On 30 June 2022, the Government of Abu Dhabi Department of Health (DoH) issued Circular No. 147 of 2022 (“Circular“) requiring health and pharmaceutical facilities licensed by the DoH (“Licensed Entities“) to obtain a “secure” or “safe” certificate that certifies they operate in full compliance with the requirements of the Abu Dhabi Standard for Health Information Security and Cyber Security Standards (“Standards“). Licensed Entities have until the end of this year (i.e., by 31 December 2022) to complete an audit process to verify their self-certification with the Standards.
The Circular also states that Licensed Entities are urged to apply stricter cybersecurity controls, including to ensure health data is not transmitted outside of the UAE and to discontinue the use of any cloud-based services that store or utilize health data, irrespective of whether that solution is hosted within or outside the UAE.
The development is likely to pose an operational challenge to participants in the health tech sector in the UAE, including pharmaceutical and medtech companies that require patient data to power their services, such as providers of precision medicine and robotic surgery tools as well as those who operate patient support programs. Yet, more importantly, in the absence of any exceptions this development also prima facie operates to prevent mandatory safety reporting and associated activities such as pharmacovigilance and materiovigilance.
- The Circular applies exclusively to all Licensed Entities (i.e., entities licensed to operate by the DoH in Abu Dhabi).
- Licensed Entities are required to certify compliance with the Standards by 31 December 2022 to avoid sanctions.
- In the event a Licensed Entity fails to obtain a certificate confirming it is compliant with the Standards, it is at risk of sanctions, including licence suspension.
- The Standards prohibit Licensed Entities from:
○ exporting health data outside of the UAE and oblige Licensed Entities to identify and disconnect any cloud services that process health data; and
○ sharing health data (even if de-identified) with third parties without the authorization of the DoH.
In more detail
The Standards were initially published in 2019, shortly after the publication of Federal Law No. 2 of 2019 on the Use of the Information and Communication Technology (ICT) in Health Fields (“Health Data Law“), which contains a similar default prohibition on the cross-border transfer and processing of health data. However, the Ministerial Resolution No. 51 of 2021 on the Cases of Allowing the Storage and Transfer of Medical Data and Information out of the State (“Health Data Export Resolution“), published by the Ministry of Health and Prevention following that date, introduced certain exceptions to the default data residency requirement.
As a result, it was understood that the exceptions in the Health Data Export Resolution could be relied upon by Licensed Facilities to make cross-border transfers of health information. The publication of the Circular, which does not reference the Health Data Export Resolution, indicates that the DoH expects the Licensed Entities to adhere strictly to the Standards.
Key requirements of the Standards include the obligation to:
- ensure that health data is not transmitted outside the UAE;
- identify and disconnect integrated systems that process, store or utilize health data with any of the entity’s systems that connect or utilize cloud services; and
- not share identified or de-identified health data with third parties, including counterparts and partners, unless authorized by the DoH.
In addition, the Standards expressly prohibit the use of cloud services and infrastructure. Based on a plain interpretation of this language, it would appear to prohibit the use of even single-tenanted, on-premise cloud solutions although it remains to be seen whether this will be clarified by the DoH.
In light of the significant impact this development will have on Licensed Entities, in addition to providers of health tech services, we eagerly await further guidance from the DoH on how Licensed Entities may comply with the Standards while still leveraging the latest healthcare technologies in the interests of providing the highest standard of patient care.
To speak to us in relation to any data and technology related matters, please reach out to the Baker McKenzie contacts below.