Health data transfers outside the UAE

The Ministry of Health and Prevention introduces a process for transferring health data outside the United Arab Emirates.

Ministry of Health and Prevention (MOHAP) Resolution No. 51/2021 allowing health data transfers outside the UAE (Resolution) issued on 28 April 2021 became effective from 16 May 2021 being the date of publication in Gazette No. 702. Here are the salient points to enable the healthcare community to mobilise.

Background

Federal Law No. (2) of 2019 concerning the Use of Information and Communications Technology in Health Fields (ICT Health Data Law) and its implementing regulations Cabinet Resolution No.32 of 2020, together regulate the uses of information and communications technology for the healthcare sector in the country. The ICT Health Data Law contains provisions concerning data processing, data security and confidentiality, and data localisation and is the primary UAE health data protection law.

In accordance with Article 13 of the ICT Health Data Law, health data cannot be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a resolution of a health authority in coordination with the MOHAP.

The Resolution provides long-awaited clarity on this topic.

Ministry of Health and Prevention Resolution No. 51/2021 allowing data transfers outside UAE

Under the Resolution, MOHAP confirms the process for transferring health data outside UAE.

The basic position remains the same, health data and information (“Health Data”) may not be stored or transferred outside the UAE if it is related to health services provided inside the country, with the exception of the following cases:

• Health Data related to patients who are being treated outside the UAE, within the limits of the necessary treatment procedures;
• Health Data related to samples that are sent to laboratories outside the UAE;
• Health Data used in the framework of scientific research, in compliance with the laws in force in the UAE and with the relevant controls, standards, conditions and procedures for scientific research;
• Health Data that insurance companies and claims management companies operating within the UAE require to be sent outside the country within the scope of their procedures to provide health insurance coverage, after obtaining the consent of the patient;
• Health Data requested by the competent authorities cooperating with the UAE provided that this is within the limits of the purpose of requesting such data;
• Health Data contained in simple medical devices, tools, and the like, that are used by members of the public for personal use and that entail the recording of simple medical data, such as blood pressure/blood sugar, or oxygen saturation rate;
• Health Data related to the prevention, treatment or diagnosis of the patient, which may cause adverse or negative reactions or similar, within the limits and conditions of good pharmacovigilance practice;
• Any other Health Data that health authorities in the UAE agree to transfer or store outside the country.

The transfer of Health Data under these exceptions will be subject to strict controls concerning:

1. Patient written consent
2. Limitations over the sharing of Health Data
3. Encryption using best standards
4. A copy of the data must be stored inside the country

As the Resolution has been published in the Official Gazette and there are no apparent transitional mechanisms, it is in full legal effect as of now.  Consequently, all regulated entities will need to comply. Therefore, healthcare industry operators and digital technology providers are encouraged to familiarise themselves with this Resolution with a view to bringing their activities into conformity.

Our leading Healthcare and Life Sciences Practice is the largest healthcare legal practice in the region. Our lawyers are available to support on every aspect of healthcare regulation compliance.