Data protection and management
Definition of ‘health data’
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
‘Health data’ is medical information as defined in the Patient Rights Act, 1996, and also includes data about the patient’s behaviour, which directly relates to the physical or mental health of a patient or their medical treatment.
The draft Patient Rights Regulations (Research Use of Health Data), 2019 (the Research Regulations), which have not yet been adopted, broaden the definition of ‘health data’ to include information that indirectly relates to the patient’s health or mental condition or to the medical treatment he or she receives, including information on the patient’s behaviour that may affect his or her physical or mental health or treatment. This definition is also included in the draft circular of the Ministry of Health (MoH) titled Guidelines for Anonymization of Health Data for Research Use Purposes, 2019 (the Draft Regulatory Circular). The draft Research Regulations have yet to be adopted due to, among other reasons, the Israel Democracy Institute’s public letter of objection. The Israel Democracy Institute raises many issues with the proposed Research Regulations, many of which involve privacy concerns.
The two circulars of the Director General of the MoH regarding the secondary use of health data and Collaborations Based on Secondary Uses of Health Data, 2018, refer to health ‘anonymized data’ as health data that has undergone an anonymisation process for a defined use, which minimises the risk of identification as a result of such use to a level at which the data is not identifiable in the circumstances.
The Draft Regulatory Circular further defines health ‘anonymized data’ as health data that has undergone an anonymisation process in accordance with the Draft Regulatory Circular and in accordance with Regulation 13 of the Research Regulations, for a particular research use that has been lawfully approved under the Research Regulations, and in the circumstances, it is not possible, with reasonable effort, to re-identify the individual.
Data protection law
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
The Privacy Protection (Information Security) Regulations, 2017 (the Security Regulations) specify the security measures that need to be implemented for personal data, based on the security level of each database: the higher the security level, the more stringent the requirements. The Security Regulations list health data as requiring a medium level of security. If the health data is included in a database of 100,000 or more individuals, or 100 or more persons have access to it, the level of security becomes high.
Under the Patient Rights Act, a caregiver or a medical institution may only provide an individual’s health data in the following cases:
- the individual gave his or her consent;
- the caregiver or the medical institution is obligated by law to provide the health data to another caregiver for the purpose of treating the individual;
- the individual has not been provided with the health data under the Patient Rights Act and the Ethics Committee has approved its delivery to another;
- the Ethics Committee has determined that the provision of health data is essential for the protection of the health of others or the public; or
- the delivery of the health data is to the treating medical institution or to its employee to process the data, file or report it according to law for publication in a scientific journal, research or teaching purposes in accordance with instructions prescribed by the Minister of Health, provided that no identifying details of the individual have been disclosed.
The Privacy Protection Authority (PPA) has emphasised, through a first-of-its-kind guidance document on privacy protection in telemedicine services, published on 2 August 2022, that health data is sensitive personal information and that its unlawful disclosure may have serious consequences, both at the level of the patient and at the level of public trust in the country’s health institutions. Failure to secure health data as required may also lead to its corruption, in a way that could serve as a basis for incorrect medical decisions and hence even harm the health of patients. The PPA guidance includes various recommendations on privacy aspects of telemedicine, including in relation to privacy risks stemming from algorithm-based diagnosis using big data.
Anonymised health data
Is anonymised health data subject to specific regulations or guidelines?
The two circulars of the Director General of the MoH regarding secondary use of health data and Collaborations Based on Secondary Uses of Health Data, 2018 define secondary use as the use of health data for any non-medical need; such circulars do not, however, apply to secondary use required for the day-to-day conduct and activity supporting medical treatment, including control, management, operation and planning of future services, as well as ongoing learning and statistics within a health organisation, or for reporting required by law (secondary use).
The MoH’s Director General circular regarding the secondary use of health data prohibits the use of identifiable data for purposes other than that for which the data was provided. In general, even with regard to uses permitted by law, the secondary use of anonymised data should be preferred over the secondary use of identifiable data. In the absence of lawful approval or consent to the use of identified data, secondary use will only be permitted if the data is anonymised. Health data that accompanies or forms part of medical care may be used in an identifiable manner; even in relation to such uses, preference should be given to the use of anonymised data. Health organisations that were performing secondary use of identified data when the circular was published were instructed to create a plan for building an anonymisation-based solution for as many uses as anonymisation allows.
The MoH will establish acceptable minimum rules or technological means for carrying out the anonymisation process, which will facilitate collaborations between health organisations and other bodies that need a unified and identical anonymisation mechanism. Until such rules or measures are established, health organisations will implement the means and technology based on the opinion of their professional advisers, in accordance with their best professional judgement. The anonymisation mechanism used will be to a level that does not allow re-identification through reasonable means and resources available to the general public.
The draft Research Regulations further detail the anonymisation process health data should undergo; a health organisation shall anonymise health data for research use before the data is made available to the researcher. The anonymisation process of health data for research use will be according to the assessment of the risk to privacy from that use, based, among other things, on examining all of the following:
- the number of individuals whose data is requested;
- the number and types of data fields;
- the field of health to which the data relates and the degree of its sensitivity;
- the existence of databases that are identified or inaccessible to the general public, to which the researcher has access;
- the identity of the party that is requested to give access to the data, the nature of their activity, and the purposes of the use of the data in their possession;
- the number of access permissions requested;
- the manner of access to the requested data and the means of data security and additional privacy protection taken; and
- the applicability of Israeli law to such request.
The anonymisation process will include, at the very least, three steps:
- determining the minimum amount of data required for the research;
- removing all identifying details; and
- performing an identification risk reduction procedure for identifiable data according to the privacy risk assessment performed regarding the research use in the study.
The anonymisation process will be performed using the best professional methods available in its field and in a manner that minimises the risks of breach of privacy under the risk assessment.
The MoH draft circular titled Guidelines for Anonymization of Health Data for Research Use Purposes, 2019 details the necessary measures to anonymise health data. The obligatory steps are:
- request for research use of health data;
- deriving the scope of the minimum data required for use as defined;
- removing or encoding identifying data;
- risk mapping and management;
- creating an anonymisation model: anonymisation of identifiable data fields according to the risk management (in the case of actual provision of data to the researcher, also compliance with a defined threshold of anonymity is required);
- obtaining approval from a committee of the medical institution to use the data, in accordance with the risk management and protection circles;
- implementation of the anonymisation model and other protection circles; and
- making the data available to the researcher and conducting the research.
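The three-step process described above (deriving the minimum data, removing or encoding identifying data, then reducing re-identification risk against a defined threshold of anonymity) as an added illustrative example; this is not code from the MoH circulars or the draft Research Regulations. The records, the generalisation hierarchy, the keyed pseudonym and the threshold k are constructed assumptions standing in for choices the risk assessment would make.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample (not real patients): name/id_number are direct identifiers,
# birth_year/postcode are quasi-identifiers, diagnosis is the sensitive field.
RECORDS = [
    {"name": "A", "id_number": "0001", "birth_year": 1981, "postcode": "61001", "diagnosis": "D1"},
    {"name": "B", "id_number": "0002", "birth_year": 1983, "postcode": "61002", "diagnosis": "D2"},
    {"name": "C", "id_number": "0003", "birth_year": 1992, "postcode": "62001", "diagnosis": "D3"},
    {"name": "D", "id_number": "0004", "birth_year": 1991, "postcode": "62002", "diagnosis": "D1"},
]
DIRECT_IDENTIFIERS = {"name", "id_number"}
QUASI_IDENTIFIERS = ("birth_year", "postcode")

def step1_minimum_data(records, requested_fields):
    # Step 1: keep only the fields the approved research request needs.
    return [{f: r[f] for f in requested_fields if f in r} for r in records]

def step2_remove_or_encode(records, secret_key=None):
    # Step 2: drop direct identifiers; with a key, id_number becomes a keyed HMAC-SHA256 pseudonym.
    out = []
    for r in records:
        anon = {f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS}
        if secret_key is not None and "id_number" in r:
            anon["pseudonym"] = hmac.new(secret_key, r["id_number"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append(anon)
    return out

def generalise(record, level):
    # Assumed hierarchy: level 0 is exact; each level widens the year band by 5 and strips two postcode digits.
    g = dict(record)
    if level and "birth_year" in g:
        g["birth_year"] = (g["birth_year"] // (5 * level)) * (5 * level)
    if "postcode" in g:
        g["postcode"] = g["postcode"][: max(0, 5 - 2 * level)] or "*"
    return g

def smallest_class(records):
    # Smallest group of records sharing identical quasi-identifier values.
    groups = Counter(tuple(r.get(q) for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values()) if groups else 0

def step3_risk_reduction(records, k, max_level=3):
    # Step 3: generalise until every group has >= k records; k is the assumed "threshold of anonymity".
    for level in range(max_level + 1):
        gen = [generalise(r, level) for r in records]
        if smallest_class(gen) >= k:
            return gen, level
    raise ValueError("threshold not reachable: narrow the request or refuse release")
```

A release that cannot reach the threshold even at the coarsest level is refused rather than shipped with a weaker guarantee.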
The MoH circular Basic Regulation for Cyber Protection in the Health Sector in Israel, 2022 (the Cyber Health Circular), in effect from 1 November 2022, defines principles for implementation in basic areas related to cyber protection in a healthcare organisation and is based on the Israel National Cyber Directorate’s cyber defence theory. The regulation is detailed but leaves sufficient room for the relevant authority of the medical organisation to exercise its responsibility in a manner appropriate to the organisation and its abilities. Such authority is required to manage the organisation’s cyber risks with a holistic view, based on a comprehensive risk-management concept and on continuity of medical treatment processes in emergency situations, while bearing overall responsibility for the cyber protection of the medical organisation.
Enforcement
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
There are no specific requirements applicable only to health data. As health data is considered personal data, the regular enforcement of data protection laws is applicable.
The PPA, as part of extensive inspection and audit processes of compliance with the Privacy Protection Law, 5571-1981 (the Privacy Law) and the Security Regulations by companies that manage extensive and sensitive personal data in various sectors, conducted an inspection of medical institutes and treatment institutions for the years 2018–2019.
According to the PPA’s report on its findings from such audit, the inspection process may be the beginning, after which the PPA may conduct additional and more in-depth audit procedures in such supervised entities, and it may also initiate a criminal investigation or administrative inspection procedure. As part of the inspection process, the audited entities were required to respond to audit questionnaires and provide various information for the purpose of examining their compliance with the provisions of the Privacy Law and Security Regulations, inter alia, regarding how to obtain consent to the use of personal data, how to use it, and its security.
According to the PPA’s published report, small and medium medical institutions are far less compliant than larger institutions or those associated with a hospital, and their awareness of the requirements of the Privacy Law and the Security Regulations is very low. The most important finding is that there is great concern about data breaches and the unauthorised disclosure of data by small and medium medical institutions when they transfer data to third parties (such as outsourcing providers or employees of other institutions accessing the data). The findings also include non-compliance by large institutions with the requirements pertaining to outsourcing. The audited entities received specific guidelines to correct the discrepancies detected.
Another serious deficiency listed in the PPA’s published report is in the implementation of the duty to be transparent with patients. According to the report, patients do not always know that their information is transferred to an external company that provides outsourced information processing services, and patients are not made aware of their right to review the collected information, change or correct the information, as required by section 13 of the Privacy Law.
The PPA did not mention in its report what sanctions were imposed on the violating organisations. The PPA stated that it had sent instructions to those institutes and laboratories and that it would check again if those organisations had indeed corrected the deficiencies.
Cybersecurity
What cybersecurity laws and best practices are relevant for digital health offerings?
The main cybersecurity law in Israel is the Computers Law, 1955, which does not address digital health data specifically but sets penalties for the illegal use of digital data, hacking computer materials, transmission or submission of false data and more. In addition, MoH circulars refer to conducting secondary use of health data in accordance with the medical institutions’ data protection policies, which are subject to applicable law and MoH guidelines.
Best practices include purchasing cyber insurance, which should be tailored (or enhanced by purchasing an additional insurance policy) to also cover data protection, cloud storage and more.
Additional best practices are obtaining ISO 27001 (or ISO 27799 specifically for information security management in health use, as first initiated in Israel) or SOC2 certifications, and implementing organisational security procedures and guidelines, including periodical security audits and penetration tests.
Best practices and practical tips
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?
The ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions including secondary use, should be addressed in each contract, including any privacy policy. With respect to each category, the scope of ownership rights, licences to use, and rights to share and otherwise utilise such data (and, with respect to secondary uses, whether the data is used in an aggregated and unidentifiable form or otherwise) should be considered. As to artificial intelligence solutions in particular, the right to use the data to enhance the solution should be addressed as well. The negotiation of the contract usually takes into account factors such as who created the data, the role of each of the players involved and their negotiation leverage, the data flow, and each party’s current and future potential needs with respect to each category of data.
An additional best practice would be a careful review of the means used to de-identify personal data, and the allocation of risk covering the de-identification process.
In addition, we recommend appointing a data protection officer (as required by the EU General Data Protection Regulation) or a privacy protection officer, as recently recommended by draft PPA guidelines. We further recommend organising data management and corporate governance processes in the organisation, including adopting privacy policies, implementing data protection by design processes for all data processing activities, auditing security measures in the supply chain that has access to health data and entering into appropriate agreements with all third parties having access to health data. An organisation should prepare an annual work plan for supervising compliance with the provisions of the Privacy Law and carry out periodic inspections for its implementation. An organisation’s management needs to be regularly updated on privacy issues and the employees should undergo periodic training regarding data protection.