UPDATE: Developments in the Use of Information and Communications Technology in Healthcare
Today, reliable personal data is key for the modern healthcare sector. Healthcare data allows public health authorities, researchers, and healthcare providers to improve knowledge, efficiency, and quality, thereby resulting in better usage of limited resources. This, in turn, helps deliver improved healthcare solutions to patients.
Background: Prior to the enactment of The Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Healthcare (“ICT Health Law”), the UAE had limited public facilities, including the Abu Dhabi General Market and Dubai Healthcare City, practising active data protection regimes with a special focus on the patient’s personal and medical information. These regimes were inspired by the guidelines contained in the 1995 Data Protection Directive and the 1980 Organisation for Economic Co-operation and Development Guidelines on Trans-border Data Flows and Protection of Privacy, due to the lack of a specific law relating to data protection and privacy concerns in the UAE. However, certain provisions such as Article 379 of the Penal Code, relating to the disclosure of “secrets” without the consent of the person to whom the secret is related, or certain other existing laws regarding doctor/patient confidentiality were available sources/remedies.
With the European Union constantly advancing in the field of data protection, such as through the internationallyrecognized General Data Protection Regulations (GDPR), the enactment of the ICT Health Law is seen as a positive step by the UAE government towards future advancements in the field of data protection and privacy. The ICT Health Law is the first federal legislation in the UAE that directly addresses data protection principles for the protection of sensitive personal health-related data. The law came into effect in May 2019; however, certain regulations in support of this law have yet to be issued.
What is Health Data or Information?
Article 1 of the ICT Health Law defines Health Data broadly as:
- Data: Anything that may be stored, processed, generated, and transferred through Information and Communication Technology (ICT)
- Health Information: The health information that was processed and given a visual, audible, or readable indication, and that may be attributed to the health sector or entities or to health services beneficiaries.
- Health Information Circulation: The act of examining, exchanging, copying, photocopying, transferring, storing, disseminating, disclosing, or sending Health Data and information.
Who is impacted by the ICT Health Law?
The ICT Health Law is applicable to all entities that are operational in the UAE and the Free Zones that provide healthcare and related services.
How will Health Data be processed?
The ICT Health Law will regulate and process electronic health-related data such as patient names, consultations, diagnoses and treatments, alpha-numeric patient identifiers, common procedural technology codes, medical scan images, and lab results originating in the UAE. Such processed data will be subjected to a minimum standard based on these factors:
- Accuracy – Healthcare Service Providers must ensure that the data they process is accurate and reliable.
- Purpose limitation – Health Data must not be used for purposes other than that of health services, except with the prior consent of the patient.
- Consent to disclosure – Health Service Providers cannot disclose patient data to any third party without the prior consent of the patient or as permitted by law.
- Security measures – Health Data must be kept safe from unauthorised damage, amendment, alteration, deletion, or addition through the use of appropriate security measures.
Are there any exceptional circumstances?
Article 16 provides for certain exceptions, in which cases such Health Data may be disclosed without the prior consent of the patient:
- To enable insurance companies and other such entities funding the medical services to verify the requisite financial entitlements;
- For purposes of scientific research (provided that the identity of the patient is not disclosed and that applicable scientific research standards and guidelines are complied with);
- Upon the request of competent judicial authorities;
- For purposes of legal compliance with a request from a competent judicial authority;
- To comply with a request from the relevant Health Authority for public health purposes including inspections.
Key Factors of the New Law:
Data security: Article 4 of the Health Data Law mandates that all Health Service Providers must ensure confidentiality and protection of the information provided and refrain from sharing it without prior authorisation. Following international standards, the Health Data Law requires entities to introduce organisational, technical, and operational systems to safeguard the integrity of sensitive Health Data.
Data localisation: Article 13 highlights one of the most impactful aspects of this law, which is the prohibition of the transfer of Health Data outside the UAE jurisdiction unless one is authorised to do so by the relevant Health Authority in coordination with the Ministry. Accordingly, cloud solutions and cloud computing hosted outside the UAE or outsourced by entities in overseas locations acting as Healthcare Service Providers will face restrictions regarding the collection of patient information within the UAE. For example, heart rate, steps, or sleep patterns that are collected from outside the UAE through applications and wearables may be significantly impacted. This, in turn, can affect businesses. However, relief can be provided by obtaining approvals from the concerned authorities. There is a penalty of no less than AED 500,000 and no more than AED 700,000 for breach of this prohibition.
Data retention: Article 20 requires that Health Data be kept and maintained for as long as it is required but no less than 25 years from the date on which the last procedure on the patient was conducted.
Centrally controlled healthcare IT system: A Centralised Health Data Management System (“Central System”) controlled by the Ministry of Health and Prevention shall act as a regulator.
Key Compliance Requirements That Entities Affected by the ICT Health Law Can Undertake:
- Ensure that the entity’s IT system is capable and updated to interact with the Central System.
- Ensure that all administrative requirements for gaining access to the Central System are met, such as the requisite registration and license processes.
- Ensure that no patient Health Data is transferred outside the jurisdiction of the UAE unless permissions are obtained from the Ministry and requisite authorities.
- Install or update all requisite technical, operational, and organisational systems to ensure that all sensitive data is treated as per the confidentiality, security, and privacy standards of this law.
- Ensure that the stored data is not subject to corrupt or wrongful purposes.
- Ensure that all personnel who have access to sensitive Health Data recognize and understand the impact of the law and its penalties.
The law provides for heavy sanctions in the event of non-compliance, including disciplinary actions and monetary fines which may be imposed by a disciplinary committee within each Health Authority. These sanctions may be imposed, for example, for violating the data localisation rules. Specifically, sanctions include:
- The potential suspension or withdrawal of the licence to use the central IT system;
- A formal notice or warning from the relevant Health Authority; and/or
- Fines ranging from AED 1,000 to AED 1,000,000.
The law has raised the minimum bar for protection of Health Data by introducing certain practices into information technology and privacy laws. The ICT Health Law has adopted concepts that are on par with international standards such as the localization of sensitive data paving the way for a centralized Health Data system which can advance public health initiatives carried out by the UAE Ministry of Health. In conclusion, it can be seen that the UAE has adopted internationally accepted standards of data protection and privacy, which offers security to residents in this new technological era.