On August 2, 2022, the Privacy Protection Authority published a document detailing the challenges of privacy protection involved in the use of telemedicine services.1 The document presents recommendations regarding how these services should be used in order to reduce harm to patients' privacy.
It should be noted that medical data is defined in the Protection of Privacy Law, 5741-1981 (hereinafter: "the Law") as sensitive data, and has even been determined to be at the core of privacy,2 and therefore it is of utmost importance to prevent its leakage and exposure to unauthorized parties. Against this background, and particularly in light of the growing phenomenon of the provision and receipt of medical services remotely, the document published by the Privacy Protection Authority, whose purpose is to shine a spotlight on the phenomenon and the privacy challenges involved, is intended to serve as a kind of reference manual for health organizations, external suppliers, and therapists when it comes to the proper management of medical data (including collection, documentation, storage and processing).
The document is divided into four chapters: (1) mapping the types of remote medical services currently provided in Israel; (2) a review of risks to patients' privacy when using telemedicine services; (3) a summary of legal provisions and relevant guidelines; (4) a presentation of clarifications and recommendations. In this newsletter, we will briefly review the above chapters, and present the main points raised in them.
The first chapter of the document classifies the medical services provided remotely into five categories: 3 (a) services that allow the patient to view medical data on himself or herself, and perform actions remotely (such as an HMO application); (b) remote care services through a virtual patient-therapist meeting (synchronous); (c) self-examination services using online medical examination devices intended for home use for the purpose of consultation, diagnosis or treatment at a later time (asynchronous); (d) services of continuous medical monitoring using wearable or implantable devices; (e) services of preliminary diagnosis using Artificial Intelligence.
It is important to clarify that when receiving the services listed above, the medical data may also reach (in addition to the therapist directly treating the patient) external providers that provide and/or operate the online medical platforms and devices used in the service. In such a case, the medical data on the patient is stored in various databases, and, as a result, is more exposed to privacy harm. Moreover, since the patient has online access to medical data on himself, which may even be stored in the home test devices in his possession, the risk of harming his privacy increases. Therefore, the risks of privacy harm detailed below are relevant for health organizations, external providers, and patients.
As stated above, the second chapter of the document lists the risks to patients' privacy when using telemedicine services, including: (a) data leakage due to data security failures (e.g., as a result of hacking into the home Internet network/smart devices/medical devices of the patient, or hacking into the databases of the health organization or the external provider). Furthermore, it should be emphasized that medical data may be of great economic value, a fact which increases the risk of data security events and of harm to patients' privacy; (b) the lack of patient awareness of the collection of data by external providers and the purposes for which it is used. This prevents patients from taking action to reduce the violation of their privacy; (c) exposure of excess information in the framework of a virtual meeting (for example, exposure of the patient's home environment, from which intimate details about the patient can be learned that will not necessarily be relevant to the treatment); (d) disclosure of information to unauthorized parties in the therapist's environment (for example, when the treatment is provided in the therapist's home, or in a public space, and other parties are in the vicinity and may be exposed to the patient's medical information).
Since violation of the patient's privacy, including the leakage of medical data and unauthorized parties' access to it, can lead to serious harm, both at the patient level and at the level of trust in health organizations, and, in the process, to a downward trend in the use of telemedicine services, it is of utmost importance to take actions to reduce the possibility of harming patients' privacy when providing these services.
The third chapter of the document focuses on the provisions of the law and the relevant guidelines on the subject of protecting patients' privacy. For example, the chapter relates to the provisions of the Law and the regulations enacted by virtue thereof, which state, among other things, that a database containing medical data is required to have an intermediate to higher level of security.4 Additional law provisions and other guidelines mentioned in this chapter include the Patient's Rights Law, 5756-1996, the Ministry of Health's guidelines for maintaining the confidentiality and privacy of patient's personal data, and a document of ethics rules of the Israel Medical Association.
The fourth and final chapter of the document details the recommendations and clarifications of the Privacy Protection Authority to reduce the violation of patients' privacy in telemedicine services. We will present below the main recommendations:
- Information and consent to receive telemedicine services - A health organization that provides telemedicine services must obtain the consent of the patients to provide such services, and specify to the patient, among other things, which data will be collected as a result of obtaining such consent, which uses will be made of it, to whom it may be transmitted, and for which purpose. In addition, the patient must be made aware of the risks involved in receiving such a service with regard to data security. The explanation must be made in clear language and should include details regarding the patient's rights to the data, including the right to review the data.
As for external providers, insofar as they wish to use the data for non-therapeutic purposes (such as for research, advertising, streamlining other services provided by them, etc.), they are required to obtain specific consent from patients for such use (in addition to the consent of the health organization). However, in such a situation, the health organization providing the service must inform and clarify to the patient that he or she is not obligated to consent to the additional uses of the data, and that this consent will not be a condition for receiving medical services.
- Reduction of data - All parties must avoid, to the greatest extent possible, the collection and retention of data on patients that is not necessary for the purpose of the medical services. Health organizations and external providers should examine several times a year whether they hold excess data.
- Responsibility of a service provider contracting with a third provider for the provision of remote medical services - A health organization that contracts with a third provider for the provision of telehealth services, including the provision and operation of the technological platform and online medical devices, must ensure that the conduct of the third provider, with regard to protecting patient privacy and data security, is proper, and in accordance with the provisions of the law.
- Identification verification and data security obligations - In the view of the Privacy Protection Authority, verifying a person's identity in telemedicine services is critical in terms of privacy and data protection, and therefore remote medical services must include a mechanism for identifying the therapist and identifying the patient with a good level of certainty, as is also required in the framework of the Ministry of Health's Director General's circular.5 In addition, the retention and transfer of medical data is subject to data security obligations set forth in the Data Security Regulations, as well as to the Ministry of Health's guidelines regarding medical records.6
It should be noted that the position of the Privacy Protection Authority is that online medical devices (which allow remote connection to the databases) are considered 'database systems', with all that this implies in terms of verifying the identification of patients using these devices, and the security obligations imposed on database systems according to information security regulations.
- Termination of use of online medical devices - It is recommended that the health organizations providing the service and the external providers establish procedures for securing the data stored on online medical devices used to provide remote medical services when their use ceases, including the destruction of such data and the devices.
- Privacy aspects of a virtual meeting - Therapists must strictly adhere to the rules of data security in the software and technological devices they use in the virtual meeting. In addition, therapists should take all necessary actions to avoid the exposure of patients' data to other parties in the vicinity thereof, including patients' photos and videos, as well as to reduce the exposure of patient data that is not relevant to the treatment. In addition, it is recommended that therapists work to strengthen their technological skills when it comes to mastering the systems used in the virtual meeting.
For the convenience of the users, two appendices are attached to the document, which are intended to summarize the clarifications and recommendations for remote medical service providers and external providers (Appendix A) and for therapists in an online meeting (Appendix B).
2. See LCA 06/8019, Yediot Aharonot, p. v. Levin (published in Nevo, 2009.10.13).
3. It should be noted that it is clarified in the framework of the document that the classification is intended for clarification and refinement, and is not binding.
4. See the first Addendum to the Privacy Protection Regulations (Data Security), 5777-2017 (hereafter: "Data Security Regulations")
5. See section 5.7 of the Ministry of Health Director General's circular on standards for operating a telehealth service.
6. See Ministry of Health Director General's circular on standards for managing patient records in the health system.