The Israeli Privacy Protection Authority (PPA) published draft guidelines on data protection and privacy obligations in tele-health services. The guidelines are addressed to healthcare organizations, clinics, health practitioners, and relevant service providers involved in data processing operations throughout the tele-health value chain.
The draft guidelines map out the relevant privacy and data protection provisions in statutes, regulations, and professional rules of ethics, and detail the potential privacy risks arising from the use of tele-health services, including breach of confidentiality, data leaks, and the collection and processing of excessive information. According to the draft guidelines, health practitioners and healthcare organizations should take the following steps, among others, to enhance privacy and data protection:
- Complying with the principle of purpose-limitation in the collection and processing of health data.
- Conducting a privacy impact assessment at the initial design stage of the tele-health system.
- Ensuring transparency with patients, and obtaining their informed consent, with emphasis on obtaining patients’ specific and freely given consent if their health data is to be used for secondary purposes (e.g., for research or improvement of the service).
- Providing enhanced transparency to data subjects concerning the use of AI-based algorithms.
- Implementing appropriate measures for authenticating the identity of patients and individuals who are authorized to access patients’ health information.
- Implementing appropriate procedures for decommissioning physical data storage media.
In addition, the guidelines provide clarifications and recommendations for health practitioners conducting remote virtual healthcare sessions.
CLICK HERE to read the Privacy Protection Authority’s draft guidelines (in Hebrew).