In March 2024, the Israeli Privacy Protection Authority (the “Authority”) published a policy document regarding the protection of patients’ privacy in the transfer of medical information using digital means by healthcare providers (the “Policy Document”).
The Policy Document was published in light of a recent phenomenon of unsecured transfer of medical data by healthcare providers through digital devices, using software that is not designated for transmitting medical information (e.g., Signal, Telegram, Gmail, WhatsApp) and may compromise patient privacy. The Policy Document presents the various risks involved in using non-designated software and private devices to transfer personal health information, such as the possibility of data leakage, accidental exposure of the information due to human error, possible theft of sensitive information, and the risk of misuse by the commercial companies that provide the infrastructure for transferring the information.
The Authority has not determined categorically that medical information should not be transferred through private devices or non-designated software. However, the Authority provided recommendations in view of patient privacy.
Such recommendations include, inter alia:
- Minimize the use of non-designated software. Healthcare institutions must minimize, as much as possible, their employees’ use of software that is not intended to transmit identifiable medical data, and refrain from storing such information on private devices.
- Ensure adequate security. Security measures should be adopted with respect to the devices and software used to transmit medical data, such as a strong and complex device login password, two-factor authentication, biometric identification, etc. Health officials should condition their employees’ use of non-designated software for transferring medical data on the installation of software designed to protect both the information and the device used, such as firewall and antivirus software.
- Compliance with the Israeli Patient’s Rights Law. A transfer of medical data that is not carried out in accordance with the provisions of the Patient’s Rights Law, or under an authorization in another law, requires the patient’s consent.
In addition, the Authority calls on the management of medical institutions to raise healthcare providers’ awareness of the privacy risks involved in the use of private digital devices and non-designated software, and to guide healthcare providers on proper conduct when transferring medical data in this way.
Although the document is defined as a “recommendation only”, the Authority clarifies that, due to the sensitivity of medical data and the potential for damage resulting from its leakage, it will adopt a strict approach towards violations of applicable privacy laws, inter alia as detailed in the Policy Document.
For further questions, please get in touch with:
Ella Tevet, Head of the Intellectual Property and Privacy Department
Hili Cohen, Head of the Life Science Practice, International and Hi-Tech Department