• Law requires secure storage of healthcare data in UAE for 25 years
  • Healthcare providers, insurers, brokers, IT providers must audit their compliance

The United Arab Emirates is preparing to roll out a new law that will regulate the use, storage and privacy of healthcare data in the country.

The law, which broadly mirrors the U.S. Health Insurance Portability and Accountability Act, would help safeguard patient data while increasing the compliance burden on providers, insurers and brokers, practitioners say. It will impact international healthcare providers, including Johns Hopkins Medicine International, that operate facilities in the UAE, which is a major destination for global health tourism.

The law would create a central system to gather healthcare data to develop services in public health and safety; mandate confidentiality, security and 25-year storage of healthcare data; require licenses for anyone using or advertising on the new central system; and prohibit transferring, processing or storing data outside the UAE without permission.

Violators can be end up paying up to 1 million dirhams ($270,000) and have their websites blocked by the government, under the new law.

Healthcare providers, clinics, hospitals, health insurance companies, brokers, claims administrators and IT platforms providing telemedicine services or gathering and processing clinical data could be acted, practitioners said.

"Everybody will have to look at their current systems, controls and platforms and how they process and control data. They will have to conduct an audit and then see to what extent they comply with the provisions," said Simon Isgar, Partner and Head of Insurance and Reinsurance at BSA Ahmad bin Hezeem & Associates LLP law firm in Dubai, said by phone.

The government approved the law Feb. 6, and it will take effect three months after it is published in the official gazette. The 31 articles in the law refer to forthcoming executive regulations, ministerial resolutions, mandatory mechanisms and procedures that have yet to be published.

"The law just sets the framework," Isgar said.

A spokesman for the UAE Ministry of Health and Prevention did not respond to requests for comment.

The prohibition on storing data outside the country, while not unusual, is "significant" for the many local healthcare entities that have relationships with international providers, said Andrew Fawcett, senior counsel in the technology, media and telecommunications practice and healthcare group at one of the law firm in Abu Dhabi.

"They are going to have to look at how data is dealt with. It is permissible with approval," Fawcett said. "My understanding is that there will be things which allow practitioners access to some international bodies outside the UAE but it needs to be worked through. There are challenges in that because the practitioners are acting under their own rules and regulations and they need to keep appropriate les in their own countries."

Healthcare providers consider the new law "a welcome move," despite the lack of details, Isgar said.

We anticipate that where health data and information is captured and processed properly, this will benefit the UAE healthcare markets in terms of providing quality and accurate data to avoid potential frauds and better underwriting of health insurance risks for the market," he said.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.