On August 2, 2022, Israel’s Privacy Protection Authority (PPA) published a document containing guidance on the protection of privacy in providing telemedicine services. The PPA is the Israeli regulatory and enforcement authority for personal digital information, in accordance with the Privacy Protection Law, 5741-1981, as amended.
The document highlights the privacy challenges involved in the use of telemedicine services and presents key recommendations regarding the use of telemedicine services. Telemedicine may be defined as “medical care provided remotely to a patient in a separate location using two-way voice and visual communication (as by computer or cell phone).”
Background to the Guidelines
According to the PPA press release:
The document published by the PPA maps the remote medical services, reviews the relevant provisions of the law, presents the risks inherent in them to the privacy of patients, details the obligations imposed on health organizations, external providers, and caregivers, and includes key recommendations for maintaining privacy when using these services. …
The PPA emphasizes that medical information is sensitive personal information and its leakage may have severe consequences, both at the patient level and at the level of public trust in the country’s health institutions. Failure to secure information as required may also lead to its disruption, in a way that may serve as a basis for erroneous medical decisions, and hence even harm the health of patients [emphasis in original].
The document lists a number of recommendations for hospitals, clinics and healthcare companies (healthcare organizations), telemedicine service providers, and patients.
Healthcare organizations should receive patients’ informed consent for remote medical services, and avoid collecting and retaining information from patients that is not necessary for providing remote medical services or fulfilling the purpose of the database in which this information is used.
Healthcare organizations that contract with a third-party provider to provide telehealth services, including providing and operating the technological platform and online medical devices, should supervise the third party’s handling of privacy and information security.
In general, health organizations that provide telemedicine services own the databases in which patients’ information is stored. As such, they must verify the identity of both patient and caregiver through a sound identification mechanism that uses levels of identification and means appropriate to the circumstances and to the type of action being performed. As database owners, health organizations must also ensure that access to the database is restricted to authorized persons. The PPA document clarifies that the same security requirements apply to online medical devices, because they enable remote connection to the database.
Telehealth Care Providers
Care providers should act cautiously and refrain from unnecessarily exposing patients’ photos and video recordings obtained through telehealth beyond what is needed for medical treatment. Care providers must also strictly adhere to the rules of information security for the software and technological devices used in providing remote care, which include keeping them in a protected place and under a password that prevents access without proper permission. Public Wi-Fi networks must not be used while providing telehealth care. Remote treatment may be given only through a private network that is protected by a password and by protective software such as antivirus and a firewall. Patients must be informed at the beginning of their remote treatment that the session will be filmed and recorded, and they must be advised to refrain from disclosing excess information that is not required for the treatment. Care providers should also alert patients when they expose themselves or their household members unnecessarily.