If you run a hospital, clinic, or healthcare facility in Abu Dhabi, you have probably heard the term ADHICS. But knowing what it means and what it actually requires are two different things.
ADHICS stands for the Abu Dhabi Healthcare Information and Cyber Security Standard. It is the mandatory cybersecurity and data security framework for all DoH-regulated healthcare entities in Abu Dhabi. It covers how your hospital information system stores, processes, and shares patient data.
Getting this wrong can cost you your license.
This guide breaks down what ADHICS means, what ADHICS v2.0 requires, and how the right HIS software can help you stay compliant without disrupting your operations.
What is ADHICS?
ADHICS is issued by the Department of Health Abu Dhabi (DoH). It sets out the rules for protecting health information across all digital systems. This includes your EMR, your HIS, your cloud storage, your connected medical devices, and any third-party vendor handling your data.
The standard was first released in 2019. It was built to align with international frameworks like ISO 27001, NIST, and HIPAA, while also addressing the specific needs of the Abu Dhabi healthcare sector.
ADHICS is not optional. Every hospital, clinic, pharmacy, insurer, and health technology provider operating under DoH oversight must comply.
The goal of ADHICS is straightforward: protect patient data, keep healthcare systems running, and build public trust.
ADHICS v2.0 Requirements: What Changed in 2024
In May 2024, the DoH released ADHICS v2.0. This was a major upgrade from the 2019 version. It did not just update a few rules. It expanded the entire framework.
Here is what ADHICS v2.0 introduced:
- A tiered compliance structure. ADHICS v2.0 breaks requirements into three levels: Basic, Transitional, and Advanced Controls. Smaller clinics follow the Basic tier. Larger hospitals with 21 or more beds must meet all three tiers, totalling 692 mandatory controls across 11 domains.
- Cloud computing rules. For the first time, ADHICS formally acknowledges the use of cloud services like Microsoft Azure and Amazon Web Services. But there is a catch: patient data cannot be stored or processed outside the UAE. Healthcare data sovereignty is strictly enforced.
- End-to-end encryption. All patient data transmissions must now use end-to-end encryption. This applies to data at rest and data in motion.
- Multi-factor authentication. MFA is now required for all access to systems holding patient data.
- Faster breach reporting. If a security incident occurs, healthcare entities must report it to the DoH within 24 hours.
- Annual compliance audits. Facilities must undergo independent audits every year, with quarterly self-assessments in between.
- Integration with Malaffi and Nabidh. ADHICS v2.0 mandates that healthcare providers connect with the UAE’s national health information exchanges. Your HIS software must support these integrations.
- IoMT and AI governance. The updated standard now includes rules for Internet of Medical Things devices and AI-powered diagnostic systems. If you use smart equipment or AI tools, they fall under the ADHICS scope.
Who Does ADHICS Apply to?
ADHICS applies to all entities regulated by the DoH in Abu Dhabi. This includes:
- Public and private hospitals
- Specialist clinics and polyclinics
- Pharmacies
- Diagnostic labs and radiology centers
- Insurance companies handling health data
- Health technology and EMR software vendors
- Any third-party provider with access to patient data
It is important to note that ADHICS is specific to Abu Dhabi. Dubai operates under the Dubai Health Authority (DHA), which has its own compliance requirements. If your facility operates in both emirates, you need to meet both sets of rules.
For providers in Sharjah and the Northern Emirates, the Ministry of Health and Prevention (MOHAP) sets the standards.
Knowing which regulator governs your facility is the first step to compliance.
The AAMEN Portal and How Compliance Is Tracked
One thing many providers overlook is the AAMEN portal. This is the DoH’s official digital platform for ADHICS compliance tracking.
Through the AAMEN portal, healthcare entities submit self-assessments, track compliance status, and prepare for DoH audits. If your HIS software vendor cannot support your AAMEN submissions, that is a major gap.
Any healthcare entity seeking Malaffi integration must also demonstrate a minimum set of ADHICS controls. Compliance with these controls is a prerequisite. Without them, Malaffi onboarding stalls.
Why Your HIS Software Matters for ADHICS Compliance
Your hospital information system is at the center of your ADHICS compliance. Here is why.
Every patient record created, every diagnosis documented, every prescription issued moves through your HIS. If the software does not meet ADHICS standards, you are non-compliant by default, regardless of what your internal policies say.
Properly built, ADHICS-compliant HIS software should handle:
- Encrypted health records. Patient data must be encrypted using AES-256 standards both at rest and in transit. Your EMR platform should handle this automatically.
- Role-based access control. Not everyone on your team needs access to every record. Your HIS should allow you to define precise access levels for each staff role.
- Audit trails. Every action taken on a patient record must be logged: who accessed it, when, and what was changed. This is mandatory under ADHICS and essential for any audit.
- Data residency within the UAE. Your cloud-based HIS must store data within UAE borders. Cross-border data transfers require explicit DoH approval.
- Malaffi and Nabidh integration. Abu Dhabi providers must connect to Malaffi. Dubai providers connect to Nabidh. Your HIS must support both, depending on where you operate.
- Multi-factor authentication. Logging in to your EMR system must require more than just a password.
- Incident response readiness. If there is a breach, you need a documented response plan. Your software should support this with real-time monitoring and alerts.
ADHICS for Small Clinics in UAE: It Still Applies to You
There is a common misconception that ADHICS only matters for large hospitals. That is not true.
ADHICS v2.0 applies to every DoH-regulated entity, including small clinics. The tiered structure does reduce the number of required controls for smaller facilities. But the Basic Controls are still mandatory.
For a small clinic, the practical implications include:
- Using an EMR or HIS platform that meets basic encryption and access control standards
- Connecting to Malaffi if operating in Abu Dhabi
- Maintaining a basic incident response plan
- Training staff on data security and patient privacy
The good news is that cloud-based HIS software makes compliance far more manageable for smaller facilities. A cloud-based system handles infrastructure security, backups, and encryption on your behalf. You focus on care delivery; the platform handles the compliance layer.
Healthcare Data Security in the UAE: The Bigger Picture
ADHICS does not exist in isolation. It sits within a broader framework of healthcare data protection in the UAE.
Here is how it connects to other key standards:
- Malaffi is the health information exchange for Abu Dhabi. Malaffi integration compliance requires meeting ADHICS controls as a prerequisite. All patient records must flow securely through Malaffi when a patient visits multiple facilities.
- Nabidh is the health information exchange for Dubai, managed by the DHA. Nabidh compliance is required for all DHA-licensed facilities in Dubai.
- Riayati is the national health exchange that connects records across all seven emirates. It enables continuity of care on a federal level.
- Federal Law No. 2 of 2019 on the use of information and communication technology in health fields prohibits storing health data outside the UAE without explicit regulatory approval. ADHICS enforces this at the emirate level.
Together, these systems form the UAE’s digital health infrastructure. ADHICS-compliant EMR software is the anchor that ties your facility to all of them.
DHA vs DoH Compliance in UAE: Understanding the Difference
This is a question that comes up often, especially for providers expanding across emirates.
The DoH governs Abu Dhabi. ADHICS is its cybersecurity standard. Malaffi is its health information exchange.
The DHA governs Dubai. It has its own licensing requirements, insurance processing formats, and digital health standards. Nabidh is its health information exchange.
If your facility operates in both Abu Dhabi and Dubai, you need to meet both frameworks. This sounds complex, but the right HIS software manages both within a single platform.
The key is to choose an EMR system that has native integration with Malaffi, Nabidh, and Riayati, rather than one that requires third-party plugins or custom builds.
What to Look for in an ADHICS-Compliant HIS Software
Not all hospital information systems are built equal. When evaluating HIS software for ADHICS compliance in the UAE, these are the features that matter:
- Native Malaffi and Nabidh integration. No middleware, no workarounds. The connection should be built in.
- End-to-end encrypted health records. AES-256 encryption as a default, not an add-on.
- UAE-based cloud hosting. Your data must stay within UAE borders to comply with ADHICS and federal data sovereignty laws.
- Multi-factor authentication built in. Every login should require verification beyond just a password.
- Full audit logging. Every action on every record must be traceable.
- Bilingual interface. Arabic and English support is essential in the UAE clinical environment.
- Telemedicine support. With telehealth now part of daily care delivery in the UAE, your HIS should have video consultation built in alongside the patient record.
- Role-based permissions. Granular control over who can view, edit, or export patient data.
- Automated compliance alerts. The system should flag potential issues before they become violations.
- Regular updates aligned with DoH changes. Regulations evolve. Your software provider must update the platform when ADHICS or Malaffi requirements change.
How Health Cluster Supports ADHICS Compliance
Health Cluster is a cloud-based HIS and EMR software platform built specifically for the UAE and GCC healthcare market. With over seven years of experience supporting hospitals, clinics, and specialty centers across Dubai and Abu Dhabi, Health Cluster has built ADHICS compliance into the foundation of its platform, not as an afterthought.
Here is what that means in practice:
- Full ADHICS alignment. Health Cluster’s platform is built to meet ADHICS standards, covering data security, encryption, access controls, and audit trails required by the DoH.
- Malaffi, Nabidh, and Riayati integration. Health Cluster connects natively to all three national health information exchanges. Abu Dhabi providers connect to Malaffi. Dubai providers connect to Nabidh. Federal-level care coordination uses Riayati.
- UAE-based cloud infrastructure. All patient data processed through Health Cluster stays within the UAE, in line with ADHICS data sovereignty requirements and Federal Law No. 2 of 2019.
- Encrypted electronic health records. Patient records are encrypted at rest and in transit, with role-based access ensuring only authorized staff can view sensitive information.
- Multi-factor authentication. Every login to the Health Cluster platform requires MFA, meeting ADHICS v2.0 authentication requirements.
- Telemedicine and telehealth capabilities. Health Cluster supports virtual care delivery, with teleconsultation built directly into the patient record workflow. This keeps telemedicine sessions fully documented and compliant.
- End-to-end revenue cycle management. From patient registration to final insurance claim, billing flows through the same compliant system. No gaps, no data leakage points.
- Pharmacy, lab, and radiology modules. All departments within a facility run on the same ADHICS-aligned platform, eliminating compliance fragmentation.
Whether you operate a single-specialty clinic or a multi-facility hospital network, Health Cluster scales with your compliance needs. The tiered structure of ADHICS v2.0 applies regardless of facility size, and Health Cluster is built to support both small clinics and large hospital groups within the same platform.
The Cost of Non-Compliance
Ignoring ADHICS is not a neutral choice. The DoH actively enforces these standards.
Non-compliance can result in:
- License suspension or revocation
- Significant financial penalties
- Delayed or blocked Malaffi integration
- Reputational damage with patients and insurers
- Legal liability in the event of a data breach
The DoH enforces compliance through audits, self-assessment requirements on the AAMEN portal, and third-party inspections. Facilities that fall behind risk losing the ability to operate.
The transition from ADHICS v1.0 to v2.0 has a defined timeline. For facilities new to the standard, implementation is expected within six months of onboarding. For existing facilities upgrading from v1.0, the expectation is a gap assessment followed by a structured remediation plan.
Starting early is not optional. It is the only realistic path.
Healthcare Cybersecurity in the UAE
Cyber threats in the healthcare sector are growing. Ransomware attacks on hospitals have made headlines globally. Patient data is among the most valuable and sensitive information a criminal can access.
ADHICS v2.0 was designed with this threat environment in mind. Its six pillars, covering governance, resilience, capabilities, partnerships, maturity, and innovation, address not just current risks but future ones too.
The UAE is also watching how GCC neighbors develop their own frameworks. Saudi Arabia, Kuwait, and other Gulf states are building similar healthcare cybersecurity standards. ADHICS v2.0 positions Abu Dhabi as a regional leader, and the model is already influencing other emirates and neighboring countries.
For healthcare providers in the UAE, the message is clear: cybersecurity is not a one-time project. It is an ongoing operational requirement. Your HIS software is the primary tool for meeting it.
Conclusion
ADHICS compliance is not a box-ticking exercise. It is the foundation of how healthcare data is protected, exchanged, and trusted in Abu Dhabi.
Understanding ADHICS v2.0 requirements, knowing the difference between DHA and DoH compliance, connecting to Malaffi and Nabidh, and choosing the right ADHICS-compliant HIS software are all part of running a responsible, sustainable healthcare facility in the UAE.
The right platform does not just help you meet the standard. It makes compliance part of your daily operations, invisible to your clinical staff but always present in your infrastructure.
If you are looking for a hospital information system that is built for ADHICS compliance from the ground up, book a free demo and learn more about our EMR and HIS solutions for hospitals and clinics across the UAE.