The regulatory framework of Dubai Healthcare City (“DHCC”), a healthcare free zone in the Emirate of Dubai, has recently been reviewed.
The Dubai Healthcare City Authority has issued revised regulations covering a range of areas, including professional regulation, complementary healthcare, education and research, and protection of patient health information. In this article, we focus on changes to the regulation relating to the protection of patient health information in the DHCC context.
The DHCC Health Data Protection Regulation No. 7 of 2013 (the “Regulations”) repeals and replaces the DHCC Data Protection Regulation No. 7 of 2008 (the “2008 Regulations”).
Many of the changes found in the Regulations address drafting deficiencies in the 2008 Regulations. The Regulations now contain further defined terms, providing useful detail and clarification. By way of example, the Regulations now clarify the nature of the entities that are carrying on business within DHCC and that are required to comply with the Regulations. There are transitional provisions that provide for the 2008 Regulations to continue to apply to investigations and reviews that were commenced under the 2008 Regulations.
The following is a summary of the key differences we found in a comparison of the Regulations against the, now repealed, 2008 Regulations.
Responsibility for administration of Regulations
The 2008 Regulations provided for the establishment of the role of a Health Data Protection Ombudsman, responsible for the administration of the 2008 Regulations. There is no longer any reference to the role of Health Data Protection Ombudsman. Responsibility for administering the Regulations falls to the DHCC’s Board of Directors and the Executive Body of the Dubai Healthcare City Authority.
Responsibility for enforcement of Regulations
The compliance and enforcement functions, which were the responsibility of the Health Data Protection Ombudsman under the 2008 Regulations, now fall to the Centre for Healthcare Planning and Quality (“CPQ”), which is an independent regulatory body within DHCC. Under the Regulations, CPQ has additional powers to enable it to perform its compliance and enforcement role. These include the power to propose new rules, standards and policies in respect of the administration and application of the Regulations, including procedures for initiating and filing complaints, and establishing penalties for non-compliance with the Regulations. The CPQ is also able to audit licensees to ensure that their treatment of patient health data is compliant with the Regulations.
Additionally, an entity called the Central Governance Board is charged with educating patients and licensees with regard to the Regulations and patient health information issues, and for examining and reporting on such issues to the DHCC’s Executive Body.
Retention of patient health information
The Regulations specify periods for which certain types of patient health information needs to be retained. For adults, the general rule can be understood as ten years from the last entry in the records; for minors, the retention period is ten years from when the person reaches 18 years of age. The Regulations also refer to a 20 year retention period for ‘medico-legal cases’. While this term is not defined in the Regulations, we understand it as referring to malpractice claims, disputes or other contentious matters.
Limits on use and disclosure of patient health and identification information
The provisions relating to the use and disclosure of patient health information, and the disclosure of patient identification information, appear to have been heavily re-worked in the new Regulations. Despite this, the substance of these provisions remains largely the same as in the 2008 Regulations, although certain aspects appear to have been re-ordered for clarity.
Transfer of patient information
Under the Regulations, jurisdictions considered to provide an adequate level of protection are still those deemed adequate pursuant to the Dubai International Financial Centre’s Data Protection Law, or those that have written approval of the Central Governance Board (which has replaced the Health Data Protection Ombudsman in this regard).
Interestingly, the Regulations no longer contain a provision whereby personal information can be transferred to a jurisdiction not considered to provide an adequate level of protection to patient health data on the basis of a permit from the responsible authority. Under the 2008 Regulations, a permit from the Health Data Protection Ombudsman would have legitimised such a transfer.
So, while the Central Governance Board can identify jurisdictions that it considers to provide an adequate level of data protection, it does not appear to have the power to issue permits in respect of proposed transfers to jurisdictions not considered to provide an adequate level of protection.
The complaints procedure under the Regulations is significantly less prescriptive than the procedures set out under the 2008 Regulations. Much of the detail found in the 2008 Regulations has been culled, and the procedures for reviewing a complaint under the Regulations are as set out in the provisions of the DHCC Governing Regulation No. 1 of 2013, which is the over-arching governing regulation for DHCC.
Overall, the changes found in the Regulations are aimed at clarity, and are unlikely to have significant impact on the manner in which licensees operating in DHCC manage their patient health information obligations on a day to day basis.