Healthcare Fields

Is the use of telehealth permitted?

Yes, telehealth is permitted and is currently being practiced in the public and private healthcare sectors in Qatar.

How is telehealth regulated?

There are currently no specific laws that regulate telehealth in Qatar. Telehealth has been introduced to patients by the Qatar Ministry of Public Health ("MoPH") in collaboration with key stakeholders and as part of Qatar’s E-Health and Data Management Strategy. The MoPH has activated channels to healthcare services at Qatar’s Primary Healthcare Corporation ("PHCC"), Qatar’s State healthcare provider Hamad Medical Corporation ("HMC"), and TASMU Smart Qatar, Ministry of Communications and Information Technology (previously, Ministry of Transport and Communication) (“MoCIT”)(an initiative aligned to the MOCIT that aims to transform Qatar into a world class smart city that has the latest digital solutions to increase the standard of living and increase Qatar’s competitiveness internationally).

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

The public healthcare system includes telehealth services (see Fields of healthcare).

Telehealth services on offer are available for all patients free of charge provided the patients are registered with PHCC and HMC and hold health cards.

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection ("Data Protection Law"). The Data Protection La is supplemented with a set of regulatory guidelines (“Guidelines”) issued by the Compliance and Data Protection Department (now referred to as the National Data Privacy Office). The guidelines incorporate concepts from EU privacy regulatory frameworks and seek to clarify obligations under, and address matters that are not dealt with in, the Data Protection Law.

 The Data Protection Law applies to personal data when this data is any of the following:

• Processed electronically;
• Obtained, collected or extracted in any other way in preparation for electronic processing; and
• Processed by combining electronic and traditional processing.

The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the Data Protection Law.

Personal data is defined under the Data Protection Law as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details.

Sensitive personal data means personal data consisting of information as to a natural person’s:

• ethnic origin;
• health;
• physical or mental health or condition;
• religious beliefs;
• relationships; and
• criminal records.

Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed necessary for a “lawful purpose” of the controller, or the third party to whom the personal data is sent. There are limited exceptions to this rule.

“Lawful purpose” is broadly defined to mean the purpose for which the personal data of the data subject is being processed in a legally compliant manner. The guidelines have clarified that “lawful purpose” includes cases where a data controller is processing personal data for its own legitimate interests or to comply with legal or contractual obligations.

Sensitive personal data may only be processed if the National Data Privacy Office consent to the processing of such data.

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Data controllers may collect, process and transfer personal data when the data subject consents, unless deemed necessary for realising a lawful purpose for the controller or for the third party to whom the personal data is sent. Data controllers should not take measures or adopt procedures that may curb trans-border data flow, unless processing such data violates the provisions of the Data Protection Law or will cause gross damage to the data subject. The Data Protection Law defines ‘trans-border data flow’ as accessing, viewing, retrieving, using or storing personal data without the constraints of state borders.

The Guidelines have clarified that a data controller transferring personal data outside of Qatar must:

• be able to demonstrated that the transfer is for a lawful purpose and that the transfer of data is made pursuant to the provisions of the Data Protection Law;
• keep track of personal data transferred outside of Qatar as part of its processing activities records;
• take into consideration a number of factors in assessing whether a transfer of personal data would cause “serious damage” to personal data including, but not limited to, whether the data subject would experience emotional distress or physical or material damage; and
• inform the data subject of any transfers of data to countries outside of Qatar and the information should include the location(s) the personal data is being transferred to and information regarding the safeguards in place to protect the data subject's data and privacy.

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

No.

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

N/A