Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreThis Edition of Law Update, From Africa to Asia: Legal Narratives of Change and Continuity, takes you on a journey through dynamic markets.
Africa is undergoing a tech-driven transformation, overcoming regulatory challenges while its startup ecosystem thrives. India’s legal framework is evolving rapidly, keeping pace with its expanding economy and diverse business environment.
We also dive into China’s regulatory shifts, particularly how they are shaping investments in the MENA region, and explore Korea’s innovative global partnerships, which are driving advancements in industries across the UAE and beyond.
Read NowThe Department of Health Abu Dhabi (‘DOH’) issued a new policy on patient healthcare data privacy in September 2020 (‘Data Privacy Standard’). The Data Privacy Standard addresses identifiable patient health information, also called protected health information (‘PHI’), setting the minimum data protection requirements including:
The standard applies to all categories of healthcare entities regulated by the DOH in the Emirate of Abu Dhabi as well as healthcare professionals, insurance providers, service providers, vendors, brokers and third-party administrators who have access to and are processing or storing PHI related to Abu Dhabi patients.
In line with the federal ICT Health Law (please see our article entitled ‘The Federal Law regulating the Use of Information and Communication Technology in the UAE Healthcare Sector‘ for further information), it remains that no entity is permitted to store, develop, or transfer PHI outside the United Arab Emirates that is related to health services provided within Abu Dhabi, except in cases where an exception to do so is issued by the DOH in coordination with the Ministry of Health and Prevention.
Entities are required to have a privacy policy and procedures in place that describes the way they collect, use, and disclose PHI, including guidelines on data collection, processing, security, localisation, and retention. Further, entities must communicate with relevant health authorities within 24hrs of initial knowledge of a data breach and implement an incident response management plan and investigate the incident.
The DOH requires that the entities to which this standard applies perform a privacy risk assessment to understand and implement the controls as appropriate, including for situations where the patient is receiving treatment via telemedicine, remote care and for medical tourism. Further, DOH expects that such entities will execute periodic privacy compliance programs and perform compliance audits to evaluate the effectiveness of the implemented privacy program.
Al Tamimi & Company’s Healthcare sector and Technology, Media, and Telecommunications Department regularly advises on data privacy matters in the UAE as well as assists client to carry out risk assessments. For further information, please contact healthcare@tamimi.com.
Christina Sochacki
Senior Associate, Healthcare
c.sochacki@tamimi.com
Andrew Fawcett
Senior Counsel, Technology, Media & Telecommunications
a.fawcett@tamimi.com
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.