In brief:

  • The Health Data Protection Law will come into effect in May 2019
  • Entities processing data relating to healthcare must comply with the new legislation
  • Major changes include a data localisation element and the introduction of the establishment of central system to store, exchange and collect healthcare data and the imposition of fines for breaches of up to AED 1million

A new law has been published and is due to come into force in May 2019, which aims to regulate the collection, processing and transfer of electronic health data originating in the United Arab Emirates (“UAE”). The UAE Federal Law No. (2) of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the “Health Data Protection Law”) will affect all entities operating in the UAE (including onshore, Dubai Healthcare City and the Free Zones) that provide services relating to healthcare, health insurance and healthcare information technology.

Entities processing data that relates to patient names, consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and lab results will have to comply with the Health Data Protection Law. Entities offering services directly or indirectly relating to the healthcare sector, or engaged in activities that involve handling of electronic health data will also need to comply.

Entities affected by the Health Data Protection Law could be vast when considering how quickly the health and medical technology market is growing. Technology that you can place in your pocket or on your wrist is effectively transforming mobile devices into virtual healthcare support networks. Entities operating a healthcare app which, for example, might harvest data relating to fitness, lifestyle, stress levels and even sleep patterns in the UAE, will need to adhere to the requirements of the Health Data Protection Law.

In an article we published in October 2017 we discussed important Telehealth Regulations that had been introduced to set out minimum standards and requirements for the provision of telehealth services across Dubai. The new Health Data Protection Law is the next step in legislation striving for the further protection of such sensitive data across the UAE.

A major change introduced by the Health Data Protection Law is the general prohibition on the transfer of health data outside the UAE, unless authorisation to do so has been obtained by the relevant health authority. The Health Data Protection Law also promulgates the concept of a central system to store, exchange and collect healthcare data and information to be established and managed by the UAE Ministry of Health and Prevention.

The Health Data Protection Law also includes some familiar data protection concepts, such as requirements of purpose limitation, accuracy, security measures and consent to disclosure. In addition to penal sanctions, the Health Data Protection Law imposes fines for breaches of up to AED 1million.

Regulation of healthcare data isn’t a new concept in the UAE. This type of activity has been regulated for many years by Law No. (7) of 1975 concerning the Practice of Human Medicine Profession and the Ministry of Health Code of Conduct 1988 concerning the collection of health data and the Ministry of Health Code of Conduct 1988, which imposes obligations of confidentiality on healthcare practitioners beyond those contained in the Constitution, the Penal Code, and the Civil Code (among several other Federal Laws). Dubai Healthcare City maintains its own data protection system under Regulation No. (7) of 2013, which are generally consistent with data protection laws from other jurisdictions (specifically, the former EU Data Protection Directive and the UK Data Protection Act).Specific UAE healthcare laws won’t be repealed in their entirety, but any provision contrary to or inconsistent with the provisions of the Health Data Protection Law will be repealed.

As the Health Data Protection Law was published very recently, in February 2019, the scope of the impact of its requirements remains to be seen. It will come into force in May 2019 however; the scope of its application will not be known until the implementing regulations are issued. These are expected by August 2019.

For the healthcare industry, and technology relating to healthcare, to have continued success, individual users of these services must be able to trust in how the industry is regulated. Clearly there are important data privacy implications where personal data relating to an individual’s health is collected and processed on such a large scale. This is an indication that the law is developing in order to provide further protection to individuals and their personal data in an ever evolving world of technology.