By Mujahid Hasan, Sales Director, nshield.io

NABIDH 24–48h vs ADHICS 72h: Two UAE Healthcare Breach Windows, Same Patient

Two breach-notification windows. Same patient data. Different number of hours to notify. If your UAE healthcare incident response runbook only references the 72-hour ADHICS standard, it is incomplete for any Dubai-licensed facility.

Two Regulators, Two Clocks

Abu Dhabi ADHICS v2.0 — 72 hours. Clinics, hospitals, labs, and telehealth platforms licensed by the Abu Dhabi Department of Health (DoH) have up to 72 hours from breach detection to notify.

Dubai NABIDH — 24 to 48 hours. Facilities licensed by the Dubai Health Authority (DHA) operate under a tighter window — notification to both the UAE Information Office and the DHA within 24 to 48 hours of detection, depending on severity classification.

The August 2024 Tightening

The 24–48-hour requirement was tightened in August 2024 by DHA Policy HISHD/PP-13, Section 4.23.4(d). It quietly superseded the earlier 2022 policy. Most healthcare CISOs we speak to are still operating on the pre-2024 version.

The notification email for Dubai also changed — from the 2022 address to datacompliance@dha.gov.ae. If your IR playbook contains the old contact, your first notification bounces.

What This Means in Practice

  • Multi-emirate clinic groups need two breach-notification protocols, not one. A single runbook aligned to 72 hours will miss the Dubai window.
  • Severity classification has to exist before an incident, not after — whether the 24-hour or the 48-hour deadline applies depends on the severity classification under HISHD/PP-13.
  • The Federal Health Data Law (Federal Law No. 2 of 2019) still applies — UAE localization of electronic health records is required regardless of emirate.
  • PDPL still covers every non-patient record a healthcare organization holds (employee records, vendor contracts, marketing contacts).

Penalties

Missing the NABIDH window can result in licence suspension, revocation, or referral for further regulatory action from the DHA. These are not administrative fines — they are clinical-operations consequences. A licence action stops practice. The ADHICS 72-hour regime has equivalent enforcement through the Abu Dhabi DoH.

If your IR documentation only references “72 hours to DoH,” that documentation is incomplete for any Dubai-licensed facility — and needs to be updated against HISHD/PP-13 Section 4.23.4(d).

NABIDH, ADHICS, and the Federal Health Data Law are three of the 13 mandates in our open UAE Regulations Registry, which lists deadlines, penalties, and primary-source references for each.

Sources and Citations

[1] Dubai Health Authority (DHA). Policy HISHD/PP-13 — Health Information Security and Data Protection. Section 4.23.4(d). Effective: November 2024 (issued August 2024). Available at: dha.gov.ae

[2] Abu Dhabi Department of Health (DoH). ADHICS v2.0 — Abu Dhabi Healthcare Information and Cybersecurity Standard. Available at: doh.gov.ae

[3] Federal Law No. 2 of 2019 on the Use of Information and Communications Technology in Health Fields. Available at: mohap.gov.ae

[4] DHA notification channel: datacompliance@dha.gov.ae (updated 2024 from the prior HISH@dha.gov.ae address).

[5] ITSEC, DTS Solution, ASC Global. Secondary analyses of ADHICS v2.0 compliance obligations.

Rebuild the IR Runbook for Both Clocks

A UAE healthcare IR assessment produces a dual-regime runbook — ADHICS 72-hour and NABIDH 24–48-hour — with severity classification, escalation paths, and notification templates for each regulator.
