12 November 2022
Saranya Mohan
Following the General Data Protection Regulation (GDPR) in the EU and the Confidentiality of Medical Information Act ("CMIA") in the USA, the UAE enacted Federal Law No. 2 of 2019 (the Health Data Law) in February 2019. The law governs the use of information technology and communications (ITC) in the healthcare sector and, for the first time in the UAE, focuses on sector-specific data protection.
What is Health Data under the law?
Health data is any "visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or to the health services beneficiaries." This implies that details such as patient names, dates of birth, and other data gathered during consultations and other medical procedures will be considered "health data."
Who does it affect?
The Health Data Law applies to all entities operating in the UAE and its Free Zones that provide healthcare, health insurance, healthcare IT, and other direct or indirect services linked to the healthcare sector, as well as those engaged in activities involving electronic health data management (Health Service Providers).
What Should Healthcare Organizations Do?
Healthcare organizations should start thinking about how they will comply with the Health Data Law. A feasible first step is to perform a data discovery exercise and compile an inventory of all data that falls under the law's purview. Organizations will also need to modify their policies and systems in order to comply with the law.
1. Perform a data mapping exercise.
• Record the origin of, and other information about, the data that is collected, processed, stored, and transferred.
• Why was the information gathered in the first place? Is it essential to gather it?
• How will it be stored and transferred?
• Are the data handlers aware of the confidentiality requirement?
• With whom do you disclose the patient's personal information?
2. Determine the legal basis for personal data processing.
• Personal data is processed on the basis of informed consent obtained from the patient.
• Personal data processing is required for medical reasons.
• Personal data processing is required for legal or security reasons.
• Personal data processing is in the interests of scientific, historical, archival, or statistical research.
• Personal data processing is required for data handlers to comply with the law.
• Any other instances that the Executive Regulation may specify in the future.
3. Create a consent mechanism and appropriate policies.
A consent mechanism ensures that all data subjects whose information is being collected are fully aware of the processing activities that will be carried out on their data. It also allows the organization to specify the intended purpose and manner of processing. Simply training data subjects on these issues can make a significant difference to the company's overall data compliance.
4. Create a procedure for dealing with data breaches.
Conclusion:
The Health Data Law is the starting point for data protection in the healthcare industry. Businesses in healthcare should be aware that patient data, and other types of data commonly recognized as sensitive personal data in other parts of the world, must now be handled more carefully in the UAE than in the past, and each organization has to put processes in place that make compliance with the law more systematic.