UAE Federal Law No. 2 of 2019 to Protect Health Data

Guiding Principle

On 6 February 2019, the United Arab Emirates issued Federal Law No. 2 of 2019, Concerning the Use of the Information and Communication Technology in the Area of Health (“ICT Health Law”). The ICT Health Law applies to all methods and uses of information and communication technology (“ICT”) in the UAE healthcare sector, including free zones. The text of the Law was published in the Federal Gazette on 14 February 2019 and will come into force three months from publication.

The law is the first Federal data/privacy law of its kind in the United Arab Emirates, albeit one limited to healthcare data.

The law comprises 31 articles and its application is wide both in terms of geographical spread and industry sectors. The law covers the entire United Arab Emirates (UAE), including its Free Zones, and will affect many sectors, including local healthcare regulators in the different Emirates as well as all sectors dealing with healthcare data/information.

Under the law the Ministry of Health & Prevention (“Ministry”) sets out to establish a central electronic health data and information exchange (“HIE”) to facilitate confidential access, collection and exchange of health data and information within the UAE. The health authorities in each local emirate are empowered to establish the rules, standards and controls for their own electronic data and health information systems, such as the methods of operation, exchange of data and information and their protection, as well as access to and copying of data and information.

However, the health authorities in the UAE must join the central HIE, in accordance with the regulations and procedures that are to be specified in the subsequent executive regulations. The executive regulations are to be issued within six months of the publication of this law.

Article (5) creates a Central System for populating data between the Ministry of Health & Prevention, the Health Authorities and all those involved with healthcare data/information, i.e. healthcare data/information processors.

A. The basic features of this law

  1. Aims to raise the minimum bar for protection of health data and to introduce certain concepts which are on a par with best international practice in information law;
  2. Continues the legislative trend towards localization of sensitive categories of data;
  3. Paves the way for centralized health data capture and analysis to support public health initiatives conducted by the UAE Ministry of Health.

The Ministry, in coordination with the local emirate health authorities, is to develop and implement a national strategic plan relating to the use of ICT in healthcare, as well as setting mandatory procedures for using ICT. One of the goals is to ensure compatibility and interoperability between information systems in order to procure valid, reliable and accessible health data and information. The executive regulations will further set out the conditions and controls for storing health data and information within the UAE.

The Law will have far-reaching consequences for UAE healthcare services and IT industries insofar as it places strict obligations on the processing and control of health data and information in the UAE. Many businesses and organizations will need to carry out data and information audits to stress test their current systems and controls against the new requirements.

B. Scope of the law's application
The law applies to all entities operating in the UAE, whether onshore or from one of its free zones (including Dubai Healthcare City), which provide:

  • healthcare services;
  • health insurance services (including insurance brokers or providers of related administrative services);
  • healthcare IT services; or
  • any other services, directly or indirectly, related to the healthcare sector, or engaged in activities that involve handling of electronic health data.

C. Prohibition on storage of health data outside of the UAE
The law formalizes the longtime informal regulatory policy that health data must be processed and stored inside the UAE. Critically, it provides that such data may not be transferred outside of the UAE, except where an exception is issued by the relevant health authority. The law also prohibits the creation of health data outside of the UAE which relates to health services provided inside the UAE. Accordingly, the following may be significantly impacted: cloud solutions hosted out of country; outsourcing of IT services to overseas locations; remote IT support from other departments within multi-national Healthcare Service Providers; and remote collection and monitoring, from outside the UAE through apps and wearables, of patient information generated within the UAE, such as heart rate, sleep patterns or steps walked.

D. Retention period
Health information and data must be maintained through ICT for a period of 25 years from the last healthcare interaction of the concerned patient.

E. Regulation of health data
The law regulates the processing of all electronic health data regardless of its form, including names of patients, information collected during consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology (CPT) codes, images produced by medical imaging technology, and lab results among other types of data.

F. Centralized data management system
A new centralized data management system (DMS) will be established and operated by the UAE Ministry of Health to facilitate access to, storage and exchange of health data. Healthcare Service Providers are required to register to access the DMS and identify all members of personnel who are authorized to access it.

G. Exceptions to the general rules
The exceptions to the general rules, under which a patient’s information may be used or disclosed without the patient’s consent, are:

  • for scientific research (provided that the identity of the patient is not disclosed);
  • at the request of a competent judicial authority;
  • to allow insurance companies and other entities funding the medical services to verify financial entitlement;
  • for public health preventive and treatment measures, for example in the case of a public health crisis; or
  • at the request of the relevant health authority for public health purposes including inspections.

H. Website blocking for advertisement or licensing violations
Article (18) permits the Ministry of Health & Prevention to instruct Ministries and Health Authorities to block websites, whether in the UAE or abroad, where those websites are in violation of the guidelines/standards and lack the appropriate licences and authorisations.

I. The penalties for non-compliance
As well as certain penal sanctions for breach of key requirements, such as the data localization obligations, the law sets out a number of overarching disciplinary sanctions for breach of its provisions. Articles (22) to (26) deal with violations, penalties and disciplinary sanctions, with financial penalties ranging up to one million Dirhams. The penalties and sanctions in the Law are without prejudice to violations under other laws, including the UAE Penal Code.

J. Conclusion
Important changes are coming for anyone who collects, processes or transfers electronic health data originating in the UAE. Besides a host of new data protection measures and new rules around use of a centralized database managed by the United Arab Emirates (UAE) Ministry of Health, a general prohibition on transferring health data outside the UAE may have a significant impact on healthcare service providers and life sciences companies operating locally. Cloud-based health solutions which involve collection, storage and processing of health data, such as wearables and health monitoring apps, may be particularly affected. While the full extent of the new requirements is still not clear, it is imperative for companies operating in the sector to monitor developments carefully.

Author: Tarek Jairwdeh

Senior Lawyer