On July 24, 2024, following extensive deliberations, the Knesset (the Israeli legislative authority) enacted the Health Information Mobility Law-2024 (the “Law”). The material provisions of this new Law are expected to come into effect in July 2027.
Last year, we sent out a client update on the draft Law while it was still being deliberated. This update included an extensive description of the proposed legislation and can be found here.
The Law aims to modernize health information management in Israel by facilitating better coordination between healthcare providers while ensuring patient privacy and data security. Its stated purpose is: “to regulate individuals’ rights to transfer their medical information, with the goal of improving medical treatment and health outcomes, amongst others, through innovative treatments and personalized, proactive preventive medicine.”
Key provisions of the Law include:
Mandated transfer of medical information between certain healthcare providers through a dedicated interface upon request, without requiring agreements between parties;
Adoption of common data formats and communication protocols to facilitate seamless data exchange;
Introduction of “Information Baskets” – consolidated groups of information items divided by clinical or administrative content, intended to ensure that only relevant and necessary information is transferred in each instance;
License requirements for healthcare providers to receive medical information, ensuring that only qualified entities are involved in the transfer and processing of medical information, including requirements for the types of healthcare providers that can apply for such licenses, enabling the Ministry of Health to conduct audits and to impose conditions for privacy, data security, cyber protection, and use purposes (the manner in which applications for a license are to be submitted will be detailed in a directive from the Ministry of Health);
Setting circumstances under which the Ministry of Health may suspend a license, including if there is a real threat of unauthorized access to data, breach of confidentiality obligations, or cyber-attacks that may cause material damage to the data, interface, or adjacent processes;
Establishing certain requirements for processing of medical information by its recipient, such as setting data retention periods; and
Establishment of an access authorization management system for data transfers, including mandating the provision of certain information notices to the data subject and the data subject’s right to withdraw their consent and request the deletion of their information.
The Law outlines limitations and exceptions to data exchange, including privileged information and conditions under which health organizations which are data sources may refuse transfers. It also clarifies that data sources generally may not charge fees for transferring medical information pursuant to the Law.
Healthcare providers that have received a license to engage in such data transfers will be required to obtain the data subject’s consent for the transfer of medical information via a dedicated access authorization management system. This system, operated by the Ministry of Health, will maintain a list of information sources for each consenting individual. The system will be designed to be user-friendly and minimize privacy risks. Consent can be given digitally or non-digitally but must always be documented and is limited to specific use purposes set forth in the Law (for example, certain healthcare providers may obtain such consent only for providing medical treatment to the data subject, while others may obtain consent for the purpose of presenting full medical records to their insureds). Consents are typically valid for up to one year and can be renewed, with some exceptions, such as for specific medical treatments. The Law grants data subjects the right to revoke their consents at any time.
The Law authorizes the Ministry of Health, with the agreement of the Minister of Justice, to establish certain regulations concerning privacy protection, information security, risk management and cyber defense. These regulations will apply to information sources, recipients and the access authorization management system.
We note that the Law also includes certain data protection obligations which exceed the requirements of the Privacy Protection Law-1981, including an obligation for immediate notification to the Ministry of Health in case of severe security incidents or flaws in information transfer, as detailed in the Law.
The Law specifies penalties of up to 2 years imprisonment or fines (up to NIS 75,300, or 301,200 for corporations), for requesting the provisions of medical information under the Law without a license, or including false or misleading information in the application or other information provided to the Ministry of Health, as further detailed in the Law.
We note that the Law, unlike in its initial draft, does not relate to transfer of medical data for R&D purposes, and as such, the current requirements pursuant to the Patient’s Rights Law-1996, remain in effect.
As we approach the implementation date, we anticipate that the Ministry of Health will issue comprehensive directives. Our firm will closely monitor these developments and provide timely updates.
We strongly advise healthcare providers to begin preparing for implementation and compliance, in order to position themselves to smoothly transition to the new regulatory environment when the Law comes into force in July 2027. Our team stands ready to assist clients in navigating these complex regulatory changes and ensuring full compliance with the new Law.
Last year, we sent out a client update on the draft Law while it was still being deliberated. This update included an extensive description of the proposed legislation and can be found here.
The Law aims to modernize health information management in Israel by facilitating better coordination between healthcare providers while ensuring patient privacy and data security. Its stated purpose is: “to regulate individuals’ rights to transfer their medical information, with the goal of improving medical treatment and health outcomes, amongst others, through innovative treatments and personalized, proactive preventive medicine.”
Key provisions of the Law include:
Mandated transfer of medical information between certain healthcare providers through a dedicated interface upon request, without requiring agreements between parties;
Adoption of common data formats and communication protocols to facilitate seamless data exchange;
Introduction of “Information Baskets” – consolidated groups of information items divided by clinical or administrative content, intended to ensure that only relevant and necessary information is transferred in each instance;
License requirements for healthcare providers to receive medical information, ensuring that only qualified entities are involved in the transfer and processing of medical information, including requirements for the types of healthcare providers that can apply for such licenses, enabling the Ministry of Health to conduct audits and to impose conditions for privacy, data security, cyber protection, and use purposes (the manner in which applications for a license are to be submitted will be detailed in a directive from the Ministry of Health);
Setting circumstances under which the Ministry of Health may suspend a license, including if there is a real threat of unauthorized access to data, breach of confidentiality obligations, or cyber-attacks that may cause material damage to the data, interface, or adjacent processes;
Establishing certain requirements for processing of medical information by its recipient, such as setting data retention periods; and
Establishment of an access authorization management system for data transfers, including mandating the provision of certain information notices to the data subject and the data subject’s right to withdraw their consent and request the deletion of their information.
The Law outlines limitations and exceptions to data exchange, including privileged information and conditions under which health organizations which are data sources may refuse transfers. It also clarifies that data sources generally may not charge fees for transferring medical information pursuant to the Law.
Healthcare providers that have received a license to engage in such data transfers will be required to obtain the data subject’s consent for the transfer of medical information via a dedicated access authorization management system. This system, operated by the Ministry of Health, will maintain a list of information sources for each consenting individual. The system will be designed to be user-friendly and minimize privacy risks. Consent can be given digitally or non-digitally but must always be documented and is limited to specific use purposes set forth in the Law (for example, certain healthcare providers may obtain such consent only for providing medical treatment to the data subject, while others may obtain consent for the purpose of presenting full medical records to their insureds). Consents are typically valid for up to one year and can be renewed, with some exceptions, such as for specific medical treatments. The Law grants data subjects the right to revoke their consents at any time.
The Law authorizes the Ministry of Health, with the agreement of the Minister of Justice, to establish certain regulations concerning privacy protection, information security, risk management and cyber defense. These regulations will apply to information sources, recipients and the access authorization management system.
We note that the Law also includes certain data protection obligations which exceed the requirements of the Privacy Protection Law-1981, including an obligation for immediate notification to the Ministry of Health in case of severe security incidents or flaws in information transfer, as detailed in the Law.
The Law specifies penalties of up to 2 years imprisonment or fines (up to NIS 75,300, or 301,200 for corporations), for requesting the provisions of medical information under the Law without a license, or including false or misleading information in the application or other information provided to the Ministry of Health, as further detailed in the Law.
We note that the Law, unlike in its initial draft, does not relate to transfer of medical data for R&D purposes, and as such, the current requirements pursuant to the Patient’s Rights Law-1996, remain in effect.
As we approach the implementation date, we anticipate that the Ministry of Health will issue comprehensive directives. Our firm will closely monitor these developments and provide timely updates.
We strongly advise healthcare providers to begin preparing for implementation and compliance, in order to position themselves to smoothly transition to the new regulatory environment when the Law comes into force in July 2027. Our team stands ready to assist clients in navigating these complex regulatory changes and ensuring full compliance with the new Law.
_____________________________________________________________________________________________________________________
The content in this communication is provided for informational purposes only and is not intended to be comprehensive. It does not serve to replace professional legal advice required on a case by case basis.
_____________________________________________________________________________________________________________________
For further questions, please get in touch with:
Hili Cohen, Head of the Life Science Practice, International and Hi-Tech Department
Roee Laor, Partner, Intellectual Property and Privacy Department
Ofir Goldstein, Associate, Life Science Practice, International and Hi-Tech Department
