The Department of Health Abu Dhabi (‘DOH’) issued a new policy on patient healthcare data privacy in September 2020 (‘Data Privacy Standard’). The Data Privacy Standard addresses identifiable patient health information, also called protected health information (‘PHI’), setting the minimum data protection requirements including:
The standard applies to all categories of healthcare entities regulated by the DOH in the Emirate of Abu Dhabi as well as healthcare professionals, insurance providers, service providers, vendors, brokers and third-party administrators who have access to and are processing or storing PHI related to Abu Dhabi patients.
In line with the federal ICT Health Law (please see our article entitled ‘The Federal Law regulating the Use of Information and Communication Technology in the UAE Healthcare Sector’ for further information), it remains the case that no entity is permitted to store, develop, or transfer PHI outside the United Arab Emirates that is related to health services provided within Abu Dhabi, except where an exception to do so is issued by the DOH in coordination with the Ministry of Health and Prevention.
Entities are required to have a privacy policy and procedures in place that describe the way they collect, use, and disclose PHI, including guidelines on data collection, processing, security, localisation, and retention. Further, entities must communicate with relevant health authorities within 24 hours of initial knowledge of a data breach, implement an incident response management plan, and investigate the incident.
The DOH requires that the entities to which this standard applies perform a privacy risk assessment to understand and implement the controls as appropriate, including for situations where the patient is receiving treatment via telemedicine, remote care and for medical tourism. Further, DOH expects that such entities will execute periodic privacy compliance programs and perform compliance audits to evaluate the effectiveness of the implemented privacy program.
Al Tamimi & Company’s Healthcare sector and Technology, Media, and Telecommunications Department regularly advise on data privacy matters in the UAE and assist clients in carrying out risk assessments. For further information, please contact healthcare@tamimi.com.
Christina Sochacki
Senior Associate, Healthcare
c.sochacki@tamimi.com
Andrew Fawcett
Senior Counsel, Technology, Media & Telecommunications
a.fawcett@tamimi.com