The Dubai Health Authority (DHA) is the governing body responsible for regulating and overseeing all healthcare providers operating in the Emirate of Dubai. This is a critical geographic distinction: DHA's jurisdiction is Dubai only. It does not regulate healthcare in Abu Dhabi (regulated by the Department of Health, DOH), nor in Sharjah, Ajman, Ras Al Khaimah, Fujairah, or Umm Al Quwain (regulated by the Ministry of Health and Prevention, MOHAP).
Every healthcare professional and healthcare facility operating within Dubai's borders — regardless of whether they are in Downtown Dubai, Dubai Healthcare City (DHCC is a special jurisdiction but DHA-affiliated), Jumeirah, Deira, Dubai Marina, or any other area of the emirate — requires a DHA license and is subject to DHA regulations.
DHA's digital health regulations cover two inter-related areas: the content and format of clinical patient records, and the sharing of those records via NABIDH, DHA's Health Information Exchange platform. A clinic can have excellent record content but fail compliance if it is not transmitting that data to NABIDH in real time — and vice versa.
DHA's Health Record Regulations define the minimum content that must be documented for every patient encounter at a DHA-licensed facility. The following elements are mandatory for every patient record.
DHA has implemented an e-prescription system as part of its digital health strategy. All DHA-licensed prescribers must use DHA-approved e-prescription formats. The following elements are mandatory in every DHA-compliant prescription.
Under DHA and MOHAP regulations applicable in Dubai:
DHA mandates the use of the International Nonproprietary Name (generic name) on all prescriptions. A clinician may additionally note the preferred brand, but the generic name must appear as the primary drug identifier. This requirement supports pharmaceutical substitution at the pharmacy level and ensures NABIDH medication records are drug-specific rather than brand-specific, enabling cross-facility drug interaction checking.
DHA's Health Record Regulations specify minimum retention periods for patient medical records. These are not optional guidelines — non-compliant destruction of records is a regulatory violation.
Patient medical records for adult patients (18 years and above at the time of the last visit) must be retained for a minimum of 10 years from the date of the last clinical encounter. This applies to all formats — electronic records in the HMS and any associated paper records. After the 10-year period, records may be destroyed only in accordance with a documented records management policy and with appropriate data security for any electronic records (secure deletion, not simple file deletion).
Records for patients who were minors (under 18 years) at the time of treatment must be retained until the patient reaches age 25, or for 10 years from the last visit, whichever period is longer. This extended retention recognises the potential for medico-legal claims related to childhood conditions to arise after the patient reaches adulthood.
Records of deceased patients must be retained for the same minimum periods as if the patient were alive — 10 years from the last clinical encounter or, if the patient was a minor, until the date they would have reached age 25. Deceased patient records are frequently requested in medico-legal proceedings related to estate claims, insurance disputes, or coronial inquiries.
The 10-year retention requirement has significant implications for cloud HMS contracts. Before signing any SaaS agreement, confirm: what happens to your records if the contract is terminated? Is data exported to you in a usable format? Is there a secure deletion certificate for any data the vendor destroys? A DHA-compliant records management policy must address these questions explicitly.
Every DHA-licensed facility's patient record system must not only store clinical data internally but must also transmit defined clinical events to DHA's NABIDH Health Information Exchange in real time. This is a separate but linked obligation to the record content requirements.
All clinical events generated at a DHA-licensed facility must be transmitted to NABIDH, including: patient demographics with Emirates ID, ICD-10 coded diagnoses, medications prescribed, laboratory results, procedures performed, documented allergies and adverse reactions, vital signs, referrals, and discharge summaries for inpatient episodes. The transmission must occur in real time using the HL7 FHIR R4 API — end-of-day batch uploads do not comply with DHA's real-time requirement.
NABIDH data sharing is a regulatory requirement — patient consent is required as an informational obligation (patients must be informed that their data is shared with DHA's HIE as a condition of receiving care at a DHA-licensed facility) rather than as an opt-in consent. Patients cannot opt out of NABIDH sharing while receiving care at a DHA-licensed facility. However, patients do have rights to access their own NABIDH records through the DHA patient portal.
DHA requires that all electronic health records systems maintain a comprehensive, tamper-evident audit trail for every patient record. The audit trail is a fundamental component of DHA digital health record compliance.
The audit trail must be tamper-evident — no user, including system administrators, should be able to delete or modify audit log entries. The audit trail must be stored separately from the clinical data it logs, using a write-once or append-only mechanism. Audit logs themselves must be retained for the same minimum period as the patient records they document — at least 10 years. DHA inspectors may request to review audit trail reports during facility inspections, including verification that specific record access events were appropriately authorised.
Audit trail integrity requires robust access control: every person who accesses the HMS must use an individual named login — shared logins are non-compliant because they make it impossible to attribute specific access events to a specific individual. System administrators must be assigned administrative access accounts separate from their clinical access accounts. Password policies must enforce minimum complexity and regular rotation.
DHA conducts routine and targeted inspections of DHA-licensed healthcare facilities. Understanding what inspectors examine allows facilities to maintain inspection-ready compliance at all times.
Inspectors typically request a sample of 10-20 patient records from the past 3 months for content review. They check for completeness: Is Emirates ID captured? Is the diagnosis ICD-10 coded? Are vital signs recorded? Is the prescription in the correct format with generic name and clinician license number? Is follow-up documented? Missing elements in a majority of sampled records trigger a compliance finding requiring a formal corrective action plan.
Inspectors access the DHA NABIDH monitoring dashboard to verify the facility's transmission status. They check: Is the facility actively transmitting to NABIDH? What is the transmission success rate? Are there a backlog of failed transmissions that have not been resolved? A high failure rate or evidence that NABIDH transmission has been interrupted for an extended period is treated as a serious compliance failure.
Inspectors may review the facility's prescription records — either in the HMS or via the DHA e-prescription audit log — to verify that all prescriptions include the required elements: generic name, clinician DHA license number, patient Emirates ID, and correct validity periods for controlled substances.
Inspectors may request to see the audit trail for specific patient records to verify that access was by appropriately authorised individuals. They may also check that the HMS enforces individual named logins and that there are no shared user accounts in use.
Use this checklist to evaluate whether your current HMS — or any HMS you are evaluating — meets DHA's digital health record requirements.
DHA requires patient records at all Dubai-licensed facilities to contain: patient demographics including Emirates ID, chief complaint, history of presenting illness, past medical and surgical history, family and social history, review of systems, physical examination findings, ICD-10 coded diagnosis, treatment plan, medications with generic name and dose, referrals if applicable, follow-up instructions, and patient consent documentation. Every record must have a complete audit trail of all access and modifications, and all clinical data must be shared with DHA's NABIDH HIE in real time.
DHA requires adult patient records to be retained for a minimum of 10 years from the date of the last clinical encounter. For patients who were minors at the time of treatment, records must be retained until the patient reaches age 25 or for 10 years from the last visit, whichever is longer. Destruction of records before the retention period expires without DHA authorisation is a regulatory violation that can result in penalties.
DHA does not explicitly prohibit paper records by a single stated law, but the NABIDH integration requirement effectively makes electronic records a functional necessity. NABIDH requires real-time transmission of clinical data in HL7 FHIR R4 format — a standard that cannot be fulfilled by paper records. Any DHA-licensed facility that uses paper records cannot comply with NABIDH and is therefore structurally non-compliant with a mandatory DHA requirement. In practice, all DHA-licensed facilities must use an electronic HMS with NABIDH connectivity.
A DHA-compliant prescription must include: the prescribing clinician's DHA license number, the prescribing clinician's name and specialty, the facility's name and DHA license number, the date of prescription, the patient's full name and Emirates ID, the drug's generic name (INN - mandatory; brand name may be added but cannot replace the generic name), dosage strength, dosage form, frequency, route of administration, total quantity, duration of treatment, and the relevant ICD-10 diagnosis code. Regular medications are valid for 3 months from the prescription date. Controlled substances have shorter validity periods regulated by MOHAP Ministerial Resolution requirements.
Book a free demo - no commitment, no sales pressure.
Book a Free Demo +971 50 386 9500 WhatsApp Us
