Market Intelligence
Information and Communication Technology Health Information Technology Healthcare Services United Arab Emirates

United Arab Emirates Regulations Limit Cross Border Health Data Flows

Understanding how to navigate and comply with health data regulations is an important factor in successfully doing business in the UAE, particularly in the healthcare services, health insurance, medical device and diagnostics sectors.  Case-by-case approvals in each of the seven Emirates may be necessary in addition to consent from each individual health data subject.

UAE Federal Law Number 2 of 2019, known as the Health Data Law covers the collection, processing and circulation of health data and sets out processing, security, and retention requirements.  The Health Data Law places a general restriction on the transfer of patient health data outside the UAE but allows for exceptions as specified in the UAE Health Ministerial Resolution 51 of 2021.

UAE Health Ministerial Resolution 51 of 2021 created ten exceptions that can be granted by the health authorities in each Emirate on a case-by-case basis to allow the cross-border flow of health data.  The ten types of exceptions that can be granted for cross border data flows are: pharmacovigilance reporting, patient treatment overseas, the administration of insurance claims, scientific research and clinical trials, wearable healthcare monitoring devices, medical diagnostic testing, cooperation with UAE governmental institutions, telemedicine, for personal use, and other purposes as approved based on coordination with the federal Ministry of Health and Prevention.

Section CM 4.2 of the Communications Policy contained in the November 2019 Abu Dhabi Department of Health’s Healthcare and Information and Cyber Security Standard (ADHICS) covers the collection, processing and circulation of health data within the Emirate of Abu Dhabi and sets out processing, security and retention requirements.  ADHICS restricts cross border flows of health data by stating that a “healthcare entity shall not use cloud services or infrastructure to store, process or share information that contains health information.”  The Abu Dhabi Department of Health has the authority to grant exceptions on a case-by-case basis to allow the use of cloud-based data center services.

The Dubai Health Authority’s Policy for Health Information Assets Classification of December 29, 2021, and Policy for Health Information Assets Management of December 26, 2022, cover the collection, processing and circulation of health data and sets out processing, security, and retention requirements.  Both Dubai Health Authority policies allow cross-border flows of health data.

The Dubai Health Care City free-trade zone has some regulatory autonomy and its own Health Data Protection Regulation No. 7 of 2013 that applies to entities that are licensed to conduct business within the DHCC.  The regulation applies to any licensed healthcare professional, licensed complementary and alternative medicine professional, licensed healthcare operator, approved education operator, approved research operator, licensed commercial company, or a non-clinical operating permit holder operator.  The regulation places restrictions on the licensee’s management of patient health data, regardless of where that data might be held, and sets out the requirements for patient health data retention and cross border flows of patient health data.

We recommend U.S. companies discuss their health data storage and processing requirements with the health authority in each of the seven Emirates to ensure compliance before doing business.  If you have any questions, please contact the U.S. Commercial Service, before planning to start operations in the UAE. We are happy to guide and support your expansion plans.

For more information, please contact Office.Dubai@trade.gov