Privacy is the New care!

12 November 2022

Saranya Mohan

Compliance 101: The Basics of complying with Health Data Law in UAE.

Following The General Data Protection Regulation (GDPR) in EU and the Confidentiality of Medical Information Act ("CMIA") in the USA, UAE enacted Federal Law No. 2 of 2019 (Health Data Law) in February 2019, which governs the use of information technology and communications (ITC) in the healthcare sector-hence for the first time focusing on sector-specific Data protection.

What is Heath Data under the law?

Any "visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or to the health services beneficiaries." This implies that details such patient names, dates of birth, and other data gathered during consultations and other medical procedures will be considered to be "health data."

Who does it affect?

The Health Data Law applies to all entities operating in the uae and Free Zones that provide healthcare, health insurance, healthcare IT, and other direct or indirect services linked to the healthcare sector, as well as those engaged in activities involving electronic health data management (Health Service Providers).

What Should the Healthcare Organizations do?

Healthcare organizations should start thinking about how they'll comply with the Health Data Law. A feasible first step for organizations would be to perform a data discovery exercise to compile an inventory of all data that falls under the law's purview. Organizations will also need to make modifications to their policies, and systems in order to comply with the law.

1. Perform a data mapping exercise.

• The origin and information regarding data that is collected, processed, stored, and transferred.

• Why was the information gathered in the First Place? Is it essential to gather the information?

• How will it be stored and transferred?

• Are the Data Handlers aware regarding the requirement of confidentiality?

• With who do you disclose the personal information of the patient?

2. Determining the Legal Basis for Personal Data Processing

• Personal Data is processed by obtaining informed consent from the patient

• Personal data processing is required for medical reasons.

• Personal data processing is required for legal or security reasons.

• For the interests of scientific, historical, archival, and statistical research

• Personal data processing is required for data handlers to comply with the law.

• Any other instances that the Executive Regulation may emphasize in the future

3. Creating a Consent Mechanism and Appropriate Policies

It ensures that all data subjects whose information is being collected are fully aware of the processing activities that will be carried out on their behalf. Furthermore, it allows to specify the intended purpose and manner of processing data. Simply training data subjects on these issues can make a significant difference in the company's overall data compliance.

4. Create a procedure for dealing with data breaches.

Conclusion:

The Health Data law is the starting point for data protection in the healthcare industry and businesses in healthcare should be aware that patient data and other types of data that are commonly recognized as sensitive personal data in other parts of the world must be considered more carefully in UAE than in the past and each organization has to implement processes in place that make compliance to the law more systematic.