On 6 February 2019, Federal Law No. 2 of 2019 was enacted in the UAE, which will regulate the collection, processing and transfer of electronic health data and may significantly impact healthcare service providers and life sciences companies operating locally. Cloud-based health solutions which collect, store and process health data may be particularly affected. While the full extent of the new requirements is still not clear, it is imperative for companies operating in the sector to carefully monitor developments.
The Law was published in the Federal Gazette on 14 February 2019 and will come into force three months from publication. The implementing regulations which will provide further details on its application are to be issued within six months from the date of publication.
Federal Law No. 2 of 2019 (the Law):
- aims to raise the minimum bar for protection of health data and to introduce certain concepts which are on a par with international best practice in information technology and privacy law;
- continues the legislative trend towards localization of sensitive categories of data; and
- paves the way for centralized health data capture and analysis to support public health initiatives conducted by the UAE Ministry of Health.
The Law applies to all entities operating in the UAE, whether onshore or from one of its free zones (including Dubai Healthcare City), which provide:
- healthcare services;
- health insurance services (including insurance brokers or providers of related administrative services);
- healthcare IT services; or
- any other services, directly or indirectly, related to the healthcare sector, or engaged in activities that involve handling of electronic health data.
In this alert, we refer to these parties collectively as Healthcare Service Providers.
New requirements of the Law
1. Regulation of health data
The scope of the Law is broad: it regulates the processing of all electronic health data regardless of its form, including names of patients, information collected during consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology codes, images produced by medical imaging technology, and lab results, among other types of data.
2. Prohibition on storage of health data outside of the UAE
The Law provides that health data may not be transferred outside the UAE, subject to certain exceptions. The Law also prohibits the creation of health data outside of the UAE which relates to health services provided inside the UAE. Accordingly, cloud solutions hosted outside the country, outsourcing of IT services to overseas locations, remote IT support from other departments within multi-national Healthcare Service Providers, and the remote collection and monitoring from outside the UAE, through applications and wearables, of patient information generated within the UAE (such as heart rate, sleep patterns or steps) may all be significantly impacted.
The Law envisages certain exceptions to the default data localization requirements, which will be set out in subsequent ministerial resolutions or in the implementing regulations.
3. Minimum standards for processing of health data
In addition to reinforcing the duty of Healthcare Service Providers to maintain the confidentiality of health data, the Law introduces a number of concepts similar to overseas data protection frameworks. For example:
- Purpose limitation: Patient information must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient;
- Accuracy: Healthcare Service Providers must ensure that the health data processed is accurate and reliable;
- Security measures: Healthcare Service Providers must put in place measures to protect health data and to prevent its unauthorized processing, damage, alteration, deletion or amendment; and
- Non-disclosure/patient consent: The Law reiterates existing obligations not to disclose patient data to any third party without the prior consent of the patient.
4. Retention period
Health data must be retained for a minimum period of 25 years from the date on which the last procedure on the patient was conducted, or as long as is necessary, if longer.
5. Centralized data management system
A new centralized data management system (DMS) will be established and operated by the UAE Ministry of Health to facilitate access to, storage and exchange of health data. Healthcare Service Providers are required to register in order to access the DMS and identify all personnel who are authorized to access it.
6. Website blocking for advertisement or licensing violations
The UAE Ministry of Health is entitled to instruct the relevant local or federal health authorities to block any website, whether inside or outside of the UAE, that does not comply with the regulations applicable to healthcare advertising or which provides healthcare information without a license or permission from the UAE Ministry of Health.
Exceptions to the general rule
The only circumstances in which a patient’s information may be used or disclosed without the patient’s consent are:
- to allow insurance companies and other entities funding the medical services to verify financial entitlement;
- for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
- for public health preventive and treatment measures, e.g. in the case of a public health crisis;
- at the request of a competent judicial authority; or
- at the request of the relevant health authority for public health purposes including inspections.
Data anonymization
The role of ‘big data’ in the prevention and early detection of serious conditions and in research and development has been an area of focus and collaboration among major players in the IT and healthcare sectors in recent years. The potential benefits of this practice will have to be weighed against the protection of each individual’s right to privacy. Where to draw the line in this assessment remains a topic of discussion between industry stakeholders and regulators. In January 2019, the European Data Protection Board issued its opinion on the European Commission’s draft Q&A on the interplay between data protection under the EU General Data Protection Regulation and clinical trials regulation. We will need to wait for the Law’s implementing regulations to see what position the UAE authorities will take on this sensitive issue.
What this new development means for companies
The Law sets out a number of overarching penal and disciplinary sanctions for breach of its provisions. These sanctions range from warnings to fines of AED 1 million to cancellation of the company’s permit to use the DMS.
What companies should do
While the Law sets out the basic framework to establish the DMS and to formally regulate the processing of health data, there are a number of important details that still need to be addressed by the implementing regulations and/or in further ministerial resolutions. These include, most notably, the rules and process for registration in order to access the DMS and the exemptions from data localization requirements. In adopting a cautious approach, we recommend that companies affected by the Law:
- conduct a data mapping exercise to identify what type of health data is held, where it is processed and which third parties it is shared with;
- where any of these third parties are based overseas, take steps to cease the transfer of health data to them or to anonymize or otherwise de-identify the health data transferred;
- for any health data which cannot be anonymized or de-identified due to the nature of the processing activities, source alternative third party service providers to conduct the processing of that data within the borders of the UAE;
- review contracts with third party service providers which process personal data and ensure that the contractual obligations for data processing and information security are sufficient to meet the new requirements of the Law;
- consider imposing additional obligations on service providers to support compliance with the Law, such as annual rights of audit; and
- add a step to the existing compliance sign-off process prior to adoption of new operational processes and business lines to ensure that no health data leaves the UAE and that the minimum statutory compliance standards are met.
Healthcare Service Providers are likely to be granted a grace period to achieve compliance with the Law. We will continue to monitor developments closely and will issue further alerts as subsequent regulations and resolutions are released.