Our knowledge, experience, and expertise are now available on the go.
My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.Find out more
Last year, a federal law was issued to regulate the use of information communication technology ( ‘ICT’) in the healthcare sector through the United Arab Emirates ( ‘UAE’), including in free zones (Federal Law No. 2 of 2019 ( ‘ICT in Health Law’)). While the ICT in Health Law came into force in May 2019, much of the key elements of the law were left to implementing regulations. At the core of the ICT in Health Law, it provided a basic framework, introducing a general prohibition on the transfer of health data outside the UAE and providing for the establishment of a central healthcare IT system ( ‘Central System’) for the purposes of collection, storing, and exchanging health data for all patients in the UAE. (Please see our summary of the ICT in Health Law, available here: https://www. tamimi.com/law-update-articles/the-federal- law-regulating-the-use-of-information-and- communication-technology-in-the-uae-
While further implementing regulations are still expected, in late April 2020, the Cabinet issued its first set of executive regulations to the ICT in Health Law (Cabinet Resolution No. 32 of 2020 ( ‘ICT in Health Regulation’), which come into force in November 2020.
The ICT in Health Regulation has now specified the controls and protocols for the establishment, operation, and permitted access to the Central System. We outline the significant aspects of these below.
Obligations required of health authorities and concerned entities joining the Central System include:
Under the ICT in Health Law, ‘concerned entities’ include any authority or entity in the UAE providing health services, health insurance services, facilitation, claims management, electronic health services, or any entity directly or indirectly associated with the application of the ICT in Health Law.
The Ministry, in co-operation with health authorities and concerned entities, will also determine the procedures taken to ensure the quality of personal health data placed in the Central System.
The Ministry will also have the authority to audit any health data stored in the Central System to ensure the data’s authenticity, quality, and its compliance with national digital health standards.
A new joint committee is to be formed by the Ministry, together with the health authorities and concerned entities; the aim of the committee is to govern the implementation of new joiners to the Central System.
The health authorities and concerned entities have the authority to determine the persons authorised to access the Central System, as long as they meet certain safety and privacy standards set out by the Ministry.
Health authorities and the concerned entities must determine the persons authorised to access the Central System, on an as-needed basis, and depending on the professional role.
No person may use the Central System unless authorised to do so by the health authorities or the concerned entities, in accordance with the following controls:
Importantly for individuals, they may:
After obtaining permission, every person authorised to have access to the Central System has a duty of confidentiality to take all the necessary steps to protect the data and information in the Central System In particular, in respect of a patient’s data:
Storing health data and information by means of ICT has to be according to specified controls including:
The Ministry, in conjunction with health authorities, is to issue the necessary decisions to implement the ICT in Health Regulation.
The ICT in Health Regulation prescribes controls and protocols necessary for the establishment and operation of the Central System including how it will be accessible to health authorities and other concerned entities in the health sector and the parameters on how the data can be used.
While the establishment of the Central System is a significant feature of the ICT in Health Law, it is not the only notable feature of the law.
Importantly, Article 13 of the ICT in Health Law provides that it is not permitted to store, develop, or transfer data and health information outside the UAE that is related to health services provided within the country, except in cases where a decree is issued by the health authority in co- ordination with the Ministry.
The ICT in Health Regulation is focused solely on the Central System and appears to be a preliminary guideline as further decisions are still needed by the Ministry and health authorities to implement them. We expect that further implementing regulations, or guidance at the emirate health authority level will be issued to detail further, for example, the process for a healthcare facility to join the Central System and the associated deadlines. Further, we are awaiting additional implementing regulations, or guidance from the individual emirate health authority level, to clarify the ICT Health Law’s restriction on the transfer of health data outside the UAE and permissible exceptions.
For further information, please contact email@example.com.
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.