The United Arab Emirates has issued guidance in relation to the cross-border transfer of health-related data, including telemedicine, which was previously prohibited under the UAE's Health Data Law. In this article, we explain the changes in the law and how to comply with the new regulations when making international transfers of health-related data.
The headline news
The United Arab Emirates recently issued a long-awaited statutory instrument, Ministerial Resolution 51/2021 (the "Resolution"), which provides clarity on the circumstances in which health data may be shared and processed, and puts in place a practical framework allowing for the transfer of health data in connection with health services provided within the UAE.
The Resolution is a welcome development, the first piece of legislation setting out any parameters for data transfer and storage since the publication of Federal Law No. 2 of 2019 (the "Health Data Law"), which entered into force in May 2019 and put in place a number of restrictions on storing and processing patient data electronically, including a prohibition on the storage, processing, generation, or transfer of health-related data outside of the jurisdiction without the appropriate permissions from the UAE Ministry of Health and Prevention. Since the Health Data Law came into force, healthcare providers have largely either taken a risk-based approach or avoided any practices which could involve data transfer outside of the UAE; the Resolution offers a clear roadmap for legal operations and will allow consumers and providers alike a greater degree of freedom to operate.
The Resolution sets out 10 exceptions (listed in full at the end of this update) to the general prohibition on health data transfer, including in relation to medical treatment provided overseas, insurance claims, samples shared with laboratories overseas, and the provision of remote medical services. There is also a general exemption for data whose transfer the relevant patient or their legal representative requests by way of an "official request", although the Resolution contains no guidance on what form this official request should take.
Certain of the exceptions require that written consent be obtained from the patient prior to the data transfer, and the healthcare provider should work closely with its IT and data security teams to ensure that the data is encrypted and sufficiently secure prior to and during transmission.
The finer details
- The Health Data Law defines health information as any health-related information processed and given a visual, audible, or readable indication attributed to the health sector, and states that it applies to all information and communication technology methods and uses in health fields, both onshore and in free zones. Article 13 of the Health Data Law states that "health information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority in coordination with the Ministry." Since the publication of the Health Data Law, legal advisors and medical providers alike have been awaiting guidance on any exceptions and on any application process for permission to transfer data overseas.
- The full list of circumstances in which health data may be transferred overseas is:
- The majority of the exceptions laid out above are subject to further controls and conditions, set out in Articles 3, 4 and 5 of the Resolution. These are:
  - in relation to exceptions 1, 2, 5, 7 and 10:
    - the patient must grant specific written consent;
    - the information and data must only be shared with the specific entity and persons notified to the patient;
    - the information and data must only be shared to the extent specifically required for the individual case or treatment; and
    - the data and information must be encrypted to the highest possible standard prior to transmission;
  - in relation to exceptions 5, 7, 8 and 10, copies of the data and any consents or permissions must be kept and stored in the UAE;
  - in relation to exceptions 3 and 5:
    - the data must be anonymised;
    - the data may only be shared with the specific entity authorised;
    - the data and information must be encrypted to the highest possible standard prior to transmission; and
    - the data and information must be transmitted using the highest possible security;
  - in relation to exception 3, the information and data must only be used for scientific research and not for any purpose other than that research;
  - in relation to exception 4:
    - the insurers and claims management companies must be those operating (and therefore licensed) within the UAE, and all data and information must be stored in the UAE;
    - all data must be anonymised;
    - the patient must provide their written consent;
    - the data and information must not be transferred in full (i.e. only the specific information required may be transferred);
    - the insurance policy number may only be transferred to facilitate treatment outside of the UAE, and must not be transferred in other circumstances;
    - the data and information must be encrypted to the highest possible standard prior to transmission; and
    - the data and information must be transmitted using the highest possible security.
- Patients visiting the UAE are permitted to transfer medical data and information outside of the UAE for the purposes of their insurance requirements in their home country.
Next steps
Businesses looking to take advantage of the new regulations by partnering with entities or physicians based internationally should proceed with due caution, and ensure that they comply with all of the relevant technological and technical requirements in relation to data security, as well as the provisions of Emirate- or Free Zone-level regulations on the provision of telemedicine services, some of which require agreements to be put in place with duly licensed facilities and professionals overseas rather than being able to conduct the practice of telemedicine on an ad hoc basis. Businesses located in jurisdictions within the UAE which have their own data protection regulations, such as the DIFC or ADGM, should also be mindful of their obligations under those laws.