Setting Healthy Boundaries – regulated exemptions to restrictions on the transfer of health data outside of the UAE

Andrew Fawcett - Partner - Digital & Data


 

Federal Law No.2 of 2019 on the use of information and communications technology (‘ICT’) in health fields in the UAE (‘ICT Health Law’) introduced national regulations to allow the Ministry of Health and Prevention (‘MOHAP’) to collect and analyse health data at a state level in the UAE.

One of the most impactful provisions of the ICT Health Law was that it mandated that health information and data related to services provided in the UAE could only be processed, generated, or transferred outside of the UAE in cases prescribed by virtue of a decision issued by a local Emirate health authority, in coordination with MOHAP.

This restriction on the movement of health data was problematic for health care providers whose services involve the movement of health data across borders. This was particularly impactful given that, for a period of nearly two years, there were no formal decisions by the regulators permitting transfers outside of the UAE.

MOHAP has since addressed the situation. In April of 2021, Ministerial Resolution concerning Federal Law No.2 of 2019 on the use of Information and Communication Technology in Health Fields and Executive Regulation (‘Resolution’) introduced several clarifications and exceptions to the data localisation restriction in the ICT Health Law.

 

Providing Definitions to Terms and Phrases

The Resolution defines the phrase “health services provided within the [UAE]” as “any health work or procedure carried out by a health facility operating within the [UAE], whether it is within the scope of diagnosis, prevention, treatment, rehabilitation or health monitoring.”

 

The Permissible Cases

Generally, the default position remains that health information and data may not be stored or transferred outside of the UAE. However, the Resolution expressly provides for 10 circumstances wherein the transfer of health information and data outside of the UAE may be permissible.

Those 10 exemptions are as follows:

  1. Overseas Treatment: The information and data is of patients being treated outside of the UAE, within the limits of the necessary treatments and procedures.
  2. Overseas Laboratories: The information and data is related to samples that are sent to laboratories outside of the UAE.
  3. Scientific Research: The information and data is used within the framework of scientific research, in compliance with the laws of the UAE.
  4. Insurance: The information and data is required by insurance institutions and claims management institutions within the scope of their procedures.
  5. Organisations Cooperating with the UAE government: The information and data is requested by competent organisations that cooperate with the UAE.
  6. Personal Medical Devices and Wearables: The information and data is in simple medical devices and tools used by the public, based on personal use, and entails the recording of some simple medical data for the patient.
  7. Drug Safety: The information and data is related to the prevention, treatment, or diagnosis of a patient that may cause side, reverse, or negative reactions.
  8. Transfers Approved by a Health Entity: The information and data is related to any other health information and data that a health entity agrees to transfer or store outside of the UAE (subject to some further considerations related to public security, public interest, and public health).
  9. Telemedicine: The information and data is used within the scope of providing telehealth services.
  10. Specific Formal Patient Requests: The health entity keeping the information and data of a specific person receives an official request from that person or their legal representative for a transfer for use outside of the UAE.

 

Additional Conditions for Rendering the Exemptions Permissible

In addition, the Resolution states that certain conditions must be fulfilled in order to render the aforementioned cases listed in exemptions 1, 2, 5 and 7 above fully permissible.

Those conditions are as follows:

  • Written consent of the recipient of the health service or his legal representative must be obtained;
  • Only the concerned person or entity shall be authorised to access the data and information;
  • Data and information related to the relevant health condition of the concerned patient will only be transferred to the extent needed to use such data and information for its intended purposes; and
  • Data and information shall be encrypted before being sent, using the best encryption standards.

In addition to these controls, a copy of the relevant health information and data must be kept and stored inside the UAE, as well as documentation of consent for the transfer or storage outside of the UAE for the exemptions in clauses 5, 7, 8 and 10 above.

The health data and information listed in exemptions 3 and 5 are subject to the following controls:

  • No identifiable information about the patient may be transferred;
  • Only the concerned entity may access the data and information;
  • The data must be encrypted using the best encryption standards before it is sent; and
  • Data and information shall be transferred using media of the highest security standards.

Exemption 3 maintains an additional control requiring that the sharing of data and information must be made for the purpose of scientific research only, and not be used for purposes other than the research being carried out.

 

Insurance Context

Health data and information transferred under exemption 4 are subject to the following controls:

  • The insurance institutions and claims management institutions must be operating in the UAE;
  • All data and information must be stored inside the UAE;
  • No identifiable data about the patient may be transferred;
  • Written consent of the recipient of the health service shall be granted;
  • The data and information shall not be completely transferred;
  • The insurance policy number may be sent for processing only if part of the request is concerned with processing claims outside of the UAE; and
  • The data and information shall be encrypted using the best encryption standards before being sent, and will be transferred using media that adopt the highest security standards.

A patient who comes to the UAE on a visitor visa may transfer their health data and information outside of the UAE at their request or for the purpose of fulfilling the health insurance requirements.

 

Conclusion

While the Resolution provides welcome guidance on when health data may be transferred outside of the UAE, the exemptions remain limited and subject to particular controls. Accordingly, any business that wishes to rely on any of the exceptions must ensure proper comprehension and compliance with the exception and its conditions.

 

For more information on how we can help, please contact either our specialist Healthcare practice group or Digital & Data teams.