Information and communication technology (‘ICT’) plays a critical role in supporting the delivery of quality healthcare service through the provision of new and efficient ways of accessing, communicating, using and storing health data.
Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Healthcare (‘ICT Health Law’) regulates the use of ICT in the healthcare sector throughout the United Arab Emirates (‘UAE’), including in free zones, with the following four aims:
The ICT Health Law came into force in May 2019 and is fully effective, although not yet fully supplemented by implementing regulations, which are expected to be issued imminently.
Health Data in the ICT Health Law is broadly defined as “health data processed and made apparent and evident whether visible, audible or readable, and which are of a health nature whether related to health facilities, health or insurance facilities or beneficiaries of health services”.
The new law contemplates the establishment of a centralised health data exchange (‘HIE’ or ‘Central System’) which is to be controlled by the Ministry. The HIE will keep the health data collected by health service providers and will enable them to access and exchange this data in a uniform and secure way, subject to any controls determined by government.
The implementing regulations (which, as of the authoring of this article, are yet to be issued) will set out the professional guides, the details as to which businesses are allowed to use the Central System, and any necessary administrative steps that need to be followed.
The local Emirate health authorities are empowered to establish the rules, standards and controls for their own electronic data and health information exchange systems, such as the methods of operation, exchange of data and information and their protection, as well as access to and copying of data and information. In Abu Dhabi, the Department of Health (‘DOH’) has launched the Abu Dhabi Health information exchange ‘Malaffi’. In Dubai, the ‘Salama’ health information exchange is used.
The Ministry, in co-ordination with the local Emirate health authorities, is to develop and implement a national strategic plan concerning the use of ICT in healthcare, as well as setting mandatory procedures for using ICT.
The ICT Health Law requires all health service providers that use ICT for health data to make certain that such information is kept confidential and is not shared without authorisation. The law also requires health service providers to ensure that the health data is available to the authorised parties and access given when needed.
In adherence with international data protection best practices, the ICT Health Law requires businesses to introduce technical, organisational, and operational procedures to ensure the security and integrity of Health Data.
Under the ICT Health Law, health service providers may use or disclose Health Data without the consent of the patient:
The law regulates the processing of electronic health data originating in the UAE, including patient names, diagnosis, consultation and treatment data, and other such health data.
The law also introduces data privacy and protection concepts which include
The ICT Health Law states that Health Data cannot be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a resolution of a health authority or the Ministry. To our knowledge, no such resolutions have yet been issued.
There is a penalty of no less than AED 500,000 and no more than AED 700,000 (approx. US$136,147 to US$190,605) for breach of this prohibition.
While there is some expectation that the local health authorities will accommodate requests where Health Data may be needed to be transferred outside of the UAE, early indications are that the scope for approvals will be very limited.
Going forward, to comply with the ICT Health Law, it will be necessary for local operators to host data on local servers and to control access and processing activity in accordance with the law. In addition to the ICT Health Law, there are additional pieces of legislation that support this:
The executive regulations to the medical liability law, Cabinet Resolution No. 40 of 2019, include an appendix setting out controls and terms for providing ‘Remote Health Services’. Article 2.1(f) of the resolution requires “a server within the country for showing and keeping the information and back-up”;
Section CM 4.2 of the Abu Dhabi DOH Healthcare Information and Cyber Security Standard (‘ADHICS’) (which was issued prior to the ICT Health Law) states:
“The healthcare entity shall not use cloud services or infrastructure to store, process or share information that contains health information. The healthcare entity shall:
As it cannot be the intention of the Ministry that data localisation requirements should have a detrimental effect on the provision of healthcare to UAE residents, we recommend that any healthcare provider affected by localisation requirements should engage with the relevant local health authority (or Ministry) that has licensed its services to explain how the restrictions are affecting the delivery of services and seek approval for the management of its data. Of particular importance are the effect on the delivery of telehealth services, the transfer of data to physicians and laboratories outside the country for highly specialised clinical opinions, and the ability of telehealth providers already licensed in Abu Dhabi and Dubai under other regulations to continue supporting local communities.
The ICT Health Law requires that Health Data must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient. This period may be extended if it is proportionate with the need to keep such data.
For non-compliance, the law contains sanctions, including monetary fines and disciplinary actions, which may be imposed by a disciplinary committee within each health authority.
Specifically, sanctions include:
The most contentious point of the ICT Health Law is the data localisation requirements. The Ministry has mandated that data must remain onshore. This, in itself, creates difficulties because, until recently, there were so few data centre services based in the country. We understand that there may be some softening of the requirement to host data on local servers, and that the use of local cloud-based systems will be permitted if those service providers are licensed in the UAE (noting that this currently breaches the DOH requirement, with no indication of cloud approvals in Abu Dhabi).
The Ministry indicated that approvals for the movement of data offshore would be permitted, but then delegated this responsibility to each of the established health authorities to issue resolutions, neither of which has yet done so. It is understood that each health authority in Abu Dhabi and Dubai is waiting for the Ministry to issue its executive regulations before issuing resolutions of its own. Meanwhile, any operator sending data outside the country will remain in breach of the ICT Health Law.
It is difficult to predict when the executive regulations will be issued. Strictly speaking, they should be issued six months after the law came into effect (which would mean November 2019). However, in practice, it is not unusual for this to take longer; for example, the Ministry did not issue executive regulations to the medical liability law until earlier this year, even though the medical liability law was passed in 2016. On the critical topic of data localisation in the healthcare context, which has the potential to affect patients’ access to overseas expertise, it is hoped that the executive regulations to the ICT Health Law are published imminently in order to prevent operators being left in limbo and potentially in breach of data localisation restrictions.
For the most part, the ICT Health Law is a welcome introduction. The requirement to establish health information systems and to centralise the hosting of Health Data will benefit patients, and it should not be too burdensome for regulated operators to align their information technology systems with those of the Ministry’s HIE, Malaffi, and Salama, so as to enable data to be uploaded on a continuous ‘as is’ basis. The data is then available to the Ministry and health authorities for use in research and population health management which, in turn, will feed into patient health plans being developed on a country-wide basis and, eventually, better control of the introduction of new services, specialities and sub-specialities that are fully aligned with population health needs. In parallel with this, the health regulators are working on wellness and prevention programmes, with the aim of keeping the population fit and healthy rather than only treating people when they are sick.
Al Tamimi & Company’s Healthcare Practice and Technology, Media & Telecommunications team regularly advise on laws and regulations impacting the healthcare sector. For further information please contact firstname.lastname@example.org.