The Israeli Privacy Protection Authority (PPA) recently published a document for public comments entitled, “Protecting Patients’ Privacy When Transferring Medical Information via Digital Devices and Undesignated Software.”

This document presents the PPA’s position on the responsibility of healthcare service providers and medical professionals when using a variety of digital devices (smartphones, handheld computers, laptops, etc.) and messaging software (such as Gmail, WhatsApp, etc.) for the purpose of transferring sensitive medical information about patients.

In this document, the PPA states that the responsibility for safeguarding medical information falls on the medical institution as the database owner. The PPA expresses its concerns about potential infringement of patients’ privacy due to the growing use of software such as Gmail, WhatsApp, Telegram, etc., and as a result of medical professionals using their personal mobile phones to photograph and document medical information and then forward it to various parties.

Medical information can be transferred in three ways:

  1. Designated medical information-forwarding software installed on medical professionals’ personal digital devices.
  2. Undesignated software installed on digital devices owned by a medical institution or organization.
  3. Undesignated software installed on medical professionals’ personal digital devices.

Possible scenarios include, for example, the transfer of a patient’s imaging results via WhatsApp between medical professionals for consultation purposes, or forwarding a medical summary from a physician’s mobile phone to the patient’s private email address. This analysis refers also to instances when the forwarding of medical information may be justified, such as between members of the medical team and consulting specialists or the patients themselves.

The concerns about exposure of personal information relate to human error (such as forwarding a patient’s imaging results via personal phone to another physician without knowing whether the patient’s results are being saved on that phone’s cloud) or information leaks due to incompatible tools for safeguarding sensitive medical information.

In addition, the PPA expresses concerns about the transfer of medical information via digital means without patients’ knowledge or consent and about the use of patients’ medical information by private companies for their own needs.

As stated in the document, the PPA believes that medical information contained in personal devices and software may constitute a computerized medical record. Therefore, the PPA believes it should be subject to the Ministry of Health’s directives regarding the retention of medical records.

The PPA states that the use of these tools imposes an enhanced information security obligation in relation to systems and that the full information security process should also be carried out in relation to supplier audits.

The PPA also believes that medical professionals’ use of personal devices without authorization or permission from the medical organization, as well as event of theft of personal device containing medical information, may, in some instances, constitute a severe security incident, and lead to a notification requirement to the PPA. Accordingly, medical organizations must ensure that their information security procedures and policies also address medical professionals under their employ.

Practical Recommendations

The PPA’s document does not categorically prohibit the use of digital messaging software for the purpose of forwarding medical information. Rather, it proposes several practical recommendations about the transfer of medical information to medical professionals and to organizations.

Consequently, entities seeking to allow their employees to use their personal or organizational devices and undesignated software must implement a series of data security measures, such as:

  • Minimization of information (such as deletion from the software and device memories immediately after sending).
  • Disabling various cloud backups.
  • Enhancing security measures, and more.

The PPA also recommends that organizations provide dedicated devices and use accepted device management systems in order to minimize information leaks.

The PPA further recommends that healthcare organizations perform a privacy impact assessment before assimilating new systems and solutions. Another recommendation is that healthcare organizations appoint a privacy protection officer.

The document was published for public comments until 12:00 p.m. on December 6, 2022.