Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

‘Health data’ is medical information as defined in the Patient Rights Act 1996, and also includes data about the patient’s behaviour, which directly relates to the physical or mental health of a patient or to their medical treatment.

The draft Patient Rights Regulations (Research Use of Health Data) 2019 (Research Regulations), which has not yet been adopted, broadens the definition of ‘health data’ to include information that indirectly relates to the patient’s health or mental condition or the medical treatment he or she receives, including information on the patient’s behaviour that may affect his or her physical or mental health or treatment. This definition is also included in the draft circular of the Ministry of Health (MOH) Guidelines for Anonymisation of Health Data for Research Use Purposes 2019 (Draft Regulatory Circular).

Two circulars of the director-general of the MOH regarding secondary use of health data and Collaborations Based on Secondary Uses of Health Data 2018 refer to health ‘anonymised data’ as health data that has undergone an anonymisation process for a defined use and minimises the risk of identification as a result of such usage to a level that is not identifiable in the circumstances.

The Draft Regulatory Circular further defines health ‘anonymised data’ as health data that has undergone an anonymisation process in accordance with the Draft Regulatory Circular and in accordance with Regulation 13 of the Research Regulations, for a particular research use that has been lawfully approved under the Research Regulations, and in the circumstances it is not possible, with reasonable effort, to re-identify the individual.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

The Privacy Protection (Information Security) Regulations 2017 (Security Regulations) specify the security measures that need to be implemented for personal data based on the security level of each database – the higher the security level, the more stringent the requirements. The Security Regulations list health data as requiring a medium level of security. If the health data is included in a database of 100,000 or more individuals, or 100 or more persons have access to it, the level of security will become high.

As per the Patient Rights Act, a caregiver or a medical institution may only provide an individual’s health data in the following cases:

  • the individual has given his or her consent;

  • the caregiver or the medical institution is obligated by law to provide the health data to another caregiver for the purpose of treating the individual;

  • the individual has not been provided with the health data under the Patient Rights Act and the Ethics Committee has approved its delivery to another;

  • the Ethics Committee has determined that the provision of health data is essential for the protection of the health of others or the public;

  • delivery of health data to the treating medical institution or to its employees for the purpose of processing the data, filing or reporting it according to law; and

  • for publication in a scientific journal, research or teaching purposes in accordance with instructions prescribed by the Minister of Health, provided that no identifying details of the individual have been disclosed.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

The two circulars of the director-general of the MOH regarding secondary use of health data and Collaborations Based on Secondary Uses of Health Data 2018 define secondary use as the use of health data for any non-medical need. However, these circulars do not apply to secondary use required for the day-to-day conduct and activity supporting medical treatment, including control, management, operation and planning of future services, as well as ongoing learning and statistics within a health organisation, or for reporting required by law.

The MOH’s director-general circular regarding secondary use of health data prohibits the use of identifiable data for purposes other than for which the data was provided. In general, even with regard to the use permitted by law, secondary use of anonymised data should be preferred over secondary use of identifiable data. In the absence of lawful approval or consent to the use of identified data, secondary use will only be permitted if the data is anonymised. Health data that accompanies or forms part of medical care may be used in an identifiable manner. Even in relation to such uses, preference should be given to anonymised data. Health organisations that were performing secondary use of identified data when the circular was published were instructed to create a plan for building a solution based on anonymisation for the maximum number of uses in which anonymisation is possible.

The MOH will establish acceptable minimum rules and technological means for carrying out the anonymisation process, which will facilitate collaborations between health organisations and other bodies that need a unified and identical anonymisation mechanism. Until such rules and measures are established, health organisations will implement the means and technology based on the opinion of their professional advisors, in accordance with their best professional judgement. The anonymisation mechanism used will be to a level that does not allow re-identification through reasonable means and resources available to the general public.

The new draft Research Regulations further detail the anonymisation process health data should undergo; a health organisation shall anonymise health data for research use before the data is made available to the researcher. The anonymisation process of health data for research use will be according to the assessment of the risk to privacy from that use, based, among other things, on examining all of the following:

  • the number of individuals whose data is requested;

  • the number and types of data fields;

  • the field of health to which the data relates and the degree of its sensitivity;

  • the existence of databases that are identified or inaccessible to the general public, to which the researcher has access;

  • the identity of the party that is requested to give access to the data, the nature of their activity, and the purposes of the use of the data in their possession;

  • the number of access permissions requested;

  • the manner of access to the requested data and the means of data security and additional privacy protection taken; and

  • the applicability of Israeli law to the request.

The anonymisation process will include, at the very least, three steps:

  • determining the minimum amount of data required for the research;

  • removing all identifying details; and

  • performing an identification risk reduction procedure for identifiable data according to the privacy risk assessment performed regarding the research use in the study.

The anonymisation process will be performed using the best professional methods available in the field and in a manner that minimises the risks of breach of privacy under the risk assessment.

The draft circular of the MOH Guidelines for Anonymisation of Health Data for Research Use Purposes 2019 details the necessary measures to anonymise health data. The obligatory steps are:

  • request for research use of health data;

  • deriving the scope of the minimum data required for use as defined;

  • removing or encoding identifying data;

  • risk mapping and management;

  • creating an anonymisation model – anonymisation of identifiable data fields according to the risk management (in the case of actual provision of data to the researcher, compliance with a defined threshold of anonymity is also required);

  • obtaining approval from a committee of the medical institution to use the data, in accordance with the risk management and protection circles;

  • implementation of the anonymisation model and other protection circles; and

  • making the data available to the researcher and conducting the research.
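The three core steps above (deriving the minimum data, removing or encoding identifying data, then reducing re-identification risk until a defined anonymity threshold is met) can be shown end to end. The following is an added illustration and is not code from the MOH circulars or the draft Research Regulations. It assumes k-anonymity over a generalisation ladder as the "defined threshold of anonymity", a keyed HMAC held by the health organisation as the "encoding" of identifiers, a hypothetical study that needs only birth year, postcode and diagnosis, and a handful of constructed patient records.

```python
"""Added example: minimum-field selection, identifier encoding and
generalisation to a k-anonymity threshold. All records are constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample extract from a hypothetical clinic (not real patients).
RAW_RECORDS = [
    {"id_number": "000000018", "name": "A. Cohen", "birth_year": 1981, "postcode": "6423901", "diagnosis": "asthma"},
    {"id_number": "000000026", "name": "B. Levi", "birth_year": 1984, "postcode": "6423905", "diagnosis": "asthma"},
    {"id_number": "000000034", "name": "C. Mizrahi", "birth_year": 1988, "postcode": "6423910", "diagnosis": "diabetes"},
    {"id_number": "000000042", "name": "D. Peretz", "birth_year": 1975, "postcode": "3100101", "diagnosis": "asthma"},
    {"id_number": "000000059", "name": "E. Biton", "birth_year": 1972, "postcode": "3100204", "diagnosis": "diabetes"},
    {"id_number": "000000067", "name": "F. Dahan", "birth_year": 1979, "postcode": "3100310", "diagnosis": "diabetes"},
    {"id_number": "000000075", "name": "G. Avraham", "birth_year": 1983, "postcode": "3100415", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("id_number", "name")      # removed outright or replaced by a pseudonym
QUASI_IDENTIFIERS = ("birth_year", "postcode")  # fields that can single someone out in combination
REQUIRED_FIELDS = ("birth_year", "postcode", "diagnosis")  # assumed minimum for the hypothetical study

# Generalisation ladder: (birth_year level, postcode level), coarsest last.
LADDER = [(0, 0), (1, 1), (1, 2), (2, 2)]


def pseudonymise(id_number, key):
    """Keyed one-way encoding (HMAC-SHA256) so visits of one patient can still be linked.
    The key stays with the data holder and is never released to the researcher."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()[:16]


def select_minimum_fields(record, required):
    """Step 1: keep only the fields the approved research use actually needs."""
    return {field: record[field] for field in required}


def generalise_birth_year(year, level):
    if level == 0:
        return str(year)
    if level == 1:
        return f"{year // 10 * 10}s"   # e.g. 1981 -> "1980s"
    return "*"                          # suppressed


def generalise_postcode(postcode, level):
    if level == 0:
        return postcode
    if level == 1:
        return postcode[:3] + "****"    # keep only the area prefix
    return "*"


def generalise(record, year_level, postcode_level):
    out = dict(record)
    out["birth_year"] = generalise_birth_year(record["birth_year"], year_level)
    out["postcode"] = generalise_postcode(record["postcode"], postcode_level)
    return out


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing identical quasi-identifier values (1 means someone is unique)."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def anonymise(raw_records, key, k_threshold):
    """Steps 1-3: minimum fields, remove/encode direct identifiers, then climb the
    generalisation ladder until the k threshold is met. Returns (records, k, level);
    raises if no level suffices, in which case the extract must not be released."""
    base = []
    for raw in raw_records:
        rec = select_minimum_fields(raw, REQUIRED_FIELDS)   # step 1 also drops name/id_number
        rec["pseudonym"] = pseudonymise(raw["id_number"], key)  # step 2: encode, not keep
        base.append(rec)
    for level, (year_level, postcode_level) in enumerate(LADDER):   # step 3
        candidate = [generalise(r, year_level, postcode_level) for r in base]
        k = k_anonymity(candidate)
        if k >= k_threshold:
            return candidate, k, level
    raise ValueError(f"no ladder level reaches k={k_threshold}; withhold the data")


if __name__ == "__main__":
    released, k, level = anonymise(RAW_RECORDS, b"constructed-demo-key", k_threshold=3)
    print(f"released at ladder level {level} with k={k}")
    for row in released:
        print(row)
```

With the constructed records, exact values leave every patient unique (k=1), decade plus postcode prefix still isolates one person, and only suppressing the postcode reaches k=3; a threshold the data cannot reach raises an error rather than releasing a weaker extract, which mirrors the requirement that release depends on meeting the defined threshold.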

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

There are no specific requirements applicable only to health data. As health data is considered personal data, the regular enforcement of data protection laws is applicable.

The Privacy Protection Authority (PPA), as part of an extensive inspection and audit process of compliance with the Privacy Protection Law 1981 (Privacy Law) and Security Regulations by companies that manage extensive and sensitive personal data in various sectors, conducted an inspection of medical institutes and treatment institutions for the years 2018 and 2019.

According to the PPA’s report on its findings from this audit, the inspection process may be the beginning, after which the PPA may conduct additional and more in-depth audit procedures in such supervised entities, and it may also initiate a criminal investigation or administrative inspection procedure. As part of the inspection process, the audited entities were required to respond to audit questionnaires and provide various information for the purpose of examining their compliance with the provisions of the Privacy Law and Security Regulations regarding, inter alia, how to obtain consent for the use of personal data, how to use the data and its security.

According to the PPA’s published report, medium and small medical institutions are far less compliant than larger institutions or those associated with a hospital, and their awareness of the requirements of the Privacy Law and Security Regulations is very low. The most important finding is that there are great concerns about data breaches and the unauthorised disclosure of data by medium and small medical institutions when they transfer data to third parties (such as outsourcing providers or employees of other institutions accessing the data). The findings also include non-compliance by large institutions with the requirements pertaining to outsourcing. The audited entities received specific guidelines to correct the discrepancies detected.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

The main cybersecurity law in Israel is the Computers Law 1995, which does not address digital health data specifically, but sets penalties for the illegal use of digital data, hacking computer materials, transmission or submission of false data and more. In addition, circulars of the director-general of the MOH refer to conducting secondary use of health data in accordance with the medical institutions’ data protection policies, which are subject to applicable law and MOH guidelines.

Best practices include purchasing cyber insurance, and it should be tailored (or enhanced by purchasing an additional insurance policy) to also cover data protection, cloud storage and more.

Additional best practices are obtaining ISO 27001 or SOC 2 certifications, and implementing organisational security procedures and guidelines, including periodic security audits and penetration tests.

In addition, Israel's National Cyber Directorate (NCD) is responsible for all aspects of cyber defence in the civilian sphere, from formulating policy and building technological power to operational defence in cyberspace. It aims to provide incident-handling services and guidance for all civilian entities as well as all critical infrastructure in the Israeli economy, and works towards increasing the resilience of civilian cyberspace. Best practice is to consult and receive guidance from the NCD in the event of breach incidents. The NCD has been active since 2018 in promoting a Cyber Defence Bill, which is still in the making with the Ministry of Justice.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

The ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions including secondary use, should be addressed in each contract, including any privacy policy. With respect to each category, the scope of ownership rights, licences to use, and rights to share and otherwise utilise such data (and with respect to secondary use, whether use in an aggregated and unidentifiable form, or otherwise) should be considered. As to artificial intelligence solutions in particular, the right to use data in order to enhance the solution should be addressed as well. The negotiations of the contract usually take into account factors such as who created the data, the role of each of the players involved and their negotiation leverage, the flow of the data, and each party’s current and future potential needs with respect to each category of data.

An additional best practice would be a careful review of the means used to de-identify personal data, and the allocation of risk covering the de-identification process.

In addition, we recommend appointing a data protection officer (as required by the EU General Data Protection Regulation) or privacy protection officer, as recently recommended by draft guidelines of the PPA. We further recommend organising data management and corporate governance processes in the organisation, including adopting privacy policies, implementing data protection by design processes for all data processing activities, auditing security measures in the supply chain's access to health data, and entering into appropriate agreements with all third parties having access to health data. An organisation should prepare an annual work plan for supervising compliance with the provisions of the Privacy Law and carry out periodic inspections for its implementation. An organisation’s management needs to be regularly updated on privacy issues, and employees should undergo periodic training regarding data protection.