Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

In 2018, a national digital health programme was approved by the Israeli government. This programme forms part of the Digital Israel Initiative, which is an ongoing and comprehensive government effort to leverage information and communication technologies and harness innovation in the public sector in an endeavour to improve services and provide effective digital governance in the healthcare sector. 

Some of the goals of the national digital health programme include the establishment of a national infrastructure for innovation and advanced health; promotion of discourse and perception of innovation and the implementation of innovative healthcare services in the health system; and promotion of equal access to advanced healthcare services.

However, to date, no specific legislation has been enacted regulating digitalised healthcare.

The Protection of Privacy Law 1981 (the POP Law) and its regulations cover some relevant issues. In addition, the Ministry of Health (MOH) has published several circulars specifically pertaining to the digitalised healthcare programme (eg, the provision of telemedicine services, patients' access to electronic medical records and files maintained on their behalf by the applicable sick funds, secondary use of medical data and the process of obtaining informed consent).

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

The provision of digital health services is currently not regulated by a specific law. Some aspects are covered by the POP Law, as well as by the Patient's Rights Law 1996. In addition, the MOH has published several circulars that specifically address some areas of digital health and telemedicine. The Privacy Protection Authority (PPA) has also recently published guidelines relating to the provision of telemedicine services (the PPA Guidelines).

According to the PPA Guidelines, the telemedicine services that are provided in Israel include remote access to medical information and actions, online virtual consultations, connected medical devices, self-monitoring by using applications or home-use medical devices, as well as by using wearable or implant devices, and preliminary diagnosis based on artificial intelligence. It is clarified that the PPA Guidelines are not intended to limit the scope of telemedicine services, but rather to ensure that the privacy of patients is protected when such services are provided.

The MOH Circular 'Criteria for Operating Telemedicine Services' (Circular 6/2019) also sets out the principles relating to the provision of telemedicine services. According to Circular 6/2019, the provision of telemedicine services need not be approved by the MOH. Instead, it is for the management of the health organisation or medical institution operating the telemedicine services to prescribe the conditions under which they operate, provided that management has first determined that the quality and safety of the telemedicine services align with those of face-to-face consultations with patients. Circular 6/2019 clarifies that telemedicine services are not intended to replace the corresponding face-to-face consultations, and it is thus recommended that both types of consultation be made available so that patients can choose between them at their discretion. Additional rules and guidance are set out in Circular 6/2019.

In addition, the MOH Circular 'Access of Personal Health Data for the Patient – Health in the Palm of One’s Hand' (Circular 8/19), contains rules and guidance for broadening the medical data that is available to patients online through the electronic medical records and files maintained on their behalf by the applicable sick funds.

Finally, the Israeli Medical Association has published a position paper, setting out the ethical rules that apply to the provision of telemedicine services.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

The PPA is the Israeli regulatory and enforcement authority responsible for ensuring the due and proper protection of personal digital information in accordance with the POP Law. The MOH is also responsible for ensuring compliance by the relevant health organisations and medical institutions with the data protection and privacy requirements applicable in the healthcare sector, as set out in the relevant MOH circulars. In January 2020, a code of ethics was published by the MOH, which must be adhered to by all healthcare providers and workers in medical organisations and health institutions, including personnel, students and volunteers who, owing to their positions or in fulfilment of their duties, may be exposed to patient data.

Additional applicable legislation includes the Patient's Rights Law 1996 and the Genetic Information Law 2000. Each of these laws addresses certain aspects pertaining to the due and proper protection of data and privacy in the healthcare sector.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

Healthcare providers are obliged to keep confidential any and all medical records and information relating to a patient that come to their knowledge in the course of fulfilling their duties or as part of their ongoing work, and must take all required measures to ensure that their employees likewise maintain the confidentiality of all such records and information. Healthcare providers are accordingly prohibited from accessing medical records and information without permission or without reason. Medical records and information may only be used for the express purpose for which they were collected and stored, and may not be transferred to third parties unless the patient's consent has been obtained or the transfer is otherwise permitted by law.

The POP Law and its regulations contain general provisions relating to the ownership, management and holding of databases, as well as to data protection, which may also be relevant to healthcare providers (eg, a database owner is obliged to register the database with the Registrar of Databases). There is no requirement to appoint a data protection officer, but the PPA considers it best practice to do so.

The MOH has issued several circulars and guidelines relating to certain aspects of data protection and privacy. Among others, the MOH Circular 'Data Protection in Computerised Systems' (Circular 3/15) sets out the principles and standards for the protection of data stored on the computerised health system; MOH Circular 2/2021, 'Use of Cloud Computing in the Israeli Healthcare System', establishes the criteria for the proper operation of computerised applications using cloud computing by healthcare organisations, to encourage the introduction of advanced technologies for use by healthcare organisations; and MOH Guideline 169/01 outlines the use of digital means for the informed consent process in clinical trials.

In addition, the MOH Circulars 'Secondary Use of Medical Data' (Circular 1/2018) and 'Collaboration Based on Secondary Use of Medical Data' (Circular 2/2018) establish the principles governing secondary uses of medical data and collaborations based on such use. In general, only de-identified data may be the subject of secondary use, unless the patient's prior consent to the use of identifiable data has been obtained or such use is otherwise permitted by law. A request to make secondary use of data must be individually reviewed by the health organisation, and additional approvals may be required if the secondary use is for research purposes or if the data is intended to be transferred between public bodies. The means for ensuring adequate data protection are also specified.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

According to a report published by the PPA in 2020, the common infringements among medical institutions and laboratories include non-compliance (or partial compliance) with data protection regulations and standards, especially among small institutions and laboratories. These types of infringements were also common among mental health institutions and service providers. Infringements relating to the outsourcing of data processing were also common. These infringements raise concerns about the leakage of data to third parties.