Digital Healthcare 2022

Last Updated June 30, 2022

Saudi Arabia

Law and Practice


Hammad & Al-Mehdar Law Firm was founded in 1983 in Jeddah, Saudi Arabia, and has grown to become one of the largest private-practice Saudi firms in the Kingdom and the GCC, with offices also in Riyadh, Al-Khobar and Abu Dhabi. The firm boasts a leading local presence supported by international capabilities. Hammad & Al-Mehdar provides a full suite of corporate and private client legal services in all major areas of Saudi and ADGM law, working on cutting-edge, complex and high-value transactions and disputes. Headquartered in Jeddah, Hammad & Al-Mehdar’s growth story is one of trade, innovation and technology in the Kingdom’s private sector. Hammad & Al-Mehdar maintains a strong specialisation in servicing privately held businesses, with unrivalled expertise in business and transaction structuring, private construction works, commercial, intellectual property, corporate governance, and regulatory advisory services.

The digital healthcare sector in the Kingdom of Saudi Arabia (the “Kingdom”, or KSA) is constantly developing to address the Kingdom’s response to health and related economic and social impacts. Telehealth/telemedicine is a good example of the use of digital healthcare and digital medicine, which entails the use of technology such as electronic information and telecommunication to provide digital solutions for healthcare institutions and patients. The capability of such platforms extends to monitoring patient health and subsequently facilitating patients obtaining medical advice based on the results.

Therefore, the Ministry of Health (MoH) is seeking to develop telemedicine as part of its desire to advance the field of digital health in Saudi Arabia and increase awareness and regulatory guidance on remote diagnosis and examination services through advanced electronic means. The MoH has implemented several additional e-health and electronic information platforms to promote and provide healthcare and telemedicine, which will be explained below.

According to the Digital Health Strategy update issued by the MoH, digital health is defined as “the cost effective and secure use of information and communication technologies and the associated cultural change it induces, to help people manage their health and wellbeing and transform the nature of health care delivery”. The MoH has issued decisions and guidelines to regulate the use of telehealth in the KSA, such as the Regulation Governing Telehealth (telemedicine) issued by the National Health Information Centre (NHIC) (the “Telemedicine Regulations”).

The Telemedicine Regulations define telemedicine as “a remote medical practice using information and communication technology”, and refer to the interaction between a healthcare practitioner and patient. It is further explained that the MoH is working to create a programme regarding e-health that is a "safe, efficient health system, based on the care centred on a patient, standard-oriented, and supported by the e-health". The MoH defines e-health as the usage of information technology (IT) and digital communication as a means of providing services such as diagnoses, examinations, medical assessments and communications between patients and professional health practitioners.

As part of the Kingdom’s Vision 2030, the MoH aims to improve healthcare through IT and digital transformation. The use of digital technologies has enabled remote monitoring services and artificial intelligence (AI) systems to perform virtual appointments and consultations. The implementation of e-health systems has begun across several hospitals and organisations. Key systems include the following.


Telemedicine is the use of IT and electronic communication platforms to connect patients with healthcare professionals using electronic communication systems. The benefits of telemedicine involve remote examination, analysing health results and forwarding the results to the appropriate authorities, and other medical applications that can be performed using computers and other types of communication systems.

Electronic Medical Record (EMR)

An EMR is an electronic healthcare information record that stores patient information. It helps store and analyse medical records from services rendered to patients in different departments. The EMR system has been implemented across hospitals in the region for patients and medical professionals to access data from remote premises.

Picture Archiving and Communication Systems (PACS)

The objective of PACS is to replace manual medical imaging systems that depend on radiological films with digital systems that allow a multitude of healthcare specialists to examine digital images through online networks. This overcomes problems relating to lost images, which reduces the time and cost of retaking images.

Emergency Response Plan (ERP)

The ERP is a set of guidelines for individuals to follow during unforeseen events or in the case of emergencies.

Computerised Provider Order Entry (CPOE)

This system aims to reduce the occurrence of medication errors and has been recently implemented in hospitals and healthcare facilities in the Kingdom. CPOE systems allow health institutions and practitioners to electronically enter medical information and orders for patient access and reference.

Patient Portals

Various hospitals have begun to initiate the use of patient portals, which are secure websites that allow patients to access personal health information wherever they are, provided they have access to the internet. Patients may also view lab results, medications, allergies and other medical options.

Mobile Applications

Mobile applications offer prevention services, self-management and educational tools. The MoH has introduced a number of applications in its mission to improve e-healthcare systems. Further examples of such e-health mobile applications include the following.

  • Sehhaty was introduced to allow individuals to book appointments at the closest COVID-19 testing location. Users can also view their results in the same app within 24 hours of taking the test.
  • Tetamman was also launched by the MoH with the purpose of monitoring individuals who were asked to isolate due to being infected with the virus or being in contact with another person who was infected. Tetamman offers other services, such as contacting healthcare practitioners regarding a follow-up of their tests or booking a re-test when needed.
  • Tabaud was developed by the National Information Centre (NIC) and the Saudi Arabia Data Artificial Intelligence Authority (SDAIA), and was then launched by the MoH. The Tabaud application provides services that include:
    1. notifying users if they have been in contact with a person infected with COVID-19;
    2. providing aid to users who have recently tested positive or users who have been in contact with an infected person by sending their details to the MoH, which then provides them with the necessary guides and medical support in accordance with the severity of their case; and
    3. giving the opportunity to users who have tested positive to voluntarily share their test results with people they have been in contact with in the past 14 days.
  • Mawid is an e-service booking application established by the MoH that allows users to book and/or cancel appointments at different healthcare centres within the KSA.
  • Tawakkalna was introduced by the SDAIA and approved by the MoH with the aim of supporting the efforts to limit the spread of COVID-19. The application reflects the medical condition of users and whether they received any doses of the COVID-19 vaccine, in addition to the number of such doses, including booster shots. Depending on the vaccine status, users are then issued an immunity passport that can be used in various countries around the world and acts as proof of a valid COVID-19 vaccination.

The emerging issues arising from the growth of digital health relate to various security and data protection-related concerns. Overall, digital health providers are required to comply with the commercially adopted standards of medical care, and regulations relating to medical devices, data privacy and security. Some of the key challenges are described below.

Antitrust, Abuse and Fraud

Considering the expansion of digital health operations in the Kingdom, service providers must comply with the Saudi Anti-Fraud Regulations to minimise the risk of fraud and abuse. Digital health companies must implement enforcement and monitoring strategies to minimise such risks associated with data sharing activities and data breaches.

Technological and Professional Standards

As more digital health devices are adopted by employers and consumers, there is a need to employ qualified health professionals and technology specialists who can meet the developing e-health standards. This is to ensure that employees in the industry comply with the current commercial standards to limit any potential liability. Technological difficulties may arise with regard to security and database management due to the use of electronic means instead of paper medical records. Different hospitals follow different policies regarding the usage of e-health systems. Therefore, inaccurate records or damage to patient and medical information may prove to be challenging as there is a high degree of dependence by medical professionals on the use of reliable records.

Confidentiality and Data Privacy

Due to the sensitive nature of patient information and data, the protection of privacy, security and confidentiality is significant and must be maintained and safeguarded. Healthcare practitioners or institutions dealing with such sensitive information should consider seeking consent and notifying potential data subjects of third-party use of information and of any breach of data records. The growing use of online data processing and storage of patient health records through different service providers results in challenges related to professional training and accuracy of information, as these issues affect potential liability.

Product Liability

Product liability may be imposed on any data provider, software developer, device manufacturer, or the company commercialising the product, for involvement in any product defects that resulted in misdiagnosis or injuries to patients. Disciplinary actions would be applied in accordance with the Law of Practicing Healthcare Professions and the Consumer Protection Association of Saudi Arabia, which aims to protect and safeguard all consumer rights.

Due to the effects of the COVID-19 pandemic, the need for, and use of, digital health increased rapidly. As such, the implementation of digital health has faced barriers due to heightened legal scrutiny from regulators in the Kingdom. Nonetheless, the challenges posed by the rise of digital health during the pandemic led medical professionals to adopt new technology health advancements and telemedicine practice.

The implementation of the Digital Health Strategy by the MoH provided for easier patient access to medical consultations at cost-effective rates, distant monitoring and health information management systems, which have transformed the method of providing healthcare services to patients in the KSA. The Digital Health Strategy facilitated maintaining low COVID-19 infection rates through platforms such as Tawakkalna, Sehhaty, Tetamman and EMR, as explained in 1.3 New Technologies.

The MoH and the Saudi Food and Drug Authority (SFDA) are the main regulatory bodies overseeing the healthcare industry in the Kingdom. The MoH is the authority responsible for supervising the management, financing and organisation of the healthcare industry. This includes implementing health policies and guidelines, and permitting the use of e-health apps. The MoH regulates with the aim of improving digital healthcare as part of the KSA’s Vision 2030, approving numerous telemedicine and digital healthcare technology uses.

Furthermore, the SFDA regulates three primary industries in the Kingdom, including food, drugs (medicine) and medical devices. Companies or pharmacies must seek the SFDA’s approval for carrying out activities relating to medical devices, medical supplements, healthcare products and food. The SFDA also oversees the overall legal framework to authorise medical devices used in the Kingdom, in which manufacturers seeking to supply medical devices in the KSA must obtain the requisite licensing and approvals from the SFDA.

A key regulatory development is the recent public consultation and release of the draft Personal Data Protection Law (PDPL), which is intended to be adopted by all entities within the Kingdom in March 2023.

The draft PDPL protects the use of personal data; ie, any information, in whatever form, in which a person is directly or indirectly identified. The draft PDPL would further provide for protection on patient data processed through digital devices, which previously lacked clear regulatory guidance under the current laws. The draft PDPL has differentiated the terms "personal information" and "sensitive information", in which sensitive information includes health data; ie, all personal data relating to an individual’s health or relating to a health service such as hospitalisation, medication and treatments.

Additionally, the draft PDPL restricts access to health data, including medical records, to the fewest possible members of staff, as well as limiting the involvement of third parties to the required scope of medical service. As such, it is important to note that the PDPL (when in force) would impose further obligations relating to the security of personal and sensitive data on digital health companies, while also imposing potential penalties for a breach of a patient’s personal data.

The SDAIA is encouraging all entities to participate in any future initiatives to enhance and amend the law based on public responses.

The Law of Practicing Healthcare Professions outlines the obligations for healthcare professionals in relation to professional responsibility, duties and necessary licences. It also imposes penalties and disciplinary actions for professional violations, including issuing warnings, fines of up to SAR10,000 and cancellation of the healthcare professional's licence. The Law of Practicing Healthcare Professions further imposes civil liability, whereby patients are entitled to claim damages and can be indemnified in the case of a breach of duty or malpractice by the healthcare professional.

Additionally, the draft PDPL stipulates criminal and administrative sanctions for the disclosure of sensitive data and breaches of cross-border data transfer restrictions. The penalties and fines range from approximately SAR1 million to SAR5 million depending on the severity of the violation, with further prospects of the penalty increasing for any repeat offenders.

The Telecommunications Law specifies sanctions in the event of a breach of privacy within the telecommunications sector.

The Cybersecurity Law imposes fines of up to SAR3,000,000 for disclosing or providing unauthorised access to private data, which extends to distributing, leaking or destroying such data. Further criminal sanctions may include imprisonment for repeated violations.

There are many concerns that relate to the advancements in healthcare services and delivery of such services, specifically with regard to the use of mobile applications and digital health platforms that permit the monitoring and collection of personal data to administer and regulate medication schedules, track personal health, and notify of any abnormalities. As such, the concept of digital health also carries with it security and data breach concerns and such concerns have resulted in extensive legal regulations.

The importance of personal data security and confidentiality was recognised by the SDAIA and reflected in the draft PDPL, which stated it would apply to all sectors to further safeguard and ensure the security of personal data processed in the KSA. Additionally, the Penal Law on Dissemination and Disclosure of Confidential Documents and Information prohibits an individual from jeopardising the safety and security of the Kingdom by disclosing confidential information. Additional laws protecting the use of personal data include:

  • the Saudi Anti-Cyber Crime Law (regulated by the Ministry of Communications and Information Technology);
  • the Saudi Telecommunications Law (regulated by the Communications and Information Technology Commission); and
  • the E-Commerce Law (regulated by the Ministry of Commerce).

Generally, diagnostic care is offered to treat existing medical concerns, whereas preventative care is the method of detecting health concerns prior to any symptoms developing. Regulatory schemes in the KSA do not differentiate between the two types; however, there are healthcare institutions and systems implemented to oversee the healthcare services offered. This includes the concept of primary healthcare (PHC) in line with the KSA’s Vision 2030 goals.

The PHC initiative was adopted in an attempt to improve health education and disease prevention, in addition to the promotion of healthier lifestyles. The services offered by PHC include:

  • controlling infectious diseases through immunisation;
  • child and maternity health;
  • basic dental services;
  • chronic disease management;
  • essential medications; and
  • health education.

Primary care services are provided through a network of primary healthcare centres (PHCCs), which are easily accessible and have satisfactory standards of infrastructure and equipment, with the focus of improving the health sector, and several medical laboratories and diagnostic centres have emerged within the Kingdom in recent years.

As a result of the COVID-19 pandemic, there is an increased use of preventative care to address medical concerns and limit any negative impact at an early stage. In addition, the Kingdom’s Vision 2030 has resulted in implementing the Health Sector Transformation Program to ensure the development of medical services, with increased awareness of adopting more advanced methods and devices to restructure the current industry and provide a more effective and integrated system that contributes to the improvement of overall health in the Kingdom.

Moreover, the Saudi Central Bank (SAMA) governs and monitors the insurance sector in the KSA, including medical insurance, which covers medical treatment costs, medications and services. The concept of PHC is relatively new in the Kingdom, but with the proposal of the Model of Care (which was introduced as part of the Kingdom’s Vision 2030), the MoH focused on upgrading PHC systems to improve the Kingdom’s healthcare development with regard to its methods, efficiency and technology. The MoH further implemented strategies such as raising awareness of PHC, allowing easier access by online appointment bookings, and introducing new automated, standardised systems to make PHCCs more efficient.

Accordingly, the recent developments in the healthcare sector in the Kingdom have resulted in the advancement of the technological capabilities of healthcare providers and allowed healthcare systems to have extensive coverage throughout all regions in the Kingdom, as well as improving the quality standards when providing such healthcare services. Perhaps the most notable acceleration of development in the healthcare sector was due to the COVID-19 pandemic, which required the adoption of advanced technology, lower costs, and an increase in the regulatory development with respect to healthcare and the use of advanced technology to prevent, and respond to, COVID-19.

The use of wellness and fitness programmes prompts individuals to provide data through online health surveys, transferring genetic material, and the use of fitness trackers, in which such personal information is used to analyse personal life developments, with the aim of managing and improving health and well-being. Such use of personal data would be subject to the PDPL (once implemented) with regard to confidentiality, security and storage of individuals’ personal data and information.

The legal system in Saudi Arabia is uncodified and based on Islamic sharia, and does not recognise "judicial precedent". As such, laws in the KSA are developed and enacted pursuant to legislation (such as royal decrees, royal orders and ministerial resolutions) as opposed to laws being developed by the KSA courts.

Regulations that relate to healthcare include:

  • the Private Health Institutions Law issued by Royal Decree No M/40 dated 3/11/1423H (2002G);
  • the Executive Regulations of the Private Health Institutions Law, issued by Ministerial Decree 683151 dated 10/3/1436H (2015G);
  • the Executive Regulations of the Health Practice Law, issued by Royal Decree No M/59 dated 4/11/1426H (2005G); and
  • the Legal Regulations for Telehealth Services, issued by Royal Order (No 47455) on 9/8/1441 (2021G).

In line with the KSA’s Vision 2030 goals, the Kingdom has increased the usage of PHCCs around the KSA, which is resulting in the development of new regulations from various sectors. Such sectors involve SAMA as the regulator of the insurance sector. Furthermore, due to the increase of PHC usage, the development of the healthcare methods, devices and technology used is accelerating. An example of this is the increase in the use of telehealth systems/devices, which are being increasingly implemented within PHC services, such as communication channels and already-existing devices and platforms that promote telehealth usage with respect to PHC.

The SFDA regulates and specifies the types of medical devices that are allowed to be introduced into the Saudi market. Companies seeking to sell specific types of medical devices will have to obtain licences and approvals from the SFDA, including representatives who act on behalf of foreign manufacturers.

The SFDA has launched the Medical Devices National Registry (MDNR) to obtain the profile of the medical devices that are allowed in the KSA, and establish a database of all manufacturers, companies and suppliers.

The SFDA further introduced the National Centre for Medical Devices Reporting (NCMDR) to record, analyse and manage medical devices. The NCMDR’s main objective is to prevent repetition of adverse events. Authorised representatives, manufacturers, importers, distributors and users are expected to inform the SFDA of any adverse events that took place and that they have been made aware of.

In addition, the SFDA introduced a Medical Device Establishment Licensing System for institutions involved with the importation and/or distribution of medical devices in the Saudi market. Medical devices must be registered in the MDNR to ensure that they are able to appropriately manage the imported and/or distributed devices in relation to storage, transport, traceability and installation.

Therefore, companies seeking to enter the market and introduce new technologies must comply with the aforementioned SFDA procedures and guidelines while also considering, and complying with, the relevant licensing requirements when promoting the use of such technologies in the healthcare sector in the KSA.

The internet of medical things (IoMT) includes devices and applications that are designed to enable healthcare providers to communicate and provide healthcare services through digital platforms and devices via the internet. The advancement of the IoMT facilitates the further development of monitoring patient health for medical assessments, results and training purposes. Applications such as Sehha, which has been introduced by the MoH, allow medical practitioners to virtually communicate with users for diagnoses and treatment for a range of medical issues using the internet. This is in line with a variety of recently developed technologies that are used to communicate with medical professionals through video, audio and written means. The developments allow the updating of user data in relation to examination results, and the provision of prescriptions and necessary medical advice for homecare services.

Moreover, as previously mentioned, the MoH has recently approved and launched technology applications that utilise the IoMT for the purposes of monitoring COVID-19 cases and user health status, such as Sehhaty, Tetamman, Tabaud, Tawakkalna and Mawid, which were described in 1.3 New Technologies. Considering the usage and benefit of such applications, the digital health solutions deployed will further advance service options to shift the current health infrastructure and introduce technological innovations in the Kingdom using the IoMT.

The Law of Practicing Healthcare Professions imposes civil, criminal and disciplinary liability for malpractice, professional violations and criminal violations.

Civil Liability

Article 27 of the Law of Practicing Healthcare Professions imposes civil liability on healthcare professionals for errors in treatment, lack of knowledge or skills, inadequate monitoring or supervision, or failure to attend patient needs. Such civil liability cannot be limited or excluded.

Criminal Liability

Article 28 specifies that providing false information, practising healthcare without the appropriate licences, or neglecting treatment may result in imprisonment for up to six months or a fine of up to SAR100,000, whichever is applicable to the case.

Disciplinary Liability

Article 32 states the violations relating to a practitioner who defaults in carrying out their duty or violates their code of conduct and/or ethics may be subject to disciplinary action, including a warning, a fine of up to SAR10,000 or the cancellation of their medical licence.

From the practitioner’s perspective, the Kingdom has implemented insurance policies in line with the regulations of the Saudi Commission for Health Specialities that provide protection against financial consequences arising out of potential adverse outcomes against healthcare professionals.

Technological developments and the new generation of the IoMT are significant in acting as interactive tools between healthcare practitioners, patients and healthcare service providers. The data sharing nature of such tools poses cybersecurity risks in terms of unauthorised access and breaches to privacy, in that there is an increased risk of hacking threats and breaches to IT infrastructures as a result of recent advancements and reliance on the IoMT. For this reason, digital technology companies are urged to ensure they have solid security policies in place and clear data protection provisions in their contractual arrangements.

The Communications and Information Technology Commission (CITC) has also urged companies to adopt further security procedures with respect to internet of things solutions and to mitigate cybersecurity risks by incorporating end-to-end encryption, firewall barriers and extensive automation to enhance cybersecurity and avoid unforeseen data leaks and data breaches.

The MoH has recently approved the charter of the NHIC, which, in parallel with the MoH, will regulate and supervise healthcare services and healthcare institutions. The MoH's decision will be enacted in successive stages in which holding companies will be established to implement a set of digital health programmes and virtual medical care services to expand digital health, while the MoH will oversee regulatory preparations to cover the scope of any such advancements.

The SFDA is the body that regulates software that would fall under the definition of a medical device. Article 1 of the Medical Device Interim Regulations defines a medical device as: “any instrument, apparatus, implement, machine, appliance, implant, in vitro-reagent or calibrator, software, material, or other similar products or related article which: (i) is intended by the manufacturer to be used, alone, or in combination of diagnosis, prevention, or monitoring, and (ii) which does not achieve its intended action in or on the body by pharmaceutical means but which may be assisted in its intended function by such means.”

The SFDA further established the National Centre for Medical Devices Reporting to manage and record adverse events that may occur from medical devices. Furthermore, in 2021, the SFDA issued guidance on the Review and Approval of Data Based Medical Devices and Artificial Intelligence, in which it outlines the requirements to use AI medical devices. The requirements stipulate the need for digital companies to test AI patterns and monitor the results when predicting or diagnosing diseases. The SFDA guidance further provides information on the criteria for a software product as a medical device, risk classification, standards of the software, and compliance with registration and approval requirements. The guidance applies to software such as computer-aided detection/diagnosis and clinical decision supporting software. The scope extends to hardware-configured AI software and standalone software types of medical devices that apply machine learning AI technology that predicts, manages and diagnoses diseases by analysing medical data.

Moreover, the classification of medical devices is based on the degree of potential risk and the intended use of the medical device according to the Guidance on Requirements for Listing and Medical Device Marketing Authorization.

As explained under 1.2 Regulatory Definition, the MoH and the NHIC have approved the Regulation Governing Telehealth. The NHIC also launched the Saudi Telehealth Network to remotely connect various healthcare facilities with PHCCs via the telehealth systems. Further initiatives offered by telehealth and telemedicine efforts include remote access to appointments and qualified health professionals. The role of telehealth/telemedicine in the KSA is to develop the standard and quality of healthcare services provided in the Kingdom in a faster and more cost-efficient manner, regardless of the size of the healthcare facility or the geographical location thereof.

The regulatory environment in the Kingdom has been evolving to encourage organisation and efficiency in offering digital health solutions in response to COVID-19.

Among the regulatory digital platforms that were introduced during the COVID-19 pandemic, Tawakkalna has become prevalent to access public spaces and record users' health status in accordance with the MoH requirements. In terms of the use of online platforms for business purposes, such platforms are required to disclose the extent to which data is recorded and offer authentication and encryption of data to comply with data privacy regulations.

Digital platforms such as Tawakkalna are to be permanent fixtures in the KSA as they include digital services such as a virtual health passport, a virtual national ID, a virtual driving licence, insurance, an emergency ambulance request and an online organ donation platform.

The Ministry of Finance and SAMA oversee financial payment processing in Saudi Arabia. The online payment (and potential reimbursement) of telehealth services can be seen as a new challenge when compared to classic in-person payments. Generally, in the healthcare sector, there is more than one party involved in the payment process, including insurance companies, the patient, the relevant government authority and the telehealth company. Payment consistency can therefore vary between in-person consultations and telemedicine and will therefore depend on the payment processing system implemented by the telehealth company.

The IoMT is facilitating the monitoring of patients and enabling healthcare practitioners to conduct early interventions through diagnosis tools. The IoMT therefore serves healthcare providers in reducing costs and enhancing their proficiency. Sehha, which is an e-health mobile application, was launched to further support and increase the services provided as it is linked to over 100 hospitals within the Kingdom. The application incorporates the latest technology emerging in this sector and further contributes to the investment in medical devices and reports, as well as the training of newly qualified healthcare practitioners.

Additional technologies emerging in this sector include wearables that help monitor the health, fitness and wellness of a patient and provide an overview of an individual’s sleep pattern and heart rate. Such wearable devices include Fitbits and smart watches, which are designed to collect personal data on the user’s health and fitness.

Telemedicine is another example of the use of the IoMT in the KSA, whereby telemedicine allows medical professionals to communicate with patients through digital devices and videoconferencing, using the internet to remotely monitor the patient and provide remote medical consultations.

The regulatory issues associated with digital assistants (such as Alexa) include access to patient data, misdiagnosis, variations in quality and security concerns. Given that virtual assistants and other applications related to AI would be exposed to processing personal data, such applications would therefore fall under the scope of the draft PDPL, under which the use of such devices in the healthcare sector is required to comply with the required data security and data storage obligations.

5G networks facilitate the implementation of augmented reality surgery, post-surgery care, home-surgery care, monitoring patients remotely and robotic-assisted surgery. The demand for 5G adoption is increasing as part of the KSA’s Health Vision to further enable the latest generation of technology to be utilised in the latest medical devices. Key contractual considerations would include details of operation, licence fees and standards of technical conditions and quality with respect to entering into contractual agreements with telecommunication companies for the use and utilisation of 5G for healthcare facilities and their medical devices.

The key legal issues that would arise in sharing personal health data for clinical purposes are confidentiality and the disclosure of personal information. Generally, disclosure would only be permitted for limited purposes for the safety of the patient. An exception for the disclosing party would be the transfer or processing of health information arising due to the need to preserve health, combat disease, or satisfy a requirement in the Kingdom’s interest. The draft PDPL imposes restrictions that would limit the role of de-identification and aggregation for the purposes of reducing precise data due to the monitoring terms involved.

In addition, a key development in the implementation of the PDPL concerns the rules on consent, which is now recognised as the primary basis for carrying out any means of processing for all types of data. The SDAIA is the responsible authority for providing registration and fees to all data controllers dealing with personal data in accordance with Article 32 of the draft PDPL. The SDAIA will be the main regulatory authority for at least two years, after which SAMA and the CITC will be the governing bodies responsible for maintaining such registrations and fees.

Please refer to 5.2 Legal Implications with respect to liability for any data breach or unauthorised use or access to personal health information.

The following matters are subject to review and approval by the SFDA when using AI in the healthcare sector:

  • security standards;
  • cloud server environment;
  • technical specifications;
  • performance and clinical efficiency;
  • protection of sensitive data; and
  • security requirements.

Risks may arise if medical information is transmitted through cloud technology that may modify data or damage information depending on the security rights. Therefore, regulations issued by the SFDA impose security requirements for the use of a network to include further encryption and proper authentication. Other issues include clinical accuracy where several studies are conducted on the sample data obtained from the technology. The draft PDPL facilitates the protection of confidential information and sensitive data, which would apply to medical big data that is being processed through machine learning and AI-based medical devices used by medical and healthcare institutions.

The current regulatory approach to the use of AI and machine learning data is to constantly review current trends and future products to ensure that any medical device incorporating AI is properly managed to protect patient data.

The Guidance on Review and Approval of Artificial Intelligence and Big Data based Medical Devices issued by the SFDA imposes provisions in relation to monitoring AI medical results and patterns to ensure that any services provided are completed with accuracy. It covers the scope of cloud computing technology, submission requirements for device approval, clinical validation, and further essential requirements when seeking to offer AI devices in the Saudi market. Clinical validation for AI-based medical devices is done through conducting a prospective study or a retrospective study with the applicable clinical trial procedure.

Legal and regulatory issues primarily consist of protection of personal information, obtaining the requisite approvals to efficiently provide digital healthcare technologies and ensuring the stability of the platform over time. Healthcare institutions and users should seek to clearly identify in any contractual arrangement the scope of expertise, licensing, data use and storage, IP use and IP rights. The rights of use and ownership of such technology solutions should be specified, along with the payment terms arranged at the outset. Further considerations include licensing or non-disclosure agreements depending on the scope of use and parties involved.

In consideration of the rapid growth of digital healthcare trends, digital health companies must constantly update their systems and/or devices to improve patient experience, quality and data protection standards in accordance with the applicable laws and regulations. Investments in digital transformation companies may also facilitate the ability to carry out such initiatives. Please also refer to 5.3 Cybersecurity and Data Protection with respect to the security procedures relating to IoMT solutions to mitigate cybersecurity risks and data privacy.

The following regulations are applicable with regard to the use of personal or sensitive data:

  • the PDPL (which is currently in its draft form), which applies to the processing of data by any means, including data sharing and data storage;
  • the Law of Practising Healthcare Professions issued under Royal Decree No M/59 dated 04/11/1426H, which sets out the duties and responsibilities of healthcare professionals, healthcare licensing requirements and the different liabilities imposed on healthcare professionals;
  • the Saudi Health Information Exchange Policies issued on 21/04/2016, which aim to ensure the confidentiality of personal health data being shared and exchanged;
  • the Penal Law on Dissemination and Disclosure of Confidential Documents/Information issued by Royal Decree No 16913/B dated 10/5/1433;
  • the Anti-Cyber Crime Law issued on 03/08/1428 H (03/27/2007);
  • the Document Records and Archives Law issued by Royal Decree M/54 dated 23/10/1409H; and
  • the Document Archiving Regulations issued by Royal Decree 7/1379/M dated 21/7/1416H.

Additionally, the Law of Practising Healthcare Professions imposes an obligation on all health practitioners to protect patients’ data that they become aware of, except in cases where patients’ written approval is obtained.

Patent Protection

Patent protection is governed by the Patents, Layout Designs and Integrated Circuits, Plant Varieties and Industrial Designs Law, and its Implementing Regulations. The scope of patent protection relates to a group of integrated parts that form a single invention concept or a single invention. Inventions include any new methods of manufacture, improvement, and any new article including a product or a process. The scope of patent protection (which lasts for 20 years from issuance of the patent) extends to medical devices that have been created to work in co-operation with devices created for healthcare (including telehealth or telemedicine) purposes, including wearable devices such as smartwatches and Fitbits.

Copyright Protection

The Saudi Copyright Law governs the scope of copyright protection. This covers a work of authorship produced, published, displayed or performed for the first time within the Kingdom. The protection extends to copyrighted work included in treaties or international agreements to which the Kingdom is a party, such as the Berne Convention for the Protection of Literary and Artistic Works. The scope of copyright protection extends to medical mobile applications such as Tawakkalna and digital health products such as EMRs, which are subject to copyright protection in terms of the software and its coding. Such copyright protection lasts for 50 years after the death of the author/creator.

Trade Secret Protection

The Regulations for the Protection of Confidential Commercial Information vaguely define trade secrets as information not known in its final form or where the information is not easily obtainable by those who work in the same business. Protection of trade secrets extends to protect information of commercial value so long as the rightful owner takes reasonable measures to maintain its confidentiality. What is important to note here is that the Regulations do not provide for a limit on protection duration, except for information submitted to an official body or competent authority for the purpose of approval – ie, the marketing of drugs or for chemical substances used in chemical agricultural products – in which case, a minimum protection period of five years will apply.

The legal framework governing intellectual property in the Kingdom extends to protect different elements in relation to innovative products. However, there are many advantages and disadvantages that health institutions must be aware of. Such associated advantages include enhancing healthcare institutions’ value and competitive edge by protecting their name, brands and inventions, which also helps with the marketing of the medical devices and products. It is important to note that disadvantages arise in the costs associated with such protection and the potential difficulty in obtaining certain patents with complex products that involve several complicated processes, methods and designs. The legal framework governing IP is further described in 14.1 Scope of Protection.

Moreover, given that the notion of judicial precedent is not recognised in the KSA, the principles of sharia would apply with respect to IP protection in the absence of specific regulatory guidance.

Considerations for contractual licensing structures related to intellectual property include IP usage rights and third-party risks. The main licensing structures are exclusive or non-exclusive rights. Exclusive licensing restricts any third parties from having such IP rights, whereas non-exclusive licences allow the licensor to further exploit the IP and grant similar IP rights to third parties and other licensees to use the same IP granted to the initial licensee.

It is therefore important to assess any agreements and licences required, as well as clarify the ownership and usage rights of any IP. In addition, digital health companies should ensure that any potential inventions are confidential until any design or patent filing is obtained to ensure such inventions are appropriately protected.

The current legal framework in the KSA does not directly address the allocation of IP rights related to research for academic institutions, as such IP rights are generally identified in the contractual arrangements. Such IP rights and obligations would stipulate that any patent, copyright, trade secret or trade mark created will be considered the property of the physician and/or inventor or university and/or institution. It is usually the university and/or healthcare institution that retains ownership over any such research, invention or technology developed for it by virtue of the commercial or employment arrangement between it and the physician and/or inventor.

Contractual arrangements should address any third-party or joint rights and the procedure of establishing ownership of intellectual property during the phases of development of any digital health device or product throughout the term of the contractual arrangement. Important terms to include in such arrangements are ownership, usage rights, exclusivity rights, scope and duration of the licence rights, warranties and indemnities, and confidentiality. This will set out clear rights and obligations of all parties involved to avoid disputes regarding the development and use of such IP inventions and authorship.

As discussed in 6.1 Categories, Risks and Regulations Surrounding Software as a Medical Device Technologies, the SFDA governs medical devices that incorporate data analytics, AI, machine learning and software to ensure that any devices on the market have been tested, analysed and approved prior to their use by practitioners and patients. This therefore limits liabilities for any potential malpractice in terms of damaged or false information transmitted and shared. The professional liability imposed on healthcare professionals includes civil liability, criminal liability and disciplinary liability, as explained in 5.2 Legal Implications.

Healthcare institutions may be subject to third-party liabilities in the event that there are inadequate risk management systems in place. Therefore, health institutions should seek to determine the potential risk involved and the risk tolerance levels. They should also classify vendors with respect to the risk criteria, conduct proper due diligence on the vendor and address any vendor risks that arise from such assessment.

In line with the KSA’s Vision 2030, the following trends are likely to grow and have a notable impact on digital health in the Kingdom.

Virtual and Augmented Reality

Virtual and augmented reality is expanding to offer practical uses within the healthcare sector beyond entertainment. Various healthcare providers are starting to use virtual reality (VR) for healthcare learning purposes such as using VR as training simulations. These training simulations provide medical students and healthcare practitioners in general with the new opportunity to practise complex procedures in a safe and controlled environment. Moreover, VR is also being used as distraction technology, to distract children during vaccinations and injections to reduce the pain and fear among children and more vulnerable patients.

Innovations in Disease Management

The outcome of COVID-19 created a need for healthcare companies to rapidly respond and develop innovations in the healthcare industry. This rapid change will facilitate and encourage healthcare providers to treat and monitor patients outside of the traditional healthcare premises.


As a result of the COVID-19 pandemic and the reduction of in-person consultations, digital health technologies such as the use of tablets, mobile phones and laptops have been, and will be, developed to facilitate more efficient healthcare services. This will impact digital health, with reduced contact, urgent care for chronic conditions and continuity of care with patients remotely.


The growth of the IoMT has resulted in an increased use of monitors and wearable devices to meet a range of healthcare needs. The involvement of AI can further facilitate the development of wearable devices to accurately monitor patient conditions and reduce the requirement for in-person consultations.

Hammad & Al-Mehdar Law Firm

King Road Tower
L 12
Office 1209
King Abdulaziz Road
Saudi Arabia

+966 92000 4626

+966 12 606 9190

Trends and Developments



Current Framework and Recent Developments

Digital transformation and the advancement of health technologies have led to major changes in the health infrastructure and the resources through which health services are provided in the Kingdom of Saudi Arabia (the “Kingdom”, or KSA). In response to this transformation, IT and telecommunication products and methods are being applied to address and manage the healthcare industry through the rising concepts of telemedicine and e-health.

The KSA's Vision 2030 framework introduced in 2017 has enabled the promotion of, and provided guidance on, the use of artificial intelligence (AI) and different data sources to increase innovative digital health solutions. The digital health industry is mainly supervised by the Ministry of Health (MoH) in parallel with the Saudi Food and Drug Authority (SFDA), the Saudi Authority for Data and Artificial Intelligence (SDAIA) and the Communications and Information Technology Commission (CITC). In line with the KSA’s Vision 2030, and the accelerated digital transformation due to the COVID-19 outbreak, regulatory authorities are working to address upcoming trends and developments in the health sector, including promotion and awareness, user retention, preventative care, and accessibility.

Within this context, the establishment of digital health solutions led to the implementation of regulations and promotional initiatives to build awareness of the concept of digital health and digital devices to ensure that services related to virtual consultations, the purchase of medical products and health monitoring systems are properly managed in response to the high demand and consumer adoption rate. The MoH also launched the Health Sector Transformation Program to promote and expand the provision of telemedicine and e-health services by providing a comprehensive overview of the coverage and distribution of such services throughout the Kingdom. The KSA Telemedicine Regulations define telemedicine as “a remote medical practice using information and communication technology” between healthcare practitioners and patients.

Prior to COVID-19, there was limited awareness on how digital solutions can facilitate health management. However, the proven advantages of digital solutions have paved the way for a growing trend in building awareness of the benefits of such applications, as not only does it cater to individual medical needs, but the supporting digital counselling and virtual assistants have reduced depressive symptoms, improved wellness, and stabilised health measurements. Further marketing campaigns and training programmes will likely be implemented to address any gaps in the markets in relation to digital health services.

Moreover, it is important to ensure that there is a high percentage of user retention among these platforms to further encourage patients to depend on digital applications as a source for care, monitoring purposes and consultations. High demand and user rate will provide an incentive for organisations and companies to update their digital solutions, applications and/or platforms to support their user bases. The accessibility of such platforms through home devices such as laptops, tablets and mobile phones ensures that the solutions offer high efficiency and monetary savings for users. As such, digital companies and organisations are continuing to develop solutions to produce accurate results to improve health workflow administration and virtual care solutions. This will increase the medical proficiency in relation to remote consultations and healthcare, due to the affordability and quality of self-services provided.

Areas Impacted by Current Trends

The main sectors in the Kingdom that are likely to be affected by the current and upcoming trends include the following:

  • mental health management applications to facilitate the management of chronic illnesses and provide guidance for stress reduction and attentiveness improvement exercises;
  • online pharmaceutical solutions to allow patients to purchase medical products, and renew and obtain prescriptions;
  • health applications such as fitness trackers and workout applications;
  • the continued growth in telemedicine services in relation to virtual consultation booking, cancelling appointments and obtaining medical results;
  • services for diagnostic purposes, including home-testing kits; and
  • insurance-related services through applications that allow users to manage potential insurance claims or relevant appointments.

Primary Healthcare Initiatives and E-health Mobile Applications

As a result of the COVID-19 pandemic, and the Kingdom’s Vision 2030 goals, there is a growing trend to develop platforms and applications that promote preventative care and identify medical conditions to limit any negative impact in the preliminary stages. The Health Sector Transformation Program refers to development plans in the medical industry to adopt more advanced means of technology that can identify health issues and provide for a more effective and integrated system in the Kingdom.

Services offered by primary healthcare (PHC) institutions are facilitating disease prevention in the Kingdom by providing satisfactory standards of equipment to target such goals and focus on diagnostic services and technologies. Mobile applications such as Tawakkalna have become the primary tool in the KSA to allow individuals access to public and private spaces and record user health conditions through virtual identification and passports. Remote services through the Sehaty mobile application allow users to book and cancel vaccine appointments with healthcare facilities throughout the Kingdom. Relevant authorities in the KSA will encourage the development and use of such platforms to further monitor individual health statuses.

Additionally, the concept of the internet of medical things (IoMT) is enabling healthcare practitioners to conduct early interventions through digital diagnosis tools. The data collected from such investigations is stored in a digital infrastructure integrated by software applications, medical devices and professional services. The continued adoption of 5G-empowered devices will allow hospitals to incorporate such technologies when providing medical treatment and consultations. For example, the virtual healthcare institution Sehha is a health mobile application that was launched to increase health services relating to virtual consultations and appointments and is linked to over 100 hospitals throughout the Kingdom. This contributes to the current technologies emerging in this sector alongside digital wearables and assistants. The use of AI technologies will increase the advancements in this sector in terms of monitoring a patient’s conditions to reduce the need for in-person consultations.

Future Trends

In consideration of the above, the following trends are also likely to accelerate digital health transformation in the Kingdom.

Virtual reality and augmented reality (VR/AR)

The trending use of VR/AR is also likely to have a notable impact on digital health in the Kingdom as it is expanding to offer practical uses such as training simulations. This provides medical practitioners and students with new opportunities to explore and practise procedures in a more controlled environment. Telehealth innovations – through the use of mobile phones, tablets and laptops – will be further developed to reduce in-person contact, and offer urgent care for chronic health conditions and remote continuity of care with patients.


Robotic devices are being developed to assist in care management through food delivery, delivering health-related information via AI, and providing monitoring services to reduce the risk of infection.

3D printing

Due to the high number of patients and a lack of protective equipment such as face masks, eye protection and appropriate medical clothing, and a shortage of medical devices, 3D printing laboratories are being designed to create stocks and work in line with the SFDA to obtain approvals on such equipment, with a view to distributing it within the Kingdom to assist with high volumes of patients.

Tracing applications

Individual tracing applications using mobile phones have resulted in the collection of real-time data on the location of people in the Kingdom. With this technology, and the implementation of data protection regulations, it is likely that advanced applications will continue to be implemented in the market to cater to medical needs that currently have a high demand.

Developments in the Legal/Regulatory Framework

The legislative framework in the KSA has been developing to clarify the regulatory requirements and data protection standards in offering digital health solutions in Saudi Arabia. Considering that users are increasingly looking to alternative options to in-person care as an outcome of COVID-19, there is a growing use and interest in wellness applications and online pharmacies. Individuals are looking for online medical advice, health and wellness applications, and fitness and diet management. It is certain that, considering the current pace of implementation, the regulatory regime will continue to develop as a response to the need for digital solutions in the medical industry.

An important development in response to the high rate of data collection through digital solutions is the draft Personal Data Protection Law (PDPL), introduced for public consultation in 2021, with the SDAIA and the National Data Management Office (NDMO) issuing a draft version of the Implementing Regulations on 10 March 2022. The draft PDPL is one of many initiatives in the regulatory sphere governing the use of digital technologies and telecommunications due to the issues surrounding data privacy, security and confidentiality.

Some of the key developments in implementing the PDPL include the following.


All organisations and companies processing personal or sensitive data must obtain consent from the data owner except in certain cases, including if the data processing is proven to be beneficial for the data owner, if it is required by law, or if the organisation is seeking to collect data for research or scientific purposes while having considered the additional requirement stipulated in the PDPL.


The PDPL will apply to the processing of sensitive and personal data relating to all individuals in the Kingdom. The PDPL has made a distinction between personal and sensitive data in that sensitive information refers to health data, including all personal data relating to an individual’s health or service obtained in relation to the current health status. The PDPL further requires that the processing of such sensitive data is limited to its purpose and does not extend the scope of disclosure required.

Privacy policy

The PDPL will require that all companies or institutions seeking to process personal data adopt a privacy policy to ensure that data subjects consent to, and review, the terms of the data collection. The policy is required to include information on the purpose and method of collection, storage, and rights of the data owner.

Accordingly, the aforementioned requirements and any further developments due to come into effect will require digital health companies to adjust their internal methods in accordance with the PDPL to have efficient mechanisms in place in the event of a data breach or reports being prepared for compliance reasons.


A sector that once had a limited use prior to the COVID-19 pandemic has now been the subject of acceleration in its use and purpose to offer daily and emergency health services in the Kingdom. Future trends and developments will include accepting new market entrants offering digital health solutions to increase foreign investment, digital health start-up companies, online pharmaceutical companies, health institutions, and telecommunication providers.

As the Kingdom continues to assess the relevant regulations, this will allow for further developments in, and the adoption of, the digital health solutions to facilitate the growth of the digital health industry in Saudi Arabia. E-health companies will continue to have a positive impact in developing the sector when such solutions prove to be highly beneficial in the healthcare sector, such as where there is a high demand but an inadequate supply in terms of remote or online services to sufficiently cover needs. In consideration of the above, the ultimate goal is for the Kingdom to advance its health systems to have the best technological capacity and capability to engage with all types of patients throughout the Kingdom.
