This article is the second of two articles to explore the topic of eHealth - and in particular telemedicine services - in the Gulf countries. In this final instalment, Andrea and Christina consider some of the legal issues, beyond licensing, relating to telemedicine services.

Liability for out-of-jurisdiction  healthcare advice 

An important issue that all parties to a telemedicine arrangement need to understand is how medical liability is determined, both between providers within the region, and between providers where one is local and the other is from outside of the region. There is inevitably some uncertainty over which party will be left holding the proverbial 'baby.' In the UAE the position is governed by a suite of Federal and local Emirate laws. Federal Law No. (10) 2008 concerning Medical Liability and the Cabinet Decision No. (33) of 2009 are the governing medical liability laws in the UAE (together, 'Liability Law'). The Liability Law pertains to practitioners within the UAE. This law does not address liability as it relates to foreign practitioners engaged in activities with local facilities. In general, UAE laws would not have jurisdiction over foreign providers except insofar as they are parties to a contract governed by UAE law. 

In terms of individual healthcare practitioner liability, all healthcare providers in the UAE are subject to the Liability Law. Failing to observe the law or committing a medical error would expose the practitioner to the risk of a civil claim for damages. A medical error under the Liability Law, Article 14, is an 'error which is due to ignorance of technical matters which every practitioner of the
[p]rofession is supposed to be familiar with, or to negligence or lack of due care.' 

Regulations such as the Dubai Health Authority's ('DHA') Hospital Regulation and Day Surgical Center Regulation indicate that while clinical services provided by an external contractor are permitted (such as radiology, laboratory, pathology and allied health) the contracting DHA licensed healthcare facility retains the fundamental responsibility for quality. Given that the DHA places this burden on the contracting facility, even when out-of-jurisdiction contracts are not specifically contemplated, in circumstances where healthcare services are performed by out-of-jurisdiction providers, such as in tele-radiology services using foreign providers, we expect that the facility or a named practitioner at that facility could be named as a party to civil (i.e. tortuous) proceedings brought before the UAE courts in the event of a malpractice case resulting from the errors of a foreign provider. We expect that such a case would centre around (i) evidence of negligence with regard to the services provided, and (ii) the potential failure of the local facility to perform proper due diligence in contracting with the third party or (iii) proper quality regulation and oversight of the third party. 

The question of whether the out-of- jurisdiction provider can be drawn-in to the proceedings will depend on the facts. Then, if a local provider is found to be liable, the commercial contract with the out-of-jurisdiction provider may then govern whether any indemnity or claw-back provision applies. 

The Health Authority - Abu Dhabi ('HAAD') has implemented similar standards governing how liability is managed in a telemedicine arrangement. HAAD regulations place liability on the originating HAAD-licensed healthcare facility for the clinical and medical services provided through telemedicine. Medical and legal risk exposure can be reduced by implementing facility telemedicine policies and guidelines, including continual training and licensing requirements, and proactive monitoring of staff performance.

Data protection issues

In the event of a data breach, the key issues are (i) what are the legally required mechanisms for reporting and rectifying the breach and (ii) to what extent does the provider have liability for the release of confidential information. 

The use of telemedicine services, especially those which require personal health information to be transmitted electronically out-of-jurisdiction, increase the risk of a security breach and loss of confidential patient data. Digital health records can be valuable to criminals. Medical identity theft, the fraudulent use of someone's personal identity to obtain medical services, prescription drugs or devices, are a few examples of the potential damage. 

In Abu Dhabi, the management of data is governed by a very chunky Data Standard. Accordingly, compliance with these requirements require both the local licensed healthcare provider and the foreign service provider to implement IT systems to meet this standard as a minimum. This ensures a robust regulatory environment along with basic data protection and confidentiality standards, together with a process for reporting and remedying breaches, as well as provider liability to patients in the event of a breach. 

Securing the data network, from both outsider threats and from a business continuity perspective, is of paramount importance. Advances in telemedicine and eHealth across the region will be determined by regulators developing efficient policies, developing appropriate data protection laws, and ensuring that legal and regulatory constraints do not impede innovation. 

The advertising of services from out-of-jurisdiction 

Health service advertising is regulated in two main ways, primarily under the aegis of the Ministry of Health of each Gulf country, which typically have oversight powers over all health-related matters in their jurisdiction, and secondarily by other regulators, such as the Ministry of Information in the Kingdom of Saudi Arabia ('KSA'), which regulates all publications in KSA with specific oversight and licensing powers as regards to publicity, advertising and public relations. 

A healthcare provider wishing to target patients within a Gulf country from outside the jurisdiction in order to advertise their services and attract patients to travel outside the jurisdiction for treatment, or for telemedicine consultations, needs to be aware of the restrictions in the countries in which advertisements are likely to be viewed. The question of whether a provider would be deemed to be caught by the laws of a particular country will depend on many factors, such as the classification of advertising, social media, print media, magazines and commercials, coupled with the extent to which it is targeted at a certain country or region.  

Whilst a high-profile advertising campaign may extend the potential pool of patients, thought should be given as to how to ensure payment for services delivered. Some providers are using such advertising to target only high net-worth individuals and insured patients who will pay themselves then seek reimbursement from their insurer. Thought should be given to addressing advertising, licensing, permit, and regulatory issues, as applicable. 

Insurance reimbursement  

The opportunity to grow telemedicine services as a tangible alternative to traditional face-to-face consultations relies heavily upon there being a reliable route to obtaining reimbursement. Typically, healthcare providers in the region have arrangements in place with governments or insurers for reimbursement of services. The various payment codes set up for this must include payment for telemedicine in all of its various formats. Progress on this has been made in the UAE with many insurers now recognising the benefits of telemedicine as a preventative medicine tool. However, as the overall cost of healthcare provision escalates, insurers are looking for opportunities to cut costs and are pruning certain benefits out of the reimbursement scheme. Such cut backs are currently on the radar of the government of Abu Dhabi for certain telemedicine services, which are at risk of being withdrawn. The reasons for this are currently unclear but must be viewed as a set-back that we hope will not contaminate other Emirates of the UAE or regional thinking for these benefits. 

The urgent need for clarity and consistency 

There remains a significant gap between the traditional laws that govern the establishment and 'setup' of a healthcare business, on the one hand, and the telemedicine laws on the other. For example, a local healthcare provider must demonstrate that it has the requisite number of employed radiologists and radiographers etc. at its facility, but if it later adopts telemedicine services and outsources radiology services via a telemedicine provider, there is no relaxation of the rules with regard to the number of on-site employed personnel. This situation clearly impacts upon the question of whether the outsourcing of those services is a cost-effective option. As this issue is becoming increasing more common and as outsourcing via telemedicine services grows in popularity, local health authorities should be consulted about outsourcing plans and their approval sought to enable a downscaling of requirement for on-site support. 

Conclusion 

What is urgently needed is a consistent regional approach to regulation governing the use of telemedicine services based upon internationally recognised standards. For the Gulf countries, this means a whole-scale re-think of how telemedicine will impact upon the existing set-up of healthcare facilities to enable a smooth transition over to telemedicine outsourcing on a larger scale. As things currently stand, the fact that the region lacks leadership on this point should not be seen as a barrier to entry. The Gulf countries are keen to embrace telemedicine as the weapon of choice that will meet the future needs of the region.

This article was originally published in eHealth Law & Policy - November 2015.  www.e-comlaw.com/ehealth-law-and-policy/

© Al Tamimi & Company 2016