Al Tamimi’s Andrea Tithecott, Partner and Head of Healthcare & Life Sciences Practice, and Andrew Fawcett, Partner, Digital & Data, consider the application of the new ICT Health Law and Resolution 51.
Since the introduction of a Federal law specifically regulating patient health data in 2019, the United Arab Emirates (UAE) has promulgated the concept of data localisation, with restrictions upon health data sent outside the country. This is an important consideration for any international health provider undertaking digital health projects in the UAE.
ICT Health Law
Federal Law No.2 of 2019 on the use of information and communications technology (ICT) in health fields in the UAE (ICT Health Law) introduced national regulations to allow the Ministry of Health and Prevention (MOHAP) to collect and analyse health data at a state level in the UAE.
One of the most impactful provisions of the ICT Health Law was that it mandated that health information and data related to services provided in the UAE could only be processed, generated, or transferred outside of the UAE in cases prescribed by virtue of a decision issued by a local Emirate health authority, in coordination with MOHAP.
This restriction on the movement of health data was problematic for healthcare providers whose services involve the movement of health data across borders, such as where local healthcare providers had entered into partnerships with international partners for second opinion services, data analytics, insurance claims processing, or other data processing activities.
Despite MOHAP alluding to allowances for data transfers being permitted by local health authorities, no such resolutions were passed for a period of nearly two years, with some considerable ‘grey areas’ and lack of transparency as to how to go about seeking approval on a case-by-case basis.
In response to requests from the healthcare community for clarity on this issue, MOHAP took steps to address the situation. In April of 2021, Ministerial Resolution No 51 of 2021 concerning Federal Law No.2 of 2019 on the use of Information and Communication Technology in Health Fields and Executive Regulation (Resolution 51) introduced several clarifications and exceptions to the data localisation restriction in ICT Health Law.
Providing Definitions to Terms and Phrases
Resolution 51 defines the phrase “health services provided within the [UAE]” as “any health work or procedure carried out by a health facility operating within the [UAE], whether it is within the scope of diagnosis, prevention, treatment, rehabilitation or health monitoring.”
The Permissible Cases
Generally, the default position remains that health information and data may not be stored or transferred outside of the UAE.
However, the Resolution expressly provides for 10 circumstances wherein the transfer of health information and data outside of the UAE may be permissible.
Those 10 exemptions are as follows:
1. Overseas Treatment: The information and data is of patients being treated outside of the UAE, within the limits of the necessary treatments and procedures.
2. Overseas Laboratories: The information and data is related to samples that are sent to laboratories outside of the UAE.
3. Scientific Research: The information and data is used within the framework of scientific research, in compliance with the laws of the UAE.
4. Insurance: The information and data is required by insurance institutions and claims management institutions within the scope of their procedures.
5. Organisations Cooperating with the UAE government: The information and data is requested by competent organisations that cooperate with the UAE.
6. Personal Medical Devices and Wearables: The information and data is in simple medical devices and tools used by the public, based on personal use, and entails the recording of some simple medical data for the patient.
7. Drug Safety: The information and data is related to the prevention, treatment, or diagnosis of a patient that may cause side, reverse, or negative reactions.
8. Transfers Approved by a Health Entity: The information and data is related to any other health information and data that a health entity agrees to transfer or store outside of the UAE (subject to some further considerations related to public security, public interest, and public health).
9. Telemedicine: The information and data is used within the scope of providing telehealth services.
10. Specific Formal Patient Requests: The health entity keeping the information and data of a specific person receives an official request from that person or their legal representative for a transfer for use outside of the UAE.
Additional Conditions for Rendering the Exemptions Permissible
In addition, the Resolution states that certain conditions must be fulfilled in order to render the aforementioned cases listed in exemptions 1, 2, 5 and 7 above fully permissible.
Those conditions are as follows:
• Written consent of the recipient of the health service or his legal representative must be obtained;
• Only the concerned person or entity shall be authorised to access the data and information;
• Data and information related to the relevant health condition of the concerned patient will only be transferred to the extent needed to use such data and information for its intended purposes; and
• Data and information shall be encrypted before being sent, using the best encryption standards.
In addition to these controls, a copy of the relevant health information and data must be kept and stored inside the UAE, as well as documentation of consent for the transfer or storage outside of the UAE for the exemptions in clauses 5, 7, 8 and 10 above.
The health data and information listed in exemptions 3 and 5 are subject to the following controls:
• No identifiable information about the patient may be transferred;
• Only the concerned entity may access the data and information;
• The data must be encrypted using the best encryption standards before it is sent; and
• Data and information shall be transferred using media of the highest security standards.
Exemption 3 maintains an additional control requiring that the sharing of data and information must be made for the purpose of scientific research only, and not be used for purposes other than the research being carried out.
Health data and information transferred under exemption 4 are subject to the following controls:
• The insurance institutions and claims management institutions must be operating in the UAE;
• All data and information must be stored inside the UAE;
• No identifiable data about the patient may be transferred;
• Written consent of the recipient of the health service shall be granted;
• The data and information shall not be completely transferred;
• The insurance policy number may be sent for processing only if part of the request is concerned with processing claims outside of the UAE; and
• The data and information shall be encrypted using the best encryption standards before being sent, and will be transferred using media that adopt the highest security standards.
A patient who comes to the UAE on a visitor visa may transfer their health data and information outside of the UAE at their request or for the purpose of fulfilling the health insurance requirements.
Resolution 51 and permissible transfers – one year on
One year has now passed since Resolution 51 was brought into force. The question is, has Resolution 51 fixed the problem? Does it allow sufficient flexibility for data transfers when there is a legitimate justification?
The jury remains firmly out on this question. Unless a transfer squarely falls within a listed exemption under Resolution 51, the exemption does not apply and a further approval is needed from a local Emirate health authority. Unfortunately, neither the health authority in Dubai nor the one in Abu Dhabi has published any guidance or a clear process for making an application for approval. It is a matter of approaching the regulator on a case-by-case basis and arguing the case for a one-off approval.
This is an undesirable situation, but despite further protestations from stakeholders engaged in digital health projects requiring trans-border movement of health data, MOHAP does not appear to be mobilising on this topic or considering widening the goal posts.
While Resolution 51 provides welcome guidance on when health data may be transferred outside of the UAE, the exemptions remain limited and subject to particular controls. Accordingly, any business that wishes to rely on any of the exceptions must ensure proper comprehension and compliance with the exception and its conditions.