As we witness the evolution of the regulatory landscape across the MENA region, it was timely for us to investigate and lift the lid, on what is keeping the region’s legal decision-makers awake at night.
Our first-of-its-kind report titled Legal Leaders in MENA is out now! It captures the views of 700 legal decision-makers across nine countries and 13 industry sectors in MENA, as well as in-depth interviews with experts from key sectors such as financial services and education to name a few, which revealed the emerging risks and priorities challenging the legal sector across the region.
Read the full report and share your feedback with us at firstname.lastname@example.org.Read the full report
Last year, a federal law was issued to regulate the use of information communication technology ( ‘ICT’) in the healthcare sector through the United Arab Emirates ( ‘UAE’), including in free zones (Federal Law No. 2 of 2019 ( ‘ICT in Health Law’)). While the ICT in Health Law came into force in May 2019, much of the key elements of the law were left to implementing regulations. At the core of the ICT in Health Law, it provided a basic framework, introducing a general prohibition on the transfer of health data outside the UAE and providing for the establishment of a central healthcare IT system ( ‘Central System’) for the purposes of collection, storing, and exchanging health data for all patients in the UAE. (Please see our summary of the ICT in Health Law, available here: https://www. tamimi.com/law-update-articles/the-federal- law-regulating-the-use-of-information-and- communication-technology-in-the-uae-
While further implementing regulations are still expected, in late April 2020, the Cabinet issued its first set of executive regulations to the ICT in Health Law (Cabinet Resolution No. 32 of 2020 ( ‘ICT in Health Regulation’), which come into force in November 2020.
The ICT in Health Regulation has now specified the controls and protocols for the establishment, operation, and permitted access to the Central System. We outline the significant aspects of these below.
Obligations required of health authorities and concerned entities joining the Central System include:
Under the ICT in Health Law, ‘concerned entities’ include any authority or entity in the UAE providing health services, health insurance services, facilitation, claims management, electronic health services, or any entity directly or indirectly associated with the application of the ICT in Health Law.
The Ministry, in co-operation with health authorities and concerned entities, will also determine the procedures taken to ensure the quality of personal health data placed in the Central System.
The Ministry will also have the authority to audit any health data stored in the Central System to ensure the data’s authenticity, quality, and its compliance with national digital health standards.
A new joint committee is to be formed by the Ministry, together with the health authorities and concerned entities; the aim of the committee is to govern the implementation of new joiners to the Central System.
The health authorities and concerned entities have the authority to determine the persons authorised to access the Central System, as long as they meet certain safety and privacy standards set out by the Ministry.
Health authorities and the concerned entities must determine the persons authorised to access the Central System, on an as-needed basis, and depending on the professional role.
No person may use the Central System unless authorised to do so by the health authorities or the concerned entities, in accordance with the following controls:
Importantly for individuals, they may:
After obtaining permission, every person authorised to have access to the Central System has a duty of confidentiality to take all the necessary steps to protect the data and information in the Central System In particular, in respect of a patient’s data:
Storing health data and information by means of ICT has to be according to specified controls including:
The Ministry, in conjunction with health authorities, is to issue the necessary decisions to implement the ICT in Health Regulation.
The ICT in Health Regulation prescribes controls and protocols necessary for the establishment and operation of the Central System including how it will be accessible to health authorities and other concerned entities in the health sector and the parameters on how the data can be used.
While the establishment of the Central System is a significant feature of the ICT in Health Law, it is not the only notable feature of the law.
Importantly, Article 13 of the ICT in Health Law provides that it is not permitted to store, develop, or transfer data and health information outside the UAE that is related to health services provided within the country, except in cases where a decree is issued by the health authority in co- ordination with the Ministry.
The ICT in Health Regulation is focused solely on the Central System and appears to be a preliminary guideline as further decisions are still needed by the Ministry and health authorities to implement them. We expect that further implementing regulations, or guidance at the emirate health authority level will be issued to detail further, for example, the process for a healthcare facility to join the Central System and the associated deadlines. Further, we are awaiting additional implementing regulations, or guidance from the individual emirate health authority level, to clarify the ICT Health Law’s restriction on the transfer of health data outside the UAE and permissible exceptions.
For further information, please contact email@example.com.