The Dubai Health Authority has issued Guidelines for Medical Advertisement Content on Social Media. The Guidelines provide for organisational accountability, patient protection and safeguarding of data and reinforce the need for healthcare advertising to be accurate and safe. This article looks at the Guidelines and other important compliance considerations for healthcare businesses and professionals in the UAE.
The Guidelines recommend that Medical Directors of health facilities are responsible for the content of any social media advertising which names the facility or its services.
Reinforcement of the need for healthcare advertising in the UAE to be accurate and safe has been provided by the Dubai Health Authority's Guidelines for Medical Advertisement Content on Social Media. As the delivery of medical services becomes increasingly enabled via technology and such services by extension become more accessible to people (including, in countries and areas where access to modern medicine has been limited or difficult) it is vitally important that patients are equipped with the necessary information to make informed and sensible decisions regarding their care and that they are not misled through advertising. Online advertising, due to its ability to be tailored and personalised, is likely to be a dominant force in healthcare advertisement and sensible regulation of such activities is needed for the protection of patients and reputable and conscientious healthcare providers alike.
Social Media Advertising Guidelines
At a national level, the supply of both medical products and medical services is already subject to a comprehensive licensing and regulatory regime in the UAE. Healthcare advertising is also subject to a licensing regime operated by the Ministry of Health and Prevention.
The Emirate of Dubai has its own health strategy for the years 2016 through to 2021 and the recently issued Guidelines for Medical Advertisement Content on Social Media (Guidelines) aim to support the overarching objectives of the strategy; in particular, the recognition of Dubai as a medical destination of choice, the promotion of excellence and enhancement of patient happiness and the promotion of a happy, healthy and safe environment for the population of Dubai. Any licensed medical facilities, distributors and professionals operating in Dubai will be expected to comply with the Guidelines.
"Social Media" is defined by the Guidelines in a broad way, as the "collective of online communications platforms dedicated to community-based input, interaction, content sharing and collaboration or networking. It includes websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, to share opinions, information, experiences, images, and video or audio clips and includes websites and applications used for social networking". A non-exhaustive list of platforms is also set out in the definition which, interestingly, expressly includes WhatsApp (which, arguably, lacks some of the characteristics set out in the definition and would not otherwise necessarily be expected to fall within a definition of "social media" due to its private nature). Other, more obvious, examples of social media platforms that are expressly included are Facebook, Instagram, Twitter, YouTube, Snapchat and LinkedIn (amongst others).
Internal accountability and compliance
The Guidelines recommend that Medical Directors (MD) of health facilities are responsible for the content of any social media advertising (SMA) which names the facility or its services. This would apply to direct advertising and also advertising via influencers or other third parties. The MD should also be responsible for the management of the social media accounts for the facility. Organisational accountability is an important aspect of any successful compliance programme; by way of example, many data protection laws which have come into effect across the globe in recent times require a function or individual to be established within organisations to monitor, direct and enforce internal compliance. It is logical and sensible for medical organisations to ensure that similar internal controls and sign-offs are applied to all healthcare advertising, including digital and SMA, and that the organisation is aware of its legal responsibilities.
The management personnel of Dubai Health Authority (DHA) licensed facilities are required to ensure that, amongst other things:
- SMA content is factually accurate and contains all risks and benefits, advantages and disadvantages of services provided
- "Fine print" statements must be placed in a prominent location, legible to the naked eye
- A trained and experienced social media account moderator must be nominated
- Staff must be trained on social media use on induction and at regular intervals
- There is a clear social media policy for the organisation which is reviewed and updated regularly
- SMAs and posts must be archived for future verification and audit
Of course, the primary concern of any health regulation is patient outcome and patient protection. The Guidelines provide that healthcare professionals must be competent to provide the subject of any SMA they undertake and must ensure that any SMA content which refers to the outcome of procedures is fully substantiated and includes information relating to any associated risks. Health facilities and professionals should not promote: non-therapeutic products, products and services not directly related to healthcare, products and services that are not proven to be healthy or sound, products that are not supported by clinical evidence and products that affect health adversely.
Absolute statements and language and exaggerated claims should not be used. Examples cited of such language include, "the best", "the safest", "exclusive", "miraculous", "magic" and "famous".
Negative statements relating to other healthcare professionals, facilities or government bodies are not acceptable.
In addition, healthcare providers should not use personal Social Media accounts for patient interaction and should maintain a separate professional account (if required). Social Media discussions which may lead to a patient publicly disclosing health information should be avoided. Claims that one's own products or services are superior to those of another physician, health professional or health facility should not be made (there is no qualification that such a claim may be permitted if it is possible to objectively verify its accuracy).
Use of patients in Social Media Advertising
Any patient whose picture, video or statement is used in SMA must have provided documented written consent and the consent must be limited only to the subject requested and should not exceed the period of the grant of consent. The DHA is intending to issue further guidelines for patient informed consent, which the consent should be in-line with. If the consent requirement is interpreted in a similar way as it is in many data protection laws, then the healthcare organisations and professionals will not be able to capture general and unspecific consent from patients as part of their "business-as-usual" processes. Incorporating a general statement of consent in the terms that a patient agrees to in order to receive the service / procedure, rather than seeking an additional active consent, is unlikely to be good practice. Better practice is to ensure that the patient is separately informed exactly what they are being asked to consent to in a transparent way which identifies the use of the information for advertising purposes and imposes some time-boundaries on the consent.
In addition, all businesses and practitioners should note that the public disclosure of secret information relating to a person or the use of private information relating to a person (including pictures and video) in public information technology systems (such as, but not limited to, social media) without the permission of the person concerned could constitute a criminal offence under the Penal Code and/or the Cybercrime Law in the UAE (attracting a potential prison sentence as well as a fine).
Where a health facility or professional is financially incentivised to promote a particular product or service (whether health-related or otherwise) they should document and disclose this to their patients. The time and manner of disclosure, or the necessary level of content, is not expressly set out but presumably the disclosure should be made as part of the advertisement.
The management personnel of DHA licensed facilities are required to assure the protection of patient health information on social media platforms. This requirement is hard to comply with if the facility is using a third-party open platform where reliance is placed on the operator of the platform to secure the information. However, organisations should not generally be collecting personal data other than basic contact data via social media and it is inappropriate to do so, particularly where the platform is public and the information is sensitive (such as medical information).
Healthcare professionals using social media platforms are required, amongst other things, to ensure the below points are respected. Interestingly, some of these have a scope which extends beyond the act of SMA itself.
- Protect patient privacy and confidentiality at all times, especially on social media.
- Prevent unauthorized access to patient's personal data, including pictures and its use to assure that de-identified data cannot be linked back to the user or patient.
- Obtain informed consent from a patient to disclose their health-related information.
- Obtain verifiable consent from the child's parent before collecting, using, or disclosing personal or health information of a child below the age of eighteen (18) years.
- Avoid identification of patients.
The obligations in the Guidelines are in addition to any other applicable data protection obligations under law. For example, it should be noted that the advertising activities of healthcare organisations also need to comply with Federal Law No. 2 of 2019, Concerning the Use of the Information and Communication Technology in the Areas of Health (ICT Healthcare Law). The ICT Healthcare Law requires (amongst a number of other things) that patient data is kept within the UAE, unless permission has been obtained to the contrary (which would need to be considered carefully if any health data is collected via social media run on servers around the globe), and is treated confidentially and securely. There are also additional data protection laws in special economic zones within UAE which could apply; for example, the DIFC and ADGM have data protection laws.
Social Media Advertising will be an important activity for many healthcare providers and, when carried out responsibly, can benefit the healthcare ecosystem and patients alike. However there are inherent risks associated with targeted advertising which are particularly important when the subject matter of the advertisement is health and wellbeing. It is sensible that this area is regulated; however, the Guidelines are a small part of the overall picture with respect to patient-protection considerations relating to information provision, collection and use and with increasing amounts of data and novel methods of delivery being used in the industry, it is vital the practitioners and practices are aware of their obligations and responsibilities. Practices will need a joined-up approach to compliance which considers issues including:
- the content of advertisements
- how patient data is collected and where it is stored or processed
- how patient data is kept secure
- the retention period of patient data
- a consent mechanism for the use of patient testimonials or audio-visual information
Clyde & Co has leading and experienced healthcare, data protection and technology lawyers and would be happy to discuss any of the issues in this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.