Privacy and Data Protection

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

The UAE does not have a comprehensive data protection law at a federal level. There are, however, a number of laws in place that govern the collection and handling of personal data through telehealth services in the UAE.

Article 379 of Federal Law 3 of 1987 as amended ("UAE Penal Code") prohibits a person who, by reason of their profession, craft, situation or art, is entrusted with a "secret", from using or disclosing that secret, without the consent of the person to whom the secret pertains, or otherwise in accordance with the law. To mitigate against the risk of a breach of Article 379 of the Penal Code, it is generally advised to obtain consent prior to the use or disclosure of any personal data, which would include any patient information obtained through a telehealth service.

Article 4 of the ICT Health Law imposes strict requirements around the circulation of patient information (in "authorised cases" only), as well as ensuring that it is protected from destruction or unauthorised amendment, alteration, deletion, or addition. Article 16 of the ICT Health Law further requires that "whoever circulates information related to patients must abstain from using such information for non-health purposes", unless certain exceptions apply.

In addition, Article 20 of the ICT Health Law provides that patient information must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient. This broadly worded obligation is not targeted at any particular category of individuals or entities (e.g. healthcare providers) and must therefore be assumed to apply to any entity which uses ICT in the healthcare sector, as per Article 2 of the ICT Health Law. This law extends to health insurance brokers and insurers, claims management services and electronic services in the medical field.

The Federal Telehealth Regulations set out a number of data protection related conditions for providing various health services remotely. Those include obligations to provide:

  • a system for the protection of the data and registers related to the remote health services, and prohibiting any access thereto unless by the authorised persons;
  • the necessary mechanisms for the protection of the privacy of the persons who received remote health services;
  • servers in the United Arab Emirates for the storage and archiving of information as well as a backup;
  • internet technologies and systems that meet the requirements of providing remote health services; and
  • the necessary means for the archiving of the entire registers and data related to the persons who received remote health services, in addition to the documentation thereof.

It is also stated within the Federal Telehealth Regulations that the "express consent" of those who receive such services is required, both to receive the service and to be recorded (by both audio and video).

At an Emirate level, both the Dubai HA Standards and the AD DOH Standards include independent requirements relating to the protection and use of patient information.

In addition to the general requirements around the handling of health data found under DHCC Free Zone Health Data Protection Regulation No 7 of 2013, the DHCC Regulation contains requirements around the handling of patient information. Some of the key points are as follows:

  • Patient information shall not be collected by unlawful means, or by means that, in the circumstances of the case, are unfair or intrude to an unreasonable extent upon the personal affairs of the patient;
  • Security incidents (i.e. data breaches) must be reported; and
  • Patients must be issued a privacy notice at the point of data collection which meets certain requirements.

Last modified 9 May 2023

United Arab Emirates

Is the use of telehealth permitted?

Yes, telehealth is permitted in the United Arab Emirates (UAE).

How is telehealth regulated?

At a federal level, the annex to Cabinet Decision No. 40/2019 On the Implementing Regulation of Federal Decree-Law No. 4/2016 on medical liability ("ICT Health Law"), entitled "Controls and Conditions of Providing Remote Health Services" ("Federal Telehealth Regulations") expressly covers a range of telehealth services including:

  • Remote medical consultation;
  • Remote medical prescription;
  • Remote diagnosis;
  • Remote medical monitoring; and
  • Remote medical intervention.

At an Emirate level, the Abu Dhabi Department of Health ("AD DOH") Standards for the Provision of Tele-Monitoring Services in the Emirate of Abu Dhabi ("AD DOH Standards") apply in Abu Dhabi, and the Dubai Health Authority ("Dubai HA") Standards for Telehealth Services ("Dubai HA Standards") are the key pieces of regulation / policy to be referred to.

There are also regulations which apply specifically to providers located within the Dubai Healthcare City ("DHCC") free zone in the UAE, specifically Health Data Protection Regulation No 7 of 2013 ("DHCC Regulation").

Each law places extensive obligations upon telehealth service providers, which should be considered carefully in advance of applying for the relevant licence(s) to ensure that compliance can be demonstrated to the regulator(s) and maintained for the duration of the provision of the relevant telehealth services.

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

There are a range of telehealth services currently being provided in the UAE.

Those offered by the UAE government are listed in Costs of Telehealth.

We aren’t aware of the extent to which general videoconferencing applications are being utilised for medical consultation or dentistry services, if at all. However, we note that for psychiatric support a number of smaller providers appear to be offering such services.

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

UAE citizens receive free healthcare from the state, with residents paying their own healthcare costs or more typically relying upon insurance policies. On this basis, we understand that each of the services listed below would be provided free of charge to citizens.

In December 2019, the Dubai HA launched a smart service called Doctor for Every Citizen. Under this service, individuals can access free consultations through voice and video calls, 24/7. The service covers initial consultation and follow-ups with Dubai HA-certified physicians. The physician can request laboratory and radiology tests and issue electronic prescriptions. When launched, this service was for UAE citizens only. However, after the spread of COVID-19, the Dubai HA suggests that this service was extended to all residents of the emirate of Dubai (i.e., including expatriates living in Dubai). We understand, however, that this extension only relates to cases which relate to COVID-19, and it is not clear whether there would be a cost for non-citizens to access such a service.

The AD DOH launched the DOH RemoteCare app through which people can receive healthcare at their own homes, without visiting a hospital or clinic physically. The app has a tool for examining symptoms, diagnosing non-emergency cases, booking appointments and getting teleconsultations with doctors via voice or video calls or text messages. We understand that the AD DOH's intention is for healthcare providers across the Emirate to make use of this platform, which would allow for residents to access services via the platform at a personal cost or at the cost of their insurance provider (subject to approval).

The Federal Ministry of Health and Prevention recently launched a chatbot service called "Virtual Doctor for COVID-19". Individuals can use the service to assess whether their symptoms may be associated with COVID-19. The chatbot in the Virtual Doctor service asks questions relating to the person's travel history, whether they have come in contact with someone who has travelled and is sick, and whether they have come in contact with someone known to have COVID-19. It also asks if the person is suffering from specific symptoms and about their health habits. Depending on the person's answers, the chatbot will deduce if he / she is at risk. It will connect them to a doctor through the same service. It is not clear whether there would be any associated cost for this.

Since the COVID-19 pandemic, the Federal Ministry of Health, in conjunction with the Dubai HA and AD DOH, has launched the "Al Hosn" contact tracing and test result app. The app provides the user with their test results (if a test is taken) and can also monitor contacts with other app users. Users consent at registration to the use of the data on the app being made available to the health authorities on an anonymised basis. The contact functionality of the app relies on the phone's Bluetooth connectivity being kept on at all times and the transfer between app users of anonymised data showing contact. The individual's (and any dependents') data is kept in encrypted form on the app. Anonymised data regarding contacts with other Al Hosn app users that is older than 21 days is deleted from the app. Currently the Al Hosn app is voluntary. However, a Federal Attorney General directive requires that people testing positive must quarantine and may need to use a tracking system.

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Article 13 of the ICT Health Law provides that patient information which is "provided in the UAE may not be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a decision of the Health Authority in coordination with MOH". This acts as a data localisation requirement for all patient information which falls within that law.

The Dubai HA Standards reiterate the data localisation requirement set out under the ICT Health Law. There is no express data localisation requirement under the AD DOH Standards; however, the ICT Health Law may, effectively, impose this.

Under the DHCC Regulation patient information may only be transferred to a third party located in a jurisdiction outside of the DHCC if:

  • an adequate level of protection for that patient information is ensured by the laws and regulations that are applicable to the third party. To this end, the DHCC adopts the same list as any list that is used by the Dubai International Financial Centre’s Commissioner for Data Protection; or
  • the transfer is either: (a) authorised by the patient; or (b) necessary for the ongoing provision of healthcare services to the patient.

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

In addition to the AD DOH Standards and the Dubai HA Standards, there are also a number of policies and standards which apply exclusively within the DHCC:

  • DHCC Teleradiology Policy (7 May 2019);
  • DHCC Teleconsultation Policy (18 May 2019);
  • DHCC Telehealth Standard (6 December 2017); and
  • Dubai Health Care City Rule No. 1/2018.

The DHA has also issued a set of "Guidelines for Informed Patient Consent", which set out best practice for obtaining consent in the healthcare sector.

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

N/A
