UAE Health Data Law and Its Intersection with HIPAA

The UAE implemented a federal healthcare law in 2019 known as Federal Law No 2 of 2019 (Health Data Law). This law regulates the use of information technology and communications and created standards for telehealth. The UAE healthcare law is similar to HIPAA in many ways. The UAE Health Data Law and its similarities to HIPAA are discussed.

What Does the UAE Health Data Law Require?

The UAE Health Data Law regulates the healthcare industry across UAE including the Free Zones. All healthcare entities that provide healthcare, healthcare IT, health insurance, or other services related to the healthcare industry must comply with the law.

The UAE Health Data Law created standards for data security, processing, localization, management, and retention. It also provides health data disclosure restrictions and sanctions for noncompliance.

Data security.

The UAE Health Data Law requires healthcare providers that utilize information technology and communications (ITC) to implement security measures to ensure Health Data’s availability, confidentiality, validity, and credibility. These measures must protect Health Data from unauthorized access, by implementing technical, organizational, and operational policies and procedures.

Data processing.

◈ Accuracy. Healthcare providers are responsible for ensuring that the data they process is reliable and accurate. 

◈ Purpose limitation. Health Data can only be used for the provision of health services, unless the subject of the Health Data (the patient) gives written authorization for its use otherwise.

◈ Consent to disclosure. Health Data is prohibited from being disclosed to a third-party unless it is permitted by law, or the patient gives written consent for the disclosure.

◈ Security measures. Healthcare providers must safeguard Health Data by implementing security measures to prevent unauthorized alteration, amendment, addition, deletion, or damage.

Data localization.

One of the most important aspects of the UAE healthcare law is the requirement to keep Health Data within the UAE. The Health Data Law prohibits healthcare entities from transferring, processing, or storing Health Data outside of the Kingdom, unless they receive authorization from the health authority and government ministry.

Data management.

The UAE government requires healthcare providers to use a centralized Health Data management system that is controlled by the Ministry of Health and Prevention. Healthcare providers are granted secure access to the system so that they may access and exchange Health Data.

Data retention. 

The UAE healthcare law requires healthcare entities to retain Health Data for 25 years after the date on which the patient had their last procedure.

Exceptions to Health Data disclosure restrictions.

According to the Health Data Law, healthcare entities may use or disclose data without patient consent for the following reasons:

• to allow insurance companies and other entities funding the medical services to verify financial entitlements;
• for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with);
• for public health preventive and treatment measures;
• to comply with a request from a competent judicial authority; or
• to comply with a request from the relevant health authority for public health purposes including inspections.

Sanctions for noncompliance.

The UAE Health Data Law allows for both monetary and disciplinary sanctions for violating the law. 

These sanctions include:

• the potential suspension or withdrawal of the license to use the central IT system;
• a formal notice or warning from the relevant health authority; and/or
• fines ranging from AED 1,000 to AED 1,000,000 ($272 – $272,258).

How is the UAE Healthcare Law Similar to HIPAA?

There are many ways in which HIPAA and the UAE Health Data Law are similar.

Data security.

HIPAA requires healthcare organizations to ensure the confidentiality, integrity, and availability of protected health information (PHI). This is done by having written policies and procedures that implement administrative, technical, and physical safeguards.

Patient authorization.

HIPAA requires healthcare entities to obtain written patient authorization for the use or disclosure of PHI for purposes other than the treatment, payment, or healthcare operations.

Data retention.

HIPAA requires healthcare organizations to retain patient medical records for six (6) after their last procedure.

Sanctions for noncompliance.

HIPAA imposes both disciplinary and monetary sanctions for failing to comply with the law. 

Penalties for noncompliance are as follows:

• Tier A includes penalties for HIPAA violations in which the offender didn’t realize he or she violated the Act and would have handled the matter differently if he or she had. The result is a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.
• Tier B is for violations due to reasonable cause, but not “willful neglect.”  The result is a $1,000 penalty for each HIPAA violation, and the fines cannot exceed $100,000 for a calendar year.
• Tier C is for violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and fines cannot exceed $250,000 for the calendar year.
• Tier D is for HIPAA violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation and the fines cannot exceed $1,500,000 for the calendar year.