On February 21, 2021, the Israeli Ministry of Health (the “MOH”) issued circular no. 2/2021, titled “Use of Cloud Computing in the Israeli Healthcare System”, which provides guidelines for engagements by healthcare organizations with cloud computing providers (the “Cloud Circular”). The provisions of the Cloud Circular also apply to the use of cloud computing for research purposes related to medical data, when access to such medical data is provided by healthcare organizations.
The Cloud Circular states that a healthcare organization may use a cloud computing application only in accordance with the provisions of the Cloud Circular, and only after an organizational internal procedure for examining the transition to cloud computing usage has been implemented.
The level of risk of using the cloud computing application dictates the process for obtaining the approval required for the relevant engagement: (i) if the risk is low or moderate – the approval of the Organizational Cloud Committee (i.e., the committee that operates within that healthcare organization) should be sought; and (ii) if the risk is high – the opinion of the Sectoral Cloud Committee (i.e., the committee operating in the MOH) shall be required in addition to the approval of the Organizational Cloud Committee.
The Cloud Circular determines that any use of cloud computing by a healthcare organization shall require such healthcare organization to enter into a written agreement with the cloud computing provider. Healthcare organizations are required to examine and evaluate the applicable cloud computing provider’s ability to provide the requested services. Among other things, the healthcare organization should examine and evaluate the implications of the use of cloud computing outside of Israel. The Cloud Circular permits the use of computing services located outside of Israel, in a country that meets the requirements of the applicable Israeli privacy protection regulations. Generally, such privacy protection regulations permit the transfer of data from a database in Israel to outside of Israel if the law in the country to which the data is transferred ensures at a minimum the same level of protection over the data as the level of protection under Israeli law (such as the EU). The Cloud Circular further determines that, among the characteristics that should be considered when choosing a cloud computing provider, preference should be given to selecting a cloud computing provider which implements recognized and accepted international standards, such as ISO 27001, ISO 27017, ISO 27018, SOC 2, CSA, AICPA, as well as those that are compatible with the GDPR.
Healthcare organizations are required to comply with the terms of the Cloud Circular by August 21, 2021. However, with respect to usage of cloud computing that began before the Cloud Circular’s issuance, the terms of the Cloud Circular shall enter into effect at the time of renewal of the applicable engagement with the cloud computing provider, or by February 21, 2023, whichever is earlier.
An unofficial translation of the Cloud Circular is available at: https://www.health.gov.il/hozer/mk02_2021-en.pdf.
For additional information, please contact your GKH attorney or one of the following: Adv. Hili Cohen, partner and head of life sciences department (Hili@gkh-law.com), Adv. Tami Fishman, partner (Tamif@gkh-law.com), or Adv. Ofir Goldstein (Ofirg@gkh-law.com).