Cabinet Decision No. 32/2020 on the Implementing Regulation of UAE Federal Law No. 2/2019 on the Use of Information and Communication Technology in Health Fields

BCLP

Summary

Federal Law No. 2/2019 on the Use of Information and Communication Technology in Health Fields (“ITC Health Law”) applies to health information and the use of ICT in health fields in the UAE.  Its aim is to preserve the integrity and confidentiality of health information, as well as to ensure access to such information by authorised parties through establishment of the Central System. 

Cabinet Decision No. 32/2020 (“Implementing Regulation”), which comes into force 6 months from the date of publication (which was on 30 April 2020), prescribes the controls and rules for use of the Central System and “Circulation” of health information and data, including the following: 

  1. Obligation to obtain various consents and approvals prior to disclosing or publishing Health Information and Data;
  2. Obligation to report activities that may affect the confidentiality of Health Information and Data;
  3. Obligation to use encrypted electronic transmissions when transmitting patient information; and
  4. Obligation to take all necessary steps to protect the integrity of patient personal information and data.  

While the Implementing Regulation also prescribes the rules governing the retention of Health Information and Data on ICT, it does not clarify how to determine the relevant start date of the obligatory retention period, nor does it address key issues arising from the prohibition on the transfer and subsequent processing of Health Information and Data outside the UAE.

On 30 April 2020, Cabinet Decision No. 32/2020 on the Implementing Regulation of Federal Law No. 2/2019 on the Use of Information and Communication Technology in Health Fields (the “Implementing Regulation”) was published, and it comes into force 6 months from the date of publication. 

The Implementing Regulation relates to the implementation of Federal Law No. 2/2019 on the Use of Information and Communication Technology in Health Fields (the “ITC Health Law”).  The ITC Health Law applies to health information and the use of ICT in health fields in the UAE (including the free zones).  “ICT” refers to information and communication technology, which is defined in the law as the technical or electronic tools, systems or other media permitting the processing of information and data, including storage, retrieval, dissemination and exchange.  The ITC Health Law aims to preserve the integrity and confidentiality of health information, as well as to ensure availability of, and access to, such information by authorised parties.

The ITC Health Law establishes the “Central System”, which is an electronic platform for the collection, analysis and retention of Health Information and Data by the Ministry of Health and Prevention (the “Ministry”). “Health Information” is broadly defined in the law as information given a visual, auditory or readable indication relating to the health sector, and “Data” is broadly defined as anything that may be stored, processed, generated or transferred through ICT such as numbers, letters, codes, photos, etc. The law provides that the Central System, together with its electronic system principles, standards and controls, is to be implemented by regulation, and it is the Implementing Regulation that aims to achieve that.

Most notably, Article 6 of the Implementing Regulation prescribes the conditions and rules for use of the Central System and “Circulation” of Health Information and Data.  Of particular significance are the following:

- Prohibition on disclosure of Health Information to any party without the consent of the patient, except as permitted by UAE law (Article 6(2));

- Reporting obligation for suspicious activities that may affect the confidentiality of Health Information and Data (Article 6(5));

- Requirement for emails and electronic communications containing patient information to be encrypted (Article 6(6));

- Prohibition on publishing Health Information and Data in the UAE without the consent of the Ministry (Article 6(10));

- Requirement to obtain patient consent for publication of Identity Data (Article 6(11)). “Identity Data” refers to any data or information that may identify a patient. A list of Identity Data is to be specified by Ministerial Decision;

- Requirement for data, information and statistics being published in the UAE to comply with the standards set by the Ministry (Article 6(12)); and

- Obligation to take all necessary steps to protect patient personal information and data from loss, misuse, unauthorized access, disclosure, modification or destruction (Article 6(13)).

In addition, Article 7 of the Implementing Regulation prescribes the rules governing the retention of Health Information and Data on ICT. In particular, paragraph 8 states that Health Information and Data are to be stored on ICT according to the relevant rules regarding retention of medical records and archives at each health facility, provided that such rules comply with those set by the Ministry.

The Implementing Regulation, however, does not clarify certain key issues raised in the ITC Health Law, including how to determine the relevant start date of the mandatory retention period prescribed by the law. Article 20 sets out the conditions upon which Health Information and Data may be retained on ICT, including the obligation to retain such information for a period not less than 25 years from the date of the last health procedures provided to the patient. To comply with this condition, companies handling health information need a clear understanding of what is meant by “the date of last health procedures”, and need to ensure that their ICT systems and associated policies are sufficiently robust to enable them to retain large amounts of confidential information intact over substantial periods of time.

Another key issue raised in the ITC Health Law but not elaborated in the Implementing Regulation relates to the restriction on transferring health information outside of the UAE.  Article 13 prohibits any storing, processing, generating or transferring outside of the UAE of Health Information and Data related to health services provided in the UAE (except as specified by a decision of the Health Authority).  Violation of this Article results in a fine of not less than AED500,000 and not exceeding AED700,000.

Given the nature of many corporate set-ups in the pharmaceutical and healthcare sectors operating in the UAE, such a provision prohibits the sharing of health-related information and data received in the UAE with group companies outside the UAE. Often, multi-national pharmaceutical and healthcare companies are required to transfer health-related information and data to a parent or affiliate for analysis, pharmacovigilance and/or other purposes, and thus the question remains how they may do so without contravening applicable law.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BCLP

Written by:

BCLP