Contents
  1. Why AI review responses require regulatory care in the UAE
  2. What the DHA says about online communication
  3. DHA Advertising Standards 2017 and review responses
  4. PDPL implications of replying to Google reviews
  5. How Fidelia's AI guardrails work for the UAE
  6. Common mistakes Dubai clinics make
  7. Frequently asked questions

Why AI review responses require regulatory care in the UAE

Google reviews are now the single most visible public communication channel for healthcare facilities in the UAE. A prospective patient searching for "dentist in Dubai Marina" or "best aesthetic clinic in Jumeirah" will encounter your star rating and your responses to past reviews before they ever see your website, your DHA licence, or your facility certification.

This creates a regulatory problem that is more acute in the UAE than in most other healthcare markets. The Dubai Health Authority (DHA) — together with the Department of Health Abu Dhabi (DOH) for Abu Dhabi-licensed facilities and the Ministry of Health and Prevention (MOHAP) elsewhere in the country — expects licensed clinicians to maintain strict patient confidentiality in all communications. The DHA Advertising Standards 2017, unlike the rules of any other healthcare jurisdiction, expressly prohibit superlatives and absolute claims in health advertising. And Federal Decree-Law 45/2021 — the UAE's first federal data protection statute, in force since January 2022 — treats health data as sensitive personal data subject to the highest level of regulatory protection.

In this environment, many facility managers have turned to AI tools to manage their review responses at scale. The appeal is obvious: consistent tone, rapid turnaround, and fewer hours spent agonising over the right words. But AI-generated responses carry the same regulatory obligations as those written by the practice manager or the licensed clinician. The tool changes; the responsibility does not — and in the UAE, the consequences of getting it wrong include fines, licence suspension, and criminal liability under the cybercrime law.

This guide sets out exactly what the DHA, the DHA Advertising Standards 2017, and the UAE PDPL require when responding to online reviews, how Dubai healthcare facilities commonly fall short, and how Fidelia's AI is specifically engineered to stay within those boundaries.

Key takeaway

AI review response tools are lawful to use in the UAE, but every response they generate must comply with DHA confidentiality rules, DHA Advertising Standards 2017, and the UAE PDPL. The licensed facility — not the software vendor — bears ultimate accountability, and DHA enforcement can include fines, licence suspension, and onward referral.

What the DHA says about online communication

The Dubai Health Authority regulates healthcare facilities and licensed clinicians operating in the Emirate of Dubai (excluding the Dubai Healthcare City free zone, which operates under DHCR rules). Two strands of DHA regulation apply directly to Google review responses: the Professional Code of Ethics governing licensed clinicians' confidentiality obligations, and the Advertising Standards governing how clinics may communicate publicly about their services.

Professional Code of Ethics — patient confidentiality

The DHA Professional Code of Ethics applies to every DHA-licensed healthcare professional — physicians, dentists, allied health professionals — and requires absolute confidentiality regarding any patient information acquired in the course of professional practice. The Code makes no distinction between traditional clinical settings and online or social media contexts: a public statement that confirms an individual is a patient, or that references their treatment, is a confidentiality breach regardless of where it appears.

This applies directly to Google review responses. When a patient leaves a review — even a negative one containing clinical details — the facility's response must not confirm the reviewer's identity as a patient, acknowledge any treatment details, or reference dates, procedures, or outcomes. A reply such as "We're sorry your dental implant didn't meet your expectations" both confirms the patient relationship and discloses the treatment type — twin breaches of the Code that any DHA-licensed clinician on the facility's payroll could be held responsible for.

Facility licence accountability

Beyond the individual clinician's obligations, the DHA holds the licensed facility itself accountable for communications made in its name. A non-clinical reception staff member posting a non-compliant review response on the facility's Google Business Profile does not absolve the facility — or its licensed Medical Director — of responsibility. The DHA can investigate, fine, or suspend a facility licence for repeated or serious confidentiality breaches in public communications.

Key takeaway

The DHA does not distinguish between clinical and non-clinical staff when it comes to public communications. A receptionist's reply to a Google review can trigger a DHA investigation against the facility's Medical Director and Medical Practice Licence. Fidelia's audit trail records who approved each response — useful evidence if the DHA ever asks.

DHA Advertising Standards 2017 and review responses

The DHA Advertising Standards 2017 — formally Health Advertising Content Standards in the Emirate of Dubai — go further than equivalent rules in the UK, Spain, or Portugal. The Standards apply to any health-related advertising or promotional content directed at the Dubai public, and a Google review response is almost always classified as such.

The prohibition on superlatives and absolute claims

Section 3 of the Standards expressly prohibits the use of superlatives, absolute claims, and unsubstantiated guarantees in health advertising. The list of prohibited language includes:

Crucially for review responses, the prohibition applies even when the language echoes what the reviewer themselves wrote. A reviewer who says "best clinic in Dubai" may be expressing a personal opinion; the facility that replies "Thank you for confirming we're the best clinic in Dubai" has now made an absolute claim in a health advertising context, which is a Section 3 violation.

The prohibition on testimonials in advertising

The Standards also constrain how facilities may use patient testimonials in promotional content. While Google reviews themselves originate from the public and are outside the facility's control, a public response that quotes, repeats, or amplifies the testimonial transforms that testimonial into facility-controlled advertising — and brings it within the scope of the Standards. A response such as "We're so glad to hear our team gave you the best dental implant experience in Dubai" effectively republishes the testimonial as a facility claim.

Pre-approval requirements

Some categories of health advertising in Dubai require pre-approval from the DHA before publication. Although Google review responses are generally treated as reactive rather than proactive advertising, repeated patterns of response language can be aggregated by the DHA as constituting an unapproved advertising campaign — particularly if responses consistently emphasise specific treatments, results, or pricing.

Key takeaway

The DHA Advertising Standards 2017 are stricter on superlatives than the UK GDC, the Spanish CGD, or the Portuguese OMD. A response that would only draw a warning in the UK fails outright in the UAE. Fidelia's UAE rule library treats absolute language as fail-level — not warn — for exactly this reason.

PDPL implications of replying to Google reviews

UAE Federal Decree-Law 45/2021 (the Personal Data Protection Law, or PDPL) is the country's first comprehensive federal data protection statute. It came into force on 2 January 2022 and applies to most processing of personal data of UAE residents, including processing by healthcare facilities licensed in mainland Dubai. The free zones (DIFC, ADGM) operate under their own data protection regimes that are largely consistent in spirit with the federal PDPL.

Health data as sensitive personal data

Article 1 of the PDPL classifies data revealing physical or psychological health as "sensitive personal data." Article 5 restricts the processing of sensitive personal data to specific lawful bases, the most common of which is the explicit consent of the data subject. Critically, merely confirming that an individual is a patient at a healthcare facility constitutes processing of sensitive personal data — because it implies the individual has sought or received medical treatment.

This means that a review response such as "Thank you for being our valued patient" is, strictly speaking, a disclosure of sensitive personal data in a public forum without an evident lawful basis. In most cases the reviewer has already disclosed their own patient status, but the facility's confirmation is a separate processing activity by a different data controller and requires its own lawful basis under the PDPL.

Article 13 — transparency obligations

Article 13 of the PDPL requires data controllers to notify data subjects about the purposes for which their personal data will be processed. A facility that uses patient data — collected for the purpose of providing healthcare — to compose a public response on Google has arguably processed that data for a purpose beyond the original notice. This compounds the lawful-basis problem under Article 5.

Cross-border data transfers

Article 22 of the PDPL restricts cross-border transfers of personal data to jurisdictions without adequate protection. Many AI review tools route data through US-based language models. Fidelia processes review text through Anthropic's Claude API under data processing terms compatible with the PDPL's transfer requirements, and never stores patient identifiers from review text in long-term storage outside the UAE-region Cloudflare infrastructure where review data is held.

UAE Data Office enforcement

The UAE Data Office, established under the PDPL, has authority to investigate complaints, impose fines, and order cessation of unlawful processing. While enforcement actions in the healthcare sector remain in their early stages — the PDPL is still relatively new and the implementing regulations were only finalised in 2023 — the precedent in adjacent sectors suggests fines for healthcare data breaches will be substantial. A single careless review response is unlikely to attract the maximum fine, but it can trigger a wider investigation that uncovers other compliance failures.

Key takeaway

Confirming someone's patient status in a public review response is processing of sensitive personal data under PDPL Article 5. It does not matter that the reviewer mentioned it first — the facility's confirmation is a separate processing activity by a separate data controller and requires its own lawful basis.

How Fidelia's AI guardrails work for the UAE

Fidelia was built specifically for tightly regulated private healthcare markets, because generic review management platforms do not account for jurisdiction-specific obligations. Our UAE rule library enforces five hard constraints on every draft we produce — one more than the UK rule set, because of the DHA Advertising Standards 2017.

Rule 1: Never confirm patient identity

Fidelia's AI will never use phrasing that confirms the reviewer is, was, or has been a patient at the facility. This means no "Thank you for choosing us," no "We're glad you visited," and no "As your dentist, I can assure you." The AI is trained to treat every reviewer as a member of the public whose relationship with the facility is unknown — because, from a DHA Code of Ethics perspective, that is the only safe assumption.

Rule 2: Never disclose clinical details

Even when the reviewer has described their treatment in detail, Fidelia's responses never acknowledge, confirm, or discuss those details. If a reviewer writes "my dental implant failed," the AI does not respond with anything that references implants, surgery, or any specific procedure. It acknowledges the concern in general terms only.

Rule 3: Never use superlatives or absolute claims

This is the rule that makes Fidelia's UAE configuration distinct. Where our UK and European rule sets treat absolute language as a warn-level issue, the UAE configuration treats it as fail-level. Phrases such as "the best," "guaranteed," "painless," or "100% safe" will never appear in a Fidelia draft for a UAE-licensed facility, even if the reviewer used those words first. This directly satisfies Section 3 of the DHA Advertising Standards 2017.

Rule 4: Never make health advertising claims

Fidelia avoids language that would constitute health advertising under the DHA Standards: specific treatment recommendations, success rate claims, pricing or promotional language, and disparagement of other facilities. Responses are limited to acknowledging the review, expressing the facility's commitment to high standards, and inviting private contact.

Rule 5: Always move to a private channel

Every response Fidelia generates includes a clear invitation for the reviewer to continue the conversation privately — by telephone or email. This is the single most important compliance technique: it demonstrates responsiveness without requiring any discussion of clinical or personal details in a public forum. Both the DHA and the UAE Data Office regard this as best practice.

Human review remains essential

Fidelia does not auto-publish responses. Every AI-drafted reply enters a review queue where the facility's Medical Director, manager, or designated approver can approve, edit, or reject it before publication. This is a deliberate design decision, not a limitation. The DHA holds the licensed facility accountable for all communications made in its name — and that accountability cannot be delegated to a software tool.

Key takeaway

Fidelia's five UAE guardrails — no patient confirmation, no clinical details, no superlatives, no advertising claims, always redirect to private — are not suggestions or defaults that can be overridden. They are hard constraints built into the AI's output filtering. Every response is also held for human review before publication, with the audit trail recording who approved what and when.
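To make the five guardrails concrete, here is an added illustration of the kind of rule-based output filter the section describes. It is not Fidelia's own code (the product's rule library is not published); the phrase lists, the draft replies and the jurisdiction codes are constructed for the example, and it shows the one point that makes the UAE configuration different: superlatives are fail-level for UAE and only warn-level elsewhere.

```python
"""Rule-based output filter for review-reply drafts (constructed illustration)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # which rule family fired
    severity: str   # "fail" blocks publication; "warn" only flags it for the approver
    evidence: str   # the matched text, so the approver can see why


# Constructed, illustrative phrase lists; a production rule library would be far larger.
RULE_PATTERNS = {
    "patient_confirmation": [                       # Rule 1
        r"\bthank you for choosing\b", r"\bglad you (?:visited|chose)\b",
        r"\b(?:our|a) (?:valued )?patient\b", r"\bas your (?:dentist|doctor)\b",
    ],
    "clinical_detail": [                            # Rule 2
        r"\bimplants?\b", r"\bveneers?\b", r"\bsurgery\b",
        r"\byour treatment\b", r"\btreatment outcome\b", r"\bprotocols?\b",
    ],
    "superlative": [                                # Rule 3
        r"\bthe best\b", r"\bguaranteed?\b", r"\bpainless\b",
        r"\b100% (?:safe|satisfaction)\b", r"\bleading specialist\b",
    ],
    "advertising_claim": [                          # Rule 4
        r"\bfree consultation\b", r"\bbook your\b", r"\bsuccess rate\b",
    ],
}
# Naming the treating clinician confirms who treated this reviewer (mistake 3 above).
CLINICIAN_NAME = re.compile(r"\bDr\.?\s+[A-Z][\w'-]+(?:\s+[A-Z][\w'-]+)?")
# Rule 5: every reply must invite the reviewer to a private channel.
PRIVATE_CHANNEL = re.compile(r"\b(?:telephone|phone|call|email|contact us)\b", re.I)


def superlative_severity(jurisdiction):
    """Absolute language is fail-level for UAE drafts and warn-level elsewhere."""
    return "fail" if jurisdiction == "UAE" else "warn"


def check_draft(draft, jurisdiction="UAE"):
    """Return every finding for a draft; an empty list means no rule fired."""
    findings = []
    for rule, patterns in RULE_PATTERNS.items():
        severity = superlative_severity(jurisdiction) if rule == "superlative" else "fail"
        for pat in patterns:
            for m in re.finditer(pat, draft, re.I):
                findings.append(Finding(rule, severity, m.group(0)))
    for m in CLINICIAN_NAME.finditer(draft):
        findings.append(Finding("clinical_detail", "fail", m.group(0)))
    if not PRIVATE_CHANNEL.search(draft):
        findings.append(Finding("private_channel_missing", "fail", ""))
    return findings


def is_publishable(draft, jurisdiction="UAE"):
    """Hard constraint: any fail-level finding keeps the draft in the review queue."""
    return not any(f.severity == "fail" for f in check_draft(draft, jurisdiction))


if __name__ == "__main__":
    # Constructed drafts mirroring the mistakes listed in the next section.
    for d in ["Thank you so much, we're proud to be the best clinic in Dubai.",
              "Dr. Al Mansoori is delighted to hear about your positive experience.",
              "Thank you for choosing our clinic. Book your next free consultation!"]:
        print(is_publishable(d), [(f.rule, f.severity, f.evidence) for f in check_draft(d)])
```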

Common mistakes Dubai clinics make

Even Dubai facilities with rigorous compliance cultures routinely make errors in their public review responses. These are the patterns we see most frequently in UAE Google Business Profiles — and the ones Fidelia is specifically designed to prevent.

1. Echoing the reviewer's superlatives

The most common mistake in the UAE is unique to this jurisdiction: a reviewer writes "Best clinic in Dubai!" and the facility responds "Thank you so much — we're proud to be the best clinic in Dubai." The reviewer's superlative is their personal opinion; the facility's repetition of it is health advertising and a Section 3 violation of the DHA Advertising Standards 2017.

2. The generic template that confirms everything

"Thank you for your feedback, [Name]. We're glad you chose our facility for your treatment." This single sentence confirms the patient relationship, processes the reviewer's name in a healthcare context, and constitutes a disclosure of sensitive personal data under PDPL Article 5. It is well-intentioned and wholly non-compliant.

3. Naming the treating clinician

A response such as "Dr. Al Mansoori is delighted to hear about your positive experience" creates two problems. First, it confirms that Dr. Al Mansoori treated this specific reviewer — a confidentiality breach under the DHA Code. Second, it can be construed as a personal endorsement of a specific clinician, which has its own DHA Advertising Standards implications around personalisation of healthcare advertising.

4. Being defensive in public

A negative review stings, and the natural impulse is to correct the record. "We followed all DHA-approved protocols and your treatment outcome was within normal parameters" is a response that may be factually accurate but is catastrophic from a compliance standpoint. It confirms the patient relationship, references clinical protocols applied to a specific individual, and discusses outcomes in a public forum. Beyond the regulatory issues, defensive responses are also poor marketing — prospective patients reading the exchange typically sympathise with the reviewer.

5. Promotional language disguised as gratitude

"Thank you for choosing our clinic — book your next free consultation through our website!" combines two compliance failures in one sentence. The patient confirmation is a confidentiality and PDPL issue; the call-to-action is unapproved health advertising under the DHA Standards. Promotional language has no place in any response, regardless of the reviewer's tone.

Key takeaway

The DHA Advertising Standards 2017 catch many UAE facilities by surprise because they go further than equivalent rules in other jurisdictions. The most common UAE-specific failure is echoing the reviewer's superlatives — the facility thinks it's being gracious; the DHA sees an unapproved advertising claim. Fidelia's UAE rule library is calibrated to this jurisdiction, not adapted from a UK or European default.

Frequently asked questions

Can AI legally reply to healthcare reviews in the UAE?

Yes. There is no UAE law that prohibits using AI to draft or publish review responses. However, the content of those responses must comply with the DHA Professional Code of Ethics on patient confidentiality, the DHA Advertising Standards 2017, and Federal Decree-Law 45/2021 (the UAE Personal Data Protection Law). The tool is lawful — the obligation falls on the licensed facility and its DHA-licensed clinicians to ensure no response discloses patient information or makes prohibited promotional claims. Fidelia's guardrails are designed to make compliance the default, but the facility retains final approval authority over every response.

Does replying to a Google review breach the UAE PDPL?

Not inherently. A breach occurs only if the response confirms that the reviewer is a patient, discloses sensitive personal data, or processes that data outside the original purpose of care. Under the PDPL, health data is sensitive personal data and processing it requires explicit consent or a specific legal basis under Article 5. A carefully worded, generic response that neither confirms nor denies a patient relationship does not constitute a data protection breach. The key principle is that the reviewer's own disclosure does not authorise the facility's confirmation — those are two separate processing activities by two separate controllers.

What does the DHA Advertising Standards 2017 prohibit in review responses?

The DHA Advertising Standards 2017 prohibit superlatives and absolute claims in any health advertising. This includes phrases like "the best clinic in Dubai," "guaranteed results," "painless treatment," "100% satisfaction," or "leading specialist." Even phrased as a thank-you to a reviewer, repeating these claims in a public response constitutes prohibited advertising and can trigger a DHA complaint or licence review. The Standards also prohibit disparaging comparisons with other providers and require pre-approval for certain categories of promotional content. Fidelia's UAE rule library treats this language as fail-level rather than warn-level — the only one of our four jurisdictions where this is the case.

Is Fidelia approved by the DHA?

The DHA does not approve or endorse software products — it licenses healthcare facilities and individual clinicians. Fidelia is a review management platform designed with the DHA Professional Code of Ethics, DHA Advertising Standards 2017, and UAE PDPL requirements built into its AI guardrails. Our response templates are structured to meet DHA confidentiality and advertising rules. Practices remain responsible for reviewing and approving every response before publication, consistent with the DHA's position that accountability rests with the licensed facility and its Medical Director.

How does Fidelia handle reviews that mention specific treatments or doctors?

Fidelia's AI is constrained to never engage with clinical details or named clinicians in public responses. When a reviewer mentions a specific treatment, doctor, or outcome — such as "Dr. Khan did a great job on my veneers" — Fidelia drafts a response that acknowledges the reviewer's experience in general terms ("we appreciate you sharing your feedback"), expresses the facility's commitment to high standards of care, and invites the reviewer to contact the facility directly via telephone or email. The response will never name the clinician, confirm the treatment, or describe outcomes. This satisfies DHA confidentiality expectations while demonstrating responsiveness.

Do I still need to review AI-generated replies before they are posted?

Yes, and Fidelia is designed with this in mind. While our AI guardrails prevent the most common compliance errors, the DHA holds the licensed professional and facility ultimately accountable for all communications made on behalf of the practice. Fidelia provides a review queue where the facility manager or licensed clinician can approve, edit, or reject each response before it is published to Google. We recommend that the Medical Director or a designated DHA-licensed clinician has oversight of all outgoing responses, and Fidelia's audit trail records who approved each one — useful evidence if the DHA ever asks.

See how Fidelia drafts DHA-compliant replies for your clinic

Try the live demo with a real Google review — and see how Fidelia's UAE-tuned guardrails keep your responses within DHA Code, DHA Advertising Standards 2017, and UAE PDPL boundaries, automatically.
