In March of this year, the UAE issued Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Area of Health (the Healthcare Data Law), which governs the use of health data and information generated in the UAE. The law takes effect three months after issuance.
If Article 13 of the Healthcare Data Law takes effect as written, healthcare providers, consultants and insurers doing business in or with the UAE who continue to process and store, outside the UAE, health data and information generated in the UAE must cease operating in that manner and will be subject to penalties if they do not.
Health data and information
Under the Healthcare Data Law, health data and information is defined as data which is “characterized by a health feature, whether related to the health or insurance establishments or authorities or to the beneficiary of the health services”. Unpacking this definition reveals that it encompasses not only what one might typically expect, patient data, but also any data that relates to health care providers, insurers or health authorities.
Health data and information inside the UAE
The law presages major changes in the way healthcare data and information soon will be processed and stored in the UAE. For example, various articles of the Healthcare Data Law address aspects of a future central electronic system (the CES) administered by the UAE Ministry of Health and Prevention (the Ministry) that will store, exchange and collect health data and information in the UAE. However, despite such changes, some aspects of managing patient data remain unchanged from current practice. Under the Healthcare Data Law, written consent continues to suffice for processing patient data in the UAE. What constitutes patient consent can vary and may be determined in additional legislation. For example, in the Emirate of Abu Dhabi, patient consent is determined under the DOH Guidelines for Patient Consent.
Health data and information outside the UAE
The most controversial provision of the Healthcare Data Law is a general prohibition in its Article 13 on processing or storing outside the UAE health data and information relating to health services provided in the UAE (UAE Health Data). Many healthcare providers, consultants and insurers doing business in or with the UAE regularly process and store UAE Health Data outside the UAE, and that prohibition may force a drastic change in procedure. The only exception to the blanket prohibition is if an emirate health authority, after consultation with the Ministry, issues subsequent regulations permitting such processing and storage outside the UAE of UAE Health Data generated in such emirate.
A violation of Article 13 subjects the party to a fine of between AED500,000 (~US$135,000) and AED700,000 (~US$190,000). In addition, the relevant health authority is entitled to suspend or terminate the license of the offending entity to access the CES.
As is typical for new legislation, the Healthcare Data Law sets forth some high-level provisions, with the more practical aspects to be effected via supplementary legislation, including implementing regulations, a resolution from the Ministry and emirate-level regulations.
Action needed now
Absent ameliorating resolutions, healthcare providers, consultants and insurers doing business in or with the UAE and processing and storing UAE Health Data outside the UAE have only a short period to obtain advice and bring their behavior into compliance before they are potentially exposed to material financial penalties and potential prohibition from accessing the CES when it is established.