Is Secondary Use of Patient Data Permitted in the UAE: A Comparative Study

The secondary use of patient data refers to the use of health-related data for purposes other than the original intent for which it was collected (typically clinical care). In this tech-driven era where data is the backbone of many industries, the health records, data and other information gathered during patient care are proving valuable far beyond the hospital setting.
So, while primary use focuses on diagnosing, treating, and managing a patient’s health, secondary use includes things like medical research, public health planning, and AI development. As various industries increasingly rely on data-driven solutions, regulatory frameworks across jurisdictions are grappling with how to allow such secondary use of data while protecting patient rights.
This article outlines the regulatory approaches adopted by the United Arab Emirates (UAE) in this regard, and compares it with the Kingdom of Saudi Arabia (KSA), European Union (EU), and United States of America (USA).
THE UAE
The UAE's approach to the use of patient data, particularly for secondary purposes, is still developing, but it has taken some strong initial steps.
Personal Data Protection Law
As per the UAE’s Personal Data Protection Law, personal data cannot be kept after the purpose of its processing has been exhausted, thereby requiring patient consent to use data for further purposes like research and AI training. However, the law also allows personal data to be used beyond its original purpose if the identity of the data subject has been concealed using an "Anonymization Mechanism" and cannot be traced back to them. This involves removing identifiers such as names, addresses, and other personal details that could link the data back to specific individuals. The anonymization must meet rigorous standards to ensure that re-identification is not possible.
Health Data Law
The Health Data Law in the UAE also contributes significantly to the country’s health data protection framework. The law imposes restrictions on the storage and processing of electronic health data, including a ban on transferring health-related data outside the UAE without the necessary permissions from the UAE Ministry of Health and Prevention (MOHAP). As per the law, one of the circumstances in which a patient’s information may be used or disclosed without the patient’s consent is for scientific research (provided that the identity of the patient is not disclosed and applicable scientific research standards and guidelines are complied with). This could be interpreted to include the use of the data for secondary purposes, but this will ultimately be determined by the MOHAP.
THE KSA
Similar to the UAE, KSA has enacted a personal data protection law which categorizes health data as sensitive personal data. However, KSA has addressed the secondary use of such data more comprehensively, particularly through the implementing regulations to this law. These regulations outline specific standards for anonymization, requiring that any anonymized data be processed in a way that ensures individuals cannot be identified, either directly or indirectly, using reasonably available means.
KSA also has a strong Health Information Exchange (HIE) ecosystem like the UAE, and the HIE Policies it has implemented comprehensively cover the secondary use of health information within this framework. Specifically, they state that the use of health information is allowed for purposes such as research, education, and payment, but is subject to policy constraints such as de-identification (with a corresponding re-identification risk assessment), a designated ethics committee, a data use agreement, and maintenance of a record of all de-identified, anonymized, and pseudonymized health information.
THE EU
In the EU, the General Data Protection Regulation (GDPR) applies to all EU member states and sets out guidelines for data privacy, including strict rules on the use of health data. Health data falls under the regulation's "special categories of personal data" and cannot be processed unless explicit consent is given or it is to protect the vital interests of the patient (among other controls). However, the regulation includes exceptions for processing without consent for statistical or research purposes, as long as the data is anonymized or pseudonymized.
Anonymization and Pseudonymization
GDPR distinguishes between anonymization (which irreversibly removes all personal identifiers) and pseudonymization (which replaces direct identifiers, such as names or personal numbers, with codes that can be reversed using additional information stored separately). While pseudonymized data remains subject to GDPR protections, anonymized data is no longer considered personal data and is thus not subject to the same regulatory requirements.
For research, AI model training, and other secondary uses, anonymized data is often preferred, as it allows use of data while keeping patient privacy and complying with data protection regulations.
Implications of Anonymization
Under the current framework of the EU GDPR, anonymized patient data can typically be used for training AI models without requiring explicit consent, as long as the anonymization is full and irreversible. An important implication of this is that individuals lose their data protection rights under the GDPR once their data has been anonymized, even if it was originally collected in an identifiable form (e.g., during clinical treatment).
Where personal data is de-identified to a level that falls short of full and irreversible anonymization, subsequent uses of the de-identified data must still be compatible with the original purpose and may require an additional legal basis (consent, contract, lawful purpose, etc.). Irrespective of the anonymization, it is good practice to inform data subjects that their data will be de-identified and may be processed for additional purposes like AI training.
The European Health Data Space
The EU is also introducing the European Health Data Space (EHDS) in the near future, after an agreement was reached earlier this year. Among other things, the EHDS establishes a framework for accessing and reusing health data. Hospitals seeking to use secondary health data (defined as personal health information that is used for purposes other than the original collection) must obtain a permit from a designated health data access body, which sets the specific conditions and purposes for data usage. Access to the data is restricted to secure, closed environments that comply with strict cybersecurity standards, and users can only extract anonymous data from these environments to ensure privacy.
THE USA
In the USA, the regulatory landscape for the use of patient data is shaped by a combination of federal and state laws, with notable emphasis on the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulates the use and disclosure of protected health information (PHI), including medical records and genetic data, by healthcare providers, insurers, and business associates.
While HIPAA requires patient consent for most uses of PHI, it also allows for certain exceptions, particularly for research purposes.
De-Identification of PHI
HIPAA permits the use of PHI without patient consent for research if an institutional review board (IRB) has approved the research and the data is de-identified. The de-identification process is essential, and HIPAA has outlined two main methods for de-identifying data:
- Safe Harbor Method: Under this method, PHI is considered de-identified if all 18 identifiers are removed from the data. These identifiers include direct identifiers (such as names, social security numbers, and addresses) and indirect identifiers (like date of birth, gender, and specific geographical information). Once these identifiers are removed, the data is deemed de-identified and can be used for secondary purposes such as research, AI training, or public health analysis without needing consent.
- Expert Determination Method: This method involves an expert, typically a statistician or data scientist, assessing the data and determining that the risk of re-identification is very low. This expert reviews the context of the data and ensures that the data cannot be reasonably used to identify individuals, even if combined with other data. If the expert makes this determination, the data is considered de-identified and can be used for research or AI model training.
In both cases, the goal is to ensure that data cannot be traced back to an individual, thereby minimizing the risk of re-identification. One of the main challenges in the US is the fragmented nature of data privacy laws, as states may have their own requirements, leading to inconsistencies in how data is handled.
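The following is an added illustration of the Safe Harbor method described above, not code from the article. It de-identifies a constructed patient record by dropping direct identifiers, reducing dates to years, aggregating ages over 89, and truncating ZIP codes to three digits; the field names, the sample record and the set of sparsely populated ZIP prefixes are all assumptions made for the example.

```python
import re
from datetime import date

# Fields Safe Harbor requires to be removed outright. HIPAA lists 18
# identifier categories; this constructed example covers the ones a typical
# EHR export carries plus the three "generalize, don't drop" rules below.
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone", "email", "mrn",
                      "ip_address", "device_serial"}
EVENT_DATES = {"admit_date", "discharge_date"}        # keep the year only
ALLOWED_CLINICAL = {"diagnosis", "lab_results"}       # explicit allow-list
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Three-digit ZIP areas that must become "000" because they hold 20,000
# people or fewer. Constructed placeholder set; the real list is derived
# from census data and must be maintained separately.
SPARSE_ZIP3 = {"036", "059", "102"}

# Constructed sample record (assumed field names, fictitious values).
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-001",
                 "dob": "1931-02-14", "zip": "03601", "admit_date": "2024-03-02",
                 "diagnosis": "I10", "badge_id": "B-77"}


def age_on(dob: str, today: date) -> int:
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = (int(x) for x in DATE_RE.match(dob).groups())
    return today.year - y - ((today.month, today.day) < (m, d))


def safe_harbor(record: dict, today: date) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalized.
    Keys not explicitly handled are dropped, so an identifier added upstream
    fails closed instead of leaking through."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
        elif key == "dob":
            age = age_on(value, today)
            if age >= 90:                 # ages over 89 are aggregated and the
                out["age"] = "90+"        # birth year is suppressed as well
            else:
                out["age"] = age
                out["birth_year"] = int(value[:4])
        elif key in EVENT_DATES:
            out[key.replace("_date", "_year")] = int(value[:4])
        elif key in ALLOWED_CLINICAL:
            out[key] = value
    return out
```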
Conclusion
While all these jurisdictions recognize the importance of protecting patient data, they differ in the depth and specificity of their regulatory frameworks. The EU stands out with its comprehensive GDPR, offering broader protections for patient privacy and clear guidelines for the use of sensitive data for secondary purposes (with even more guidelines being introduced through the Artificial Intelligence Act and EHDS).
The USA offers a strong and more sector-specific framework through HIPAA, which includes explicit provisions for research and the use of de-identified data, similar to KSA which has established clear requirements for anonymization and governance mechanisms.
The UAE’s framework shares similarities with the EU, US, and KSA in certain respects, particularly in its recognition of anonymization for further use and designating research as a general exception to requiring consent. However, its regulatory frameworks are still less comprehensive than those in the other regions which have introduced more specific and detailed guidelines for de-identification and controls for secondary use.
As AI and data-driven healthcare continue to evolve however, all these regions will likely refine their approaches to further protect patient privacy and ethical data use while also allowing innovation to take place.