The United Arab Emirates has issued Federal Law No. 2 of 2019, Concerning the Use of the Information and Communication Technology in the Area of Health (“ICT Health Law”). The ICT Health Law applies to all methods and uses of information and communication technology (“ICT”) in the UAE healthcare sector, including in free zones, and comes into force in May 2019.

Establishment of a central exchange

Under the law, the Ministry of Health & Prevention (“Ministry”) sets out to establish a central electronic health data and information exchange (“HIE”), to facilitate confidential access, collection and exchange of health data and information within the UAE. The local emirate health authorities are empowered to establish the rules, standards and controls for their own electronic data and health information systems, such as the methods of operation, exchange of data and information and their protection, as well as access to and copying of data and information. However, the health authorities in the UAE must join the central HIE, in accordance with the regulations and procedures that are to be specified in the subsequent executive regulations. The executive regulations are to be issued within six months of the publication of this law.

National ICT strategy

The Ministry, in coordination with the local emirate health authorities, is to develop and implement a national strategic plan concerning the use of ICT in healthcare, as well as setting mandatory procedures for using ICT. One of the goals is to ensure compatibility and interoperability between information systems to procure valid, credible, and accessible health data and information. The executive regulation will further set out the conditions and controls of storing health data and information within the UAE.

Prohibition on sending health data outside the UAE

The ICT Health Law expressly prohibits handling, transferring or storing of medical records and health information outside the UAE, except where a resolution is passed by the relevant authorities. This may pose a problem for UAE healthcare facilities that have relationships with foreign vendors.

Healthcare data retention

Further, health information and data must be maintained through ICT for a period of 25 years from the last healthcare interaction of the concerned patient; the executive regulations are set to elaborate upon this obligation.

Healthcare providers, health insurers and insurance related services, medical device and pharmaceutical companies, and healthcare technology companies, amongst others, should audit their current practice for compliance with the ICT Health Law.

Should you require any advice concerning the use of Information and Communication Technology in the healthcare sector, we would be happy to assist. In a forthcoming Law Update article, we will expand upon this development.