DHA Compliance

Dubai Health Authority Regulatory Compliance

Last Updated: April 20, 2026

Overview

RepHigh operates in full compliance with Dubai Health Authority (DHA) regulations, UAE Federal Decree-Law No. 45 of 2021 (PDPL), and the NABIDH Data Privacy Framework. This page outlines how we meet each regulatory requirement.

DHA Health Data Quality Policy

Effective November 1, 2023, DHA mandates strict standards for health data accuracy, completeness, security, and retention. RepHigh complies by:

  • Storing all patient data exclusively within the UAE
  • Retaining patient communication logs for 25 years per DHA mandate
  • Maintaining consent records for the full retention period
  • Implementing AES-256 encryption at rest and TLS 1.3 in transit
  • Conducting regular data quality audits

NABIDH Framework

RepHigh's data handling (encryption, UAE residency, access controls, and retention) is designed to be NABIDH-compatible. RepHigh does not connect to NABIDH directly; clinics maintain their own NABIDH registration. We require proof of active NABIDH registration (where applicable) before onboarding.

Patient Data Protection

What We Process

  • Patient first name, WhatsApp number, appointment details
  • Message delivery status and engagement data
  • Last visit date for reactivation workflows

What We Never Process

  • Medical diagnoses, conditions, or clinical notes
  • Prescription details or medication information
  • Test results or health metrics
  • Financial or insurance information
  • Biometric data

Consent Requirements

Clinics using RepHigh must obtain explicit, documented patient consent before adding any patient to a workflow. Required consent elements include:

  • Clear identification of the clinic as data controller
  • Identification of RepHigh as data processor
  • Specific description of communication types
  • WhatsApp as the communication channel
  • Right to withdraw consent at any time
  • Active opt-in checkbox (unchecked by default)
  • Separate consent for utility vs. marketing messages

WhatsApp Business API Compliance

All message templates are pre-approved by Meta, contain only logistics information, do not contain medical advice, include opt-out instructions, and are sent only to patients who have provided explicit consent.

Data Breach Protocol

  • Investigation and containment within 24 hours
  • Initial notification to affected clinics within 24 hours
  • Full notification within 72 hours
  • UAE Data Office and DHA notified as required by law
  • Clinics provided with all information needed for patient notification

Security Infrastructure

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Role-based access control (RBAC)
  • Multi-factor authentication for all staff
  • Regular penetration testing and vulnerability scanning
  • Annual staff data protection training
  • Data Protection Officer (DPO) appointed

Important Limitation

RepHigh is a communication and workflow platform. We do not provide medical advice, clinical services, or telehealth. All clinical decisions remain with DHA-licensed healthcare professionals.

Contact

Data Protection Officer
RepHigh, Dubai, UAE
Email: support@rephigh.com

For urgent data breach notifications: support@rephigh.com (24/7 monitored)
