Note: this is operational guidance, not legal advice. For high-stakes decisions (a breach, a complaint, a Ministry of Health audit), talk to a lawyer licensed to practice in Egypt.
What PDPL is, in one paragraph
PDPL (قانون حماية البيانات الشخصية رقم 151 لسنة 2020, the Personal Data Protection Law No. 151 of 2020) is Egypt's first comprehensive data protection law. It applies to anyone who collects, stores, processes, or transfers personal data, including clinics, hospitals, pharmacies, and labs, and to the vendors that process data on their behalf. Health data is treated as "sensitive personal data" with stricter requirements. Penalties run from fines starting at EGP 100,000 for procedural violations up to EGP 5,000,000 and prison terms for unauthorized cross-border transfer of sensitive data.
The 5 things every clinic must do
1. Get explicit consent
Every patient must sign (digitally or on paper) a clear consent that names the clinic as the Data Controller, explains what data is collected, what it's used for, and who else might see it (lab partner, referring doctor, insurance). Implied consent is not enough. The consent must be freely given — patients can refuse and still receive care.
2. Maintain a record of processing activities
You need a written log of (a) what categories of data you collect (name, phone, diagnosis, prescriptions, etc.), (b) how long you keep it, (c) who has access, (d) where backups go, how long they live, and how they are destroyed. This is the document the Egyptian Personal Data Protection Center will ask for if there's a complaint. Most clinics don't have one. Write a 1-page version today; refine over time.
3. Honor patient rights within 30 days
Patients have the right to request a copy of their file, correct inaccurate information, and (in some cases) ask for their data to be deleted. The clinic has 30 days to respond. The most practical approach: give patients ongoing read-only access through a patient portal so a "request to access" never actually needs a manual response. Two caveats: the portal covers access only, so correction and deletion requests still need a person to act on them within the deadline; and the portal login has to be per patient (no shared reception password), or the portal itself becomes the leak.
4. Encrypt sensitive data and identifiers
National ID numbers, health insurance numbers, payment information: all of this should be encrypted at rest. "At rest" means the field inside your database, not just the connection to it, and not only the disk underneath it. Full-disk encryption on the server protects against a stolen drive; it does nothing once someone has a database login or a SQL injection, because the database hands back plaintext. Field-level encryption, with the key held by the application (or a key service) and never stored in the same database as the ciphertext, is what closes that gap. Most off-the-shelf clinic systems store these fields in plain text. That is a compliance gap to fix, not a best practice.
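What field-level encryption of a national ID looks like in practice, as an added example written for this page (not Carehub's code and not an API the page describes). It assumes a 32-byte data-encryption key and a separate 32-byte index key supplied by the application or a key service, an in-memory stand-in for the patient table, and constructed sample IDs. It goes one step beyond the paragraph: since an encrypted column can no longer be searched, it stores a keyed HMAC "blind index" beside the ciphertext so the front desk can still look a patient up by exact ID without the database ever holding the number in clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// NewKey returns 32 random bytes (AES-256 / HMAC-SHA256). Assumption: in
// production the keys come from a KMS/HSM or an injected secret, never from
// the database that holds the ciphertext.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptField seals a sensitive field with AES-256-GCM. The patient record ID
// is bound as associated data, so a ciphertext copied into another patient's
// row fails authentication instead of silently decrypting.
func EncryptField(dek []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField and errors on any tampering or on a
// mismatched record ID.
func DecryptField(dek []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// BlindIndex is HMAC-SHA256(indexKey, normalized value). Stored beside the
// ciphertext, it lets the database answer "which row has national ID X?" by
// exact match only; the key must differ from the DEK.
func BlindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.TrimSpace(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// PatientRow is what the database actually sees: ciphertext plus index.
type PatientRow struct {
	RecordID     string
	NationalIDCT []byte
	NationalIDIx string
}

// Store is an in-memory stand-in for the clinic's patient table (assumption).
type Store struct {
	rows []PatientRow
}

func (s *Store) Insert(dek, indexKey []byte, recordID, nationalID string) error {
	ct, err := EncryptField(dek, recordID, []byte(nationalID))
	if err != nil {
		return err
	}
	s.rows = append(s.rows, PatientRow{recordID, ct, BlindIndex(indexKey, nationalID)})
	return nil
}

// FindByNationalID matches the typed value's blind index in constant time and
// decrypts only the matching row to confirm it.
func (s *Store) FindByNationalID(dek, indexKey []byte, nationalID string) (string, bool) {
	want := BlindIndex(indexKey, nationalID)
	for _, r := range s.rows {
		if hmac.Equal([]byte(r.NationalIDIx), []byte(want)) {
			if _, err := DecryptField(dek, r.RecordID, r.NationalIDCT); err == nil {
				return r.RecordID, true
			}
		}
	}
	return "", false
}

func main() {
	dek, _ := NewKey()
	idx, _ := NewKey()
	s := &Store{}
	// Constructed sample values; not real identifiers.
	_ = s.Insert(dek, idx, "pt-0001", "29001011234567")
	_ = s.Insert(dek, idx, "pt-0002", "28507159876543")
	id, ok := s.FindByNationalID(dek, idx, "28507159876543")
	fmt.Println(id, ok)
	fmt.Printf("what the database holds for row 1: %x\n", s.rows[0].NationalIDCT)
}
```

The design choice worth noting: the blind index trades searchability for a narrow capability (equality only, no prefix or partial matches), and anyone holding the index key can test whether a given ID is present, so it deserves the same custody as the encryption key.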
5. Have a 72-hour breach plan
If patient data leaks (lost laptop, ransomware, an email sent to the wrong recipient), you have 72 hours from when you become aware of it to notify the Egyptian Personal Data Protection Center and the affected patients. Write this runbook now, before you need it. It's a short document: how staff report a suspected incident internally (the clock runs from awareness, so a receptionist sitting on a lost-laptop report costs you hours), who you call, what you say, who can authorize what, and what to preserve (don't wipe or reinstall the affected machine before someone has taken a copy for the investigation).
What you can skip
Don't assume you can skip a Data Protection Officer (DPO). The text of Law 151 directs controllers and processors to designate one, and the details and any exemptions depend on the executive regulations, so confirm your position with your lawyer before deciding you are exempt. You don't need ISO 27001 certification; that's nice-to-have, not required. You don't need to translate every internal document into Arabic; bilingual clinic-facing forms are enough.
How Carehub handles it for you
Carehub is PDPL-aligned by design. We're a Data Processor (not Controller) — your clinic is the Controller. We provide:
- Explicit consent collection at intake (bilingual EN/AR), versioned, with revocation flow.
- Encrypted national IDs and payment fields at the database layer (AES-256 at rest).
- Audit log of every data access and modification, retained for 6 years.
- Patient portal that satisfies the "right to access" automatically.
- EU-region (eu-west-1, Ireland) data hosting with documented sub-processors.
- 72-hour breach notification SLA, written into our Data Processing Agreement.
You still need your written record of processing activities, your in-clinic policies, and to actually use the consent flow at intake. We don't replace those, but we make them easy. One point to settle with your lawyer: hosting in Ireland means patient data leaves Egypt, which the law treats as a cross-border transfer of sensitive data, so your consent form should say so and your Data Processing Agreement should document what permission the Center requires. Book a demo if you want to walk through the compliance side specifically.