How is Healthtech Regulated in the UAE?

Healthcare has witnessed a profound technological revolution over the past decade. Software, EMRs, robotics, cutting edge medical devices and artificial intelligence have transformed the staid practice of medicine and healing such that hospitals now look like gleaming tech hubs.

The UAE stands at the cutting edge of this revolution, boldly embracing AI not as a distant future, but as an immediate catalyst for change. From bustling medical centres to modern research laboratories, intelligent systems are reshaping the landscape of healthcare in the country, promising to diagnose faster, treat more precisely, and ultimately save lives with unprecedented efficiency.

Yet, this technological leap is not without its challenges. As technology becomes increasingly embedded in healthcare delivery, it also brings forth challenges related to regulation, data privacy, and ethical considerations which the UAE must address before more progress takes place.

PRELIMINARY GUARDRAILS

DOH Policy on Use of AI in Healthcare

The UAE has introduced certain policies and guidelines in light of their increasing applications of AI healthcare in the country. In 2018, Abu Dhabi published its policy on the use of AI in healthcare services, which made the Department of Health (DOH) Abu Dhabi the region's first entity to develop an AI policy in the healthcare sector.

While the policy leaves to future regulatory decisions a number of elements, it does establish some core requirements of an effective AI system in the healthcare framework, including: (i) having in place clear governance on the use of AI; (ii) conducting regular audits of AI functionality and reporting to DOH; and (iii) comply with all UAE and DOH related regulatory requirements, including those governing e-health, health information exchanges, data protection, information security, and AI.

National Artificial Intelligence Strategy 2031 The National Artificial Intelligence Strategy 2031, which began formation in 2017, is a cornerstone of the UAE government’s AI policy. It aims to position the UAE as a global leader in AI, focusing on key sectors including healthcare, education, and energy. The UAE Ministry of State for Artificial Intelligence, Digital Economy, and Remote Work Applications serves as the central authority for implementing the country’s AI initiatives such as this one, and regulates the growth and use of AI in the UAE.

Ethical AI Guidelines Digital Dubai, a Dubai government platform established in 2021, had also released Ethical AI Guidelines that businesses can turn to for practical guidance and resources, including a self-assessment tool. A key recommendation in these guidelines is that the development of AI systems informing significant decisions should include consultation with experts in the field in which the system will be deployed. In the healthcare sector, this means that AI developers creating systems intended to support critical medical decision-making should actively involve healthcare professionals throughout the development process.

In addition, the UAE has established guidelines for the registration, marketing, and use of medical devices that integrate AI, including those that are a software acting as a medical device.

REGULATION OF SOFTWARE AS A MEDICAL DEVICE

Software as a Medical Device (SaMD) is essentially any software that performs one or more medical functions without being part of a hardware medical device. Even if the software happens to be embedded in a piece of hardware, it must be the software itself that performs the core medical functions to be classified as an SaMD.

There are a few different types of SaMDs, including diagnostic software (assist in identifying diseases or conditions), monitoring software (tracks health data over time), and therapeutic software (guides treatment decisions or delivers therapeutic interventions). Clearly, since these tools can directly impact clinical decisions and patient outcomes using technology and data, they must be regulated to ensure their safety and efficacy.

UAE Regulation

The regulation of SaMDs in the UAE is primarily governed by the Ministry of Health and Prevention (MoHAP) and the Drug Control Department (DCD). The MoHAP has established registration guidelines for medical devices, outlining the necessary requirements for obtaining regulatory approval. Medical devices have been defined as “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material, or another similar or related article.”

Hence, software has also been included in the ambit of medical devices, and will have to follow the same rules for approval and registration. The registration guidelines reflect a commitment to globally recognized regulations, bearing close resemblance to the EU Medical Device Rules, 2017 and guidelines from the U.S. Food and Drug Administration.

Registration

The registration process for SaMDs involves submitting documentation that demonstrates safety, efficacy, and compliance with applicable standards, and must be submitted by the device manufacturer or its local representative. The registration guidelines provide four classes of medical devices for the purposes of registration - Class I (low risk), IIa (low to moderate risk), IIb (high to moderate risk), and III (high risk) based on intended use, duration of use, and degree of invasiveness.

If the MoHAP approves the registration, a certificate and an identification number is issued that allows the import/sale of the registered medical device in the UAE. The registration is valid for five years. However, if there are significant changes to the product data submitted during the application, the certification may become invalid. The DCD can also cancel the registration if requested by the manufacturer or if there are valid reasons to do so.

Additional Regulation In addition, the MoHAP also passed the Federal Law No. (8) of 2019 on Medical Products, Pharmacy Profession and Pharmaceutical Establishments. This law covers medical products (including their operation software) and states that they cannot be circulated in the UAE unless the marketing authorization or approval for exclusive marketing is obtained from the MoHAP. Interestingly, the law makes a distinction with ‘healthcare products,’ which are defined as “Any medical product used for general human healthcare and is not intended for the diagnosis, treatment, cure or prevention of any disease, and its sale does not necessitate a medical prescription or doctor's supervision upon use.“ Such healthcare products can be announced, advertised, or promoted (unlike medical products) after obtaining the market authorisation.

Apart from medical devices, another key area in which the UAE has been developing its rules and infrastructure is electronic medical records.

ELECTRONIC MEDICAL RECORDS

An electronic medical record (EMR) is a digital version of a patient’s medical chart and personal information. It includes the patient’s medical history, diagnoses, medications, treatment plans, and more. Although EMRs have been in use at the Dubai Health Authority (DHA) since 1998, in 2021 it was announced that all healthcare facilities, including hospitals, outpatient clinics, dental clinics, pharmacies, labs, and rehabilitation facilities will be required to implement and maintain EMR systems.

This initiative was prompted by the COVID-19 pandemic and the launch of NABIDH. NABIDH is a healthcare platform established by the DHA to securely exchange trusted healthcare information across both public and private facilities in Dubai. By centralizing health data, NABIDH allows for advanced data analytics that can support public health initiatives, research, and evidence-based decision-making. Hence, all the hospitals, clinics and diagnostic centres

licensed under DHA need to be connected with NABIDH and exchange information using one of the qualified EMR system. However, such health data exchange would also be subject to the UAE’s regulations on data protection to ensure patients’ rights are secured.

PRIVACY AND CYBERSECURITY

Abu Dhabi and Dubai

In Abu Dhabi, the DOH mandates compliance with the Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS); a compulsory framework for all healthcare entities. ADHICS requires the use of cybersecurity controls such as firewalls, multi-factor authentication, encryption, and regular risk assessments. It also stresses on incident response planning and strict adherence to data privacy laws. In Dubai, entities connected to NABIDH must follow stringent information security protocols aligned with international standards like ISO/IEC 27001 and ISO/IEC 27799.

Cybercrime Law Federal Decree-Law No. (34) of 2021 On Countering Rumours and Cybercrimes is the mainland law that outlines penalties for various cybercrimes in the UAE, including those related to health and medical data.

· Wilfully harming or disrupting a website or information system can result in imprisonment (minimum of one year) and/or a fine ranging from AED 500,000 to AED 3,000,000 with increased penalty for health data related cyberattacks.

· Unauthorized use or dissemination of personal electronic data without permission leads to imprisonment (minimum of six months) and/or fines ranging from AED 20,000 to AED 100,000. Aggravated circumstances apply if the data involves healthcare or financial information.

· Managing a website or promoting unlicensed medical products is punishable by imprisonment and/or fines.

CONCLUSION

With growing pressure on its healthcare system over the years, the UAE is turning to AI to enhance their healthcare services. However, its integration must adhere to clearly established standards to ensure safe use in this highly sensitive field.

The governance of AI-driven healthcare applications differs notably between the EU and the UAE, given the EU’s relatively more advanced regulations and the UAE’s developing, innovation-driven approach. The EU’s Artificial Intelligence Act largely classifies AI-enabled healthcare systems as high-risk, enforcing strict compliance with standards for risk management, data quality, transparency, human oversight, and cybersecurity. This ensures that all AI technologies, from diagnostic tools to patient monitoring systems, undergo rigorous assessments to check their safety.

In contrast, the UAE has not introduced specific AI legislation for healthcare AI systems (or AI in general), even though it has expressed its intention to do so in its National AI Strategy 2031. Regardless, by drawing on international best practices, as it has done with its Personal Data Protection Act and Health Data Law, the UAE is on the path to developing a strong legal framework for AI and its application in healthcare.