of accessing, communicating, using and storing health data.
The Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Healthcare (‘ICT Health Law’) regulates the use of ICT in the healthcare sector throughout the United Arab Emirates (‘UAE’), including in free zones, with the following four aims:
- ensuring the optimal use of information and communications technology in the health sector;
- ensuring that the bases, standards and practices adopted are in line with their internationally adopted counterparts;
- enabling the Ministry of Health and Prevention (‘Ministry’) to collect, analyse and maintain health information at the country level; and
- ensuring the security and safety of health data and information.
The ICT Health Law came into force in May 2019 and is fully effective, although not yet fully supplemented by implementing regulations, which are expected to be issued imminently.
Key features of the ICT Health Law
Definition of ‘Health Data’
Health Data in the ICT Health Law is broadly defined as “health data processed and made apparent and evident whether visible, audible or readable, and which are of a health nature whether related to health facilities, health or insurance facilities or beneficiaries of health services”.
Central Electronic Health Data And Information Exchange
The new law contemplates the establishment of a centralised health data exchange (‘HIE’ or ‘Central System’) which is to be controlled by the Ministry. The HIE will keep the health data collected by health service providers and will enable them to access and exchange this data in a uniform and secure way, subject to any controls determined by the government.
The implementing regulations (which, at the time of writing, had yet to be issued) will set out the professional guides, the details as to which businesses are allowed to use the Central System, and any necessary administrative steps that need to be followed. The local Emirate health authorities are empowered to establish the rules, standards and controls for their own electronic data and health information exchange systems, such as the methods of operation, the exchange of data and information and their protection, as well as access to and copying of data and information. In Abu Dhabi, the Department of Health (‘DOH’) has launched the Abu Dhabi Health Information Exchange, ‘Malaffi’. In Dubai, the ‘Salama’ health information exchange is used.
National ICT Strategy
The Ministry, in co-ordination with the local Emirate health authorities, is to develop and implement a national strategic plan concerning the use of ICT in healthcare, as well as setting mandatory procedures for using ICT.
The ICT Health Law requires all health service providers that use ICT for health data to make certain that such information is kept confidential and is not shared without authorisation. The law also requires health service providers to ensure that the health data is available to the authorised parties and access given when needed.
In adherence with international data protection best practices, the ICT Health Law requires businesses to introduce technical, organisational, and operational procedures to ensure the security and integrity of Health Data.
Exceptions to Disclosure Restrictions
Under the ICT Health Law, health service providers may use or disclose Health Data without the consent of the patient:
- for scientific research, provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with;
- to allow insurance companies and other businesses funding the medical services to verify financial entitlements;
- when in accordance with a request from a competent judicial authority;
- when in accordance with a request from the relevant health authority for public health purposes including inspections; or
- for public health preventive and treatment measures.
The law regulates the processing of electronic health data originating in the UAE, including patient names, diagnosis, consultation and treatment data, and other such health data.
The law also introduces data privacy and protection concepts which include:
- purpose limitation: except with the prior consent of the patient, health data should not be used other than for the purpose of the provision of health services;
- consent to disclosure: without the prior consent of the patient, or as permitted by law, health service providers cannot disclose patient data to any third party; and
- accuracy: healthcare service providers must make sure that the Health Data they process is accurate and reliable.
The ICT Health Law states that Health Data cannot be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a resolution of a health authority or the Ministry. To our knowledge, no such resolutions have yet been issued.
There is a penalty of no less than AED 500,000 and no more than AED 700,000 (approx. US$136,147 to US$190,605) for breach of this prohibition.
While there is some expectation that the local health authorities will accommodate requests where Health Data may be needed to be transferred outside of the UAE, early indications are that the scope for approvals will be very limited.
Going forwards, to comply with the ICT Health Law, it will be necessary for local operators to host data on local servers and to control access and processing activity in accordance with the law. In addition to the ICT Health Law, there are also additional pieces of legislation that support this:
- the executive regulations to the medical liability law, Cabinet Resolution No. 40 of 2019, include an appendix that issues controls and terms for providing ‘Remote Health Services’. Article 2.1(f) of the resolution requires “a server within the country for showing and keeping the information and back-up”;
- Section CM 4.2 of the Abu Dhabi DOH Healthcare Information and Cyber Security Standard (‘ADHICS’) (which was issued prior to the ICT Health Law) states:
“The healthcare entity shall not use cloud services or infrastructure to store, process or share information that contains health information. The healthcare entity shall:
- ensure that healthcare information is not transmitted outside the UAE;
- identify and disconnect integration of systems that process, store or utilise health information with any of the entity’s systems that connect or utilise cloud services; and
- not share identified or de-identified health information with third parties, inclusive of counterparts and partners, unless authorised by the health sector regulator of Abu Dhabi.”
As it cannot be the intention of the Ministry that data localisation requirements should have a detrimental effect on the provision of healthcare to UAE residents, we recommend that any healthcare provider affected by localisation requirements should engage with the relevant local health authority (or the Ministry) that has licensed its services, to explain how the restrictions are affecting the delivery of services and to seek approval for the management of its data. Of particular importance are the effect on the delivery of telehealth services, the transfer of data to physicians and laboratories outside the country for highly specialist clinical opinions, and the ability of telehealth providers already licensed in Abu Dhabi and Dubai under other regulations to continue supporting local communities.
The ICT Health Law requires that Health Data must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient. This period may be extended if it is proportionate with the need to keep such data.
For non-compliance, the law contains sanctions, including monetary fines and disciplinary actions, which may be imposed by a disciplinary committee within each health authority. Specifically, sanctions include:
- cancellation of the authorisation to use the Central System;
- temporary suspension (not exceeding five months) from the Central System;
- an oral and/or written warning; and/or
- additional fines between AED 1,000 and AED 1,000,000 (approx. US$270 and US$270,000).
The most contentious point of the ICT Health Law is the data localisation requirements. The Ministry has mandated that data must remain onshore. This, in itself, creates difficulties because, until recently, there were very few data centre services based in the country. We understand that there may be some softening of the requirement to host data on local servers, and that the use of local cloud-based systems will be permitted if those service providers are licensed in the UAE (noting that this currently breaches the DOH requirement, with no indication of cloud approvals in Abu Dhabi). The Ministry indicated that approvals for the movement of data offshore would be permitted, but then delegated this responsibility to each of the established health authorities to issue resolutions, neither of which has yet done so. It is understood that each health authority in Abu Dhabi and Dubai is waiting for the Ministry to issue its executive regulations before issuing resolutions of its own. Meanwhile, any operator sending data outside the country will remain in breach of the ICT Health Law.
It is difficult to predict when the executive regulations will be issued. Strictly speaking, they should be issued six months after the law came into effect (which would mean November 2019). However, in practice, it is not unusual for this to take longer: for example, the Ministry did not issue executive regulations to the medical liability law until earlier this year, even though the medical liability law was passed in 2016. On the critical topic of data localisation in the healthcare context, which has the potential to affect patients’ access to overseas expertise, it is hoped that the executive regulations to the ICT Health Law are published imminently in order to prevent operators being left in limbo and potentially in breach of data localisation restrictions.
For the most part, the ICT Health Law is a welcome introduction. The requirement to establish health information systems and to centralise the hosting of Health Data will benefit patients, and it should not be too burdensome for regulated operators to align their information technology systems with those of the Ministry’s HIE, Malaffi and Salama, so as to enable data to be uploaded on a continuous ‘as is’ basis. The data is then available to the Ministry and health authorities for use in research and population health management which, in turn, will feed into patient health plans being developed on a country-wide basis and, eventually, better control of the introduction of new services, specialities and sub-specialities that are fully aligned with population health needs. In parallel with this, the health regulators are working on wellness and prevention programmes, with the aim of keeping the population fit and healthy rather than only treating people when they are sick.