Client Update | New Regulation on the Use of Health Data for Research and Commercial Purposes
22 February 2018
Dear clients and friends,
In Israel, health information is constantly being processed and recorded on a large scale, and due to the significant advantages of the Israeli health system, the information is linked throughout the chain of medical treatment. In recent years, with the advancement of information technology and analysis tools in the field of Big Data, many opportunities have emerged for generating valuable insights based on such information.
The Israeli Ministry of Health recently published two General Director circulars, regarding the use for research and commercial purposes of health information which is maintained in health institutions in Israel. As stated in the circulars, the Ministry of Health encourages health institutions to expand their use of the information resource in order to improve health care by sharing health information with research entities from the academia and the industry alike, including start-up companies in the field.
The circulars determine, for the first time, principles for the use of health information for research and commercialization purposes. Therefore these circulars require both the preparation of health institutions and the attention of companies that enter into agreements with health institutions for the provision of health information to these companies.
The circulars are intended to set the principles for “secondary” use of health information. Secondary use is defined as the use of health information for any use other than medical treatment, for example, research use, whether public or commercial. The Ministry of Health is working on full regulatory regime on this matter, and until it completes the formulation of such regulation, these circulars will apply to secondary use of health information.
The circulars apply to each “health institution”, a broad definition that includes any medical caregiver, medical institution, service provider, Israeli sick funds (HMO equivalent), hospitals, pharmacies, ambulance and first aid services (e.g. Magen David Adom) and any other person that holds identified health information due to its responsibility for treating patients, whether public or private.
Circular no. 1/2018 re: Secondary Uses of Health Information
A key principle in the circulars is the de-identification of health information. As a default, secondary use of health information will be done only in de-identified information, i.e. information that has undergone a process of reducing the risk of identifying the individual from the applicable health information. Reducing the risk of identification shall be done, inter alia, by aggregation, reducing the accuracy of the data by using a range instead of a unique value, omitting details, coding and encryption.
Following a period of 180 days from the publication of the circular, each health institution will perform de-identification through means and technology as will be determined on the basis of its professionals’ opinion using their professional discretion. Following a period of one year from the publication of the circular, each health institution will be required to have a written confirmation from a statistician that the information has been de-identified at a level that does not allow for its re-identification by reasonable means and resources available to the general public. The confirmation will be obtained prior to the use of the information.
The circular further states that sharing of health information for the purpose of secondary use will be considered by the health institution on a case by case basis, subject to the law and directives of the Ministry of Health, and will be carried out in accordance with the information security procedures set by such health institution. It should be noted that the Ministry of Health intends to set rules or minimum technological measures for carrying out the process of de-identification in order to create uniformity in the field.
Secondary use of health information for research purposes will be subject to the approval of a Helsinki Ethics Committee (IRB equivalent), which will include a member with knowledge in statistics in order to assess the level of risk for identifying the information. The obligation to include a member with knowledge in statistics in the Helsinki Ethics Committee takes effect immediately. In addition, the request to approve the research will be reviewed by the officer in charge of information security in the institution, who will provide an opinion on the matter. The approval of the Helsinki Ethics Committee will only be given after receiving the approval of the officer.
The circular states that, as a general rule, health institutions should avoid providing copies of the information to third parties where the institution does not have control of such copies. Instead of providing copies, in cases in which information is shared with third parties, the institutions will allow limited access to the information within a secured environment set in the institution facilities.
If the institution provides to third parties copies of health information, including de-identified information, then the level of security used should be no less than the level directed by the Ministry of Health. This will also require the specific approval of the Helsinki Ethics Committee and the authorized body in the institution.
Circular no. 2/2018 re: Collaborations based on Secondary Uses of Health Information
Each health institution is required to provide the Director General of the Ministry of Health a quarterly report which shall include details of any new agreement allowing the secondary use of health information by a third party.
The circular sets forth mandatory guidelines with respect to the drafting of agreements that allow a third party to make secondary use of health information. If a health institution wishes to deviate from the guidelines it must approach the Director General of the Ministry of Health.
Among others, the circular sets forth the following guidelines:
- Agreement Purposes – the agreement will clearly define the purposes for the use of health information and specify how the use of health information shall be beneficial for the general public or to a specific group of patients. The agreement will prohibit the use of information for any purpose not defined in the agreement, for any purpose that does not serve the advancement of medical treatment, public health or medical research, or for any inappropriate social purpose, and specifically discrimination in insurance or employment.
- Exclusivity – the agreement will not provide exclusivity with respect to the secondary use of health information for any third party, nor will it prevent other collaborations that include the use of existing health information in the institution, except for health information which is collected at the request of the other party, at the other party’s expense, as part of the contemplated collaboration, in which case any such exclusivity shall not exceed a period of 18 months.
- Privacy, Confidentiality and Information Security – the agreement will define confidentiality obligations with respect to the processing and collection of health information, including the establishment of control mechanisms, responsibility for data breaches, and the use of information security technological and organizational means. The agreement will also include a personal confidentiality undertaking by any employee which may be exposed to the information.
- Principles for using the Information – the agreement shall not allow providing copies of identified or identifiable information where the institution does not have control of the health institution without obtaining the consent of the patients or if it is not in accordance with the law.
- Additional Provisions –
- The agreement will include provisions for remedies and sanctions in case of failure to comply with the circular guidelines, taking into account the nature of the agreement, the scope of the underlying information and the identity of the parties. Such provisions shall ensure that a breach will result in significant remedies, including the right to terminate the agreement.
- The agreement will include one of the following provisions: the agreement will be performed subject to any future regulatory change, or alternatively, the term of the agreement will not exceed five years, with the possibility of extending it for additional fixed periods, subject to any regulation that will apply at such time.
- The agreement will include a provision allowing the health institution to terminate or suspend it if the Director General of the Ministry of Health directs that it be terminated due to a breach of the circular (subject to an administrative hearing).
Herzog Fox & Neeman