
UAE: Health and Pharma Overview

1. INTRODUCTION

In the context of healthcare and pharmaceutical regulation, the United Arab Emirates ('UAE') is best understood as comprising two categories of jurisdiction. First, there are two financial free zones – the Dubai International Financial Centre ('DIFC') and the Abu Dhabi Global Market ('ADGM') – which fall outside the scope of this note. Second, there is the remainder of the UAE falling outside of the territories of the financial free zones. This second category is technically divided into two further parts. On the one hand, there are approximately three dozen further non-financial free zones and, on the other hand, there is onshore UAE, being all the land which falls outside of the financial free zones and the non-financial free zones. It is this second category that forms the subject matter of this note. To complicate matters further, the UAE is a federal state comprising seven emirates (Dubai, Abu Dhabi, Sharjah, Fujairah, Ras Al Khaimah, Ajman, and Umm Al-Quwain). In the context of healthcare and pharmaceutical regulation, this is important because individual emirates have slightly different regulatory frameworks. The information set out below is accurate as of 1 December 2022.

In the UAE, the protection and privacy of health-related personal data is governed by specific health data-related legislation. This legislation sets out a broad scope of what is considered health data, encompassing a wide spectrum of information across the health and pharma sectors. The protection of health data also falls within the remit of the UAE's criminal law, as is discussed below in Section 10 - Penalties. As the subject of this note is health data, which is excluded from the scope of the UAE's federal data protection legislation (i.e. the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ('the PDPL')), we do not say anything further about the PDPL in this note.

The healthcare, medical, and pharmaceutical sectors in the UAE are governed more generally by an expansive series of laws, regulations, standards, and policies largely administered by the Ministry of Health and Prevention ('MOHAP') and the competent health authorities at local emirate level.

Beyond this, a separate health data protection regime exists in Dubai Healthcare City ('DHCC'), a non-financial free zone within the UAE that was established in 2002 as a hub for healthcare service providers. The DHCC has issued its own regulations that govern the protection of health data and are applicable to healthcare service providers within the territory of the DHCC. The protection of health data is further supplemented by an extensive regulatory framework that governs the provision of pharmaceutical and health-related services in the DHCC more generally.

1.1. LEGISLATION

The key laws, regulations, and decisions governing the healthcare, pharmaceutical, and medical sectors in the UAE and DHCC (including the protection and privacy of health data) are:

1.2. SUPERVISORY AUTHORITIES

The authorities responsible for supervising the health, medical and pharmaceutical sectors in the UAE are:

Sharjah Health Authority oversees healthcare in the emirate of Sharjah, while the MOHAP effectively governs the health authorities in the remaining UAE emirates. The Public Prosecution will also be relevant where a criminal complaint is filed against a party for a breach of the Penal Code and/or the Cybercrime Law.

The DHCC Board of Directors, the Centre for Healthcare Planning and Quality ('CPQ'), and the Executive Body of the DHA are responsible for ensuring the proper administration and enforcement of the DHCC HDPR and any rules, standards, and policies made thereunder.

1.3. GUIDELINES

1.4. DEFINITIONS

Relevant definitions under UAE laws, regulations, policies, guidelines, and standards:

  • 'Clinical Studies' means the studies or research monitoring of a specific medical product, that are conducted on groups of human beings, intended to study the absorption, metabolism, distribution and excretion of the product, in order to identify its main effects, side effects, or adverse reactions, with the objective of verifying the effectiveness, efficacy, quality, and safety of the medical product, within the uses approved in advance, according to the marketing authorisation which is granted to the medical product or for new uses or any other medicines under research and development.
  • 'Data' means anything that may be stored, processed, generated, and transferred through ICT, such as numbers, letters, codes, photos, and similar.
  • 'Health facility' means a facility that provides people with healthcare services, including prevention, treatment, and recovery, whether it is owned or managed by a physical or a legal person.
  • 'Health information' or 'health data' means the health information that is processed, given a visual, audible, or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or entities or to the health services beneficiaries.
  • 'Health record' is a single record of all data on an individual health status from birth to death.
  • 'Informed consent' means a subject's free and voluntary expression of their willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject's decision to participate or, in case of minors and of incapacitated subjects, an authorisation or agreement from their legally designated representative to include them in the clinical trial.
  • 'Legally acceptable representative' means an individual or judicial or other person authorised according to the law of the UAE, to consent, on behalf of a prospective subject, to the subject's participation in the clinical trial.
  • 'Patient' means a natural or arbitrary person whose protected health information is or has been captured by the entity.
  • 'Pharmacist' means a person who holds at least a bachelor of pharmacy degree or the equivalent from a higher institution, college or university that is accredited in the UAE, and who is licensed to practise the profession of pharmacy in the UAE.
  • 'Pharmacy' means the institution, which is licensed to store, prepare, formulate, dispense, offer, or sell the medical products to the public directly, through fixed or mobile facility, either permanent or temporary.
  • 'Physician' means a medical doctor, including a dentist.
  • 'Research centre' means the pharmaceutical institution which is licensed to conduct clinical research or bioavailability or bioequivalence studies, and studies related to the measurement of the levels of active substances in liquids and tissues.

Relevant definitions under DHCC regulations and standards:

  • 'Collect' means the obtaining of patient health information directly from the patient or from any other third parties; and collection and collected have corresponding meanings.
  • 'Document' and 'documentation' means information stored in any form of writing, code, or visual depiction and the manner in which such information is stored is irrelevant for the purpose of deeming the information to constitute a 'document' for the purpose of this definition. A 'document' includes summons, notice, order, or other legal process and registers, and for the purpose of the DHCC HDPR includes the reports from photographs, x-ray films, scans, recordings, and other such imaging.
  • 'Health services' means the healthcare and medical services provided by licensed healthcare professionals, licensed complementary and alternative medicine professionals and licensed healthcare operators, and includes, but is not limited to, diagnosis, treatment, advice, service, or goods provided in respect of the physical or mental health of a person.
  • 'Human biomedical research' means any systematic investigation, including research development, testing, and evaluation that involves the use of either an investigational product in human subjects, the use of identifiable human tissue or patient health information, with the objective of developing or contributing to generalisable knowledge.
  • 'Patient' means with respect to patient health information, the patient to whom such patient health information relates.
  • 'Patient health information' means information about a patient, whether spoken, written, or in the form of an electronic record, that is created or received by any licensee, that relates to the physical or mental health or condition of the patient, including the reports from any diagnostic procedures and information related to the payment for services.
  • 'Process' means any operation or set of operations which is performed on patient health information, whether or not by automatic means such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, erasure or destruction; and processed and processing have corresponding meanings.
  • 'Record' means all papers, records, recorded tapes, photographs, statistical tabulations, or other documentary materials or data, regardless of physical form or characteristics, including in written or electronic form.

2. CLINICAL RESEARCH AND CLINICAL TRIALS

UAE:

Scientific approval is required to conduct clinical trials and research in the UAE. The relevant authorities in this respect are the MOHAP and the Health Authorities. Ethical approval must also be obtained prior to commencing any clinical trial or research. A clinical trial or research may not be conducted on human participants unless the relevant Health Authority approvals have been obtained, medical examinations of the participants have been carried out and their written consents, acknowledging their understanding of the details of the clinical trial or research and associated risks, have been documented.

Clinical trials and research may only be carried out by certain accredited entities that obtain a licence from the relevant Health Authority. Such entities may include public and private hospitals, universities, specialised scientific research centres, or laboratories.

In accordance with the Guidelines for Conducting Clinical Trials with Investigational Products and Medical Devices, notification of completion or termination of the clinical trial must be made by the principal investigator in writing to the Abu Dhabi Research Ethics Committee. The notification of completion should be submitted within 90 calendar days from completion, while termination of the clinical trial should be notified within 15 calendar days from the decision to terminate.

DHCC:

The Research Regulation provides that only approved research operators that are holders of research permits may carry out approved research activities within the DHCC. In order to become an approved research operator, in-principle approvals from the DHCC Clinical Affairs Department, the Licensing Board, and the Academic and Research Council, as well as a provisional approval letter from the DHCC Registry of Companies, need to be obtained. An application for a research permit may then be submitted to the DHCC Registry of Companies.

To carry out human biomedical research, the proposed research must be reviewed and approved by the DHCC Research Ethics Review Committee from a scientific and ethical perspective. Where the human biomedical research involves a clinical trial, the trial must be recorded on an internationally recognised clinical trials register as determined by the DHCC Research Ethics Review Committee.

2.1. DATA COLLECTION AND RETENTION

UAE:

The UAE Health Data Laws set out general obligations with respect to the collection, processing, and storage of Health Data. When using ICT in health fields, all health data must be kept confidential and the circulation thereof will only be permitted in authorised cases. The validity, integrity, and credibility of the health data must be upheld by protecting it from destruction and unauthorised amendment, deletion, alteration, or addition. The availability of, and access to, the health data by authorised individuals must also be ensured. Beyond this, the Health Data Law sets out certain data retention requirements whereby health data must be retained for a minimum of 25 years.

The Clinical Trials Policy sets out that the designated site where an accredited entity carries out its clinical trial must be appropriate to collect participants' data and store it confidentially along with any experimental products and samples collected. Similarly, under the Policy Governing Research Involving Human Subjects, investigators must ensure the confidentiality of the health data of participants and must ensure that their security policies and procedures are sufficient to prevent any breach of such confidentiality. Moreover, investigators must ensure that all health data is recorded, handled, and stored in ways that allow its accurate reporting, interpretation, and verification.

DHCC:

All health data associated with human biomedical research must be recorded, handled, and stored in a way that allows accurate reporting, interpretation, and verification. Health data must also be processed and retained in a manner that is consistent with DHCC HDPR.

The DHCC HDPR sets out data protection principles, rights, and obligations that are similar in nature to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Specifically, participants must be informed prior to their health data being collected (or, where this is not practicable, at the point of collection), and health data must be collected lawfully and fairly. An investigator must ensure the security of the health data along with the system in which it is held, and safeguard it from loss, destruction, damage, tampering, theft, unauthorised access, use, modification, disclosure, and other misuse. Health data of UAE nationals and expatriates must be retained for a period of ten years. The DHCC HDPR also sets out a general requirement that health data may only be used for the purpose for which it is collected. This requirement may be waived, however, where the health data is being used for research purposes, as long as the health data is not published in a form that could reasonably be expected to identify the participant.

2.1.1. CONSENT

UAE:

In accordance with the Pharma Law and the Medical Liability Implementing Regulation, clinical trials or research may only be carried out on human participants where the consent of the participants has been obtained. Such consent must be in writing and must contain an acknowledgement of the participant's understanding of the details of the trial and the associated risks. Where the participant is a child, the consent of the parent/guardian is required.

This position is also set out in the Clinical Trials Policy, whereby the availability of consent for participation in the clinical trial is a requirement to proceed with it. The Policy Governing Research Involving Human Subjects and the Guidelines for Conducting Clinical Trials with Investigational Products and Medical Devices set out in detail the requirements for obtaining consent in the context of clinical trials and research. Specifically, the consent must be informed and must be collected in writing. The elements of informed consent must always be communicated to the participant and include at a minimum:

  • a statement of the purpose of the clinical trial or research, the intended duration, and a description of the relevant procedures to be carried out identifying any that are experimental;
  • a description of any treatment included in the clinical research or trial and the probability of random assignment to each treatment;
  • a description of any foreseeable risks or benefits;
  • if the research or trial involves a risk of harm, an explanation of whether any compensation or medical treatment is available in the event of injury;
  • a disclosure of any appropriate alternative procedures or courses of treatment;
  • a statement of the participant's responsibilities with respect to the clinical research or trial;
  • a statement describing how confidentiality will be maintained and how health data will be managed;
  • a statement concerning the access to the participant's health data that the Health Authorities or others may have;
  • the name and contact details of a person that the participant may contact for further information regarding the clinical research or trial;
  • a statement of the participant's rights; and
  • a statement that the participant's participation is voluntary and that refusal to participate or continue to participate will involve no penalty or loss of benefits to which the participant is otherwise entitled.

Where the clinical trial or research is being carried out on a minor, i.e. an individual who is under the age of 18, written informed consent should be obtained from both parents or the legal guardian(s) of the minor. The minor should also be involved in the process, if they are capable of 'assenting', by having the study explained to them in age-appropriate terms and then obtaining the minor's verbal assent. The investigator should take into consideration the declared wish of any minor who refuses to take part or wishes to withdraw at any time from the clinical trial or research. Moreover, the assent of the minor, and the consent of the parents or of the legal guardian(s), may be withdrawn at any time without any penalty to the minor.

Where informed consent is being sought from an adult incapable of giving such consent, the consent may be obtained from a legally acceptable representative. The information given to the legally acceptable representative should enable them to understand:

  • the nature, objectives, benefits, implications, risks, and inconveniences of the clinical trial or research;
  • the participant's rights and measures regarding their protection, in particular their right to refuse to participate and the right to withdraw from the clinical trial or research at any time without any resulting penalty and without having to provide any justification; and
  • the conditions under which the clinical trial or research is to be conducted, including the expected duration of the participant's participation in the clinical trial or research and the possible treatment alternatives, including the follow-up measures if the participation of the participant in the clinical trial or research is discontinued.

The information provided to the legally acceptable representative should be comprehensive, concise, clear, relevant, and understandable to a layperson and be in their native language.

DHCC:

No human biomedical research may be initiated without the informed consent of each human participant. Informed consent must be obtained in accordance with the processes and procedures set out in the Research Accreditation and Code of Ethics issued by the DHCC Academic and Research Council.

2.1.2. DATA OBTAINED FROM THIRD PARTIES

UAE:

As described above, the UAE Health Data Laws require that all health data is kept confidential and the circulation thereof will only be permitted in authorised cases. The obligations regarding health data confidentiality may, however, be waived in such instances where the health data is required for scientific purposes and provided that the identity of the participant is not disclosed and that the ethics and rules of scientific research are respected. Moreover, health data stored on the central system established by the Health Data Law may be accessed by those entities that are authorised by the Health Authorities.

Furthermore, while the Health Data Law sets out a general prohibition with regards to the storing and transfer of health data outside of the UAE, the Health Data Transfer Regulation sets out a relevant exception. Health data may be transferred to another entity outside of the UAE, where the health data is used in the scope of scientific research. Health data relating to samples sent to laboratories abroad may also be shared outside the UAE, provided that the health data will not be shared beyond the recipient entity, the health data is being shared on a need-to-know basis, and that certain conditions around encryption and participant consent are met.

The provisions of the Policy Governing Research Involving Human Subjects on the sharing of health data for the purposes of clinical trials and research align with those set out in the UAE Health Data Laws. The Standard on Patient Healthcare Data Privacy also stipulates that the requirement for consent may be waived in such instances where disclosure of health data is required for the purposes of scientific and clinical research, provided that the patient's identity is not disclosed and that the ethics and rules of scientific research are followed.

DHCC:

The Research Regulation provides that a human participant's health data shall only be disclosed in accordance with the DHCC HDPR. To this end, the DHCC HDPR provides that health data may be disclosed for research purposes (for which the DHCC Research Ethics Review Committee, or any other competent ethics committee, has given approval), provided that the health data is not published in such a way that the participant to whom the health data relates could reasonably be identified. Any disclosure of health data made under the DHCC HDPR will only be permitted to the extent necessary for the particular purpose, and the participant, or their legally acceptable representative, must be made aware of the disclosure as soon as practicable. The provisions of the DHCC HDPR apply to both verbal and written disclosures.

3. PHARMACOVIGILANCE

UAE:

The Pharma Law stipulates that any licensed pharmacist must notify the MOHAP or competent Health Authority of any occurrence of any unexpected or serious side effect, unexpected adverse reaction or serious adverse event of a medical product within 15 days from such occurrence or knowledge. Both licensed pharmacists and physicians must notify the MOHAP and competent Health Authority of the presence of any suspected communicable disease.

The Healthcare Regulator Manual reiterates the obligation of healthcare service providers, including both pharmacists and physicians, to promptly notify the ADDH of any adverse effects of medical products and to provide the ADDH with all relevant information in accordance with the Standard on Reporting Suspected Adverse Drug Reactions and Adverse Events following Immunisation. These standards set out ongoing obligations for healthcare service providers to monitor for such adverse effects, as well as specific requirements regarding the manner of reporting and relevant timeframes, e.g. a serious adverse reaction must be reported as soon as possible and in any event no later than 24 hours after becoming aware of the reaction. The ADDH maintains a database of all actual and suspected adverse events relating to the use of medical products in Abu Dhabi, monitoring pharmacovigilance generally through its Pharmacovigilance Centre.

DHCC:

The DHCC Pharmacy Standards stipulate that each licensed pharmacy must appoint and maintain adequate numbers of qualified licensed pharmacists and licensed pharmacy technicians to ensure reliable and consistent services in pharmacies located in the DHCC. The pharmacist in charge is required to establish and maintain a system for pharmacovigilance, including reporting and investigating medication errors at any stage of the pharmacy processes, and to establish and maintain a system for reporting adverse events, including their reporting and investigation.

4. BIOBANKING

UAE:

The Cord Blood and Stem Cell Storage Decision requires that any cord blood and stem cell storage centres that are involved in the collection, testing, processing, preservation, storage, distribution, import, export, and implementation of procedures related to cord blood and stem cells, and other nucleated cells derived from blood-forming cells such as bone marrow, peripheral blood, and cord blood, must be licensed to operate as such in the UAE. Cord blood and stem cell storage centres must put in place organisational structures and operating procedures that are appropriate to the activities they are authorised to carry out. Cord blood and stem cell storage centres must carry out their activities according to the highest standards of quality and safety, in order to ensure the highest levels of health protection in society, and must obtain accreditation from one of the internationally recognised accrediting organisations set out in the Cord Blood and Stem Cell Storage Decision.

Cord blood and stem cells storage centres must maintain records of all their activities, including the types and quantities of cells that were introduced, tested, preserved, stored, distributed, and disposed of, in addition to sources and destinations of the cells prepared for human treatment purposes. Cord blood and stem cells storage centres must also take all necessary measures to ensure the protection of such records and the health data they maintain, ensuring confidentiality of the health data and that the data and records they hold are kept up-to-date and secure.

Where any element of a biobank is maintained digitally, the provisions of the UAE Health Data Laws will also apply. Accordingly, the operators of such biobanks will be required to ensure the confidentiality and security of the health data in accordance with the provisions of the UAE Health Data Laws, as well as limiting access to it and adhering to the 25-year minimum data retention obligations. Biobank operators will also be restricted with respect to the transferring of health data contained in the biobank outside of the UAE, unless a limited exception applies.

DHCC:

The Standard for Clinical Laboratory Services sets out specific requirements for the managing and storing of physical samples and specimens by licensed hospital laboratories, diagnostic clinical, or medical laboratories and licensed non-diagnostic medical laboratories. All laboratories must develop detailed Standard Operating Procedures ('SOPs') which should include all laboratory analytical and operational procedures according to the scope of services provided by the facility. Where the laboratory manages samples, specimens, and biological materials, the SOPs should specifically include information on:

  • specimen collection, labelling, and transport;
  • specimen/sample receiving and processing (detailed test by test);
  • specimen/sample handling, preparation, and storage;
  • sample retention and disposal;
  • minimising the risk of interchange of samples and subsamples; and
  • minimising risk to ensure the safety of the specimen, collector, carrier, the general public, and the receiving laboratory.

Each laboratory must provide suitable infrastructure according to its services, for instance, appropriate specimen or sample storage facilities, including cold storage.

A healthcare operator that is licensed to provide clinical laboratory services must also provide patients and families with information regarding their rights and responsibilities, as well as obtaining informed consent where relevant.

Under the DHCC HDPR, 'records' include all papers, records, recorded tapes, photographs, statistical tabulations, or other documentary materials or data, regardless of physical form or characteristics, including in written or electronic form. Maintaining a biobank will therefore require compliance with the provisions of the DHCC HDPR generally, as described below in Section 5 - Data Management.

5. DATA MANAGEMENT

UAE:

The Medical Liability Implementing Regulation states that a physician must record any procedure carried out on a patient, indicating the type, date, and timing thereof in a detailed medical report in the patient's medical file. Both the medical report and medical file must be made available to the patient and delivered to them upon request.

The Pharma Law sets out an obligation for clinical pharmacists to share the records and health data of patients with their treating physicians. Similarly, the Medical Liability Implementing Regulation also sets out specific conditions regarding the disclosure of health data. A physician, healthcare service provider or health entity may access and/or disclose a patient's health data in the following circumstances:

  • a written application is submitted by the healthcare service provider and such health data is provided for the purpose of protecting public health;
  • the health data to be disclosed is precise;
  • the health data to be disclosed shall be necessary for the accomplishment of any activity or programme within the scope of the activities of the healthcare service provider;
  • such health data will not be used for any purpose other than the one determined in the letter of the health entity; or
  • such health data will not be shared with non-specialists.

As noted above, the UAE Health Data Laws require all health data to be kept secure and confidential, that it be subject only to necessary and authorised access, and that the validity, credibility, and integrity of the health data be maintained. These principles must also be upheld throughout the entirety of the mandatory data retention period of 25 years. These requirements are further clarified in the Guidelines for Managing Health Records.

The Guidelines for Managing Health Records set out information on the management, storage, access, release, protection, retention, and destruction of health records containing health data. Health records should be stored in such a way as to ensure easy retrieval and should be accessible to the relevant parties involved in the patient's treatment and to the patient themselves. Health records should be stored securely in the healthcare facility in appropriate physical or digital environments to protect them from loss, damage, unauthorised use, or theft. Healthcare facilities should monitor staff who have access to health records and nominate a 'data guardian' to ensure that all necessary protections are in place and are fit for purpose against internal and external breaches. Health data should also be anonymised and pseudonymised where possible to reduce the risk of health data being manipulated in the event of a data breach. Moreover, the healthcare facility should have in place policies and procedures for health record security, protection, confidentiality, handling, storage, archiving, and destruction. The data retention periods set out in the Guidelines for Managing Health Records accord with the Health Data Law.

The Standard on Patient Healthcare Data Privacy is applicable to all healthcare service providers licensed and operating in the emirate of Abu Dhabi and sets out guidance similar to the Guidelines for Managing Health Records. Moreover, the ADDH Abu Dhabi Healthcare Information and Cybersecurity Standard sets out further details on the information that various healthcare policies must contain, including policies on third-party security, information system acquisition, development and maintenance, and information security incident management.

DHCC:

In accordance with the DHCC HDPR, health data may only be collected for a lawful purpose connected with the provision of healthcare services and where the collection is necessary to achieve that purpose. The collection must be fair and must not unreasonably intrude on the personal affairs of the patient. Moreover, healthcare service providers must inform patients of the collection prior to, or at the point of, collection. This information must include the purpose of the collection, the intended recipients, the name and address of the healthcare service provider, whether the supply of the health data is voluntary or mandatory, the consequences for the patient if the health data is not provided, and the patient's rights.

Healthcare service providers are responsible for the security of the information systems and networks on which health data is stored and must incorporate security as an essential element of their information systems. Generally, health data may only be used for the purpose for which it was collected.

The DHCC HDPR sets out specific exceptions to this, including where the patient consents to the alternate use, the use is directly related to the original purpose, or where it is necessary to prevent or lessen serious threat or harm to the patient. In a similar vein, the DHCC HDPR also imposes limits on the disclosure of health data, with a number of exceptions, including where the disclosure is to another healthcare service provider that is providing, or will be providing, healthcare services to the patient.

Health data of UAE nationals and expatriates must be retained for a period of ten years and healthcare service providers are required to appoint a data protection officer. Finally, the DHCC HDPR also recognises a patient's right of access to and correction of their health data.

6. OUTSOURCING

UAE:

The relevant Health Authority may grant access to the central system to any competent healthcare service provider established in the UAE. The central system facilitates the exchange and transfer of health data between the Health Authorities and licensed healthcare service providers admitted to use it. In accordance with the Medical Liability Implementing Regulation, the Health Authorities are also authorised to grant access to the central system to individuals providing outsourced services. Where access to the central system has been granted, outsourcing providers must comply with the obligations for its use generally applicable to all those admitted to the central system. These obligations include, among others:

  • maintaining the confidentiality of the health data contained in the central system and not revealing or disclosing it to any third party without the consent of the patient or of their legally acceptable representative;
  • in the event of an emergency where it is not possible to obtain the consent of the patient, healthcare service providers may examine the patient's file for the purpose of providing that patient with necessary healthcare, and must record the reason for examining the file;
  • healthcare service providers must not leave a patient's file open on a computer monitor while it is not in use; instead, the file must be closed;
  • any suspicious activities that may affect the confidentiality of health data must be reported;
  • no email or other means of electronic communication containing patients' health data may be sent unless encrypted;
  • health data contained in the central system must be accurate and kept up-to-date and where such health data is modified, the reason for modification must be entered and the modified information must be saved along with the date of modification and e-signature of the person who carried out the modification in order to track the modifications;
  • all necessary steps must be taken to protect health data from loss, misuse, unauthorised access, disclosure, modification, or destruction;
  • the user authorised to access the central system must have their own username and password and such username and password may not be revealed; and
  • complying with the rules surrounding the saving of health data to the central system.

Where outsourcing providers process health data in the course of providing their services, they will also be bound by the general obligations regarding the management of that health data as described above at Section 5 – Data Management. Beyond this, the Standard on Patient Healthcare Data Privacy requires any healthcare service provider that engages an outsourcing provider to put in place appropriate contractual agreements where such outsourcing provider will be handling health data, as well as notifying patients of the disclosure of their health data and obtaining their consent if necessary. Contractual safeguards must also be put in place where healthcare service providers outsource the development of healthcare-related software.

DHCC:

The DHCC HDPR does not set out specific requirements with respect to the engagement of outsourcing providers by healthcare service providers.

7. DATA TRANSFERS

UAE:

Health data transfers and exchanges that take place within the UAE through the central system must comply with the requirements described above at Section 6 – Outsourcing.

With respect to cross-border health data transfers, the Health Data Law sets out a general prohibition on the processing, storing, and generating of health data outside of the UAE. This general prohibition is subject to certain exemptions set out in the Health Data Transfer Regulation.

For instance, cross-border health data transfers may take place where:

  • the health data is required for the treatment of a patient outside of the UAE;
  • the health data relates to samples sent to laboratories outside of the UAE;
  • the health data is to be used for the purposes of scientific research;
  • the health data is required by an insurance company or claims management company for the purpose of providing health insurance coverage or related services, following the approval of the patient being granted;
  • the health data is required by a competent authority cooperating with the UAE;
  • the health data is required by simple personal-use medical devices that register basic health data such as blood pressure, blood sugar, blood oxygen saturation, etc.;
  • the health data is required in relation to the prevention, treatment, or diagnosis of the patient, and which may lead to side effects, negative effects, or the like, as per the controls and conditions of good pharmacovigilance practices;
  • the health data is used in the scope of providing remote medical services, subject to certain conditions; and
  • the transfer of the health data has been requested by the patient for use abroad, provided that the healthcare service provider receives an official request to this effect directly from the patient or their legally acceptable representative.

Where health data is transferred in accordance with one of the above listed exemptions, it will also be subject to certain additional controls. Such controls include written patient consent, that the health data will only be shared with the intended recipient on a need-to-know basis and that the health data will be encrypted using the highest industry encryption standards. Where health data is shared for the purposes of scientific research or is required by a competent authority cooperating with the UAE, the health data must only be shared in an undefined format. In certain instances, a copy of the health data will also need to be retained in the UAE, irrespective of the presence of a legal basis on which the transfer and/or storage of the health data is permitted to take place.

Healthcare service providers involved in health data transfers must have requisite agreements in place governing health data exchanges as well as having appropriate health data sharing procedures.

DHCC:

The DHCC HDPR establishes an extensive list of circumstances in which health data may be disclosed within the DHCC. This includes, among other things, where: (i) the disclosure is to the patient or with the patient's consent; (ii) the disclosure is directly related to the purpose for which the health data was collected; (iii) the disclosure is necessary to lessen an immediate threat to public health or safety, the patient's life, or the life of another individual; (iv) the disclosure is necessary for the provision of emergency medical treatment; (v) the disclosure is necessary for patient discharges or transfers; (vi) the disclosure is necessary for statistical and research purposes; (vii) the disclosure is necessary for identifying suitability to be involved in health education; and (viii) the disclosure is otherwise required by law. Any such disclosure is only permitted to the extent required for the particular purpose and the patient, or their legally acceptable representative, must be notified of it.

A transfer of health data to a third party located in a jurisdiction outside of the DHCC may only occur where:

  • an adequate level of protection for health data is ensured by the laws and regulations to which that third party is subject;
  • the patient has provided consent to the transfer; and
  • it is necessary for the ongoing provision of healthcare services to the patient.

According to the DHCC HDPR, a jurisdiction will be considered to have an adequate level of protection if that jurisdiction has the written approval of the DHCC Central Governance Board or is listed as an acceptable jurisdiction under the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law'). The DIFC has determined that certain jurisdictions provide adequate levels of data protection; such jurisdictions have data protection laws that are broadly in line with those of the EU. Accordingly, the DIFC lists the EU Member States and the countries of the EEA, along with Andorra, Israel, Switzerland, Argentina, the Faroe Islands, Guernsey, Japan, Republic of Korea, the ADGM, the United Kingdom, Canada, the Isle of Man, New Zealand, and Singapore, as being adequate.

The DHCC HDPR does not make provision for the transfer of health data to jurisdictions without adequate levels of data protection.

8. BREACH NOTIFICATION

UAE:

A general duty is applied to healthcare service providers using and accessing the central system to report any suspicious activities that may affect the confidentiality of health data. In addition, the Standard on Healthcare Data Privacy provides that healthcare service providers must communicate any breach and harmful effects caused by the use or disclosure of health data by their staff, trainees, vendors, third party contractors, or business associates to the Health Authority within 24 hours of becoming aware of it. Such notification timing and procedure must be set out in healthcare service providers' incident response management plans. Healthcare service providers must also thoroughly investigate a breach upon becoming aware of it. A record of the investigation and its corresponding documentation must also be systematically organised and retained such that it can be reported to the Health Authority if needed.

DHCC:

There are no specific health data breach notification requirements under the DHCC HDPR; however, security incidents must be notified to the Customer Protection Unit on a periodic basis.

9. DATA SUBJECT RIGHTS

UAE:

The UAE Health Data Laws recognise a general right to confidentiality, noting that health data must be kept secure to prevent unauthorised access, destruction, amendment, alteration, deletion, or addition to it. The Guidelines for Managing Health Records also provide that, in order to ensure a patient's right of confidentiality, health data records should be destroyed or disposed of by shredding, incineration, electronic deletion, or another equally effective protective measure. A right of access is also recognised, whereby patients, or their legally acceptable representatives, are entitled to receive a copy of their medical reports, or a copy of previous reports, as well as a right to selective disclosure of their health data (in certain circumstances). The Standard on Patient Healthcare Data Privacy also requires healthcare service providers to make available to patients a privacy policy that details their rights, including their right to complain to the ADDH if they believe their health data privacy rights have been violated.

DHCC:

The DHCC HDPR sets out a limited number of patient rights, including the right to be informed, right of access, and right of correction. A healthcare service provider is obliged to take steps to inform a patient where their health data is being processed, including the purpose of the processing, with whom the health data will be shared, the name and address of the healthcare service provider, and the patient's right to access and correction of their health data, among other things. Patients also have a right to access their health data and to promptly obtain a copy of it, free of charge, from the respective healthcare service provider no later than ten working days from the date that the request was received. The right of access may, however, be subject to limitations under certain circumstances. A healthcare service provider is also obliged to take reasonable steps to correct health data at the request of the patient and to ensure that it is accurate, up-to-date, complete, and not misleading.

10. PENALTIES

UAE:

Penalties under the UAE Health Data Laws range from sanctions such as oral and written warnings, fines of up to AED 1 million (approx. €246,320), to temporary suspensions from the use of the central system for not less than six months and complete revocations of access to the central system. Similarly, the Human Medicine Profession Law prescribes disciplinary penalties for violations of the law from written notices/warnings, to fines of up to AED 1 million (approx. €246,320) and suspension or revocation of licences to practice medicine in the UAE. The Pharma Law also sets out penalties of up to five years' imprisonment and/or fines of up to AED 500,000 (approx. €123,160) for certain violations of provisions relating to clinical trials and research.

Relevant penalties for violations of data protection requirements are also prescribed by the UAE's Cybercrime Law and the Penal Code.

The Penal Code recognises a general right to privacy, the breach of which may result in a term of imprisonment in the most extreme cases. Moreover, the Cybercrime Law provides that any person that obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, copies, publishes, or re-publishes electronic personal data or information without authorisation by using information technology or information technology methods will be guilty of a criminal offence, resulting in a fine of up to AED 3 million (approx. €739,000) and/or a sentence of not less than five years' imprisonment. A breach involving health data will be treated as an aggravating factor. It should be noted, however, that such criminal penalties will most likely only be triggered in the most severe cases.

DHCC:

The CPQ is responsible for the compliance and enforcement of the DHCC HDPR. An action that interferes with certain health data principles enshrined in the DHCC HDPR which causes loss, detriment, damage or injury to a patient, adversely affects the rights, benefits, privileges, obligations, or interests of the patient or results in significant humiliation, significant loss of dignity, or significant injury to the feelings of that patient will be considered a breach of the DHCC HDPR. Such breaches may result in fines of up to AED 5,000 (approx. €1,230). Repeated violations of the DHCC HDPR will result in the imposition of additional fines or freezing of the services provided by a licensed healthcare service provider.

11. OTHER AREAS OF INTEREST

UAE:

The Health Data Transfer Regulation permits health data transfers outside of the UAE for the provision of remote healthcare services. In such instances, the following safeguards must be put in place:

  • the concerned physician shall be allowed to access the central system for a determined duration in order to access the health data deemed necessary for the provision of the remote healthcare services; and
  • in case there is a need to send a scientific report or medical image, the determined report or image must be submitted to the concerned physician only.

The patient, or their legally acceptable representative, must issue a formal request to the healthcare service provider for a transfer of the health data to the healthcare service provider outside of the UAE.

The Medical Liability Implementing Regulation also sets out an extensive list of requirements with respect to the provision of remote healthcare services. Such requirements include, among others:

  • obtaining a licence from the relevant Health Authority allowing the provision of such services;
  • ensuring the availability of a fully operational technical network to provide the remote healthcare services in accordance with the standards indicated by the Health Authority, including ensuring sufficient bandwidth, providing alternative methods of communication between the healthcare service provider and the patient, maintaining a reserve power system, complying with the highest quality standards regarding the telephone and call recording systems used by the healthcare service provider, and providing the necessary technological devices for the registration and documentation of the remote healthcare service;
  • providing qualified human resources to deliver the remote healthcare service;
  • maintaining appropriate insurance coverage for any medical errors resulting from or due to the provision of the remote healthcare service;
  • maintaining the necessary means for archiving and storing the patient information and health data collected through the provision of the remote healthcare service;
  • providing a system for the protection of patient health data related to the remote healthcare service, ensuring confidentiality, and prohibiting unauthorised access thereto;
  • providing the necessary mechanisms for the protection of the privacy of patients who avail of the remote healthcare service;
  • adopting manuals and procedures regulating the provision of the remote healthcare service, indicating all roles and liabilities in the context of the governance system;
  • setting a system in place to determine and verify the identity of the patient receiving the remote healthcare service; and
  • obtaining the consent of the patient before transferring their health data to any other facility for the purpose of performing a remote diagnosis.

Abu Dhabi:

In 2019, the ADDH announced the launch of the Abu Dhabi Healthcare Information and Cyber Security Standard. The general cyber security requirements enshrined therein apply to all ADDH regulated healthcare service providers, such as healthcare/medical facilities, healthcare professionals, and support staff who have access to patients' health data, diagnostic laboratories, pharmacies, and insurance providers. The Abu Dhabi Healthcare Information and Cyber Security Standard covers health data in both physical and digital forms, medical device and equipment, applications and software, information systems, and physical infrastructure, such as data centres and human resources personnel that support healthcare services.

Health data transfers and exchange standards are regulated by the ADDH that oversees the Policy on Health Information Exchange, which mandates the use of coding standards and units of measurement to standardise the capturing of patients' demographics and clinical data in electronic medical records. Health data transfers and exchanges are facilitated through Malaffi, Abu Dhabi's central system that is operated by Abu Dhabi Health Data Services.

Health facilities are required to create interoperability standards and agreements that can be leveraged for all health facilities subject to the ADDH Standard on Patient Healthcare Data Privacy.

Stefan Mrozinski, Partner
Gabrielle Lowe, Lawyer
Arnold Krutilins, Associate
White & Case LLP, Dubai

Any views expressed in this publication are strictly those of the authors and should not be attributed in any way to White & Case LLP.