The UAE's Health Data Law: an important and welcome update permitting certain transfers of health data

The United Arab Emirates has issued guidance in relation to the cross-border transfer of health-related data, including telemedicine, which was previously prohibited under the UAE's Health Data Law. In this article, we explain the changes in the law and how to comply with the new regulations when making international transfers of health-related data.

The headline news

The United Arab Emirates recently issued a long-awaited statutory instrument, Ministerial Resolution 51/2021 (the "Resolution"), which provides clarity on circumstances in which health data may be shared and processed, and puts in place a practical framework allowing for the transfer of health data in connection with health services provided within the UAE.

The Resolution is a welcome development, the first piece of legislation setting out any parameters for data transfer and storage since the publication of Federal Law No. 2 of 2019 (the "Health Data Law"), which entered into force in May 2019 and put in place a number of restrictions on storing and processing patient data electronically, including a prohibition on the storage, processing, generation, or transfer of health-related data outside of the jurisdiction without the appropriate permissions from the UAE Ministry of Health and Prevention. Since the Health Data Law came into force, healthcare providers have largely either taken a risk-based approach or avoided any practices which could involve data transfer outside of the UAE; the Resolution offers a clear roadmap for legal operations and will allow consumers and providers alike a greater degree of freedom to operate.
 
The Resolution sets out 10 exceptions (listed in full below) to the general prohibition on the transfer of health data, including in relation to medical treatment provided overseas, insurance claims, samples shared with overseas laboratories, and the provision of remote medical services. There is also a general exemption for data whose transfer the relevant patient, or their legal representative, makes an "official request" for, although the Resolution gives no guidance on what form this official request should take.

Several of the exceptions require that written consent be obtained from the patient before the data is transferred, and healthcare providers should work closely with their IT and data security teams to ensure that the data is encrypted and adequately protected both before and during transmission.


The finer details

  • The Health Data Law defines health information as any health-related information processed and given a visual, audible, or readable indication attributed to the health sector, and states that it applies to all information and communication technology methods and uses in health fields, both onshore and in free zones. Article 13 of the Health Data Law states that "health information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority in coordination with the Ministry." Since the publication of the Health Data Law, legal advisors and medical providers alike have been awaiting guidance on any exceptions and on any application process for permission to transfer data overseas.
  • The full list of circumstances in which health data may be transferred overseas is:
    • Treatment overseas – where necessary to facilitate the provision of medical treatment outside of the UAE.
    • Laboratory testing – where related to samples sent to laboratories overseas.
    • Scientific research – any data or information used for scientific research purposes, so long as the research is in compliance with UAE laws and standards and has been approved by the relevant health authority.
    • Insurance coverage and claims – any information or data required by insurance companies and/or claims management companies in connection with the provision of health insurance, subject to the insured patient's specific approval.
    • Organizations co-operating with UAE governmental bodies – any data and information required by organizations co-operating with the UAE state or its entities, provided that the data or information is within the purpose of the request and co-operation.
    • Medical devices and wearables – data and information relating to simple medical devices and tools used by members of the public in a non-supervised capacity and which require the registration of simple medical data such as blood pressure, blood sugar or similar.
    • Pharmacovigilance – any data and information related to detection, assessment, understanding, prevention, treatment or diagnosis of adverse effects of any medicament or any other medicine or vaccine-related issue, subject to the controls and conditions of generally-accepted good pharmacovigilance practices.
    • Data transfers approved by the healthcare facility – any other medical information or data that the healthcare provider approves for transfer or storage outside the UAE, provided that (i) the information or data is not confidential for grounds related to public security, public interest, or public health, and (ii) the disclosure of the information or data does not lead to the disclosure of any medical secret of the patient, unless the patient has given specific written approval. 
    • Telemedicine – all data and information used in relation to providing remote medical services, provided that (i) the doctor or other professional is allowed to access the system only for a specific and limited period of time in order to access the necessary information and data, and that the access does not extend further than specifically required in either time or scope, (ii) if a specific report or medical image needs to be transmitted, this may only be sent directly to the relevant doctor or other medical professional, and (iii) the patient gives their written consent.
    • Specific, formal request by the patient – any information and data related to a patient who makes a formal request to the medical facility detailing the information required to be shared and the intended recipient.
  • The majority of the exceptions laid out above are subject to further controls and conditions, set out in Articles 3, 4 and 5 of the Resolution. These are:
    • in relation to exceptions 1, 2, 5, 7 and 10:
      • the patient must grant specific written consent;
      • the information and data must only be shared with the specific entity and persons notified to the patient;
      • the information and data must only be shared to the extent specifically required for the individual case or treatment; and
      • the data and information must be encrypted to the highest possible standard prior to transmission;
    • in relation to exceptions 5, 7, 8 and 10, copies of the data and any consents or permissions must be kept and stored in the UAE;
    • in relation to exceptions 3 and 5:
      • the data must be anonymised;
      • the data may only be shared with the specific entity authorized;
      • the data and information must be encrypted to the highest possible standard prior to transmission; and
      • the data and information must be transmitted using the highest possible level of security;
    • in relation to exception 3, the information and data must only be used for scientific research and not used for any reason other than the research;
    • in relation to exception 4:
      • the insurers and claims management companies must be those operating (and therefore licensed) within the UAE, and all data and information must be stored in the UAE;
      • all data must be anonymised;
      • the patient must provide their written consent;
      • the data and information must not be transferred in full (i.e. only the specific information required must be transferred);
      • the insurance policy number may be only transferred to facilitate treatment outside of the UAE, and must not be transferred in other circumstances;
      • the data and information must be encrypted to the highest possible standard prior to transmission; and
      • the data and information must be transmitted using the highest possible level of security.
    • Patients visiting the UAE are permitted to transfer their medical data and information outside of the UAE for the purposes of their insurance requirements in their home country.

Next steps

Businesses looking to take advantage of the new regulations by partnering with entities or physicians based internationally should proceed with due caution. They should ensure that they comply with all of the relevant technological and technical requirements in relation to data security, as well as with Emirate- or Free Zone-level regulations on the provision of telemedicine services, some of which require agreements to be put in place with duly licensed facilities and professionals overseas rather than permitting telemedicine to be practised on an ad hoc basis. Businesses located in jurisdictions within the UAE which have their own data protection regulations, such as the DIFC or ADGM, should also be mindful of their obligations under those laws.

For further advice on how best to operate in light of the new regulations, or if you have any other questions, please contact Imtiaz Shah or Ashley Connick in Hogan Lovells’ Dubai Corporate practice on imtiaz.shah@hoganlovells.com or ashley.connick@hoganlovells.com respectively.

Authored by Imtiaz Shah and Ashley Connick.