NABIDH Policies 101: Demystifying the Consent and Access Control Policy

Introduction

In an increasingly digitized healthcare landscape, the protection of personal health information (PHI) and the assurance of patient consent are of paramount importance. NABIDH, the Dubai Health Authority’s (DHA) health information exchange platform, recognizes the significance of these concerns and has implemented a comprehensive policy to safeguard patient privacy and ensure responsible data sharing. This article delves into the policy’s key provisions, outlining how NABIDH fosters compliance with UAE laws and DHA regulations while promoting secure and transparent access control.

Understanding the Purpose of NABIDH’s Policy

NABIDH’s policy on consent and access control is designed to facilitate the access and sharing of PHI in accordance with applicable UAE laws and DHA regulations. The policy emphasizes the importance of informed consent, ensuring that individuals, known as Subjects of Care, or their authorized agents fully understand and agree to the sharing of their PHI. It also outlines the risks, benefits, and alternatives associated with data sharing.

Scope and Applicability

This policy applies to various stakeholders involved in protecting PHI, including the DHA, its business associates, subcontractors, healthcare facilities, and their respective business associates or subcontractors. Each party plays a crucial role in upholding the integrity of the NABIDH platform and ensuring compliance with the policy’s provisions.

The Role of NABIDH and Healthcare Facilities

NABIDH, as the central entity responsible for the health information exchange, commits to complying with DHA’s mandate to share both legacy and new PHI with healthcare facilities. To prevent PHI belonging to Very Important Person (VIP) Subjects of Care from being exchanged or stored without appropriate authorization, NABIDH imposes specific measures and defines the PHI that will be made available by each healthcare facility.

Healthcare facilities, on the other hand, are entrusted with the task of obtaining consent from Subjects of Care for the sharing of their PHI through NABIDH. They must inform individuals that sharing relevant PHI with NABIDH is part of their treatment process. Healthcare facilities are also responsible for recording consent, capturing mandatory demographic information, and implementing internal policies and procedures to ensure compliance with NABIDH’s guidelines.

Access Control and Consent Management

NABIDH takes significant steps to enforce access control measures and protect sensitive health information. The platform restricts care providers’ access based on their roles and uses special icons or distinct visual indicators to flag sensitive health information. Additionally, a “break glass” option is available for defined roles of health professionals, allowing emergency access to sensitive information while triggering notifications to both the Subject of Care and the Data Security and Privacy Officer. Such access is subject to after-the-fact review according to NABIDH’s Audit Policy.

Individual users associated with NABIDH must be linked to at least one standard healthcare role, ensuring appropriate access to information. Administrative personnel are restricted to administrative data, while clinical information is reserved for healthcare professionals based on their roles defined by NABIDH or the DHA. The policy accounts for regulated and non-regulated health professionals, tailoring access privileges to their specific roles and responsibilities.

Consent and Opt-Out Mechanisms

The policy emphasizes the importance of informed consent and gives Subjects of Care the right to opt out of the NABIDH platform. If a Subject of Care chooses to opt out, personal health information continues to flow into NABIDH but is anonymized to protect their privacy. Clinical data, however, is stored without anonymization. In the event of an opt-out, NABIDH ensures that personal health information cannot be retrieved using the “break glass” option.

Managing Consent Requests

NABIDH acts as the central recipient for consent-related requests from healthcare facilities and manages them appropriately. This ensures a streamlined process and accountability in handling consent-related matters.

Conclusion

NABIDH’s policy on consent and access control exemplifies its commitment to privacy, data security, and responsible data sharing in the healthcare ecosystem. By emphasizing informed consent, enforcing access control measures, and providing clear guidelines for all stakeholders, NABIDH sets a precedent for other health information exchange platforms to prioritize patient privacy and data protection. Through these efforts, NABIDH continues to play a vital role in transforming healthcare delivery and fostering trust between patients and healthcare providers in the United Arab Emirates.