Written by Haim Ravia and Dotan Hammer
The Israeli Privacy Protection Authority (PPA) published the final version of its guidelines on data protection and privacy obligations in tele-health services, following its March draft. The guidelines are directed to healthcare organizations, clinics, health practitioners, and relevant service providers involved in data processing operations throughout the tele-health value chain.
The guidelines map out the steps that healthcare providers and practitioners need to take regarding telehealth services such as collection and transfer of patient data, virtual appointments, and AI-based diagnostics services.
The final version of the guidelines is substantially similar to the draft guidelines, but they address these additional matters:
- The economic value of health data can lead to the excessive collection of such data. This, in turn, increases the risk of severe security incidents and unlawful use of health data.
- Service providers are not responsible for data security in the patients’ homes. Yet, they are required to clarify to patients the risks involved in tele-health services. Service providers should also inform patients that they are responsible for the security of their home computers and devices.
- A service provider may act as a “co-owner” of health databases, along with the healthcare provider. This applies where the service provider uses the data for additional purposes of its own (e.g., for research and development). In that case, the healthcare provider is required to obtain the separate consent of the patients to use their data for an additional purpose. When obtaining such consent, the healthcare provider must clarify to patients that their consent is not a condition for receiving the medical service.
- Data collected during the provision of remote medical services may constitute “medical records”. In that case, the data will be subject to other relevant provisions of the Patient’s Rights Law, 5756-1996, and any Ministry of Health guidelines regarding medical records.
CLICK HERE to read the Privacy Protection Authority’s guidelines (in Hebrew).
