Welcome to the Saudi Arabia focus edition of Law Update.
One of the key markets in the Middle East and North Africa (MENA) that continues to lead from the front is the Kingdom of Saudi Arabia (KSA). As the largest country in the Middle East and the 18th largest economy in the world, the progress KSA continues to make is underpinned by its Vision 2030 that envisions developing the country as an investment powerhouse and hub that ultimately connects Asia, Europe, and Africa. Given Saudi Arabia’s significance to the regional economy, our team of experts have prepared a range of pertinent articles that provide insights into new laws, regulations, and the legal landscape in the Kingdom.
This edition will provide you with an up-to-date guide on matters such as; the framework issued by the Saudi Central Bank on IT governance, the anti-corruption landscape under Vision 2030; we also provide practical tips for dispute avoidance. This is only a snapshot; there are many more articles within the KSA focus section for you to read, which we hope you will find valuable and enjoyable.Read the edition
Amna Qureshi - Associate - Digital and Data
Increasingly, we are hearing about ‘med-tech’ and the use of technology and innovation in transforming the healthcare sector around the globe. With the EU General Data Protection Regulation (‘GDPR’) that came into effect earlier this year, and many jurisdictions in the region, and across the globe, now implementing or in the process of implementing their own data protection regimes, it is clear that data privacy and security are global issues of which all companies need to be aware. It is of particular importance when dealing with highly confidential healthcare information in the healthcare sector. In this article, we take a look at some of the key tech trends in relation to the UAE and some of the legal issues that can arise as a result, specifically in relation to data privacy and security.
While cloud technology offers great potential for providing benefits to healthcare industries, specifically due to the large volume of files processed and managed by healthcare entities, there are certain issues that arise from a UAE regulatory perspective. Information that relates to patients is generally considered highly sensitive. The UAE has certain restrictions in relation to where patient data is stored.
This does not mean that cloud solutions cannot be adopted in the healthcare sector; rather, such technological solutions will need to meet the requirements of the applicable UAE regulations. Various federal laws are applicable. Here we highlight several of the healthcare authority specific regulations.
The Dubai Health Authority (‘DHA’) touches upon data protection in a number of different healthcare regulations, including the DHA Healthcare Record Guidelines, which addresses proper record keeping, storing, and destruction of patient healthcare records. However, the DHA has not yet implemented a comprehensive healthcare data protection and security policy.
For entities based in Dubai Healthcare City (‘DHCC’), the DHCC Health Data Protection Regulation No. 7 of 2013 (‘Regulation’) restricts disclosure of patient health information to a third party located outside DHCC, unless certain conditions are met. Specifically, it sets out requirements regarding patient data, such as retention periods, storage and security requirements, and limits on disclosure. The Regulation goes so far as to set out the jurisdictions that are pre-determined to have an adequate level of protection, thereby permitting the transfer of patient health information to those jurisdictions, after the transfer is authorised by the patient or the transfer is determined to be necessary for the ongoing provision of healthcare services to the patient.
The Department of Health Abu Dhabi’s (‘DOH’) Information Retention Policy expressly provides that off-site storage systems may be adopted as retention options, provided that the off-site storage system ensures the same level of access, safety and security of the records/information as provided by the healthcare facility. However, it is the originating facility’s responsibility to ensure that this criterion/requirement is satisfied.
Further, the DOH Data Standard sets out protection policies and procedures regarding confidential health information (‘CHI’), which is all of the information that can be used to identify a patient or a commercial entity in a commercially sensitive context. This standard covers storage and transmission of CHI. The DOH Data Standard recommends data encryption, even when using secure point-to-point connections. Finally, the DOH’s Healthcare Regulator Policy Manual (‘Policy Manual’), amongst others, imposes general duties on healthcare providers, including ensuring that:
Telemedicine is the provision of healthcare services via telecommunication and information technology, and generally covers video conferencing, as well as electronic sharing of medical images and results. Its obvious benefits include increasing accessibility, and reducing both costs and wait time for diagnosis and treatment. However, with more and more of this sensitive information exchanged through online systems, it is very important that telemedicine companies operating in the UAE have effective and transparent methods of communicating to patients how their personal information will be processed (and obtaining the proper consents required under the applicable UAE regulations).
For example, if a patient has a teleconsultation with a general practitioner (‘GP’), and the GP determines that the patient should be referred to a specialist, it is very important that the patient gives his or her consent to that transfer of personal information, or that the GP has some other legal basis for transferring that personal information. Therefore, telemedicine providers need to understand and adhere to their confidentiality, security and data protection requirements.
Recent developments in policies and regulations demonstrate that the DHA will support telemedicine as a way of improving the delivery of care. In support of this objective, the DHA’s long-term vision to implement the Dubai Smart Healthcare Model, launched in 2013, includes the implementation of telemedicine technology. In 2017, the DHA’s Administrative Resolution No. 30 of 2017 Approving the Regulations of Telehealth Care Services came into effect, which requires practitioners to take adequate measures to ensure the confidentiality and integrity of patient information, and even requires practitioners to explain to patients what measures are in place to maintain their privacy. Further, the outsourcing of diagnostic imaging services through teleradiology is specifically permitted by the DHA. The Diagnostic Imaging Services Regulation of 2012 states, “[d]iagnostic imaging services and/or reporting and interpreting services may be provided within the [d]iagnostic imaging premises, or by written agreement with [an] outside provider.” The DHA requires that the transferring of the image and report must be in such a way so as to ensure the diagnostic image quality and confidentiality of the report. Technologies, such as picture archiving and communication systems or teleradiology, are permitted to augment service provision. When utilising teleradiology services in Dubai, the diagnostic imaging facility must submit a request to the DHA with evidence that the services and technology meet the standard requirements.
Similarly, the DOH implemented a Service Standards for Tele-counselling in the Emirate of Abu Dhabi, which requires providers to adhere to the DOH’s regulations in relation to data management and medical record retention. DOH licensed telecounselling healthcare providers must comply with the data retention requirements of the DOH Standard for Medical Record, Health Information Retention and Disposal Standard, even when patient data may be transmitted outside the Emirate of Abu Dhabi. The DOH licensed healthcare provider is expected to have written agreements in place, memoranda of understanding and contracts with the telecounselling service providers, including the elements prescribed in the Standard. At a minimum, to ensure compliance with relevant federal laws, the provider should obtain the patient’s written consent to disclose the patient’s data to a tele-counselling partner and, where applicable, its transmission and storage outside of the Emirate of Abu Dhabi.
Further, the Dubai Healthcare City Regulatory (‘DHCR’) Standards for Telehealth Services of 2017 requires DHCR licensed healthcare facilities to obtain approval for the addition of ‘tele healthcare services’ to their facility licence prior to commencing the same.
It is 2018. It is very likely that you or at least someone you know uses a wearable. Whether it is a smart watch, smart glasses, or even smart clothing, wearable technology is becoming increasingly popular. Wearable technology is being used not only in the preventive medicine space, but also for the treatment and monitoring of medical conditions. For example, the DHA has partnered with a wearable technology provider to implement a pilot sensor-augmented physiotherapy and rehabilitation initiative at Rashid Hospital and Latifa Hospital to assist people suffering with disabilities. The data collected from these wearable devices is very personal in nature and generally includes location data and health data, such as heart rate, sleep related data, calories burned, exercise and activity statistics. Wearable companies should ensure they have very clear privacy policies that set out how they are managing this personal information as well as whether its technology crosses the threshold so as to be considered a medical device by the UAE Ministry of Health and Prevention.
The use of artificial intelligence (‘AI’) and machine learning in healthcare includes a broad spectrum of technology, such as chatbots, data predicting analysis, AI assisted robotic surgery and even a machine learning algorithm for image analysis. Just earlier this year, the DOH released a new policy (‘AI Policy’) to govern the use and implementation of AI in healthcare. The DOH is the first entity in the region to take this step, and the AI Policy also forms part of the implementation of the UAE’s strategy of AI launched in October 2017, which aims to embrace AI in numerous sectors, including healthcare.
The AI Policy notes that the role of AI in healthcare service delivery includes enhancing data analysis and improving the specificity of diagnoses and prognoses; however, it also recognises that users of AI must still comply with all UAE and the DOH regulatory requirements, including data protection. The AI Policy sets out what the DOH considers the essential requirements of an effective AI in a healthcare framework. While the policy sets out minimum acceptable requirements that the DOH expects of AI (and its tools) introduced in Abu Dhabi, it leaves to future implementation a regulatory framework that governs the safety, responsibility, transparency and ethical implications of AI use in healthcare.
While the regulatory framework for advances in technology tools for the healthcare sector are ever changing, it is clear that the UAE regulators are forward thinking. However, as with all countries, regulations lag behind innovation. Consequently, technology providers must understand the legal and regulatory landscape with which their technology solutions will need to comply.
Al Tamimi & Company’s Healthcare Practice Group regularly advises on healthcare technology matters in the UAE. For further information please contact Amna Qureshi (firstname.lastname@example.org) of our Technology Media and Telecommunications department or Christina Sochacki (email@example.com) of our Corporate Commercial department.