Department of Health – Abu Dhabi Clarifies Cross-Border Health Data Laws

(Clockwise from top left) Eng. Eissa Naser Al Hammadi, Office Director for Information and Cyber Security, Department of Health – Abu Dhabi (DoH); U.S.-U.A.E. Business Council President Danny Sebright; Anton Kumar, Senior Specialist, Information Security Risk Management and Assurance, DoH; and Fathima Ali, Senior Cyber and Cloud Security Architect, DoH.

The U.S.-U.A.E. Business Council hosted a virtual conversation with Department of Health – Abu Dhabi (DoH) officials on Monday, May 12th, 2025 about cross-border health data laws. Eng. Eissa Naser Al Hammadi, Office Director for Information and Cyber Security at the DoH, and his colleagues, Anton Kumar, Senior Specialist, Information Security Risk Management and Assurance, and Fathima Ali, Senior Cyber and Cloud Security Architect, discussed exemptions for cross-border flows of health data and in-country cloud-based storage and processing of health data within Abu Dhabi. 

Please see the DoH- U.S.- Cybersecurity Collaboration- 2025 presentation from the webinar, which includes various points of contact from the DoH (also see below for contacts). Also, please see DoH Data Webinar for a link to a recording of this webinar, which is being shared exclusively with webinar attendees and members of the U.S.-U.A.E. Business Council.

DoH provided an overview of three important pieces of legislation relevant to companies managing healthcare data in the U.A.E.

  • Federal Decree Law No. 2 (2019) regulates the processing of electronic health data originating in the U.A.E. and introduces familiar data privacy and protection concepts including accuracy, purpose limitation, consent to disclosure, and security measures. Article 13 of the law details the general prohibition of transferring health data outside the U.A.E. unless authorized by the relevant health authority in coordination with the government ministry.
  • Ministerial Resolution 51 (2021) sets out exceptions to Article 13 of Federal Decree Law No. 2 of 2019 to permit cross-border transfers and overseas processing of U.A.E. health data in 10 separate circumstances. These circumstances include pharmacovigilance reporting, scientific research, the administration of insurance claims, and U.A.E. Health Data processing in the context of wearables and healthcare monitoring devices.
  • Abu Dhabi Health Information Cybersecurity Standard Version 2.0 (2024) formally acknowledges cloud services for storing and processing healthcare data within the U.A.E. and provides guidelines for exemptions to cross-border data transfers.

DoH subsequently answered clarifying questions regarding the exemption criteria, request process, and compliance procedures for companies operating in Abu Dhabi. 

  • Timeline for Exemptions: The DoH confirmed that exceptions can be for up to one year and can be renewed as long as the company has demonstrated progress in its data localization plan. Exceptions can be granted during the software development process to allow companies to use their global software developer resources during the development period. The DoH clarified that ultimately all health data and related software and operations must be fully localized inside the U.A.E., and all of the related technology must be transferred to the U.A.E. by the time the final exception expires. The DoH clarified that the goal of granting exceptions is simply to give companies enough time to localize and achieve compliance. Even if a company is granted multiple one-year exceptions to allow enough time for that localization and technology transfer, ultimately the health data and processing must be completely localized and completely cut off from the company’s global security and tech resources.
  • Who can Request Exemptions: There is an online portal for the Abu Dhabi Healthcare Information Security Program (AAMEN) that contains information about the ADHICS exemption process. The DoH said that any company can submit an application for an exception via email using their standard template, but that currently only healthcare providers (hospitals and clinics) and payers (insurance companies) have access to the AAMEN online portal. Later in Q3 2025, they plan to grant AAMEN online portal accounts to technology providers and to manufacturers and their distributors and regulatory marketing authorization holders.
  • Blanket Exemptions: DoH stated that companies can apply to receive blanket exemptions for multiple hospitals based on a single request for use of a diagnostic test or medical device. These entities can use these “blanket” exemptions for medical products with potential use across multiple hospitals. The DoH confirmed that if a U.S. service provider (for example, of a particular diagnostic test or of a software application) or manufacturer does not have a U.A.E. representative appointed as their distributor or regulatory marketing authorization holder, then they cannot apply for a blanket exception. Instead, each hospital in the U.A.E. must apply for exceptions one by one on behalf of the U.S. entity.
  • Exemptions in other Emirates: The DoH said that their regulations and enforcement fully comply with the U.A.E. 2019 Health Data Law, so any exceptions granted in Abu Dhabi should in theory also be available in other Emirates. If a company receives an exemption from Abu Dhabi, DoH stated it is likely they will receive exemptions from Dubai and other Emirates.
  • Global Travelers and Medical Tourism: DoH officials noted the availability of the “Sahatna” app as a tool for U.A.E. residents to access their health data in an increasingly globalized world. They stated they welcome dialogue with global companies to address concerns related to data transportability and mobility.
  • U.A.E. Cloud: DoH officials explained U.S. companies do not need to apply for exceptions to put health data on the cloud as long as the data is being processed and stored in the U.A.E. These companies should, however, connect with the DoH to complete the necessary application for them to use the U.A.E. cloud for processing and storage of health data.

The DoH agreed to have additional industry sessions in future should more clarity be required. Moreover, they provided relevant contact details for companies to individually engage with them, noting that aamen@doh.gov.ae should be the default channel for communication:   

For more information about the U.S.-U.A.E. Business Council’s programming and this event, please contact Adam Karadsheh at akaradsheh@usuaebusiness.org.