UAE Health Data Law and Its Intersection with HIPAA

In 2019 the UAE enacted Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Health Fields (the Health Data Law). The law regulates the use of information and communication technology in healthcare and sets standards for telehealth. In many respects it resembles HIPAA. This article summarizes what the UAE Health Data Law requires and then compares it with HIPAA.

What Does the UAE Health Data Law Require?

UAE Health Data Law

The UAE Health Data Law applies to the healthcare sector across the UAE, including the Free Zones. Every entity that provides healthcare, healthcare IT, health insurance, or other services related to the healthcare sector must comply with it.

The UAE Health Data Law created standards for data security, processing, localization, management, and retention. It also provides health data disclosure restrictions and sanctions for noncompliance.

Data security.

The UAE Health Data Law requires healthcare providers that use information and communication technology (ICT) to implement security measures that ensure the availability, confidentiality, validity, and credibility of Health Data. These measures must protect Health Data from unauthorized access through technical, organizational, and operational policies and procedures.

Data processing.

Accuracy. Healthcare providers are responsible for ensuring that the Health Data they process is reliable and accurate.

Purpose limitation. Health Data may be used only for the provision of health services, unless the subject of the Health Data (the patient) gives written authorization for another use.

Consent to disclosure. Health Data may not be disclosed to a third party unless the disclosure is permitted by law or the patient gives written consent to it.

Security measures. Healthcare providers must safeguard Health Data by implementing security measures to prevent unauthorized alteration, amendment, addition, deletion, or damage.

Data localization.

One of the most significant aspects of the UAE Health Data Law is the requirement to keep Health Data within the UAE. The law prohibits healthcare entities from transferring, processing, or storing Health Data outside the UAE unless they receive authorization from the relevant health authority and the responsible government ministry.


Data management.

The UAE government requires healthcare providers to use a centralized Health Data management system controlled by the Ministry of Health and Prevention. Healthcare providers are granted secure access to the system so that they can retrieve and exchange Health Data.

Data retention.

The UAE Health Data Law requires healthcare entities to retain Health Data for 25 years from the date of the patient's last health procedure.

Exceptions to Health Data disclosure restrictions.

Under the Health Data Law, healthcare entities may use or disclose Health Data without patient consent for the following purposes:

  • to allow insurance companies and other entities funding the medical services to verify financial entitlements;
  • for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
  • for public health preventive and treatment measures;
  • to comply with a request from a competent judicial authority; or
  • to comply with a request from the relevant health authority for public health purposes including inspections.

Sanctions for noncompliance.

The UAE Health Data Law provides for both monetary and disciplinary sanctions for violations.

These sanctions include:

  • the potential suspension or withdrawal of the license to use the central IT system;
  • a formal notice or warning from the relevant health authority; and/or
  • fines ranging from AED 1,000 to AED 1,000,000 ($272 – $272,258).

How Is the UAE Health Data Law Similar to HIPAA?

There are many ways in which HIPAA and the UAE Health Data Law are similar.