Abu Dhabi’s Health Information Exchange Looks at Privacy from a Global Perspective
Recently, I was asked to put together a privacy and security training program for the Malaffi health information exchange (HIE) in Abu Dhabi, the capital city of the United Arab Emirates (UAE).
When I landed, I took a taxi from Dubai to Abu Dhabi. The door-to-door taxi ride was about 70 miles, but my figurative journey began at the AHIMA World Congress, which was hosted in the capital city in October 2019, and is a must-attend event for international healthcare professionals.
During the conference, AHIMA met with members of the Abu Dhabi Department of Health and the Malaffi HIE, who saw it as their mission to draw on the advice from privacy experts around the world and implement as many best practices as possible.
An International Hub of Healthcare Innovation
With more than 150 ultra-modern skyscrapers, including the world’s tallest—the 2,717-foot Burj Khalifa—Dubai’s skyline is unmatched. Set against the backdrop of an Arabian Sea dotted with spectacular man-made islands, Dubai is a major financial, commercial, and real estate hub, as well as a world-renowned tourist destination.
For players in the healthcare industry, this region is known for its investment in cutting-edge technology and innovation. The Cleveland Clinic, for example, is partnering with a large hospital in Abu Dhabi. Other American healthcare providers are also looking at the markets in Dubai and the UAE.
The UAE is a hybrid of insurance-based payers and government healthcare. The region is financially and politically stable with a relatively small population, so healthcare providers can focus on innovation. Most of the region’s health systems have adopted well-known American electronic health record (EHR) systems and have been profoundly influenced by US and international HIE models.
The audience for my training program was equally imbued with an international flavor. My class included five Americans, one Canadian, a New Zealander, and others from various countries in the region, including the Emirates.
More than 80 percent of Abu Dhabi’s healthcare workforce are expatriates who were recruited for their abilities, creating a diverse multinational team of experts and operations staff. English is the primary language spoken, so the country can easily attract talent and products from around the world.
Most of the training program’s attendees were healthcare specialists who worked in technical security, HIEs, and government. None were directly involved with HIM, but insurance billing, coding, clinical documentation integrity, and privacy and security compliance are all topics that healthcare professionals need to be on top of in that region.
They were completely engaged and asked many questions, which allowed me to think and understand how they view the problems they are faced with solving and the copious regulations they must follow. Due to cybersecurity concerns, which are a global issue, the country is further down the road in implementing cybersecurity safeguards. Privacy is still top of mind.
The Global Challenge of Privacy
My training program was designed to be HIPAA-focused, but it needed to be tied to international laws and regional security standards and policies. The UAE is actively creating its own laws, standards, and policies in relation to privacy, so the country’s healthcare professionals are keen to understand how the rest of the world does it.
Healthcare providers based outside of the United States aren’t considered covered entities but can voluntarily choose to comply with HIPAA regulations. For example, the UAE has a comprehensive set of Abu Dhabi Healthcare Information and Security Standards (ADHICS) that includes some HIPAA language and therefore has commonality with US laws.
This document is a robust security standard that draws from international standards and best practices, but it does not have a great deal of privacy language. They also have the Abu Dhabi Department of HIE policy that likewise has some privacy regulations, but they believe more is needed. These documents are written in English only and are very well formatted and consistent with security practices and controls adopted globally, including the US with NIST standards upon which HIPAA is based.
The UAE is moving towards global health information exchange, so they are constructing their standards, policies, procedures, forms, and automation to line up with emerging national/global standards, such as HIPAA and the European Union’s General Data Protection Rule (GDPR) along with guidance such as International Standards Organization (ISO) Security and NIST Cybersecurity. I included California Consumer Privacy Act (CCPA) concepts in my training because they are evolving into models for international privacy.
Healthcare professionals in Abu Dhabi and the United States are confronting very similar privacy and security challenges, including the need to add privacy rules and procedures. However, while the UAE’s security rules are well developed, privacy is new to them. There is no concept of Treatment, Payment, and Operations, for example, so disclosures and consents are different from those in the United States.
They have the concept of sensitive information, which can be applied to certain data (which HIPAA does not apply as broadly)—a useful concept for segmentation of data within the HIE and any applications with personal health information. They heavily support interoperability and are successfully working on implementation of their HIE.
Lessons Learned
It is important for AHIMA to be teaching best practices in other countries, not only from an ethical perspective to assist in global health improvement, but also from practical considerations. For example, if citizens of Abu Dhabi come to the United States for healthcare, we would want to receive clinical information that has integrity and that we can rely on.
I learned so much from my conversations with the students and others I met. After the training program concluded I was invited to a meeting with the Malaffi compliance management team and another with the Abu Dhabi Department of Health, which promulgates many of the regulations the HIE follows.
I am thankful for the opportunity to get to know how a major area in the international marketplace is dealing with the same health information problems that we do in the United States, but with some different perspectives that we can learn from.
The most striking aspect of the whole trip was how nice, professional, and interesting all of the people were that I encountered, both officially and unofficially. I came back with some new ideas to consider and a set of new business associates and friends. Everyone wins and I certainly hope to go back as soon as possible.
Kelly McLendon (kmclendon@complianceprosolutions.com) has been a HIM practitioner for over 40 years with a specialization in electronic medical records, privacy and security for as long as they have existed. He is a founder of CompliancePro Solutions.