The rapid advancement of Artificial Intelligence (AI) has revolutionized various sectors, with healthcare being one of the most significant beneficiaries. In the United Arab Emirates (UAE), the integration of AI-driven applications into healthcare systems promises to enhance patient care, streamline operations, and improve diagnostic accuracy. However, this transformation also brings forth challenges related to regulation, data privacy, and ethical considerations. As the UAE positions itself as a leader in digital health innovation, establishing a robust regulatory framework has become essential to ensure the safe and effective deployment of AI technologies. In this article, Ronin Legal explores the current landscape of AI regulation in the UAE healthcare sector, examining the policies and regulations in place in the country.
PRELIMINARY GUARDRAILS
The UAE has introduced certain policies and guidelines in light of the increasing applications of AI in healthcare in the country. In 2018, Abu Dhabi published its policy on the use of AI in the healthcare sector. With this policy, the Department of Health (DOH) Abu Dhabi became the region’s first entity to develop an AI policy in the healthcare sector. While the policy leaves a number of key elements to future regulatory decisions, it addresses the essential requirements of an effective AI system in the healthcare framework. The DOH has been directed to develop a regulatory framework that will govern the following elements of AI use in healthcare: safety and responsibility, privacy and security, transparency and oversight, and ethical implications. Further, users of AI will be required to, among other things:
- have in place clear governance on the use of AI
- provide clear guidelines and boundaries on access to and sharing of any patient information to protect confidentiality and ownership of such information
- conduct regular audits of AI functionality and reporting to DOH
- comply with all UAE and DOH related regulatory requirements, including those governing e-health, health information exchanges, data protection, information security, and AI.
The National Artificial Intelligence Strategy 2031, which began formation in 2017, is a cornerstone of the UAE government’s AI policy. This initiative aims to position the UAE as a global leader in AI, focusing on key sectors including healthcare, education, and transportation. In light of the increasing pressure on the healthcare system over the years, the UAE is focusing on integrating AI technologies to improve healthcare services, operational efficiencies, and patient outcomes. One example is the development of advanced AI tools that employ simulation models leveraging historical data to forecast future patient bed demands and optimize resource allocation. This approach not only aims to alleviate the burden on healthcare providers but also enhances working conditions for practitioners and improves the overall patient experience. By harnessing AI to develop comprehensive resourcing plans, the UAE government seeks to ensure that healthcare services are responsive to the evolving needs of its population.
Digital Dubai, a Dubai Government platform established in 2021, has also released Ethical AI Guidelines that businesses can turn to for practical guidance and resources, including a self-assessment tool. A key recommendation in these guidelines is that the development of AI systems informing significant decisions should include consultation with experts in the field in which the system will be deployed. In the healthcare sector, this means that AI developers creating systems intended to support critical medical decision-making should actively involve healthcare professionals throughout the development process. A pertinent example of this principle in action is the Babylon app, which utilizes AI to assess medical symptoms for its vast user base. Babylon faced regulatory scrutiny due to numerous complaints from healthcare professionals. Doctors expressed concerns that the app could overlook signs of serious illnesses, highlighting the potential risks associated with AI systems operating in such a sensitive domain. This serves as an example for healthcare applications that must follow certain guidelines in order to ensure their safe application.
These guardrails provide essential guidance for the safe and effective implementation of healthcare AI systems in the UAE. In addition, the UAE has established guidelines for the registration, importation, marketing, and use of medical devices, including software that acts as a medical device.
UAE REGULATION OF SOFTWARE AS A MEDICAL DEVICE
The regulation of Software as a Medical Device (SaMD) in the UAE is primarily governed by the Ministry of Health and Prevention (MoHAP) and the Drug Control Department (DCD). The MoHAP has established registration guidelines for medical devices, outlining the necessary requirements for obtaining regulatory approval. Medical devices have been defined as “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material, or another similar or related article.” Hence, software has also been included in the ambit of medical devices, and will have to follow the same rules for approval and registration. The registration guidelines reflect a commitment to globally recognized regulations, bearing close resemblance to the EU Medical Device Rules, 2017 and guidelines from the U.S. Food and Drug Administration (FDA).
The registration process for SaMDs involves submitting documentation that demonstrates safety, efficacy, and compliance with applicable standards. An application to register a medical device in the UAE must be made by the device manufacturer or its local representative. The local representative must be formally authorized by the manufacturer to handle the application process and the manufacturer’s legal obligations and responsibilities with regard to putting the medical device on the market in the UAE.
The registration guidelines provide four classes of medical devices for the purposes of registration – Class I (low risk), IIa (low to moderate risk), IIb (high to moderate risk), and III (high risk). The classification system is based on intended use, duration of use, and degree of invasiveness, and there are different requirements for different risk classes. Compliance with international standards, such as ISO 13485 (quality management systems) and ISO 14971 (risk management), is also crucial. This ensures that the SaMD meets stringent safety and performance criteria, aligning with global best practices.
Manufacturers must also submit a declaration affirming the accuracy of the submitted materials. This declaration confirms that they accept full responsibility for the medical device and its post-market plan, and that they will comply with the requirements set forth by the DCD once the medical device is placed on the market. If the MoHAP approves the registration, a certificate and an identification number are issued that allow the import/sale of the registered medical device in the UAE. The registration is valid for five years. However, if there are significant changes to the product data submitted during the application, the certification may become invalid. The DCD can also cancel the registration if requested by the manufacturer or if there are valid reasons to do so.
In addition, the MoHAP also passed the Federal Law No. (8) of 2019 on Medical Products, Pharmacy Profession and Pharmaceutical Establishments. This law covers medical products (including their operation software) and states that they cannot be circulated in the UAE unless the marketing authorization or approval for exclusive marketing is obtained from the MoHAP. Interestingly, the law distinguishes these from ‘healthcare products,’ which are defined as “Any medical product used for general human healthcare and is not intended for the diagnosis, treatment, cure or prevention of any disease, and its sale does not necessitate a medical prescription or doctor’s supervision upon use.” Such healthcare products can be announced, advertised, or promoted (unlike medical products) after obtaining the market authorisation.
Apart from medical devices, another key area in which the UAE has been developing its rules and infrastructure is electronic medical records.
THE UAE’s ELECTRONIC MEDICAL RECORDS
An electronic medical record (EMR) is a digital version of a patient’s medical chart and personal information. It includes the patient’s medical history, diagnoses, medications, treatment plans, immunization dates, and more. Although EMRs have been in use at the Dubai Health Authority (DHA) since 1998, in 2021 it was announced that all healthcare facilities, including hospitals, outpatient clinics, dental clinics, pharmacies, labs, and rehabilitation facilities, will be required to implement and maintain EMR systems. This initiative was prompted by the COVID-19 pandemic and the launch of NABIDH. NABIDH is a healthcare platform established by the DHA to securely exchange trusted healthcare information across both public and private facilities in Dubai. By centralizing health data, NABIDH allows for advanced data analytics that can support public health initiatives, research, and evidence-based decision-making. Hence, all the hospitals, clinics and diagnostic centres licensed under DHA need to be connected with NABIDH and exchange information using one of the qualified EMR systems. However, such health data would also be subject to the UAE’s regulations on data protection and security.
HEALTH DATA REGULATIONS
In the UAE, Federal Law No. 2 of 2019 (Health Data Law) regulates the use of Information and Communication Technology (ICT) in the healthcare sector. The Health Data Law applies to all ICT methods and uses in the areas of health in the UAE, including the Free Zones. It came into effect in May 2019, impacting businesses in the UAE that use ICT to process health information, such as healthcare service providers, life sciences companies, cloud service providers, healthcare IT systems suppliers, and medical insurance providers. Hence, the law regulates the processing of electronic health data originating in the UAE, as well as its transfer to countries outside the UAE. According to the law, the following conditions shall be adhered to when using ICT in the areas of health:
- To keep all Health data and information confidential and to allow the circulation thereof only in authorised cases.
- To ensure the validity and credibility of the health data and information, by protecting the integrity thereof from destruction or unauthorised amendment, alteration, deletion, or addition.
- To ensure the availability of the health data and information to the authorised parties and to facilitate access thereto if needed.
Federal Decree Law No. 45 of 2021 Concerning the Protection of Personal Data is the UAE’s Personal Data Protection Law, and it provides comprehensive regulations for the processing of personal data within the country. It defines key terms such as personal data, sensitive personal data, and biometric data, and outlines its applicability to various types of information, including health-related data that pertains to an individual’s physical, psychological, mental, genetic, or bodily state, as well as information related to healthcare services that may reveal a person’s health condition. The law grants individuals several rights, including the right to access, correct, and delete their personal data. It also imposes obligations on data controllers and processors to ensure the security and privacy of personal data.
- Sensitive Personal Data: Health data is explicitly classified as sensitive personal data, requiring stricter protection measures.
- Processing Restrictions: The law allows for the processing of health data without consent in certain cases, such as for public health purposes or medical diagnosis.
- Data Security: Controllers and processors must implement robust security measures to protect health data from breaches and unauthorized access.
- Individual Rights: Individuals have the right to access, correct, or erase their health data, subject to certain exceptions.
Federal Decree-Law No. (34) of 2021 On Countering Rumours and Cybercrimes outlines penalties for various cybercrimes in the UAE, including those related to health and medical data.
- Illegal Content: Content punishable by law includes anything compromising UAE’s security, public health, or relations with other countries.
- Causing Harm to Information Systems (Article 4): Wilfully harming or disrupting a website or information system can result in imprisonment (minimum of one year) and/or a fine ranging from AED 500,000 to AED 3,000,000, with an increased penalty for health-related cyberattacks.
- Infringement of Personal Data and Information (Article 6): Unauthorized use or dissemination of personal electronic data without permission leads to imprisonment (minimum of six months) and/or fines ranging from AED 20,000 to AED 100,000. Aggravated circumstances apply if the data involves healthcare or financial information.
- Promoting Medical Products without a License (Article 49): Managing a website or promoting unlicensed medical products is punishable by imprisonment and/or fines.
CONCLUSION
The governance of AI-driven healthcare applications in the EU and the UAE reveals significant differences shaped by their regulatory landscapes. The EU’s AI Act largely classifies AI-enabled healthcare systems as high-risk, enforcing strict compliance with standards for risk management, data quality, transparency, human oversight, and cybersecurity. This ensures that all AI technologies, from diagnostic tools to patient monitoring systems, undergo rigorous assessments to check their safety. In contrast, the UAE has not introduced specific AI legislation for healthcare AI systems, even though it has expressed its intention to do so in its National AI Strategy 2031. The country is actively supporting AI innovation, and does have guidelines, policies, and ethical standards in place to act as guardrails.
The UAE is, however, at the forefront of health information exchange, owing to its centralized system of EMRs via platforms like NABIDH. This facilitates seamless sharing of patient information across healthcare providers, enhancing quality of care and improving patient outcomes. Furthermore, the UAE has established a strong legal framework for health data protection, ensuring that patient information is safeguarded against unauthorized access and breaches. This commitment to data security not only fosters trust among patients but also positions the UAE as a leader in leveraging technology to improve healthcare delivery.
Authors: Varun Alase, Shantanu Mukherjee