Licensing and data rules for telehealth providers in the UAE

Telehealth licensing in the UAE sits with the health facility. A practitioner's professional licence already covers remote care. The facility it operates through must hold telehealth authorisation from the emirate's regulator for the service to be lawful. The data rule comes from Federal Law No. 2 of 2019, which keeps health information tied to UAE services on servers inside the country.

These two controls usually sit with different teams, and the gap between them is where providers get caught. A platform can hold its facility approval and still breach the health data law by hosting patient records offshore. For corporate and commercial lawyers in Dubai, the work is aligning both before the first consultation, not after a regulator asks.

Which authority licenses a telehealth provider in the UAE

Three regulators divide the country. The Dubai Health Authority (DHA) governs Dubai, including its mainland and most free zones. The Department of Health Abu Dhabi (DOH) governs Abu Dhabi. The Ministry of Health and Prevention (MOHAP) sets the federal baseline and directly regulates the Northern Emirates of Sharjah, Ajman, Ras Al Khaimah, Umm Al Quwain, and Fujairah. Where federal and emirate rules conflict, the federal rule prevails.

There is no separate telemedicine licence to apply for. A practitioner's existing professional licence already covers remote consultations, on one condition. The health facility through which they practise must hold telehealth authorisation from its regulator. The exposure therefore sits with the facility, not only the doctor. A clinic that lets its physicians consult by video without that authorisation is providing an unlicensed service, even though every individual on the platform is licensed. The facility licence is the gate, and our guide to healthcare facility licensing in the UAE covers how that base licence is obtained.

What telehealth authorisation requires

The DHA sets out its requirements in the Telehealth Standard (reference ST-14), updated to version 4 with effect from 26 November 2025. The standard treats virtual care as a defined service with its own registration, care pathways, and documentation requirements. A DHA-licensed facility must register its telehealth service, run approved care pathways, document each encounter in writing, and capture patient consent through secure electronic means before the consultation.

The technical bar is specific. Platforms must encrypt data in transit and at rest, use multi-factor authentication, hold recognised security certification such as ISO 27001, and run on servers located inside the UAE. Interfaces must work in Arabic and English. The service has to integrate with the emirate's health information exchange, which is NABIDH in Dubai, Malaffi in Abu Dhabi, and Riyati for MOHAP facilities. Some activities fall outside what telehealth may cover at all. The DHA standard excludes emergency cases that need immediate intervention, and the prescribing of narcotic, controlled, and semi-controlled medication by remote consultation.

Cross-emirate practice adds a layer. The working principle in 2026 is that the patient's physical location decides which authority's rules govern a consultation. A DHA-licensed doctor consulting a patient sitting in Abu Dhabi should meet DOH requirements for that encounter. The policy is still settling, so a provider operating across emirate lines should obtain written guidance from each regulator rather than assume one approval travels.

Where patient data must live under the ICT Health Law

Federal Law No. 2 of 2019 on the use of ICT in health fields is the primary health data law, and it applies across the whole country including the free zones. Article 13 sets the rule that shapes every telehealth data design. Health information connected to services provided in the UAE may not be stored, processed, generated, or transferred outside the country, unless a health authority approves the activity in coordination with MOHAP. Cabinet Resolution No. 32 of 2020 issued the executive regulation that fills in how the rule operates.

The definition of health data is wide. It reaches patient names, the data gathered during a consultation, diagnosis and treatment records, alpha-numeric patient identifiers, medical images, and lab results. For a telehealth platform, almost everything it touches is health data. The law also requires that data be kept for at least 25 years from the patient's last procedure, which sets a long retention obligation the platform's storage has to support. A cloud setup hosted abroad, an overseas IT support desk, or a wearable that streams patient readings to servers outside the UAE each raises a localisation problem.

When health data may leave the UAE

MOHAP Resolution No. 51 of 2021 set out the cases where health data may move outside the UAE. The exemptions cover patients being treated abroad, samples sent to overseas laboratories, and scientific research under UAE controls. They also reach data that UAE insurers need to process a claim with the patient's consent, requests from cooperating authorities, simple personal wearables and devices, drug safety information, transfers a health entity agrees to, and formal requests from the patient. For several of these, the provider must obtain the patient's written consent, restrict access to authorised recipients, and share only the data the purpose needs.

The health data law does not sit alone. The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies to personal data generally, and health data is sensitive data under it, so a telehealth provider carries duties under both. Providers inside Dubai Healthcare City, the DIFC, or the ADGM also answer to those zones' own data regimes. The practical result is that a platform often has to satisfy the ICT Health Law, the PDPL, and a free zone framework at the same time.

What happens if a provider gets the rules wrong

The data localisation breach carries its own penalty. Storing or transferring health data outside the UAE without approval draws a fine between AED 500,000 and AED 700,000. The law adds further sanctions tied to the central health data system, from written warning to suspension or cancellation of the entity's access. These run alongside the licensing risk. A facility found to be running telehealth without authorisation, or outside its approved scope, faces action against its health facility licence, which can stop the service entirely.

The cross-emirate point recurs here. A provider that treats one emirate's approval as cover for activity in another can find the consultation was unlicensed where the patient sat. The cost is not only a fine. A public finding against a digital health business damages the trust the model depends on, and it can unsettle investors mid-raise.

What telehealth providers should do before launch

The compliance work has to happen before the platform goes live. Confirm that the operating facility holds telehealth authorisation from the right regulator for each emirate it serves, and that the clinical scope matches what the service delivers. Host all patient data on servers inside the UAE, and map any planned transfer abroad against the Resolution 51 exemptions, securing health authority approval where the exemption requires it. Where transfers are unavoidable, our guide to cross-border data transfers under UAE law sets out the approval routes.

Build consent, retention, and access controls into the platform from the start. Telehealth consent has to be captured electronically and securely, records have to survive the 25-year retention period, and access has to stay limited to authorised staff. Vendor and cloud contracts deserve the same attention, since a hosting arrangement that places data abroad turns a compliant clinical model into a regulatory breach. Where the service bills insurers, the data-sharing route for claims carries its own consent condition, covered in our note on UAE health insurance obligations.

How should UAE telehealth providers approach licensing and data compliance in 2026?

Licensing and data compliance for telehealth providers in the UAE are two halves of one question, and a virtual care service is lawful only when both are answered. The facility needs telehealth authorisation from its emirate's regulator, and the patient data has to stay inside the UAE unless a recognised exemption and the necessary approval allow it to leave.

The most time-sensitive gap is usually data residency. A platform built on offshore cloud infrastructure breaches Article 13 from its first consultation, and the fine reaches AED 700,000 before any licensing question is raised. DHA-regulated providers also have to meet the updated Telehealth Standard that took effect in November 2025. A service already operating without confirmed authorisation or UAE-based hosting is carrying exposure on both fronts.

For telehealth platforms, clinic groups, and digital health investors entering the UAE, our corporate and commercial lawyers in Dubai advise on facility authorisation, the ICT Health Law, and the health authority approvals a launch requires. Legal advice may be needed to confirm which regulator and which data rules apply to a specific model.