How is Health Data Protected in the UAE?

The UAE today stands at the forefront of technology-led healthcare innovation. You can walk into a hospital where the doctor is assisted by an AI-enabled system to analyse your symptoms, your treatment plan is instantly generated and stored in the cloud, and your insurance claim is processed digitally within minutes. All this is made possible by the health data you provide, and it has made healthcare more effective than ever before.
However, it might also make you wonder – is my personal health information safe? Who has access to it? And what keeps it from being misused?
In an era where healthcare is deeply intertwined with technology, protecting health data is no longer just a technical challenge — it’s a legal imperative. It's also a concern that the UAE has been tackling head-on in recent years, and doing so with commendable progress.
UAE Health Data
The UAE’s healthcare ecosystem, valued at $34 billion in 2024, is projected to grow at a CAGR of 8% to reach $50 billion by 2029. Meanwhile, revenue in the digital health market alone is expected to hit over $566 million in 2025, with a projected CAGR of 23.3% from 2024 to 2030. This growth is primarily driven by the increasing integration of technology in healthcare, which is also strongly supported by the government.
As the UAE races ahead with its digital health initiatives, from telemedicine and wearable healthtech to AI-powered healthcare solutions, there is a growing reliance on Information and Communication Technology (ICT) in healthcare delivery, diagnostics, and data analytics. Naturally, this means that the protection, integrity, and ethical use of health data have become top priorities in the country.
In response, the UAE has enacted a few different laws to govern the collection, processing, and transfer of personal data (including health data), ensuring patient confidentiality, data security, and system accountability.
Who Regulates Personal Data?
In the UAE, data protection is regulated through a combination of federal and sector-specific authorities. At the federal level, the UAE Data Office is designated as the supervisory authority for personal data protection.
Free Zones
In the free zones, specific regulatory bodies may be established to oversee data protection within their respective jurisdictions. For example, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) have each enacted comprehensive data protection laws, which are independently enforced by their respective authorities – the Commissioner of Data Protection in the DIFC and the Office of Data Protection in the ADGM.
Healthcare Sector
Furthermore, some sectors have their own regulators and legal frameworks. In the healthcare sector, the Ministry of Health and Prevention (MOHAP) serves as the primary authority for overseeing the use of ICT in healthcare under the Health Data Law (discussed below). At the emirate level, the Dubai Health Authority (DHA) and the Department of Health (DOH) in Abu Dhabi play major roles in regulating health data within their respective jurisdictions. The Dubai Healthcare City (DHCC), a healthcare-centric free zone, also has its own specific health data protection regime while remaining under the broader oversight of the DHA.
Health Data Law
What is the UAE’s Health Data Law?
Federal Law No. (2) of 2019 Concerning the Use of the Information and Communications Technology in Health Fields (Health Data Law) is the UAE’s federal law regulating the handling of health data in the country. It was introduced even before the personal data protection law in the UAE, making it the country’s first dedicated data protection legislation.
This law regulates the use of ICT in the healthcare sector and applies to all ICT methods and uses in the areas of health in the UAE, including the free zones. It came into effect in 2019, impacting businesses in the UAE that use ICT to process health information, such as healthcare service providers, life sciences and healthtech companies, and medical insurance providers.
Key Provisions
The law regulates the processing of electronic health data originating in the UAE, as well as its transfer to countries outside the UAE. It sets out certain conditions that must be adhered to when using ICT in the areas of health:
- To keep all health data and information confidential, not use it for non-health purposes without the patient's written consent, and to allow its circulation only in authorised cases.
- To ensure the confidentiality, validity and credibility of the health data and information, by protecting its integrity from destruction or unauthorised amendment, alteration, deletion, or addition.
- To ensure the availability of the health data and information to any authorised parties and to facilitate access to it if needed.
- To not store, process, generate, or transfer health data outside the UAE, except in cases authorised by a resolution from MOHAP. Transfer may be allowed under exceptions such as the patient's written consent and encryption using the best available standards.
- To retain health data using ICT for a period that meets operational needs, provided that it is not less than twenty-five (25) years from the date of the last health procedure concerning the individual, and to ensure the data’s confidentiality, validity, and credibility during this period. This is significantly more than the US’s Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare organisations to retain patient medical records for six (6) years after their last procedure.
Personal Data Protection Law
How is Health Data Dealt With?
Federal Decree Law No. (45) of 2021 Concerning the Protection of Personal Data is the UAE’s federal personal data protection law (PDP Law), and it provides comprehensive regulations for the processing of personal data within the country. As per this law, ‘sensitive personal data’ includes health-related data that pertains to an individual's physical, psychological, mental, genetic, or bodily state, as well as information related to healthcare services that may reveal a person's health condition.
The PDP Law grants individuals several rights with respect to their data (access, correction, deletion, transfer, etc.), and also imposes obligations on data controllers and processors to implement strong security measures to prevent breaches or unauthorised access and protect the privacy of the data.
Importantly, in its scope of application, the PDP Law states that it will not apply to personal health data that is already governed by legislation regulating its protection and processing. This carve-out prevents overlap with existing regulations that are specific to health data protection.
GDPR Comparison
By classifying health data as sensitive personal data, this law aligns itself with the General Data Protection Regulation (GDPR), which classifies health data as a special category of personal data. Both the ADGM and DIFC data protection regulations also follow this approach, prohibiting the processing of such data unless specific exceptions apply, such as explicit consent or when necessary for the vital interests of the data subject.
DHCC Health Data Protection Regulation
The DHCC has its own Health Data Protection Regulation (HDPR), issued by the DHCC Authority. This regulation applies to all licensed healthcare professionals and entities operating within the DHCC, and its implementation and enforcement are overseen by the DHA.
Notably, the HDPR regulates the protection of Patient Health Information (PHI), as opposed to personal data, making it all the more healthcare-specific. Also, in contrast to the Health Data Law, which applies to entities across the UAE, the HDPR only applies to those entities licensed within the DHCC and to patient information generated and stored therein.
Alignment with Global Standards
The main provisions of this law resemble those in other major data protection regulations, such as purpose limitation, lawful collection, and rights of the data subjects (or in this case, patients). The law places strict limits on the use of PHI for reasons other than the intended purpose, requiring either patient consent, that the new use be directly related to the original purpose, or that the data be used for public health, research, or legal compliance (provided the data remains de-identified where required). This is in line with the GDPR as well, which mandates the anonymisation of personal data if it has to be used further.
Conclusion
When compared to global standards, the UAE’s legal framework bears similarities to the GDPR and HIPAA in the way it classifies health data as sensitive personal data, emphasises the protection of health information from unauthorised access, and requires patient consent (among other controls) for non-health uses. The major difference is that the GDPR and HIPAA have higher compliance requirements and impose much harsher punishments in case of any violations.
Overall, the UAE has made notable progress in this area, with a legal framework that includes laws at different levels of governance. These laws are designed to complement, not override, each other, with each serving a distinct purpose within its jurisdiction. For example, the Health Data Law focuses on ICT use in healthcare in the country, while the PDP Law provides broader privacy protections, and regulations like those in the DHCC and free zones such as the DIFC and ADGM offer zone-specific oversight.