Health Data Classification Policy2022852434

Download as pdf or txt
Download as pdf or txt
You are on page 1of 40

‫قطاع التنظيـم الصحـي‬

Health Regulation Sector

Document Type: Ref No: Version

Health Information Policy DHA/HRS/HISHD/HIACP/1/2021 Number: 1
Effective Revision
Document Title:
Date: Date:
Policy for Health Information Assets Classification
29/12/2021 29/12/2024
Ownership: Health Regulation Sector
Applicability: All Healthcare Entities under the Jurisdiction of Dubai Health Authority

1. Purpose

1.1. To set out Dubai Health Authority (DHA) `s requirements for Classifying Health

Information Assets (HIA) in the Emirate of Dubai; in line with the UAE and Emirate of

Dubai legislative, regulatory frameworks, and necessities.

1.2. To outline the requirements and responsibilities of healthcare Entities working under

jurisdiction of DHA on HIA classification.

1.3. To ensure that the applicable and relevant security controls are set in place for HIA in

line with relevant UAE and Emirate of Dubai legislative and regulatory requirements.

2. Scope

2.1. All HIA within the Emirate of Dubai handled by healthcare Entities under jurisdiction

of DHA.

2.2. These HIA as defined by UAE Information and Communications Technology (ICT) in

Healthcare law includes information/data in all its form, as well as the underlying

application, technology, and physical infrastructure to support its processing, storing,

communicating and sharing. This includes but is not limited to below information

Health Information Assets Classification Policy Page 1 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

assets in health Entity :

2.2.1. Medical and non-Medical information (e.g. Administrative, HR, etc.).

2.2.2. Identifiable and De-identifiable data.

2.2.3. Data Accessed for primary or secondary use.

2.2.4. Physical or digital forms of data.

2.3. All users accessing and using information in healthcare sector in the Emirate of

Dubai; including all employees, contractors, consultants, suppliers, vendors, partners,

customers and wider stakeholders where appropriate.

3. Definitions/Abbreviations:

Audit: Systematic and independent examination of HIA classification to determine whether

the activities were conducted, and the data were collected, used, retained or disclosed

according to organizational standard operating procedures, policies, good clinical practice, and

applicable regulatory requirement(s).

Assets: are economic resources. It is anything tangible or intangible that is capable of being

owned/controlled to produce value and that is held to have positive economic value.

Classification: means assigning categories to assets on pre-set criteria. In information

security classification is used to categorize information assets in terms of sensitivity to

protect it from unauthorized access, use, disclosure, disruption, modification or destruction.

Classified information assets: information assets/material or data that an Entity claims as

Health Information Assets Classification Policy Page 2 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

sensitive, secret, or confidential that requires protection of its confidentiality, integrity, or

availability. Access to these information is restricted to people, process or other parties.

Compliance: is the act of adhering to, and demonstrating adherence to, a standard or

regulation (international or internal).

Confidentiality: part of the information security triad, confidentiality means the

nondisclosure of certain information assets expect to an authorized individual as per the

classification level of the asset.

Custodian: is defined as an individual or Entity that has approved responsibility for

maintaining an information asset.

Encryption: The process of converting information or data into a code, especially to prevent

unauthorized access.

External parties: an individual or organization that deals with the Entity through a business

relationship and has access to Entity`s health information.

Data: All that can be stored, processed, generated and transferred by Information and

Communications Technology (ICT) such as numbers, letters, symbols, images and the like.

Data Collection: A systematic gathering or organized collection of data, in any format, for a

particular purpose, including manual entry into an application system, questionnaires,

interviews, observations, existing records, and electronic records.

Declaration of Maturity: is a comprehensive assessment of Entity’s capability to classify,

handle, store, archive and dispose HIA as per existing Laws and regulations.

De-identified Health data: De-identified health data is patient data that has been scrubbed of

important identifiers such as birth date, gender, address, and age. De-identified patient data is

often used for research.

Health Information Assets Classification Policy Page 3 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

Electronic Medical Records: Subject of care Administration System used across the Entity to

record subject of care activity in real time. Management of the system is in conjunction with

the Health regulation electronic records requirements.

Electronic Platform: An electronic system composed of hardware; software; networks; storage

systems; and a connectivity and communication site, via which Dubai Data are disseminated

and exchanged.

Entity: Entity in Dubai that is involved in the direct delivery of healthcare and/or supportive

healthcare services, or in the financing of health such as health insurer and health insurance

facilitator, healthcare claims management Entity, payer, third party administrator, hospital,

medical clinic and medical centre, telemedicine provider, laboratory and diagnostic centre, and

pharmacy, etc.

Exchange of Health Information: Access, exchange, copying, photocopying, transfer, storage,

publication, disclosure or transmission of health data and information.

Health Information: Health data processed and made apparent and evident whether visible,

audible or readable, and which are of a health nature whether related to health facilities, health

or insurance facilities or beneficiaries of health services.

Identifiable Health Data: Data are considered “individually identifiable” if they include any of

the 18 types of identifiers specified by the Health Insurance Portability and Accountability

Act (HIPAA) Privacy Rule:

 Name

 Address (all geographic subdivisions smaller than state, including street address, city,

county, ZIP code)

 All elements (except years) of dates related to an individual (including birth date,

Health Information Assets Classification Policy Page 4 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

admission date, discharge date, date of death and exact age if over 89)

 Telephone numbers

 FAX number

 E-mail address

 Social Security number

 Medical record number

 Health plan beneficiary number

 Account number

 Certificate/license number

 Any vehicle or other device serial number

 Device identifiers or serial numbers

 Web URL

 Internet Protocol (IP) address numbers

 Finger or voice prints

 Photographic images

 Any other characteristic that could uniquely identify the individual.

Incidents: an incident can be thought of as violation or imminent threat of violation of

computer security policies, acceptable use policies, or standard security practice.

Information and Communication Technology: Technical or electronic tools or systems or

other means that enable the processing of information and data of all types, including the

possibility of storage, retrieval, dissemination and exchange.

Information assets: includes information/data in all its form, as well as the underlying

application, technology, and physical infrastructure to support its processing, storing,

Health Information Assets Classification Policy Page 5 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

communicating and sharing. The following are considered HIA:

(a) Information (in physical and digital forms)

(b) Medical device and equipment

(c) Applications and Software

(d) Information System

(e) Physical Infrastructure (Data center, access barriers, electrical facilities, HVAC

systems, etc.)

(f) Human resources (in support of care delivery)

Information Asset Owner: A senior member of Entity who is the nominated owner for one or

more identified HIA of the Entity.

Information Assets classification: is the process of categorizing all HIA, based on its

sensitivity, business value and context, and determines the level of safeguards that are applied

to the information.

Information Governance (IG) Office/Section: is the point of contact for all enquiries related


(a) Data protection

(b) Freedom of information

(c) Records management

(d) Information risk management

(e) Information security

(f) Business continuity

Internet Protocol (IP) address: is a unique address that identifies a device on the internet or

a local network.

Health Information Assets Classification Policy Page 6 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

NABIDH: A health information exchange platform by the Dubai Health Authority that

connects public and private healthcare facilities in Dubai to securely exchange trusted health


Need-to-Know: A criterion used in security procedures that requires the custodians of

classified information to establish, prior to disclosure, that the intended recipient must have

access to the information to perform his or her official duties.

Primary use: The information collected by the healthcare provider for the primary purposes

of giving treatment and health care to the subject of care.

Processing: Data processing covers the creating, entering, using, modifying, updating,

deleting, storing, disclosing and disposing of data.

Secondary use: The secondary use is use of personal health information for purposes other

than treating the individual subject of care, including but not limited to Research, Public

Health, Quality Improvement, Safety Initiatives, payment and marketing. Some secondary

uses directly complement the needs of primary use. Examples include medical billing, hospital

administrative, and management operations.

Subject of care: An individual approaching the health services in the Emirate of Dubai.

System: A set of electronic data and health information exchange operations, involving a set

of electronic parts or components that link together and work together to achieve a specific


Very Important Person (VIP) Criteria:

(a) Senior visitors (leaders and heads of state)

(b) Foreign ministers during their visit to the UAE

(c) Ambassadors and Delegates in the UAE

Health Information Assets Classification Policy Page 7 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

(d) Ministers and Undersecretaries of the Ministry of the UAE

(e) Chairmen and Undersecretaries of the government departments of the UAE

(f) Royals and crown princes of the UAE and other Emirates including their immediate

family members (wives, sons, daughters, brothers and sisters)

(g) Al Nahyan and Al Maktoum family members

(h) Members with prefix “Sheikh” or “Sheikha” in their official identity

(i) Members with prefix “High Excellence” or “Her Excellence” in their official identity.

DHA : Dubai Health Authority

EMR : Electronic Medical Records

HIA : Health Information Assets

HISHD : Health Informatics & Smart Health Department

HRS : Health Regulation Sector

ICT : Information and Communications Technology

IG : Information Governance

IP address : Internet Protocol address

VIP : Very Important Person

Term Meaning / Application

Must This term is used to state a mandatory requirement of this Policy

Should This term is used to state a recommended requirement of this Policy
May This term is used to state an operational requirement of this Policy

Health Information Assets Classification Policy Page 8 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4. Policy Statement:

4.1. The Health Information Assets (HIA) classification policy is an integral part of the

DHA’s approach to Information Governance (IG). This policy must be read in

conjunction with other related DHA_Health Regulation Sector (HRS)_Health

Informatics & Smart Health Department (HISHD)_IG policies and regulations.

4.2. All HIA generated by Health Entities must be subject to classification into one of the

following sets based on value and sensitivity of the information, and the consequences

of Information compromise:

4.2.1. Open Data /Public

4.2.2. Confidential

4.2.3. Sensitive

4.2.4. Secret

4.3. Information compromise includes, but is not limited to:

4.3.1. Data loss.

4.3.2. Data misuse.

4.3.3. Data interference.

4.3.4. Data unauthorised access.

4.3.5. Data unauthorised modification.

Health Information Assets Classification Policy Page 9 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.3.6. Data unauthorised disclosure.

4.4. As per Resolution No. (2) of 2017, on Approving the Policies for Classification,

Dissemination, Exchange, and Protection of Data in the Emirate of Dubai:

"Personal Data that reveals information about or is, directly or indirectly, related to a

Person’s family; racial, ethnic, or social origin; affiliations; political views; religious or

philosophical beliefs; criminal record; membership in unions; health; or personal life" is

considered as Sensitive data.

4.5. A limited subset of information could have more damaging consequences (for

individuals, the health sector, or the UAE Government generally) if it was lost, stolen

or published in the media. Where information is identified as such, it must be clearly

marked as Secret.

4.6. The Sensitive and Secret data require the Entity to impose measures (generally

procedural or personnel) to reinforce strict controls while accessing, storing, sharing,

and disposing. Example of these controls are:

4.6.1. Subject of care/ Patient consent

4.6.2. Data sharing agreement

4.6.3. Encryption of Data

4.6.4. Anonymization of information.

4.7. Secret data are the utmost critical information, requiring the highest levels of

Health Information Assets Classification Policy Page 10 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

protection from the all types of threats. Unauthorized access to Secret data might

cause significant damage to the following:

4.7.1. The ability of a Federal Government or a Local Government to perform its


4.7.2. The operational effectiveness of highly valuable security procedures.

4.7.3. Diplomatic relations with any country or international organisation.

4.7.4. Safety, security, or prosperity of the UAE; or any other country, by affecting

its commercial, economic, or financial interests.

4.7.5. Security of critical national infrastructure.

4.7.6. The operational effectiveness of the police authorities or military forces of the

UAE in a way that causes them to encounter, in the course of performing their


4.7.7. Public interest or national security of the Emirate of Dubai or the UAE.

4.7.8. Domestic stability of the Emirate of Dubai or the UAE.

4.7.9. Capabilities or security of the UAE or its allied forces, leading to their inability

to perform military duties.

4.7.10. Long-term damage to the economy of the Emirate of Dubai, or UAE.

4.7.11. Private Entity that has a vital and strategic role in the national economy,

resulting in heavy financial losses, bankruptcy, or loss of its leading role.

Health Information Assets Classification Policy Page 11 of 40 DHA/HRS/HISHD/HIACP/2021/01
‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.7.12. The safety and lives of certain personnel of the police, security, or military

authorities; or of witnesses in critical court cases.

4.7.13. Security and the administration of justice, or obstructing investigations

into serious crimes or prosecution of perpetrators.

4.7.14. Invading any Intellectual Property Rights.

4.7.15. Causing heavy loss of life.

4.8. The classification of HIA is wholly based on the examination of the value of the

information, who will have access to the HIA, and the resulted risk impact if the

information was compromised or accessed by unauthorized individuals:

Category Description Risk Impact of Information Examples



 Information intended to be No impact  Public Domains

Open Data/Public

used in public domain or  Patient information leaflets

public use, and has no legal,  Press release /
regulatory or organizational announcements
restrictions for its access  Regulatory filings, such as
and/or usage. Internal Revenue Service
 Intended purpose from the filings
creation, access and use of  Certification labels such as
the information is the general The Joint Commission
advancement of society, Certification
promotion of the interest of  Research publications
the organization and of the  General public health
country, providing essential awareness or regulation
information equipping awareness publications

Health Information Assets Classification Policy Page 12 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

citizens, patients and other  General sales or marketing

stakeholders understand materials
better the country’s/  Business contact
governmental/organizational information.
vision and values.  Etc.
 Encryption recommended.
 The use and release of open
data must comply with
applicable copyright laws.
 Information that must be  Its compromise may  Routine business operations

afforded limited violate UAE federal law, and services.

confidentiality protection Emirates of Dubai local  Minutes of meetings,
due to its use in the day-to- law, and/or DHA policies internal Policies, Standard
day operations. and regulations. Operating Procedures and
 Information that relates to  Cause limited damage to Internal Circulars, Contract
the internal functioning of the the public interest, Entity/ of non-critical projects,
Entity and will not have individual reputation, projects charters, and
general relevance and  Limited financial aspects Entity`s performance
applicability to a wider damage. reports.
audience.  Adversely affecting the  Correspondence within the
 Although individual items of Entity by limiting its Entity or with other Entities
information are not sensitive, competitiveness or third parties.
taken in aggregate they may  Adversely affecting public  Financial reports and
reveal more information than safety or justice. transactions.
is necessary, if they were to  Confidential decision-
be revealed. making documents.
 Internal regulations,
policies, standards,
 Etc.

Health Information Assets Classification Policy Page 13 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

 Information that requires  The compromise of this  Medical records and


strong protection due to its information might violate Personal health information.
critical support to decision- UAE federal law, Emirates  Sensitive medical
making within the Entity, of Dubai local law, and/or information:
across health sector, and DHA policies and - Chemical dependency,
government. regulations. - Human immunodeficiency
 Information that could  Lead to significant virus infection
disclose designs, disruption/loss of - Mental health conditions
configurations or emergency and heath care - Behavioral health
vulnerabilities exploitable by capabilities, loss of public information
those with malicious intent. trust in the health sector, - Psychotherapy notes,
 Information that the Entity, or or significant loss of -Alcohol and substance
through government or reputation to the health abuse,
regulatory mandates, has a sector with momentous - Reproductive health,
duty of care to others to hold coverage by the national - Genomic information,
in safe custody. and international press. -Sexual health (including
 Adversely affecting the sexually transmitted
Entity by limiting its diseases),
competitiveness. - Child pregnancy data
 Adversely affecting public - Child abuse conditions.
safety or justice.  Strategic/critical projects
contract or RFPs
 Audit reports
 Risk/assets registers
 Financial details in relation
to projects or proposals
 Information security
incidents reports
 Human resource
files/Personal information
about staff/Personally
Identifiable Educational
information about the
management of the Entity.
 Court proceedings.
 Adoption records.

Health Information Assets Classification Policy Page 14 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

 Disciplinary records,
complains, investigations
minutes, violations.
 Agreements or contracts of
a secret nature between the
Entity and another Entity
within the UAE or
 Etc.
 Information that requires  The disclosure of such  Medical record of Very

significant and multilevel information to the public Important Person (VIP).

protection due to its highly or exchange within the  Security forces data.
sensitive nature. Government on other than  Security reports, minutes, or
an authorized basis is orders.
illegal and may cause very  Sensitive minutes and
serious damage to the report of executive council
Individuals, government, and its committees.
national security, social  Agreements/contracts
cohesion, economic between the Emirate of
viability and health of the Dubai and another Emirate
country. or between the UAE with
 Information compromise another country.
could potentially threaten  Data relevant to witnesses
life; seriously prejudice of serious law suites.
public order, triggering  Credit Card Details/Credit
discrimination, Card Details/Payment card
mistreatment, humiliation information.
or undermining people’s  Controlled Technical
dignity or safety. Information ("CTI")
 IP addresses.
 Network & Infrastructure
 Etc.

Health Information Assets Classification Policy Page 15 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.9. Assessing Risk of Potential Disclosure

As the total potential impact of information disclosure increases from Low to High,

the classification of data should become more restrictive moving from Public to Secret.

Below table can assist in classification of HIA within the Entity. If appropriate data

classification is still unclear after considering these points, contact the DHA_HISHD

for assistance (

Potential Impact

Security Objective Low Moderate High

Confidentiality The unauthorized The unauthorized The unauthorized
Preserving authorized disclosure of disclosure of information disclosure of information
restrictions on information could be could be expected to could be expected to have
information access expected to have a have a serious adverse a severe or catastrophic
and disclosure, limited adverse effect effect on organizational adverse effect on
including means for on organizational operations, organizational operations,
protecting personal operations, organizational assets, or organizational assets, or
privacy & proprietary organizational assets, individuals. individuals.
information or individuals.
Integrity The unauthorized The unauthorized The unauthorized
Guarding against modification or modification or modification or
improper information destruction of destruction of destruction of
modification or information could be information could be information could be
destruction, and expected to have a expected to have a expected to have a severe
includes ensuring limited adverse effect serious adverse effect or catastrophic adverse
information non- on organizational on organizational effect on organizational
repudiation and operations, operations, operations, organizational
authenticity. organizational assets, organizational assets, or assets, or individuals.
or individuals. individuals.
Availability The disruption of The disruption of access The disruption of access
Ensuring timely and access to or use of to or use of information to or use of information
reliable access to and information or an or an information system or an information system
use of information. information system could be expected to could be expected to have

Health Information Assets Classification Policy Page 16 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

could be expected to have a serious adverse a severe or catastrophic

have a limited adverse effect on organizational adverse effect on
effect on organizational operations, organizational operations,
operations, organizational assets, or organizational assets, or
organizational assets, individuals. individuals.
or individuals.

4.10. Health Information Assets Labelling

4.10.1. All HIA regardless of its form (Electronic or physical) must be appropriately

labelled based upon the security classification category identified and the

level of confidentiality the information needs.

4.10.2. To achieve clearly identifiable protective markings for physical documents,

it is recommended:

a. Using capitals, bold text, large font and a distinctive colour (red

preferred), for example SENSITIVE.

b. Placing markings at the centre top and bottom of each page.

c. Separating markings by a double forward slash to help clearly

differentiate each marking.

4.10.3. The labelling system needs to be clear and easy to manage.

4.11. Health Information Assets Re-classification

4.11.1. The Entity must consider reclassification of the HIA at any point of time

whenever there is a need to change the classification based on a

Health Information Assets Classification Policy Page 17 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

reassessment of the potential impacts of its compromise.

4.11.2. Reclassification may raise or lower the security classification of HIA.

4.11.3. Declassification is the administrative decision to reduce the security

classification of HIA when it no longer requires security classification

handling protections.

4.11.4. The re-classification of HIA (in terms of either degrading or upgrading its

classification) must be done by the information asset owner.

4.11.5. Since re-classification involves change in access control, appropriate pre-

cautions/security controls must be considered against information


4.12. Health Information Assets Access Permissions within the Entity

4.12.1. No Individual must access Confidential/Sensitive/Secret HIA without first

obtaining an Access Permission from the Entity.

4.12.2. Entity must follow the principles of ‘need to know’ and ‘minimum necessary’

while providing access to Sensitive and Secret HIA and for the minimum

extent required for processing / purposes of the Entity’s operations.

4.12.3. Entity must periodically review the continuing necessity of HIA access.

4.12.4. The Entity must establish rules for protecting data, based on its

classification, such as access restrictions or encryption.

Health Information Assets Classification Policy Page 18 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.12.5. Below table explains the HIA access control requirements:

Health Information Assets Access Control Requirements

Open Data /Public Confidential Sensitive Secret
 Available to the  Available to  Available only to authorized  Access to this
public. authorized users. users. information may be
 Can be shared  Shared by HIA  Information asset owner distributed only:
with third parties owner consent. must consider more Stringent  If required by law or
with no permission. access control regulation.
 Sharable across  Pursuant to a
Government /Private Entities: lawfully issued order.
- With the consent of the  If necessary in the
individual. course of a legal
- As required by contract, proceeding.
subject to appropriate non-
disclosure restrictions and
data sharing agreement.
- Pursuant to a waiver of
authorization issued by an
authorized Institutional
Review Board.
 Access must be logged and
reviewed by the information
asset owner.

4.13. Health Information Assets Sharing with Third Parties

4.13.1. Healthcare Entities must specify, in accordance with the provisions of this

policy and as per the UAE ICT law, the Government and Private Entities that

are authorised to access/share it`s Confidential/Sensitive Data:

d. Sharing of Sensitive Data with the UAE Ministry of Health and

Prevention (MOHAP) is allowed within the framework of the UAE ICT

Health Information Assets Classification Policy Page 19 of 40 DHA/HRS/HISHD/HIACP/2021/01
‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

law and through DHA_HISHD.

e. Sharing of Sensitive Data with other UAE Government Entities must be

approved and facilitated by DHA_HISHD.

f. Sharing of Sensitive Data with Private third parties should be evaluated

and approved by DHA_HISHD (

4.13.2. A Data Sharing Agreement must be produced, agreed and signed by all

parties prior to any health data containing Sensitive information being

accessed or shared with any organisation or body external to the Entity.

4.13.3. The Data Sharing Agreement must contain relevant clauses, as denoted


a. Notifying subject of care and obtain their consent prior to disclosing

identifiable health data to a third party.

b. Confidentiality and non-disclosure requirements.

c. A Non-Disclosure Agreement valid after end of the life of the data

sharing agreement.

d. Security requirements to process (i.e. at store, at transfer, at disposal

etc.) the HIA securely.

e. Providing health information timely when and as required.

f. Incident handling and reporting in case of HIA breach.

Health Information Assets Classification Policy Page 20 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

g. Retention requirements and secure information asset disposal.

h. Restriction clauses for no further subcontracting without permission of

the Entity.

i. Liabilities and indemnifications.

j. Clause for periodic audits to ensure compliance.

4.13.4. Sharing of Confidential/Sensitive data for Secondary use (e.g. Research,

Public Health, Quality Improvement, Safety Initiatives, Insurance, Payment,

and Marketing) must be as per UAE and Emirate of Dubai legislative and

regulatory requirements.

4.13.5. Access/sharing of Secret Health information with any governmental /

private Entities must be granted only on below conditions:

a. If required by law or regulation.

b. Pursuant to a lawfully issued order.

c. If necessary in the course of a legal proceeding.

4.14. Health Information Assets Physical Security and Access Control Requirements

4.14.1. The Entity must establish policies and procedures for information security,

access control of HIA and HIA handling, within the Entity.

4.14.2. Information should be made available for all authorised purposes and

protected from unauthorised access.

Health Information Assets Classification Policy Page 21 of 40 DHA/HRS/HISHD/HIACP/2021/01
‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.15. Health Information Assets Storage, Archival, Retention, and Reuse Requirements

4.15.1. All HIA must be stored/reused/archived in a secure manner as per their


4.15.2. All information servers must be located in a secure data centre within the


4.15.3. The Entity must ensure that health data is not transferred/stored out of

the country as per UAE laws and regulations.

4.15.4. If data has to be transferred/stored out of the country; then it should be as

per UAE ICT law exemptions and after getting approval from DHA_HISHD.

4.15.5. The information asset owner must ensure data is retained for the periods

set out by UAE ICT law and related DHA_HISHD policies and regulations.

4.15.6. The information asset owner must ensure that appropriate security controls

are considered while storing/reusing/archiving the HIA.

4.15.7. The UAE ICT Health Law requires that Health Data must be kept for a

minimum of 25 years from the date on which the last health procedure was

performed on the patient.

4.15.8. The Entity must:

a. Identify and enforce archival criteria (what and when to archive, how

long to archive) and methods (physical/electronic archiving).

Health Information Assets Classification Policy Page 22 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

b. Preserve data during archive.

c. Maintain adequate record on archival.

4.15.9. The Entity must ensure that appropriate backup are maintained securely while

storing/archiving the HIA.

4.15.10. Suggested HIA storage requirements are provided Below:

Health Information Assets Storage Requirements

Category Open Data /Public Confidential Sensitive Secret
Printed Material No special handling  Store in a secure area.
 Maintain a clear desk. Workforce members should “clear
their desks” at the end of each workday.
 Documentation must be labelled accordingly as
 Physical and environmental security measures (e.g.
backups, storing in a fireproof cabinets …etc.) must be
maintained to enable secure HIA processing, storage,
communication/sharing, hosting and disposal.
Electronic No special handling  Storage on Entity`s-approved devices is required.
Documents  Control access and print capability.
 Store on secure network drives only (not on hard drives or
 Documentation owned and/or created by Entity must be
labelled accordingly as Confidential/ Sensitive/ Secret.
Medical devices - Specific attention to access control, authentication,
and equipment authorization, handling procedures, risk log and disposal of
medical equipment and devices is required.
Electronic media No special handling  Storage on Entity`s-approved devices is required.
(memory sticks,  Control access and print capability.
hard drives, CDs)  Store on secure place.
Use Entity`s-approved encryption.
 Backup media must be physically secured.
 Backup media stored offsite must be encrypted.
 Backup media must be made unreadable before

Health Information Assets Classification Policy Page 23 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

Mobile Devices No special handling  Mobile devices must be configured to prevent
unauthorized use.
 All mobile devices must employ encryption.
 Connections between authorized mobile devices and EMRs
must be encrypted.
 Mobiles should be stored on secure place.
E-mail No special handling  Secret data must not be shared through email.
 for Sensitive data:
 Use of corporate email system is required.
 Limit the amount of personal health information being
sent to only what is necessary.
 Ensure that no personal health information is in the
subject line of the email.
 Personal health information should be sent as:
- A secure, locked (e.g. .pdf) attachment which requires a
password to open.
- As a link to the health information portal.
 Read/received/delivery receipts should be used where
 Add a disclaimer to your signature that indicates that the
email is confidential and intended only for the intended
recipient. It should also instruct anyone who receives the
email in error to delete or shred the misdirected mail and
notify the sender.
 Copies of the email and attachments should be
maintained in the client file. The date, time, addressee of
the email should be apparent.

Health Information Assets Classification Policy Page 24 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.16. Physical and Environmental Security

4.16.1. Physical environment and its security measures must be maintained to

enable secure HIA processing, storage, communication/sharing, hosting and


4.16.2. The Entity must consider various measures or controls that protect HIA

from loss of connectivity, ensure availability of information processing,

enable storage (backup and archival) equipment(s), protecting medical

equipment’s/devices from theft, fire, flood, intentional destruction,

unintentional damage, mechanical failure, power failure, etc.

4.16.3. Physical security measures should be adequate to deal with foreseeable

threats and should be tested periodically for their effectiveness.

4.16.4. The following aspects of physical and environmental security should be

considered by the Entity:

a. Physical protection of data centre and information processing


b. Physical entry control for secure areas.

c. Medical devices/equipment(s) protection.

d. Heating, ventilation, and air conditioning of critical areas and work places.

e. Supporting mechanical and electrical equipment.

Health Information Assets Classification Policy Page 25 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

f. Surveillance of critical areas and work places.

g. Security and protection of physical archives.

h. Fire and environmental protection.

i. Visitor management.

4.17. Health Information Assets Disposal Requirements

4.17.1. The retention demands of UAE federal, Emirate of Dubai, and DHA_HISHD

laws, regulations, and policies must be followed before physical or digital

data is disposed.

4.17.2. All HIA must be disposed-off in a secure manner as per their classification

at the end of their intended life cycle with proper authorization from the

HIA owner.

4.17.3. The Entity must ensure that appropriate security controls are considered

while disposing the HIA so that the information contained in it is


4.17.4. Formal procedures for the secure disposal of HIA should be established to

minimize the risk of confidential information leakage to unauthorized


4.17.5. The Entity must maintain appropriate log for all HIA Reused/Destructed.

4.17.6. All media for disposal should be treated as confidential.

Health Information Assets Classification Policy Page 26 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.17.7. The Entity should maintain records, on media disposal. The records should

be available for audit purposes for a period defined by the retention policy.

The records should have, but not be limited to, the following fields:

a. Information asset owner.

b. Type of HIA.

c. Classification.

d. Disposal type.

e. Reason for disposal.

f. Retention expiry date (if data).

g. Data removal confirmation and evidence.

h. Disposal authorized by.

4.17.8. Destruction of media by a third party should be supervised and the third

party should issue a certificate of destruction.

4.17.9. Suggested HIA disposal requirements are presented below:

Health Information Assets Classification Policy Page 27 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

Health Information Assets Reuse/Destruction Requirements

Category Open Data /Public Confidential Sensitive Secret
Printed Materials No special handling.  Must be discarded in appropriately identified document
Consider recycling. container for shredding or destruction (except if subject to
a legal hold).
Electronic media No special handling.  Media subject to a legal hold may not be reused. If other
(memory sticks, media are to be reused, all data must first be removed by
hard Information Services.
drives, CDs)  Disposal of electronic media should be in a secure manner.
 All discarded media must be destroyed following the
requirements of ISO 27001:2013 and Information Security
Regulation (ISR) standards from Dubai Smart Government.

4.18. All Health Entities must

4.18.1. Adopt well-crafted Information governance policies with the relevant

provision(s) of this policy and other related DHA_HISHD IG policies.

4.18.2. Maintain appropriate plans and procedures to ensure HIA within their

facilities are classified in line with the data classification categories specified

in this Policy.

4.18.3. Implement a classification scheme to indicate the need and priority for the

secure protection of HIA in order to ensure that:

a. The appropriate level of sensitivity of information is recognised.

b. The appropriate protective measures are taken while collecting, using,

handling, storing, transferring, archiving and disposing the HIA as per this


Health Information Assets Classification Policy Page 28 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

c. All Employees are aware of different HIA sensitivity levels and can apply

appropriate controls.

4.18.4. Ensure data designated as Confidential, Sensitive, and Secret is handled in

accordance with the relevant provision(s) of this policy.

4.18.5. Must set the appropriate HIA classification and access as well as retention

details, in accordance with relevant UAE laws, Emirate of Dubai Laws and

regulations, and DHA_HISHD data governance applicable policies.

4.18.6. Apply an appropriate degree of protection to all HIA that needs to be

collected, stored, processed, generated or shared to deliver services and

conduct Entity`s business.

4.18.7. Comply with all international, UAE federal, and Emirate of Dubai new and

existing related regulatory requirements governing E-Health, Telehealth,

Electronic Health Information Exchange (HIE), Data Protection, Data

Quality, Privacy, Transparency, Cybersecurity, and Information security.

4.18.8. Comply with all Articles detailed within UAE Federal Law No. (2) Of 2019

concerning the Use of the Information and Communication Technology in

the Area of Health (“ICT Health Law”) and its exemptions.

4.18.9. Comply with Resolution No. (2) Of 2017 Approving the Policies Document

on Classification, Dissemination, Exchange, and Protection of Data in the

Emirate of Dubai.

Health Information Assets Classification Policy Page 29 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.18.10. Comply with The Telecommunications and Digital Government Regulatory

Authority (TDRA) of the UAE rules and regulations.

4.18.11. Comply with Dubai Government Information Security Regulation (ISR) rules

and regulations.

4.18.12. Comply with UAE National Electronic Security Authority (NESA) rules and


4.18.13. Comply with requirements for Information Security Management System

(ISMS), ISO 27001.

4.18.14. Comply with Cabinet resolution No. (40) Of 2019 and Federal Decree-Law

No. (4) Of 2016, Concerning the Executive Regulation of on Medical

Liability and Addendum Regulations and Conditions for Providing

Telehealth Services.

4.18.15. Comply with UAE federal, and Emirate of Dubai Electronic Security

Authority standards and guidelines for cyber security.

4.18.16. Comply with all DHA IG policies (e.g. Nabidh policies and standards, Health

Data Protection & Confidentiality policy, Health Data Quality policy, and

Health Data Security Policy).

4.18.17. Comply with "Dubai Electronic Security Centre" requirements as applicable.

4.18.18. Comply with "Smart Dubai Government" regulations and requirements as


Health Information Assets Classification Policy Page 30 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.18.19. Comply with DHA-Dubai health insurance corporation requirements for e-

claims, reimbursement and documentations as applicable.

4.18.20. Ensure that assets received from or exchanged with Third Parties are

protected in accordance with relevant UAE legislative or regulatory

requirements, including this policy.

4.18.21. Maintain appropriate training and awareness strategies to support

compliance with this Policy.

4.18.22. Ensure the employee with access to HIA have the necessary trainings to

effectively perform their roles.

4.18.23. Have a process for periodically reviewing the competency of the staff and

other resources including third party vendors.

4.18.24. Review the training and awareness courses periodically to reflect current

health data governance regulatory, policy / procedure requirements.

4.19. Roles and Responsibilities

4.19.1. The Entity must establish and implement clear roles and responsibilities

regarding the attainment and safeguarding of HIA.

4.19.2. The Information Governance (IG) Manager (or the job title assigned with

responsibilities of managing IG) is responsible for enforcement and

endorsement of this policy.

Health Information Assets Classification Policy Page 31 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.19.3. The IG Office/Section (or the function assigned with IG responsibilities) is

responsible to support the relevant business Office/Section in

implementation of the defined controls and ensuring compliance with this


4.19.4. All HIA Users are responsible to read, understand, and adhere to this policy

in their day-to-day activities.

4.19.5. The IG Office/Section (or the function assigned with IG responsibilities) is

responsible to conduct awareness about the policy to Users.

4.19.6. Information asset owner (or job title assigned with responsibilities of

Entity’s higher management) is responsible for compliance to this policy

within the Entity.

4.19.7. Data Stewards (or job title assigned with responsibilities of Entity’s higher

management) must endorse this policy for its effective implementation.

4.19.8. All Employees, contractors, and users with access to the Entity's data

(electronic, paper and other records) are responsible to ensure the safety

and security of the data is protected; and must respect and abide by the

relevant obligations and protections, as per this policy.

4.19.9. All Employees who handle Confidential, Sensitive, or Secret data assets:

a. Must sign an Employee Confidentiality Agreement / Non-disclosure


Health Information Assets Classification Policy Page 32 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

b. Must understand the impact of these legal frameworks, and how it

relates to their role.

c. Should be supported by training as appropriate.

4.19.10. Table below presents brief of HIA responsibilities within the Entity:

Position Responsibility Example

Information Senior Level Management in the Entity with organizational and Chief Executive
asset owner policy responsibility for a broad segment of Entity data. Officer

Data - Official with direct operational responsibility for a broad Director of Entity
Stewards segment of Entity data. / Chief
- Responsible for assessing the impact Levels, specifying data Information
Classification guidelines, and assign a corresponding Data Governance
Classification to Data Types or Data Sets. Officer
- Ensuring the protection and establishing appropriate use of
the HIA.
- Develops general procedures and guidelines for the
management, security and access to data, as appropriate.
- Authorize access to data for which they are responsible and
use reasonable means to inform those receiving or accessing
the data of their obligations in so doing.
- Reviews, amends, and prepares proposed enhancements
to either the Data Classification Guide for review and
- Annually reviews the Data Classification Guide with
appropriate authoritative bodies.
Data - Ensure that systems handling Restricted / Internal data Various Information
Custodians provide security and privacy protections according to the Technology (IT) Staff:
Data Classification, the Data Steward’s policies, - Application/
obligations, and authorizations, and as may be identified in Database / System &
the Data Classification Guide. Server administrator
- Use reasonable means to inform those accessing data - Banner Specialists
sets in their control of their obligations in so doing. - Operations Staff
- Housing, keeping the data, and managing the resources, - Data Management

Health Information Assets Classification Policy Page 33 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

which enable its collection, management and controlled Specialists

- Has custodial responsibilities for managing the data for
the day-to-day, operational-level functions.
- Maintains the Data Classification Guide and the
framework defined by this policy.
Data User Any individual or unit in possession of Entity data. - Most Entity staffs as
Employees observe the constraints and directions of Data appropriate.
Stewards and Data Custodians and follow the Data - Contractors.
Classification Guide in their handling of confidential - Consultants.
information. - Suppliers/Vendors.
- Customers.
Certifying Official authorized to certify the appropriateness and Health Informatics &
Authority accuracy of Entity data and to release data for publication Smart Health
or other purpose that furthers the Entity’s mission. Department, HRS,

4.20. Implementation

4.20.1. Implementation of the HIA classification, handling, sharing, storage, and

disposal framework described above encompasses all forms of HIA

including electronic medical records (EMR), electronic platforms, as well as

non-electronic information, such as paper files, and hard-copy data.

4.21. Monitoring and Compliance

4.21.1. Entities are responsible for complying with this Policy.

4.21.2. The Entity should create a compliance monitoring plan which can be used

to continually assess the Entity`s overall compliance with this policy.

Health Information Assets Classification Policy Page 34 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

4.21.3. Key controls should be applied in accordance with the sensitivity of the

information. Controls must be physical, procedural and technical.

4.21.4. The IG Office/Section (or the function assigned with IG responsibilities)

must check the compliance of this policy on a periodic basis.

4.21.5. Any exceptions to this policy with valid business justification require

approval from DHA_HISHD as a certified authority as per ICT law.

4.21.6. Entities are expected to provide a Declaration of Maturity provided by a

competent third party regarding information classification and handling,

to be included in their Annual Report. This should be supported or

coordinated by the IG Manager (or job titles assigned with responsibilities

of managing Entity’s business divisions and sections).

4.21.7. If some of the IG technical roles are not available in the Entity, then it

should be outsourced to competent consultancy company.

4.21.8. If users are unsure or not clear of any point in this policy, they should

seek clarification or advice from DHA_HISHD (

4.22. Enforcement

4.22.1. Any compromise of HIA must be reported to the IG office/section of


4.22.2. Accidental or deliberate compromise of HIA by

employees/contractors/users must lead to disciplinary action and in

Health Information Assets Classification Policy Page 35 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

some cases must constitute a criminal offence.

4.22.3. An Employee found to have violated/breached this Policy must be subject

to Entity`s Human Resource disciplinary procedure in accordance with

relevant HR Law, the Code of Conduct for Employees, and any other

applicable UAE Laws in this regard. In certain circumstances termination

of employment or engagement, as applicable, and/or legal action must be


4.22.4. The Entity has the responsibility on failure of a supplier or contractor to

comply with this Policy. If any violations happened, the Entity must take

the necessary legal action. The DHA_HISHD must be informed instantly


4.22.5. Breaches of the HIA Classification Policies / related laws must be

reported immediately to DHA_HISHD ( through IG

office/section of the Entity.

Health Information Assets Classification Policy Page 36 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

5. References

5.1. Federal Law No. 2 of 2019, Concerning the Use of the Information and Communication

Technology in the Area of Health (“ICT Health Law”). Available on:


5.2. Federal Decree-Law No. 45 of 2021 regarding Personal Data Protection. Available on:


5.3. Resolution No. (2) Of 2017 Approving the Policies Document on Classification,

Dissemination, Exchange, and Protection of Data in the Emirate of Dubai. Available on:



5.4. Law No. (26) Of 2015 Regulating Data Dissemination and Exchange in the Emirate of

Dubai. Available on:



5.5. Cabinet Decision No. (32) of year 2020 on the Implementing Regulation of UAE Federal

Law No. 2/2019 on the Use of Information and Communication Technology in Health

Fields. Available on:

Health Information Assets Classification Policy Page 37 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector


5.6. The Telecommunications and Digital Government Regulatory Authority (TDRA) of the

United Arab Emirates (UAE). Available on:


5.7. Federal Law No. (5) Of year 2012 on Combatting Cybercrimes and its amendment by

Federal Law No. 12 of 2016. Available at:

5.8. Cabinet Resolution No. (24) Of Year 2020 On the Dissemination and Exchange of Health

Information Related to Communicable Diseases and Epidemics and Misinformation

Related to Human Health. Available at:


5.9. Federal Decree Law No. (4) Of Year 2016 on Medical Liability. Available at:


5.10. Executive Council Resolution No. (32) Of year 2012 on regulating the practice of health

professions in the Emirate of Dubai. Available at:

5.11. Law No. (13) Of 2021 establishing the Dubai Academic Health Corporation, and Law No.

(14) Of 2021 amending some clauses of Law No. (6) Of 2018 pertaining to the Dubai

Health Information Assets Classification Policy Page 38 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector

Health Authority (DHA). Available on :


5.12. Dubai Health Authority (2016). DHA Health Strategy 2016-2021 - Towards a Healthier

and Happier Community. Available on :

5.13. Dubai Health Authority Nabidh policies and standards. Available on:

5.14. Dubai Health Authority Policy for Use of Artificial Intelligence in the Healthcare in the

Emirate of Dubai. Available on:



5.15. Dubai Health Authority Policy for Policy for Healthcare Data Quality in the Emirate of

Dubai. Available on:


5.16. Dubai Health Authority Code of Ethics and Professional Conduct (2014). Available on:


5.17. Dubai Government Information Security Regulation (ISR). Available on:

5.18. UAE National Electronic Security Authority (NESA). Available on:

Health Information Assets Classification Policy Page 39 of 40 DHA/HRS/HISHD/HIACP/2021/01

‫قطاع التنظيـم الصحـي‬
Health Regulation Sector


5.19. Requirements for an Information Security Management System (ISMS), ISO 270001.

Available on:

5.20. The General Data Protection Regulation (GDPR) (from Must 2018). Available on:

5.21. A pilot comparison of medical records sensitivity perspectives of patients with behavioral

health conditions and healthcare providers. Hiral Soni, Julia Ivanova, Adela Grando, Anita

Murcko, Darwyn Chern, Christy Dye, Mary Jo Whitfield. Health Informatics J. Apr-Jun

2021; 27(2): 14604582211009925. Available on :

5.22. Health Insurance Portability and Accountability Act (HIPAA). Available on:


Health Information Assets Classification Policy Page 40 of 40 DHA/HRS/HISHD/HIACP/2021/01

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy