The Healthcare Data Law (in Arabic, 11-page / 171KB PDF) came into force on 14 May 2019. It will regulate the processing of all electronic health data regardless of its form. Such data will include patients’ names, any information obtained during a consultation, diagnosis or treatment of a condition, patient identifying codes, lab results, and images produced by medical imaging technology such as x-rays. Patients’ data will have to be stored for at least 25 years.
The data will have to be processed and stored within the UAE, and it will be illegal to transfer it outside the UAE without obtaining an exception from a relevant healthcare authority. Anyone violating this provision will be fined between AED 500,000 and AED 700,000 (£104,000-£145,000).
The law also prohibits the creation of health data outside of the UAE relating to health services provided inside the country, which could affect providers using remote or cloud solutions to produce or store data.
The law sets out a number of circumstances in which a patient's information may be used or disclosed without the patient's consent, including situations where insurance companies or other firms funding medical services need to verify financial entitlement to treatment, or when data is requested by a judicial or health authority.
Dubai-based insurance expert Tom Bicknell of Pinsent Masons, the law firm behind Out-Law, said that the new law would have "wide-reaching implications for firms operating in the healthcare space, particularly in the technology and insurance sectors".
"The new law formally codifies the requirement to keep health data located in the UAE, with a prohibition on any storage or transfer of data outside of the country unless an exemption has been granted," he said. "This will have a significant impact on healthcare service providers operating in the UAE."
The Healthcare Data Law also sets out a framework for a new centralised data management system (DMS). The DMS will be operated by the UAE Ministry of Health and will enable storage, access to and the exchange of data across the UAE, although details of how the system will be run have not yet been published.
The Ministry of Health will be responsible for setting the standards and controls required to operate the system, as well as risk management of healthcare information and data. It will also have to produce a strategic plan on using information technology in the healthcare sector, and set mandatory mechanisms and procedures.
Firms violating the law could be subject to a range of sanctions, from a written notice or warning, to a fine of between AED 1,000 and AED 1 million, or removal or suspension of access to the DMS.
The law covers the whole of the UAE including the country's two financial free zones, the Dubai International Financial Centre and the Abu Dhabi Global Market.
It is expected that providers affected by the law will have a grace period to give them time to achieve compliance.
"The full extent of the requirements remains to be seen – this new Healthcare Data Protection Law sets out the basic framework, which will be supplemented by further government regulations," said Marie Chowdhry of Pinsent Masons. "Healthcare service providers should monitor developments in this space closely to ensure they stay aligned to the requirements going forward."