New regulation on the use of ICT in healthcare in the UAE

Additional regulations concerning the use of technology in the UAE healthcare sector (Cabinet Resolution No.32 of 2020) still leave many questions unanswered.

07 July 2020

Following the enactment of the health data protection law (UAE Federal Law No.2 of 2019) in May 2019, the UAE Federal Government has published additional regulations concerning the use of technology in the UAE healthcare sector in the form of Cabinet Resolution No.32 of 2020. However, this latest development still leaves many questions unanswered.

Background

This update follows our earlier note concerning UAE Federal Law No. 2 of 2019 (the Health Data Law).

To recap, the Health Data Law was enacted in May 2019 and introduced noteworthy obligations around the collection, processing and transfer of health data by a broad range of entities within the UAE, including healthcare providers, medical insurance providers, healthcare IT providers and providers of direct and/or indirect services to the healthcare sector. These obligations apply to relevant entities (Health Service Providers) across the UAE.

The UAE currently has no federally applicable cross-sector data protection law, and therefore, risk analysis of data processing compliance has required sector-specific review. The Health Data Law has reinforced this and applied a broad meaning to health data, defining it as all electronic data originating in the UAE regardless of its form, including alpha-numerical identifiers, common procedural technology (CPT) codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results and names of patients (Health Data).

Whilst the Health Data Law sought to protect Health Data in line with international best practice, it amounted to only a basic framework of rules, leaving Health Service Providers with many questions around the application of these rules in practice. For instance, the Health Data Law introduced a general prohibition on the transfer of Health Data outside the UAE; however, no clarity was provided on the available exceptions to this prohibition. Similarly, the Health Data Law provided for the establishment of a central healthcare IT system (the Central Healthcare IT System) for the purposes of storing, exchanging and collecting Health Data but offered no guidance on how Health Service Providers would sign up to the Central Healthcare IT System.

Much-needed clarity was expected through ancillary, follow-up legislation. The UAE Federal Government has now published Cabinet Resolution No.32 of 2020 Concerning the Executive Regulation of the Federal Law No.2 of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the Resolution).

Development

It is not controversial to say that the Resolution does not address the key open points from the Health Data Law. The focus of the Resolution is the Central Healthcare IT System, which was introduced in the Health Data Law.

The Resolution provides that no person may use the Central Healthcare IT System unless authorised to do so by the health authorities or relevant entities on an as-needed basis. Those Health Service Providers granted access to the Central Healthcare IT System must "adhere to the deadline specified for it to join the Central Database...". However, beyond this, the Resolution gives no further practical guidance in respect of joining the Central Healthcare IT System.

Those with access to the Central Healthcare IT System must not disclose Health Data without the consent of the patient or unless permitted by law. In the event of an emergency where consent cannot be obtained, Health Service Providers may examine a patient's Health Data for healthcare purposes.

The Resolution also sets out some practical controls that users of the Central Healthcare IT System must comply with to ensure the security and accuracy of Health Data stored electronically. For example, it is prohibited to send any Health Data over email or any other electronic means unless it is sent in encrypted form.

Additionally, the Resolution states that the Central Healthcare IT System should include all patient files in the UAE. However, a patient may choose to withdraw from the Central Healthcare IT System. Where this is the case, the relevant Health Data may remain on the Central Healthcare IT System so long as the data can be kept unidentified, which we would interpret to mean anonymised.

Although the Resolution provides clarity in places, as with the original Health Data Law, it also leads to further questions. For example, the Resolution allows for Health Data to be retained beyond the preservation period for research and public health purposes, provided that patient privacy is maintained. However, without further guidance, we cannot be sure what patient privacy means in this context. A conservative approach would therefore be to anonymise any Health Data retained for research and public health purposes.

Final remarks

The UAE community is still looking for clarity on issues introduced in the Health Data Law.

Certainty around data regulation in the UAE is a gating issue for increased adoption of the use of emerging technology, for which the UAE has great ambitions. The accelerated roadmaps for healthcare sector deployment of Blockchain, Smart Cities, IoT, AI, sophisticated telemedicine and digital health initiatives are all being negatively impacted by the current uncertainty. While we await clarification, the processing of Health Data in the UAE needs to be approached with caution.
