UAE Health Data Law update

Following the controversial Health Data Law, the UAE Federal Government has added another piece to the health data protection regime in the form of the Decision

24 June 2021

Following the controversial Health Data Law (UAE Federal Law No. 2 of 2019) and the follow-up resolution (Cabinet Resolution No. 32 of 2020), the UAE Federal Government has now added another piece to the health data protection regime in the form of Ministerial Decision No. 51/2021 (the "Decision").

In short, the Decision clarifies concepts used in the Health Data Law pertaining to restrictions on the collection, processing and transfer of health data by a broad range of entities (Health Service Providers) across the UAE, and sets out certain important exemptions.

Background

The Health Data Law defines "Health Data" broadly as all electronic data originating in the UAE, regardless of its form. Upon its initial publication, it provided only a basic framework of rules under an ambitious objective to adopt international best practices, leaving practical guidance for the interpretation and application of (as well as blanket exemptions from) the Health Data transfer restrictions to future ministerial decisions.

The Decision represents the latest release in a series of developments with respect to the use of technology in the UAE healthcare sector. For background, please see our previous notes concerning the Health Data Law and the subsequent Cabinet Resolution No. 32 of 2020 (the "Resolution").

Follow-up Regulations to the Health Data Law

When the Health Data Law was enacted, there were two important areas where it was particularly apparent that further clarification would be needed through future ministerial decisions: (1) more details with respect to the establishment of the centralised healthcare system (the Central Healthcare IT System), and (2) the exceptions that would apply to the general prohibition on the transfer of Health Data outside the UAE.

The Resolution addressed the former point. Among other things, the Resolution, released in June 2020, prohibits the unauthorised use of the Central Healthcare IT System, restricts the disclosure of Health Data without the approval of patients, and sets out some practical control requirements to ensure the security and accuracy of Health Data stored electronically. Also, in the spirit of providing data subjects with more control over their personal data, the Resolution gives patients the right to withdraw from the Central Healthcare IT System. Nonetheless, the Resolution did not provide any practical guidance on joining the Central Healthcare IT System and left important terms, like "patient privacy", undefined and open to interpretation. The Decision addresses the latter gap identified above: the exceptions to the cross-border transfer prohibition.

Noteworthy provisions of the Decision

To aid with interpretation, a new defined term "health services provided inside the state" is introduced and defined as "any health work or procedure taken by any health facility operating inside the state, whether within the scope of diagnoses, prevention, treatment, rehabilitation or health monitoring". Naturally, without accompanying definitions for "health work or procedure" and "health facility" it is difficult to say with any certainty which healthcare facilities and what activities will be captured by this new term and, therefore, subject to the data localisation requirement.

Notable exemptions

The Decision goes on to restate the prohibition on extraterritorial data transfers initially introduced by the Health Data Law, with the addition of ten new enumerated exemptions to the general restriction. Certain exemptions appropriately take into account the realities of operating in the healthcare sector in an increasingly digital economy. For example, manufacturers of wearable devices and health app developers can now take comfort as "information and data on the devices and the simple medical tools and the like, which are used by the public for personal use and lead to the registration of simple medical data" are exempt from the data transfer prohibition. However, health organizations that do not fall within this exemption but, nonetheless, have outsourced IT departments based in other jurisdictions, or rely on cloud solutions hosted outside the UAE, may need to reconsider their data transfer practices.

Other exemptions include data used within the scope of the provision of health services online, subject to certain conditions being satisfied. "Data required by the insurance companies and the claims administration institutions" is also exempt from the data localisation requirement. This particular exemption is, however, conditional. For example, no data identifying a patient may be transferred, and data must be encrypted before it is transferred using "the best encryption and highest security standards". Further, data and information which is transferred internationally must still be stored inside the UAE. The Decision does not say which encryption standards meet that bar, so organisations relying on this exemption should document the de-identification method and the encryption standard they apply, and retain a copy of the transferred data in the UAE.

Recipient and health authority approvals

One overarching theme of the regime is recipient/patient control over international transfers of their data. Indeed, more than half of the exemptions require that organisations obtain approval from the health service recipient as a condition of relying on the exemption. The Decision provides that, where approval is required, Federal Decree Law No. 4/2016 on medical liability (the "Medical Liability Law") shall apply. However, the mandate for obtaining approvals in the Medical Liability Law pertains generally to consents collected in the context of medical procedures and treatments and speaks to matters like legal capacity to give consent. It is not clear whether using the same consent regime is suitable in the context of data handled in a digitalised healthcare system. Practically speaking, there will certainly be circumstances where implied (opt-out) consent may be appropriate, but this is not something the Decision seems to contemplate. Therefore, until additional guidance is available, the conservative approach is to opt for programs that rely on express written consent, even though this is often more arduous than the alternative.

There are also exemptions that appear to be driven by public interest considerations. One example is the exemption for "information and data used in the framework of scientific research", provided that, among other things, each research project is separately approved by the concerned health authority. There is also a general exemption for "any other health information or data which the health authority approves its transfer". How these approvals will be sought and administered remains an open matter.

Final remarks

This highly anticipated Decision has done much in terms of providing some rational and pragmatic exemptions to the generally strict data localisation requirement, although we are awaiting further guidance from the Ministry on some important points, such as how the required approvals from the health authority and recipients/patients will be managed. An immediate task for organisations in the healthcare sector that transfer data abroad will be to consider carefully which, if any, of the exemptions apply, and to ensure that all conditions attached to the relevant exemption(s) are satisfied and evidenced.

This Decision is an important component of the UAE's ongoing efforts to regulate personal data in accordance with international best standards without a generally applicable cross-sector federal data protection law as a foundation. Regulation in this field is a difficult balancing act, because onerous and unclear laws and regulations carry the risk of disincentivising private sector investment. UAE authorities are, therefore, taking careful steps in fleshing out the specific rules to avoid unintentionally undermining their digital ambitions, which include the sophisticated telemedicine and digital health propositions emerging strongly in other markets.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.