UAE issues new health data protection law

Everyone in this world produces data in one way or another through online and offline activities. While some data only reveals our habits and behaviors, other specific data, such as health data, contains far more sensitive and confidential personal information. In this information age, it is becoming increasingly common for insurance providers, clinics and hospitals to store medical records and data in a centralized and digitized format. While such electronic health records allow quick access to accurate, up-to-date, and complete information about patients, they also pose immense security challenges. For example, the health authorities in Singapore and Hong Kong fell prey to cyber attacks last year and lost millions of patient records to hackers.

In light of this, the UAE authorities have issued a new law in February in order to offer adequate healthcare data protection and bring the Emirates up to the global standard for data handling. Set to come into effect in May, the Federal Law No. 2 of 2019 regulates all entities that are involved in the healthcare processes and obtain private information from insurers and hospitals.

In today’s Pacific Prime Dubai article, our team of experts will take a closer look at the new law and analyze the potential impact it might have on different industries.

What does the new law entail?

The Federal Law No. 2 of 2019 regulates the use of information technology and communications (ITC) in the healthcare sector for anyone who collects, processes or transfers electronic health data originating in the UAE. According to the Federal Gazette, this law:

  • aims to raise the minimum bar for protection of health data and to introduce certain concepts which are on a par with international best practice in information technology and privacy law;
  • continues the legislative trend towards localization of sensitive categories of data; and
  • paves the way for centralized health data capture and analysis to support public health initiatives conducted by the UAE Ministry of Health.

The Law applies to all entities operating in the UAE, whether onshore or from one of its free zones (including Dubai Healthcare City), which provide:

  • healthcare services;
  • health insurance services (including insurance brokers or providers of related administrative services);
  • healthcare IT services; or
  • any other services, directly or indirectly, related to the healthcare sector or engaged in activities that involve the handling of electronic health data (such as cloud service providers).

What are the new legal requirements?

1. New “data protection” obligations and restrictions

Businesses are legally required to properly control access to their data and allow access only to authorized personnel who understand the need for patient confidentiality. They will also need operational and technical procedures to ensure the integrity and security of data.

These obligations apply to all electronic health data regardless of its form, including names of patients, information collected during consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology (CPT) codes, images produced by medical imaging technology, and lab results, among other types of data.

2. Prohibition on storage of health data outside of the UAE

Article 13 of the new law bans the storage and processing outside the UAE of health data related to services provided within the UAE, unless an exception is granted by the relevant health authority. This new restriction will clearly pose challenges for businesses that collect and monitor patient information in the UAE remotely, such as wearable health device companies.

Having said that, the authorities do envisage certain exceptions to this default data localization requirement, which will be set out in subsequent ministerial resolutions or the implementing regulations.

3. Minimum standards for the processing of health data

The new law has also included a host of key concepts familiar from international data protection norms, including:

  • Purpose limitation: patient information must only be used for the provision of health services, except with the prior consent of the patient;
  • Accuracy: healthcare service providers must ascertain that the health data processed is accurate and reliable;
  • Security measures: healthcare service providers must take measures to prevent unauthorized processing, damage, alteration, deletion or amendment of health data; and
  • Non-disclosure/patient consent: the law reiterates existing obligations not to disclose patient data to any third party without the prior consent of the patient.

4. Retention period

Healthcare bodies need to retain all health data for at least 25 years following the most recent point of contact with the patient, or as long as is necessary if longer. Businesses will need to allocate additional resources for storage capacity to comply with this latest requirement.

5. Centralized data management system

The Ministry of Health and Prevention will develop and manage a centralized data management system (DMS) to collect and exchange healthcare data, and to enable healthcare organizations to access data in a uniform and secure way. However, while the law provides that only organizations authorized by the local health authority under the executive regulations will be allowed access to the system, it is still unclear who will be identified as ‘authorized’ and ‘required’ to use the central system, and what administrative steps must be taken.

Exceptions to the new law

In the following circumstances, the data sharing restrictions will be lifted:

  • to allow insurance companies and other entities funding the medical services to verify financial entitlement;
  • for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
  • for public health preventive and treatment measures, for example in the case of a public health crisis;
  • at the request of a competent judicial authority; or
  • at the request of the relevant health authority for public health purposes including inspections.

Sanctions for breach

A disciplinary committee will be set up within each local Emirate health authority to enforce the law and apply sanctions for breach.

Apart from certain penal sanctions for breach of key requirements, the law also sets out a number of overarching disciplinary sanctions, ranging from warnings to fines of AED 1 million and/or potential suspension or withdrawal of the licence to use the central IT system, which might render a healthcare provider unable to lawfully run a practice.

What should companies do to comply with the law?

While it is possible that the UAE authorities will grant a grace period for the relevant health parties to achieve compliance with the law, below are some key steps businesses can take to adapt their operating procedures:

  • identify and evaluate what type of health data is held, where it is processed and which third parties it is shared with;
  • cease the transfer of health data to overseas third parties, anonymize such data altogether, or source alternative third-party service providers to process such data within the UAE;
  • ensure that administrative requirements such as registration / licensing are met and that the IT system is capable of interacting with the central system.

Contact Pacific Prime Dubai for further enquiries

For updates and news on the protection law and other issues related to health and insurance, stay tuned to our weekly updated blog. With over 19 years of experience and nine offices across the world, Pacific Prime Dubai is an established insurance brokerage that is specialized in international health insurance and employee benefits solutions. Our dedicated team of insurance experts knows the ins and outs of different products from various insurance providers. Contact us today for impartial insurance advice, an obligation-free quote, and/or a free plan comparison.
Content Creator at Pacific Prime Dubai
Anthony Chan is a content writer at Pacific Prime. He’s responsible for writing, translating, and editing articles, guides, infographics, leaflets, as well as other resources for Pacific Prime and Kwiksure.

When he’s not working, he’s usually on the hunt for great restaurants, playing badminton, and writing screenplays.