Health data in the UAE – everything you need to know about the Health Data Law

In February 2019, the President of the United Arab Emirates issued Federal Law No. 2 of 2019 (Health Data Law). This law regulates the use of information and communications technology (ICT) in the healthcare sector for the entire UAE, including the free zones. It came into force in May 2019 and aims to allow the UAE Ministry of Health and Prevention (the Ministry) to collect, analyse, and maintain health information at state level in the UAE.

The Health Data Law also ensures that ICT standards and practices adopted in the UAE meet the level of standards used by counterparts internationally and guarantees the security and safety of health data. This has meant the introduction of similar core concepts to those found in the General Data Protection Regulation (GDPR) under EU law – for example, security measures and consent for data disclosure, purpose limitation for data processing, and data accuracy requirements.

Here, we provide a rundown of how the Health Data Law works, what information it protects, and whether there are any exemptions to its data localisation requirement.

What are key aspects of the Health Data Law?

The Health Data Law provides for the establishment of a centralised data exchange system under the Ministry's control, to manage the collection and exchange of health data by and between relevant authorities and other concerned parties. Users can access and exchange data in a controlled, secure, and uniform way, and the intention is for the system to eventually include all patient files in the UAE. 

Cabinet Resolution No. 32 of 2020 concerning the Executive Regulation of the Health Data Law, which came into force in October 2020, includes additional details regarding how authorised users join the centralised system, what their duties and responsibilities are, and how they need to store health data. Important aspects of this legislation include:

• high levels of data confidentiality are required
• businesses need to implement data encryption and/or patient consent for processing activities and are required to keep accurate data and to record all processing activities
• patients have the right to withdraw their files from the central system, and
• The Ministry is empowered to audit businesses' regulatory compliance where patient data storage is concerned.

In terms of time frames, the Health Data Law specifies a minimum data retention period of 25 years (possibly longer where appropriate) from the date that the last health procedure was performed on the patient. This is very different to the data storage requirements under GDPR. 

Various outstanding matters regarding the central system and other aspects of health data protection still need to be addressed in greater detail. Even so, the Health Data Law makes it obligatory for businesses that deal with health data to introduce operational, organisational, and technical procedures to ensure the security and integrity of their health data – including the security of data accessibility for authorised users.

Like other international general data protection regimes and the data protection frameworks applicable in the financial free zones of the UAE (ie the DIFC and ADGM), the Health Data Law sets out several criteria that must be observed when processing health data. Businesses must:

• ensure that health data they process is accurate and reliable (accuracy requirement)
• keep health data safe from any unauthorised modification, damage, deletion or other alteration using appropriate security measures (data security requirement)
• only use health data for the provision of the health service for which it was obtained, except where the patient consents to alternative use (purpose limitation concept)
• obtain the patient’s consent prior to disclosure of the patient’s data to a third party in the absence of a permission for disclosure under the laws of the UAE (disclosure restrictions concept).

The Health Data Law recognises limited exceptions to the disclosure restrictions concept. Businesses may use health data without the patient’s consent:

• for scientific research, provided the patient’s identity remains undisclosed, and applicable scientific research standards and guidelines are complied with
• to assist insurance companies and health services payers with the verification of financial claims
• when responding to a request from a competent judicial authority
• when addressing a request from the relevant health authority for public health purposes, or 
• for public health preventive and treatment measures.

A major concern for many international operating service providers is the data localisation requirement included in the Health Data Law. It prevents businesses from storing, processing, generating, or transferring health data outside the UAE, unless the activity has been approved by a resolution of a concerned health authority or the Ministry. Breaching this requirement can result in a penalty between AED 500,000 and AED 700,000.

What information is protected and who must comply?

The scope of health data protected by the Health Data Law is very wide. It includes all electronic data related to health and originating in the UAE, regardless of its form or whether its related to health facilities, health authorities, insurance facilities, or beneficiaries of health services. Examples of health data protected by the Health Data Law are patient names, data collected in a consultation or connected to diagnosis and treatment, and alpha-numerical identifiers. As a result, the Health Data Law is not only relevant to healthcare services providers or health insurers, but also to businesses that provide healthcare IT and other indirect services related to the healthcare sector, or that handle electronic health data.

Are there exceptions from the data localisation requirement?

For a long time, there was no resolution or additional executive regulation to address potential exceptions. It wasn't until April 2021 – when Ministry Resolution No. 51 of 2021 concerning cases where health data and information may be stored or transferred outside the UAE was issued – that legislation was brought in to allow for some exceptions to the data localisation requirement (we understand this legislation came into effect on 16 May 2021).

Under Resolution No.51, you are permitted to undertake some international health data transfers in several scenarios, including when the health data:

• relates to patients who are being treated outside the UAE, within the limits of the necessary treatment procedures
• relates to samples that are sent to laboratories outside the UAE
• is used as part of scientific research, in compliance with the UAE laws and provided the relevant research is approved separately by the concerned health authority
• needs to be transferred outside the UAE by insurers and claims management companies within the scope of their procedures to provide health insurance coverage, provided the patient’s consent has been obtained
• is requested by competent organisations that cooperate with the UAE, provided the transfer is made within the limits of the purpose of requesting such data
• is utilised by simple medical devices and tools etc designed for personal use which require users to supply simple medical data, such as blood pressure, blood sugar, or oxygen saturation rate (eg fitness apps and connected personal devices)
• is related to the prevention, treatment, or diagnosis of a patient that may cause side, reverse, or negative reactions (or similar cases), within the limits and conditions of good pharmacovigilance practices
• is used within the scope of providing telehealth services, provided certain conditions are met and the patient’s consent has been obtained
• belongs to individuals who personally request the transfer or receipt of their own data for use outside the UAE, provided that the facility that keeps the data receives an official request from this individual or their legal representative.

Businesses that transfer health data under any of these exceptions are still subject to strict controls involving one or more of the following requirements:

• written patient consent
• the approval of the relevant health authority
• data encryption using best practice standards
• anonymisation measures, and/or
• disclosure limitations when sharing data with third parties.

Even where the transfer of the health data outside the UAE is permitted, a copy of the data must always be stored inside the UAE. What's more, for many business activities the Health Data Law continues to stipulate that health data must be stored on UAE-based servers (in-line with other existing laws) and control access and processing activities must be comply with the Health Data Law. 

Businesses that need to transfer health data outside the UAE that can't take advantage of Resolution No.51's exemptions aren't entirely out of luck, however – they can still contact the relevant health authorities directly to request the necessary permissions.

Here to help

Please reach out to a member of our team to discuss how we can support you with your discussions with the authorities, or if you'd like any other advice about the health data protection regime in the UAE.