Federal Law No.2 of 2019 – Using IT and Telecommunications in the Healthcare Sector

Further to our recent Regulatory Alert "UAE Legal Update – Regulatory Alert

Healthcare Federal Law No.2 of 2019 – Using IT and Telecommunications in the Healthcare Sector" We now set out further details of the Law in this Regulatory Alert (2).

Federal Law No. (2) of 2019 – Using IT and Telecommunications in the Healthcare Sector was promulgated by UAE Federal Government at the Presidential Palace of Abu Dhabi on 6 February 2019 and is yet to be published in the Gazette at the time of writing. Once the Law is Gazetted and published, its provisions shall come in to force three (3) months thereafter.

The Law, for all intents and purposes is the first Federal data/privacy law of its kind in the United Arab Emirates albeit limited to healthcare data. The Law, (like US statute, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, which deals with privacy rule for the protection of healthcare data) is a timely welcome relief with the recent implementation of the European Union (EU) General Data Protection Regulations (GDPR).

The Law will also be extremely relevant to Cyber risks, where we would predict that this line of insurance cover will grow in the UAE. Interestingly, many organisations in the UAE do not have insurance coverage in place for Cyber risks and they should look to review their current practices and existing insurance coverage to address this issue.

The Law prescribes 31 Articles and its application is wide both in terms of geographical spread and industry sectors. The Law covers the entire United Arab Emirates (UAE) including the Free Zones and will impact on many sectors including local healthcare regulators in the different Emirates as well as all sectors dealing with healthcare data/information. We anticipate that will include healthcare providers/facilities, medical insurance providers, insurance intermediaries dealing and placing medical insurance, third party medical claims administrators, technology companies in the healthcare space, and others dealing with healthcare date/information through technology platforms.

Article (1) sets out the definitions and includes inter alia "Data, Health Information, Processing, and Circulation of Health Information," which all have wide definitions to capture all and any areas of data processing related to health data and information. "Health Authority" is defined as "Any governmental Federal/local health entity in UAE", which will include the Department of Health, Abu Dhabi (formally HAAD), the Dubai Health Authority (DHA) and other Emirates with established health authorities. "Competent Authority" has a broad definition to include inter alia "Every authority in UAE that provides health services or health & medical insurance services, its brokerage, electronic services in the health domain which are directly/indirectly connected with the application of the provisions hereof". For the first time, the Law creates a "Central System", which is defined as "Set of electronic exchange of health data and information including the set of electronic parts/elements connected to each other to operate together for attainment of a specific purpose".

For the purposes of this update, we have referred to entities that deal with healthcare data/information in the UAE through IT/electronic platforms as "healthcare data/information processors" and Emirate healthcare regulators as "Health Authorities" where the context permits.

Pursuant to Article (3) of the Law, the objectives are ensuring the safety and security of health data/information using international standards and practices while ensuring the optimal use of Information and communications technology in the healthcare areas enabling the Ministry of Health & Prevention to collect, analysis and save the health data and information at a UAE level.

Article (4) regulates information and communications technology in the healthcare sector. This includes maintaining health data/information confidentiality by prohibiting the data to be handled in unauthorized cases, ensuring the authenticity and credibility of health data/information by maintaining its safety against unauthorized dilapidation, variation, misrepresentation, deletion or addition and ensuring availability of health data/information to the authorized parties and facilitation of accessibility of that data whenever needed by those parties.

Interestingly, and for the first time, Article (5) creates a Central System for data population between the Ministry of Health & Prevention, Health Authorities and all those involved with healthcare data/information, i.e. healthcare data/information processors. This is a welcome move by the UAE Government as we anticipate that where health data and information is captured and processed properly, this will benefit the UAE healthcare markets in terms providing quality and accurate data to avoid potential frauds and better underwritings of health insurance risks for the market.

Articles (7) and (8) refers to implementing regulations and suggests that these will deal with guidelines and procedures for joining the Central System as well as the confidentiality and protection measures to be put in place. Article (6) obligates all those involved with healthcare data/information to set up principles, standards and regulations for electronic systems/platforms to avoid and manage risk with healthcare data/information in terms of protection, transfers, processing, controlling, copy and amending healthcare data/information.

Article (10) refers to and deals with the coordination of healthcare data/information through information and communications technology between the Ministry of Health and Prevention, Health Authorities and healthcare data/information processors referring to the implementation of a national strategic plan.

Article (11) places, what might be deemed an implied contract between healthcare data/information processors and the Health Authorities obligations as to the authenticity, credibility and availability of health data/information in a way that would ensure the conformity of the used IT systems and the interfering operation among them for exchange and collection of health data/information. Article (11) specifically refers to "Warranty of Conformity of Used Electronic Systems". Articles (12) and (13) provide obligations around storage of healthcare data/information within and outside the UAE respectively, to be detailed by further Ministerial Resolutions. In terms of Article (13), health data/information may not be stored, processed, generated or transferred outside UAE related to the health services provided within UAE, other than through resolution issued in favour of the healthcare data/information processors in coordination with the Ministry of Health & Prevention. This of course will impact on many global health insurance providers that often process health data outside the UAE although we anticipate that if those healthcare data/information processors can satisfy the Ministry of Health & Prevention and the Health Authorities that they have appropriate systems and controls in place as to the security and control of the data, then this should not present any hurdles.

Article (14) prohibits use of the Central System unless the healthcare data/information processors is licensed by the competent authorities. Article (15) refers to the publication and statistics of health data/information subject to further clarity with specified guidelines.

Article (16) addresses information related to patient confidentiality protections and maintains the confidentiality of the data to only be used and processed for the specific purpose of health matters unless the patient consents or exceptions apply, which are:

Processing related to health financing or health insurance services and benefits;

Processing of scientific and clinical research provided that the patient's identity is not disclosed;

Processing for taking preventive and treatment measures related to public health or maintaining the safety and health of the patient;

Processing at the request of the competent judicial authorities; and

Processing at the request of the healthcare data/information processors for the purposes of supervision, inspection and maintaining public health.

Article (18) permits the Ministry of Health & Prevention to instruct Ministries and Health Authorities to block websites whether in the UAE or abroad where those websites are in violation of the guidelines/standards and without the appropriate licenses and authorisations.

Of interest, Article (19) obligates, we believe healthcare data/information processors to undertake training and qualifications through human cadres to ensure security and safety of the health data and information. Article (20) deals with retention periods and Articles (22) to (26) deals with violations, penalties and disciplinary sanctions, where financial penalties can range up to one million Dirhams. The penalties and sanctions in the Law are without prejudice to other violations on other laws including the UAE Penal Code.

In summary, the Law will have far reaching consequences for UAE healthcare services and IT industries insofar as it places strict obligations for the processing and control of health data and information in the UAE. Many business and organisations will need to carry out data information audits to stress test their current systems and control to meet compliance with the new requirements. We anticipate further guidance through Resolutions, Circulars and other forms of legal instruments from the Ministry of Health & Prevention. The Law is complex, and we recommend legal advice should be sought for further clarifications.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.