
INTRODUCTION
Team Karm was proud to advise and represent our start-up client that built the 'Hayat' app. The Hayat app will use blockchain technology to create a database, allowing both nationals and expatriates to express their wish to donate organs after their death, by registering for the programme. His Highness Shaikh Mohammad Bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai, launched the ‘Hayat’ registry at the Ministry of Health and Prevention (MoHP) pavilion of the Arab Health forum on January 30, 2019.
Team Karm also advised another HealthTech solution targeted towards creating a repository of medical records. In this month’s Newsletter we bring to you a brief outline of the scope and ambit of the major federal laws and regulations in force for the HealthTech sector, and of the data protection laws applicable to the healthcare sector, as they currently stand in the UAE.
PART 1 of the Newsletter discusses the regulations on Organ Transplant and PART 2 of the Newsletter discusses the extant data protection laws applicable to the healthcare sector at the Federal, Emirate and Freezone level.
[Note: The licensing regime for the HealthTech sector is beyond the scope of this Newsletter. Please feel free to reach out to our team members for more information.]
PART 1
LAWS AND REGULATIONS IN FORCE FOR HEALTHTECH SECTOR
As a precursor, a HealthTech solution intending to launch in the UAE requires an appropriate license to be able to set up. At the same time, depending upon the nature of its activities, the license holder shall also have to take cognizance of the applicable healthcare laws. Some of them are outlined below:
- Organ transplant
In the UAE, the transplantation of human organs and tissues from both living donors and the deceased is allowed in accordance with the provisions of the Federal Decree Law No. 5 of 2016 on ‘Regulation of Human Organs and Tissue Transplantation’ (“Organ Transplant Law”). The Organ Transplant Law came into force in March 2017 and officially annulled the ‘Federal Decree Law No. (15) of 1993’ ‘Regulating the Human Organs and Tissue Transfer and Transplant’. The following are the key factors governing organ transplant and donation as per the Organ Transplant Law.
- The Organ Transplant Law defines ‘Donation’ to mean that “a living individual legally accepts to donate, during his lifetime or after death under a legal will left for his heirs or permitted successors to donate with no compensation the whole or part of any of his body organs or tissues to someone by way of transplantation operation.” As per Article 3 of the Organ Transplant Law, the provisions therein are applicable to human organs and tissues transplantation operations performed within the UAE (including the free zones). Operations of transplanting stem cells, blood cells and bone marrow are specifically excluded.
- Prohibitions - Article 5 of the Organ Transplant Law prohibits the following acts/activities: (i) Buying or selling the whole or part of human organs or tissues by any means or receiving any return for it; (ii) Performing surgeries of transplanting or sharing the whole or part of any human organ or tissue if in violation of the Organ Transplant Law; (iii) Propaganda, advertisement, promotion or brokerage for impermissible unlicensed operations of transplantation of the whole or part of any human organ or tissue; (iv) Financing surgeries of whole or part of human organs and tissues transplantation.
- Trafficking of human organs is also prohibited as per Federal Law No. 51 of 2006 on Combating Human Trafficking Crimes (“Anti-Trafficking Law”). Under Article 1 of the Anti-Trafficking Law any person who for the purposes of ‘exploitation’ commits any of the acts mentioned therein, shall be deemed to have committed a ‘human trafficking crime’. The term exploitation shall be deemed to include ‘human-organ trafficking’ as per Article 1(3) of the Anti-Trafficking Law.
PART 2
DATA PROTECTION LAWS APPLICABLE TO HEALTHCARE SECTOR
Federal Law
- Article 31 of the United Arab Emirates' constitution of 1971 (the "UAE Constitution") provides for a general right to privacy with respect to correspondence and other means of communication: "Freedom of corresponding through the post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law". It is interesting to note, however, that this only applies to UAE nationals. Further, Article 378 of Federal Law no. 3 of 1987 concerning ‘Promulgating Penal Code’, as amended by Federal Law no. 34 of 2005, (the "Penal Code") provides that the violation of private or familial life by recording or transmitting private conversations and by capturing or transmitting the picture of a person in a private place is punishable by a fine and imprisonment. Article 379 of the Penal Code further provides that any individual who, by reason of his profession or situation, is entrusted with a secret and who discloses it in unauthorised cases, or uses it for his own advantage, is punishable by a fine and by imprisonment.
- Further, Federal Law Number 7 of 1975 concerning the Practice of the Human Medicine Profession (the "Human Medicine Profession Law") under Article 13 states that a doctor has no right to divulge a private secret concerning a patient and relating to his profession. Certain exceptions apply to this, namely if divulging the secret is held to serve the interests of the individual or to prevent a crime from occurring.
- Article 2 of the Federal Decree Law No. 5 of 2012 on Combating Cybercrimes (“Cybercrime Law”) prohibits unauthorised access to websites or electronic information systems or networks. Article 2 further imposes more severe penalties when such actions result in, among other things, the disclosure, alteration, copying, publication and republication of data. The penalty's severity may be increased if such data is of a personal nature. Article 21 of the Cybercrime Law also prohibits the invasion of privacy of an individual by means of a computer network and/or electronic information system and/or information technology, without the individual's consent and unless otherwise authorised by law. This includes eavesdropping and photographing. Article 21 further prohibits disclosing confidential information obtained in the course of, or because of, work, by means of any computer network, website or information technology. To help enforce the Cybercrime Law, the National E-Security Authority was also established in 2012. The aim of this body is to regulate the protection of communications networks and information systems in the UAE. The creation of this Authority, which is strictly related to data protection and online privacy, shows the seriousness attached to cybercrime and e-security by the UAE government.
Emirate of Abu Dhabi
The Health Authority of Abu Dhabi ("HAAD") Data Standards and Procedures, of January 2008, as revised by the April 2014 version, outlines the policies and procedures which must be followed when handling Confidential Health Information ("CHI"), focusing on four areas: the necessary and authorised access to CHI; the unauthorised access to CHI; the storage of CHI; and the transmission of CHI. It further provides regulations relating to health insurance fraud. The HAAD has created a Data Standards Panel whose role is to "review and recommend to HAAD changes and additions to electronic data exchange standards, such as transactions, codes and business rules".
Emirate of Dubai
The Dubai Health Authority (DHA) has issued a code of conduct for healthcare professionals licensed to practice under the jurisdiction of DHA. As per Clause 7 of the code, all healthcare professionals are required to keep patients' records confidential, and to use the information obtained in the course of professional practice only for the purposes for which it was given, or where it is otherwise lawful. The licensed professionals are also required to ensure that there is no disclosure of any patient information without consent, except where it is required or permitted by law or if it is required to protect the patient or others from harm. The professionals are also required to ensure at all times that there is no unauthorized access, use or accidental disclosure of patients' information.
Freezone
Dubai Healthcare City (DHCC)
DHCC is the only healthcare freezone to have a dedicated data protection regulation. The regulation applies to all licensees who manage patient health information. Patient health information includes (a) information about the health of a Patient, including his medical history; (b) information about any disabilities that Patient has, or has had; (c) information about any healthcare services that are being provided, or have been provided, to that Patient; (d) information provided by that Patient in connection with the donation, by that Patient, of any body part or any bodily substance of that Patient, or derived from the testing or examination of any body part, or any bodily substance of that Patient; or (e) information about that Patient which is collected before, or in the course of, and incidental to, the provision of any Healthcare Service to that Patient.
CONCLUSION
There is a myriad of laws governing the healthcare sector in the UAE. In our experience, the authorities have been extremely supportive of innovative HealthTech solutions, and we are looking forward to working with more ideas and solutions in this space soon.
Authored by Akshata Namjoshi (Senior Associate) and Cherry Bhatnagar (Senior Associate) with inputs from Kokila Alagh (Founder).