You are in my system: the implementing regulations on Federal law regulating the use of ICT in the UAE healthcare sector

Andrea Tithecott - Partner, Head of Regulatory, Head of Healthcare - Commercial / Regulatory / Legislative Drafting

Andrew Fawcett - Senior Counsel - Digital and Data

Last year, a federal law was issued to regulate the use of information communication technology (‘ICT’) in the healthcare sector throughout the United Arab Emirates (‘UAE’), including in free zones (Federal Law No. 2 of 2019 (‘ICT in Health Law’)). While the ICT in Health Law came into force in May 2019, many of the key elements of the law were left to implementing regulations. At its core, the ICT in Health Law provided a basic framework, introducing a general prohibition on the transfer of health data outside the UAE and providing for the establishment of a central healthcare IT system (‘Central System’) for the purposes of collecting, storing, and exchanging health data for all patients in the UAE. (Please see our summary of the ICT in Health Law, available here: https://www.tamimi.com/law-update-articles/the-federal-law-regulating-the-use-of-information-and-communication-technology-in-the-uae-healthcare-sector/).

While further implementing regulations are still expected, in late April 2020, the Cabinet issued its first set of executive regulations to the ICT in Health Law (Cabinet Resolution No. 32 of 2020 (‘ICT in Health Regulation’)), which comes into force in November 2020.

The ICT in Health Regulation has now specified the controls and protocols for the establishment, operation, and permitted access to the Central System. We outline the significant aspects of these below.

 

Joining the Central System (Art. 2)

Obligations required of health authorities and concerned entities joining the Central System include:

  • compliance with the rules regulating the national registry;
  • adherence to the deadline of joining the Central System; and
  • payment of costs associated with connecting with the Central System.

Under the ICT in Health Law, ‘concerned entities’ include any authority or entity in the UAE providing health services, health insurance services, facilitation, claims management, electronic health services, or any entity directly or indirectly associated with the application of the ICT in Health Law.

The Ministry, in co-operation with health authorities and concerned entities, will also determine the procedures taken to ensure the quality of personal health data placed in the Central System.

The Ministry will also have the authority to audit any health data stored in the Central System to ensure the data’s authenticity, quality, and its compliance with national digital health standards.

 

Establishment of a joint committee (Art. 3)

A new joint committee is to be formed by the Ministry, together with the health authorities and concerned entities; the aim of the committee is to govern the implementation of new joiners to the Central System.

 

Persons authorised and permission to access the Central System (Art. 4)

The health authorities and concerned entities have the authority to determine the persons authorised to access the Central System, as long as they meet certain safety and privacy standards set out by the Ministry.

Health authorities and the concerned entities must determine the persons authorised to access the Central System, on an as-needed basis, and depending on the professional role.

 

Permission controls to use the Central System (Art. 5)

No person may use the Central System unless authorised to do so by the health authorities or the concerned entities, in accordance with the following controls:

  • a health authority will grant the permission to the following persons:
      • employees whose work requires the use of the Central System; and
      • persons who work through service outsourcing companies under contracts concluded with these companies, or experts and consultants who are hired on a casual basis, or the agencies and entities of the health authority. In all cases, the nature of their work or the tasks entrusted to them must require the use of the Central System.
  • the health authority concerned will only grant the permission to the persons who work for it, provided that the nature of their work requires the use of the Central System, and the use must be within the limits of the actual need required by the work; and
  • the health authority and the concerned entities will determine, as appropriate, the persons authorised to enter the Central System remotely.

Importantly for individuals, they may:

  • give access to their personal health information to other persons of their choice, provided that such persons shall be registered as users in the Central System’s database, in a manner that does not conflict with any other legislation issued in this regard; and
  • request to prohibit or restrict access to their personal health information, in accordance with the requirements and controls set by the Ministry in co-ordination with other health authorities.

 

Conditions and controls for using the Central System and exchange of health data and information (Art. 6)

After obtaining permission, every person authorised to have access to the Central System has a duty of confidentiality to take all the necessary steps to protect the data and information in the Central System. In particular, in respect of a patient’s data:

  • the disclosure of the patient’s health information to any party without the consent of the patient or his or her representative shall be legally prohibited, unless disclosure of this information is permitted in accordance with applicable law;
  • in case of an emergency, and if the patient’s consent cannot be obtained, healthcare providers may examine the patient’s file for health care purposes;
  • the consent of the patient should be obtained in the event of the publication of his or her identity data, and the list of the person’s identity data shall be determined by a resolution of the Minister in co-ordination with the other health authorities; and
  • all necessary steps should be taken to protect the patient’s personal data and information from loss, misuse, unauthorised access, disclosure, modification, or destruction.

 

Controls for storing health data and information by means of information and communication technology (Art. 7)

Health data and information stored by means of ICT must be stored according to specified controls, including:

  • the Central System should include all patient files in the UAE, and the files should contain data and information determined by the Ministry in co-ordination with other health authorities;
  • a patient may choose to withdraw from the Central System: in such a case, data and information can be kept unidentified;
  • health data and information that has exceeded the preservation period may be archived for research and public health purposes, while maintaining the patient’s privacy (noting that the preservation period under the ICT in Health Law is 25 years);
  • the Ministry, in co-ordination with health authorities, and through specialised committees, will set standards regarding the confidentiality, quality and validity of health data and information in a manner that does not violate UAE law but which reflects global standards; and
  • health data and information should be stored by ICT means, and according to the regulations for maintaining medical records and archiving in force in each health facility, provided that it shall be compatible, at a minimum, with the controls set by the Ministry.

The Ministry, in conjunction with health authorities, is to issue the necessary decisions to implement the ICT in Health Regulation.

 

Summary

The ICT in Health Regulation prescribes controls and protocols necessary for the establishment and operation of the Central System, including how it will be accessible to health authorities and other concerned entities in the health sector and the parameters on how the data can be used.

While the establishment of the Central System is a significant feature of the ICT in Health Law, it is not the only notable feature of the law.

Importantly, Article 13 of the ICT in Health Law provides that it is not permitted to store, develop, or transfer data and health information outside the UAE that is related to health services provided within the country, except in cases where a decree is issued by the health authority in co-ordination with the Ministry.

The ICT in Health Regulation is focused solely on the Central System and appears to be a preliminary guideline, as further decisions are still needed by the Ministry and health authorities to implement it. We expect that further implementing regulations, or guidance at the emirate health authority level, will be issued to detail further, for example, the process for a healthcare facility to join the Central System and the associated deadlines. Further, we are awaiting additional implementing regulations, or guidance from the individual emirate health authority level, to clarify the ICT in Health Law’s restriction on the transfer of health data outside the UAE and permissible exceptions.

 

For further information, please contact healthcare@tamimi.com.