The UAE passed Federal Law No 2/2019 (ICT Health Law) which regulates the use of information and communications technology in the UAE's health industry. It also establishes a centralised system to manage health information.
When does it come into effect?
ICT Health Law came into effect in May 2019. It's implementing regulations were followed in Cabinet Decision No 32/2020 in April 2020 and then Ministerial Decision No 51/2020, in April 2021.
What is health data?
The law defines health data broadly as health information that is given a "visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or to the health services beneficiaries." This suggests that information such as patient names, dates of birth and other information collected in the process of consultations and other medical procedures will fall within the scope of 'health data'.
Can health data be shared out of the UAE?
As the law provides for a data localisation requirement, it does not allow the transfer, storage, or processing of health information in relation to the UAE to be done outside the nation. This is unless the matter falls under one of the allowed exemptions, including those added by Ministerial Decision No 51/2021. The list of exemptions now includes, but is not limited to, the treatment of overseas patients and medical samples.
Can health data be shared in general?
Under the new law, health data should not be used for non-health purposes unless it falls under one of the exceptions provided by the law. For instance, it could be shared if the patient has provided written consent, or if health insurance companies require that information to approve financial benefits that the patient would then receive. It also allows health data to be used for scientific research purposes, provided that sensitive information about the patient, such as their name and date of birth, remains undisclosed.
What requirements need to be met when dealing with health data?
When processing and transferring health data, the data must be kept confidential and only circulated if the required authorisation has been given. This means consent for disclosure from the patient and in some cases, the Ministry of Health and Prevention. The integrity of the data must be maintained by ensuring that it is safe from any unauthorised alterations and deletions as well as destruction. The law further provides that its use must be limited to the provision of services for which it was obtained.
Non-compliance and breach of the requirements set out in the ICT Health Law may result in financial penalties and disciplinary sanctions. As some free zones have their own data protection laws, entities in the health industry will also have to comply with those in addition to the ICT Health Law.
What is the aim of a centralised system?
The centralised data system was established under the Ministry of Health and Prevention's management. This system aims to manage the collection and exchange of health data between relevant authorities and concerned parties such as medical insurance providers.
Who does it impact?
Entities that work in the health industry, including healthcare workers and service providers, will most likely be affected by the ICT Health Law. This does not just include hospitals but may likely include healthcare IT systems suppliers and medical insurance providers too. This also includes those operating in the UAE's free zone.
What is the impact?
In conclusion, the new law and its regulations clearly reflect the importance of technology in the health sector going forward. The ICT Health Law's data localisation requirement means that healthcare service providers will need to rethink their data collection systems so as to comply with the data localisation requirement. Nevertheless, entities that are likely to be impacted can find comfort in Ministerial Decision 51/2021 as it widens the list of exemptions for which data can be transferred out of the UAE. As the law is still new, it is unclear how it will work in practice and so caution should still be exercised. However, it does provide a great opportunity for more innovation with respect to data and information technology within the health industry.
