Privacy is the New care!

12 November 2022

Saranya Mohan

Compliance 101: The Basics of Complying with the Health Data Law in the UAE

Following the General Data Protection Regulation (GDPR) in the EU and California's Confidentiality of Medical Information Act (CMIA) in the USA, the UAE enacted Federal Law No. 2 of 2019 (the Health Data Law) in February 2019. The law governs the use of information and communication technology (ICT) in the healthcare sector and is the first UAE law to focus on sector-specific data protection.


What is Health Data under the law?

Any "visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or to the health services beneficiaries." In practice this means that details such as patient names, dates of birth, and other data gathered during consultations and other medical procedures will be considered "health data."


Who does it affect?

The Health Data Law applies to all entities operating in the UAE and its Free Zones that provide healthcare, health insurance, healthcare IT, or other direct or indirect services linked to the healthcare sector, as well as to those engaged in activities involving electronic health data management (collectively, Health Service Providers).


What Should the Healthcare Organizations do?

Healthcare organizations should start planning now for how they will comply with the Health Data Law. A practical first step is a data discovery exercise that compiles an inventory of all data falling under the law's purview. Organizations will also need to modify their policies and systems in order to comply with the law.


1. Perform a data mapping exercise.

A data mapping exercise shows exactly where an organization stands when it comes to collecting and storing patient data. This relatively simple exercise answers the following questions:

• Where does the data come from, and what data is collected, processed, stored, and transferred?

• Why was the information gathered in the first place? Is it essential to gather it?

• How will it be stored and transferred?

• Are the data handlers aware of the confidentiality requirement?

• With whom is the patient's personal information disclosed?


2. Determining the Legal Basis for Personal Data Processing

Requiring a legal basis for processing personal information safeguards the patient's right to privacy. Any organization processing personal data should have processes in place to ensure that each processing activity rests on one of the following bases:

• Personal data is processed on the basis of informed consent obtained from the patient.

• Personal data processing is required for medical reasons.

• Personal data processing is required for legal or security reasons.

• Personal data processing serves scientific, historical, archival, or statistical research.

• Personal data processing is required for data handlers to comply with the law.

• Any other instances that the Executive Regulation may specify in the future.


3. Creating a Consent Mechanism and Appropriate Policies

Where consent is used as the legal basis for processing, the organization must satisfy all of the consent requirements. The right use of language is key, and obtaining proper consent has become even more important as a result of the new law. Not only must the wording used to request consent be explicit, it must also be tailored to the specific purpose for which the collected data will be used.

A proper consent mechanism ensures that all data subjects whose information is being collected are fully aware of the processing activities that will be carried out on their data. It also lets the organization specify the intended purpose and manner of processing. Simply informing data subjects about these points can make a significant difference to the company's overall data compliance.


4. Create a procedure for dealing with data breaches.

This is "worst-case scenario" territory, but it is critical to have a robust data breach procedure in place. All relevant personnel must know their specific roles in launching the response to a data breach. Only an organization with a complete, detailed, and tested data breach response plan will be able to comply with the data protection regulations when an incident occurs.



The Health Data Law is the starting point for data protection in the healthcare industry. Healthcare businesses should be aware that patient data, and the other types of data commonly recognized as sensitive personal data in other parts of the world, must now be handled more carefully in the UAE than in the past. Each organization has to put processes in place that make compliance with the law systematic.
