The Healthcare Data Protection Law in the UAE
In April 2016, The General Data Protection Regulation (GDPR), was agreed upon by the European Parliament and Council, which replaces the Data Protection Directive 95/46/ec in Spring 2018 is said to be the first law regulating the protection of EU (European Union) citizens' data and gives a draft of e-Privacy Regulation.
The Middle East has also felt the need to introduce local data protection and regulations regarding privacy. The data protection regimes in the UAE Free Zones, are inspired by the privacy regulations and data protection guidelines and principles contained in the Data Protection Directive of 1995 and OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, 1980.
A specific federal data protection law has been absent in the UAE, until now. In February 2019, the President of the United Arab Emirates issues the Federal Law No 2 of 2019, also known as the Health Data Law. This law regulates the use of information technology and communications (ITC), particularly in the healthcare sector. The Healthcare Data Law is also said to be the first federal legislation which directly communicates data protection principles. The law introduces data protection concepts that are similar to that of the GDPR, such as:
Consent to disclosure
This law applies to all entities that operate in the UAE and Free Zones which provide healthcare facilities like, healthcare IT, healthcare insurance and other direct and indirect services in the healthcare sector or sectors that engage in activities that involve the handling of electronic health care data (Health Service Providers).
Key components of the law
This law helps to regulate the handling of electronic health data that originate in the UAE, which includes patient names, diagnosis, consultation, medical scan images, lab results and treatment data. Data privacy and protection concepts introduced include accuracy of the Health Data, purpose limitation of Health Data, consent to disclose a patient's Health Data to a third party and security measures are taken to ensure the safety of the Health Data.
The Health Data Law helps ensure that all information acquired will be kept confidential and refrain from sharing health data without proper authorisation. It stays faithful to the principles of the GDPR by avoiding the data from "amendments, alteration, deletion, addition or non-authorised damage”.
One of the most significant aspects of this new law is the general prohibition on the transfer of health data outside the UAE unless authorised by the health authority in coordination with the government.
Under this law, the preservation of Health data is for as long as 25 years from the date of the last procedure conducted on the patient.
Centrally controlled healthcare data management system
This law includes a centralised system of Health Data management which is controlled by the Ministry of Health and Prevention. Access and exchange of data are done uniformly and securely.
Exceptions to disclosure restrictions
This part of the law provides for exceptional cases where the consent of the patient for the disclosure of his Health Data can be without his permission. The exceptions include insurance companies, for scientific research, for public health preventive and treatment measures
This law contains several penalties for the non-compliance of the law which provides for disciplinary actions and monetary fines which are imposed by a disciplinary committee within the concerned health authorities.
Website blocking for licensing or advertisement violations
The Ministry of Health is entitled by this law to instruct federal or local health authorities to proceed with blocking of websites, either inside or outside of the UAE on non-compliance with the regulations that apply to healthcare advertising or that which provides healthcare information without a permit from the UAE Ministry of Health.
The law will come into force by May 2019, but which will only amount to a basic framework to set initial rules and to establish a central IT system. Furthermore, implementation of regulations that provide details about its applications will be followed up by August 2019, which will then bring about clarity in areas relating to the rules and process for registering to access the integrated Health Data management system and exceptions to the data localisation requirements.