NABIDH Policies 101: Demystifying the Data Management Policy

Dubai Health Authority’s NABIDH policies establish a comprehensive framework for healthcare entities in Dubai to manage and use health data effectively for enhanced patient care. NABIDH integration can bring about significant benefits for healthcare providers and patients alike. While the NABIDH policies define the rules, guidelines and procedures for health data exchange and use over the NABIDH network, the Data Management policy under NABIDH more specifically explains how healthcare data should be collected and stored within your healthcare facility, and how it should be managed and accessed. It also defines how and for what purposes the NABIDH health data can be used. The Data Management Policy aims to ensure that patient health information is handled in a responsible, and ethical manner. Thoroughly understanding this policy is therefore necessary to reap its benefits to the fullest extent. To enable this, let’s break down and simplify the various aspects of this policy:

 

Scope & Purpose

The idea behind the Data Management policy is to specify the permissible uses of different forms of healthcare data within the NABIDH network. It defines the regulations surrounding primary and secondary uses of data, where primary use refers to the use of patients’ health information for purposes of better diagnosis and treatment, and secondary use refers to the use of health data for purposes such as research, public health, safety initiatives, and quality improvement.

This policy ensures that data from NABIDH is accessed and used strictly in accordance with the relevant laws and regulations of the DHA to maintain privacy, security, and legal compliance.

 

What exactly does the NABIDH Data Management Policy state?

This policy defines regulations surrounding primary and secondary use of data that includes acquiring, validating, storing, protecting, and processing data to ensure accessibility, reliability, and timeliness for its users. It requires that personal health information be made available in NABIDH for the following uses:

 

Primary Use

  • Healthcare providers can collect and use information to provide medical treatment and care to individuals (subjects of care).
  • In emergency situations, healthcare providers can access data to provide urgent care, even if it requires overriding consent policies.
  • Authorized individuals and processes can access data to ensure proper healthcare provision.

 

Subject of Care Uses:

  • Health information can be used to inform subjects of care to support their own interests and upon presentation for medical treatment.
  • Data related to diagnosis, treatment, and healthcare operations can be accessed.
  • Health information received from within or outside the UAE can be accessed via the NABIDH Platform.
  • Patients can share their health data with healthcare facilities outside the UAE for treatment abroad, in accordance with relevant laws.

Secondary Use

  • Health information can be used for health service management, quality assurance, and risk/error management.
  • Health data can be utilized to assess healthcare service availability, quality, safety, equity, and cost-effectiveness.
  • Health insurance companies and providers can access data for auditing, approval, and verification of financial benefits related to services.
  • Aggregate health information can be used for public health reporting and surveillance.

 Public Health & Safety:

  • Data can be used for public health surveillance, disease control, and maintaining the health and safety of individuals.
  • Health information may be used to formulate strategies, policies, and measures for population health management.

 

Organ Transplant:

UAE Organ Procurement Organization can access NABIDH data to facilitate organ, eye, or tissue donation and transplantation.

 

Research:

  • Health information can be used for scientific and clinical research while ensuring subject identity is well protected.
  • Research proposals need approval from the Dubai Scientific Research Ethics Committee (DSREC).
  • Data use agreements need to be established between research entities and NABIDH.
  • De-identified data may be released for research purposes based on DSREC assessment.

 

Who is this policy applicable to?

The Data Management Policy under NABIDH is applicable to everyone in your healthcare facility, including the management and administrative teams, healthcare practitioners both registered and non-registered, staff members, your business associates, subcontractors, consultants, as well as temporary workers. The policy also applies to all EMR users, patients, and their agents/representatives.

 

Procedures to be Adopted

The NABIDH Data Management Policy outlines specific procedures that have to be adopted by your healthcare facility for implementing and enforcing the rules and regulations governing the primary and secondary use of health data. This includes documenting and imposing:

  • Protocols for emergency care procedures, patient access to health information
  • Steps to be taken by your facility to make sure health data is being handled in a secure manner
  • Measures to be taken to mitigate threats and breaches
  • Protocols and procedures for reporting security events or breaches.

The policy also gives specific recommendations and guidelines to different teams within your facility to make sure health data is handled properly, protected well, and security threats/events are reported promptly. These recommendations and guidelines require you to:

  • Implement protocols for primary use of data so that it can support direct care to patients
  • Establish emergency care procedures, such as the possibility to override the Consent Policy if the data has to be accessed during urgent/emergency situations
  • Enable patients to access their own health information and facilitate safe data sharing with other healthcare facilities within or outside of the UAE (as per Article 13 of ICT Law 2019) when required.
  • Implement secondary use procedures, including risk management, quality assurance, public health reporting, and research.
  • Obtain approval from DSREC for research purposes and follow data use agreements and de-identification methods.
  • Prohibit non-permitted uses of NABIDH health data.

 

What are the non-permitted/prohibited uses of NABIDH health data?

The policy clearly lists out the uses of data that are not permitted, and prohibits actions that could compromise patient privacy and data security. According to the policy, health information collected over the NABIDH network should not be used for:

  • Unlawful gains, whether personal or otherwise
  • Disclosure of PHI that became known to the healthcare professional in the course of his or her profession
  • Access or use of PHI by healthcare professionals who are not associated with the treatment of that specific patient or cohort of patients
  • Distribution of PHI to third parties
  • Granting PHI access to third parties
  • Use of PHI for commercial gain or marketing purposes
  • Sub-licensing of PHI
  • Cloud storage of PHI
  • Ingesting, storing, or recording of PHI in a manner that could be used to identify a patient.

 

What should your healthcare facility do to comply with NABIDH’s Data Management Policy?

Assign specific responsibilities to the different teams in your facility.

The management team should be in charge of:

  • Establishing the necessary protocols for proper data use, disclosure, and storage, as required by the policy
  • Adopting measures to prevent unauthorized use of PHI
  • Providing the necessary support for policy implementation
  • Collaborating with DSREC and other regulatory bodies for ethical approval of research involving NABIDH data.

The administrative team should be responsible for:

  • Maintaining PHI securely in your facility’s systems
  • Storing PHI in secure locations with restricted access
  • Protecting PHI from unauthorized access, use, disclosure, or destruction
  • Implementing security measures such as firewalls, access controls, and encryption
  • Reporting data breaches or security events to NABIDH and patients within 72 hours
  • Reporting breaches and security events with details, impact, and mitigative steps

The EMR users in your healthcare facility should ensure they are:

  • Using EMR responsibly by adhering to policy guidelines
  • Safeguarding PHI from unauthorized access
  • Not sharing PHI with unauthorized individuals
  • Avoiding prohibited use of PHI
  • Reporting suspected data breaches to the administrative team

The NABIDH Data Management Policy attempts to strike a balance between providing quality care to patients, while also protecting their privacy. It provides the framework for your facility to contribute towards better care and advancing medical research while complying with ethical standards and legal requirements.