AI medical scribe compliance in the UAE and Saudi Arabia comes down to three questions: does the scribe meet ADHICS requirements in Abu Dhabi, does it satisfy PDPL obligations for patient data, and does it actually integrate with the EHR systems Gulf hospitals run on, most notably InterSystems TrakCare? Most AI scribes built for the US market fail at least one of these tests. This guide walks through exactly what each framework demands, and how to evaluate any vendor against them.
Key Takeaways
ADHICS is a licensing requirement, not a nice-to-have: Abu Dhabi's Department of Health has made ADHICS compliance mandatory for facility licensing and renewal, and a minimum control set is a prerequisite for connecting to the Malaffi health information exchange.
Saudi PDPL is fully enforced with real penalties: The grace period ended September 14, 2024, and unlawful disclosure of sensitive data, which explicitly includes health data, can trigger fines up to SAR 3 million and imprisonment.
UAE health data must stay in the UAE: Federal Law No. 2 of 2019 requires electronic health data to be stored in-country, which rules out most US-cloud-only scribes by default.
EHR fit decides real-world viability: TrakCare powers flagship deployments from Mediclinic in the UAE to King Fahd Hospital of the University in Saudi Arabia, an AI scribe without TrakCare integration creates a manual copy-paste workflow that undermines both efficiency and auditability.
Why AI Medical Scribe Compliance in the UAE and Saudi Arabia Is Different
Let's be honest: "HIPAA-compliant" is where most AI scribe vendors stop. In the Gulf, that's where the conversation starts. The UAE and Saudi Arabia have built layered regulatory regimes that combine health-sector cybersecurity standards, national data protection laws, and strict data residency rules and each layer has its own regulator and its own penalties.
Three characteristics make the region distinct:
Sector-specific health data laws sit above general privacy law. In the UAE, the federal PDPL (Federal Decree-Law No. 45 of 2021) explicitly carves health data out to be governed by dedicated legislation, Federal Law No. 2 of 2019 on ICT in Health Fields.
Data localization is the default. UAE health data must be stored domestically, with narrow exceptions, and health records must be retained for at least 25 years after the last procedure, far beyond HIPAA's retention norms.
Regulators are actively enforcing. SDAIA's enforcement committees have already issued dozens of decisions confirming PDPL violations, covering unlawful processing, unauthorized disclosure, and missing safeguards.
This means an ambient AI scribe, a tool that records clinician-patient conversations and generates structured notes, is processing the most sensitive category of data these laws recognize, in real time, at scale. The compliance bar is correspondingly high.
What Makes an ADHICS Compliant AI Scribe?
The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) is the Department of Health's mandatory framework for every entity handling patient health information in the emirate: hospitals, clinics, insurers, and the technology vendors that serve them. The standard spans 11 domains with 692 controls, covering everything from asset classification to third-party security, and an updated ADHICS V2 took effect in August 2024.
For an AI scribe specifically, the controls that matter most are:
Encryption in transit and at rest: Every audio stream, transcript, and generated note containing patient data must be encrypted end to end.
Role-based access with multi-factor authentication: MFA is mandated for administrative access, and permissions require routine revalidation.
Comprehensive audit logging: Every access to a clinical note, human or AI, needs a traceable record.
Third-party security assurance: The facility remains accountable for its vendors, so the scribe provider must be able to evidence its own control environment.
Pro Tip: Ask any scribe vendor for their ADHICS control mapping before a pilot, not after. If they can't produce one, your compliance team will be building it for them, on your license renewal timeline.
The stakes are practical, not theoretical: ADHICS compliance is tied to facility licensing and Malaffi integration. A non-compliant documentation tool doesn't just create risk, it can jeopardize the connectivity your facility depends on.
What Makes a PDPL Compliant AI Scribe?
Here's where it gets nuanced: "PDPL" means two different laws depending on which side of the border you're on. A genuinely PDPL compliant AI scribe has to satisfy both.
Saudi Arabia's PDPL
Saudi Arabia's Personal Data Protection Law, enforced by SDAIA, classifies health data as sensitive personal data and applies extraterritorially to anyone processing the data of Saudi residents. For an AI scribe deployment, that translates into concrete obligations:
Lawful basis and consent for recording and processing clinical conversations
Data processing agreements between the facility (controller) and the scribe vendor (processor)
Cross-border transfer controls: Transfers outside the Kingdom require an adequacy determination, SDAIA-approved safeguards such as standard contractual clauses, or specific exemptions
Breach notification to SDAIA within 72 hours of becoming aware of an incident
Registration and DPO requirements for large-scale sensitive data processing
General violations carry fines up to SAR 5 million, doubled for repeat offenses. For a scribe vendor, the cleanest answer to the transfer problem is architectural: in-Kingdom processing or a self-hosted deployment that keeps patient data inside Saudi infrastructure entirely.
The UAE's PDPL and Health Data Law
The UAE's PDPL sets the national baseline, but health data is governed primarily by the Health Data Law, which applies across the UAE including free zones. Its requirements are stricter than most vendors expect: confidentiality obligations, purpose limitation, in-country storage, and quarter-century retention. Emirate-level regulators (DoH in Abu Dhabi, DHA in Dubai) add their own layers on top.
Bottom line: a scribe that routes Gulf patient audio to US or EU servers for transcription is non-compliant by design, regardless of how strong its encryption is.
The TrakCare Factor: Compliance Meets Workflow
Compliance frameworks get the attention, but EHR integration is where AI scribe projects quietly fail. In the Gulf, that overwhelmingly means InterSystems TrakCare. It runs across Mediclinic Middle East's hospital network in the UAE and anchors major Saudi deployments, from Sultan Bin Abdulaziz Humanitarian City, the Kingdom's first TrakCare site, to King Fahd Hospital of the University, where TrakCare also enables integration with NPHIES, Saudi Arabia's national health and insurance exchange platform.
Why does this matter for compliance, not just convenience? Because a scribe without native EHR integration forces clinicians to copy notes between systems manually. That workflow:
Breaks the audit trail both ADHICS and PDPL expect
Multiplies the surfaces where patient data can leak
Pushes PHI through clipboards, browsers, and personal devices that sit outside your control environment
Key Insight: In the Gulf, TrakCare integration isn't a feature checkbox, it's a compliance control. Direct, bi-directional integration keeps patient data inside one governed, logged pathway from conversation to chart.
Compliance Snapshot: What to Verify Before You Deploy
Requirement | UAE | Saudi Arabia | What to Ask the Vendor |
Health-sector security standard | ADHICS (Abu Dhabi, mandatory) | NCA controls + SDAIA oversight | "Show me your ADHICS control mapping" |
Data protection law | PDPL (45/2021) + Health Data Law (2/2019) | PDPL (M/19), enforced since Sept 2024 | "What's your lawful basis and DPA template?" |
Data residency | Health data stored in-country | Cross-border transfer restricted | "Where is audio processed exactly?" |
Breach notification | Per sector regulator | SDAIA within 72 hours | "Walk me through your incident runbook" |
EHR integration | TrakCare widespread | TrakCare + NPHIES connectivity | "Is the TrakCare integration live at a reference site?" |
Common Mistakes When Evaluating AI Scribes in the Gulf
Accepting "HIPAA-compliant" as a proxy
HIPAA has no data residency requirement and no ADHICS equivalent. It tells you almost nothing about Gulf readiness.
Ignoring where inference happens
Vendors often store data regionally but send audio abroad for model processing. Under the UAE Health Data Law and Saudi transfer regulations, processing location matters as much as storage location.
Treating the two PDPLs as one law.
The UAE and Saudi frameworks differ on scope, transfer mechanisms, and regulators. A vendor who can't articulate the difference hasn't done the work.
Deferring the integration question
A scribe pilot that works on a laptop but can't write into TrakCare will stall at exactly the moment you try to scale it.
Where Sully.ai Stands
Sully.ai built its Gulf offering around the three assets this article has covered, so the evaluation questions above have direct answers:
ADHICS alignment: Sully.ai tracks ADHICS within its compliance program alongside SOC 2 Type II, HIPAA, ISO 27001, and HITRUST, with a live trust portal for real-time verification - the control mapping is ready before your compliance team asks.
PDPL readiness: PDPL obligations are addressed through documented data governance, processing agreements, and, critically for cross-border restrictions, a self-hosted deployment option that keeps patient data inside UAE or Saudi infrastructure.
TrakCare integration: Sully's single-integration architecture connects the AI Scribe (plus Receptionist, Coder, and other agents) directly to TrakCare with bi-directional, encrypted PHI flow, RBAC, and full audit trails, so documentation lands in the chart through one governed pathway.
In our experience talking with Gulf health system IT leaders, the vendors that succeed here are the ones that treated regional compliance as an architecture decision, not a paperwork exercise. That's the standard to hold every scribe to, ours included.
Frequently Asked Questions
What is ADHICS, and does my AI scribe vendor need to comply with it?
ADHICS is the Abu Dhabi Department of Health's mandatory information and cybersecurity standard for all entities handling patient health information in the emirate. Yes, because facilities remain accountable for third-party vendors, your scribe provider must demonstrate alignment with the relevant controls.
Is a HIPAA-compliant AI scribe automatically compliant in the UAE or Saudi Arabia?
No. HIPAA doesn't address data residency, ADHICS controls, or PDPL transfer rules. Gulf compliance requires meeting local frameworks in addition to, not instead of, international certifications.
Can an AI scribe send patient audio outside Saudi Arabia for processing?
Only under strict conditions. Saudi transfer regulations require an adequacy determination, SDAIA-approved safeguards like standard contractual clauses, or a qualifying exemption. In-Kingdom or self-hosted processing avoids the question entirely.
What are the penalties for PDPL non-compliance in Saudi Arabia?
General violations can draw fines up to SAR 5 million (doubled for repeat offenses), while unlawful disclosure of sensitive data, including health data, can carry fines up to SAR 3 million and up to two years' imprisonment.
Why does TrakCare integration matter for compliance?
Because manual note transfer between a scribe and the EHR breaks audit trails and multiplies data exposure points. Direct integration keeps patient data in one logged, access-controlled pathway, which is what ADHICS and PDPL auditors expect to see.
How long must patient health records be retained in the UAE?
At least 25 years from the date of the last health procedure, under Federal Law No. 2 of 2019, one of the longest retention requirements globally, and one your documentation vendor's storage architecture must support.
Sources
Department of Health – Abu Dhabi: ADHICS launch announcement; licensing and Malaffi requirements. https://www.doh.gov.ae/en/news/department-of-health-launches-abu-dhabi-healthcare-information-and-cyber-security
Department of Health – Abu Dhabi: ADHICS FAQ; 692 controls across 11 domains. https://www.doh.gov.ae/-/media/Feature/Aamen/ADHICS-FAQ.ashx
ADHICS V2 Standard: Updated standard effective August 2024. https://www.scribd.com/document/828668343/ADHICS-v2-standard
Kiteworks: ADHICS domain requirements including MFA and encryption mandates. https://www.kiteworks.com/guide-kiteworks-guide-to-the-abu-dhabi-healthcare-information-and-cyber-security-standard/
Morgan Lewis: Saudi PDPL transition-period analysis; sensitive data classification. https://www.morganlewis.com/pubs/2024/09/saudi-arabia-personal-data-protection-law-transition-period-ends-september-14
King & Spalding: Saudi cross-border transfer regulations under the PDPL. https://www.kslaw.com/news-and-insights/international-personal-data-transfers-under-saudi-arabias-data-protection-law
ICLG / Data Protection Laws 2025–2026: Saudi PDPL penalty framework. https://iclg.com/practice-areas/data-protection-laws-and-regulations/saudi-arabia
Securiti: Saudi PDPL sensitive-data disclosure penalties. https://securiti.ai/saudi-arabia-personal-data-protection-law/
SGC Management Consulting: SDAIA enforcement decisions under the PDPL. https://www.sgc.consulting/sdaia-saudi-personal-data-protection-law-pdpl-compliance-guide/
UAE Government Portal (u.ae): Federal data protection laws overview, PDPL health-data carve-out. https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws
Clifford Chance: UAE Health Data Law localization requirements and KSA transfer rules. https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2025/03/doing-business-in-the-middle-east--data-transfers-in-the-uae-and-ksa.html
Muhami: UAE health data protection overview; 25-year retention requirement. https://muhami.ae/articles/how-is-health-data-protected-in-the-uae/
Lexology: UAE Health Data Law scope including free zones. https://www.lexology.com/library/detail.aspx?g=6854a690-61f4-460b-9a66-bfad5eab127c
Intelligent CIO: Mediclinic Middle East TrakCare implementation across UAE hospitals. https://www.intelligentcio.com/me/2019/11/25/mediclinic-middle-east-implements-intersystems-trakcare-to-transform-care-delivery/
Gulf News: King Fahd Hospital of the University TrakCare go-live and NPHIES integration. https://gulfnews.com/business/corporate-news/king-fahad-hospital-enhances-patient-care-with-intersystems-trakcare-1.1698737654111
PR Newswire: Sultan Bin Abdulaziz Humanitarian City, first TrakCare site in Saudi Arabia. https://www.prnewswire.com/news-releases/sultan-bin-abdulaziz-humanitarian-city-streamlines-clinical-workflows-and-enhances-user-experience-with-intersystems-trakcare-meui-upgrade-302242091.html
TABLE OF CONTENTS
Hire your
Medical AI Team
Take a look at our Medical AI Team
AI Receptionist
Manages patient scheduling, communications, and front-desk operations across all channels.
AI Scribe
Documents clinical encounters and maintains accurate EHR/EMR records in real-time.
AI Medical Coder
Assigns and validates medical codes to ensure accurate billing and regulatory compliance.
AI Nurse
Assesses patient urgency and coordinates appropriate care pathways based on clinical needs.