Protection of Patients’ Privacy in the Transfer of Medical Information Through Digital Means
7 March 2024
Dear Clients and Colleagues,
On March 5th, 2024, the Protection of Privacy Authority (the “Authority“) published a document regarding the protection of patients’ privacy in the transfer of medical information through digital means. The document examines the phenomenon and the relevant legal provisions, raising clarifications and recommendations aimed at clarifying the obligations imposed in this context on owners of medical information databases, which mainly arising from the provisions of the Protection of Privacy Law, 5741–1981, and the regulations enacted thereunder.
The purpose of the document is to address and deal with the growing phenomenon in recent years, where many healthcare providers, who provide health and medical treatment services, transfer medical information about patients through non-designated software (e.g. WhatsApp, free email programs, cloud services), installed on digital devices, whether personal or organizational owned, inter alia, as part of communication between healthcare entities and other healthcare providers or patients.
According to the Authority, the transfer of medical information in the aforementioned manner may result in sensitive information being retained on digital devices (private or institutional) and in many databases, including those of commercial companies that provide the infrastructure for the data transfer (including cloud services). All the above pose a risk to the privacy of patients, which may manifest, among other things, in the leakage or exposure of medical information, its theft, disruption, and even its use for commercial or other purposes. The Authority also emphasized that the transfer of medical information by healthcare entities through non-designated software or personal devices may occur without the knowledge or consent of the patients.
In response to the phenomenon and its associated risks, the Authority has published the following clarifications and recommendations:
- Healthcare entities should minimize the use of personal devices or non-designated software for transferring identifiable medical information. Even where usage is permitted, efforts should be made to anonymize patient personal identifiers, transfer information to a dedicated software, and even delete the information from the device afterward.
- The transfer and storage of medical information in non-designated software or personal devices should be minimal and necessary for the transfer and storage of information.
- Avoid storing medical information also in private non-designated backup services (and if stored, delete the information as soon as possible).
- Organizations allowing the use of personal devices or non-designated software are subject to specific obligations regarding data security in the use of devices and systems, as detailed in the Protection of Privacy Regulations (Information Security), 5777–2017, including the installation of software for data protection and prevention of device penetration.
- Use applications originating from official app stores and examine the permissions defined in the applications (minimizing unnecessary data collection).
- Healthcare providers should act in accordance with their employer’s guidelines. Unauthorized transfer of sensitive information from the organization’s data repositories (by an employee) may, in certain circumstances, be considered a serious security incident, as determined by law.
- Medical information about patients stored on digital devices or transferred through data transfer programs may be considered a “computerized medical record,” and therefore the storage and transfer of information are subject to guidelines from the Ministry of Health regarding medical records, their storage and security, in addition to the security obligations imposed on sensitive information under the law and regulations.
- Clear internal organizational policies regarding the storage of medical information about patients on digital devices and the transfer of medical information through non-designated software, should be formulated.
- Assessment of the provision of dedicated devices to employees and promoting the implementation of closed systems for the transfer of medical information that ensure appropriate data security.
The Authority emphasized that it does not seek to prevent the transfer of medical information through personal digital devices or non-designated software but to provide recommendations and clarifications regarding the obligations imposed by law. However, due to the potential harm that may result from the exposure of medical information and its sensitivity, the Authority will not hesitate to exercise its powers under the law if the provisions of the law and regulations are violated.
Healthcare entities, including organizations and institutions providing health services and medical treatment, are responsible for safeguarding the privacy of personal information about their patients and securing it, ensuring compliance with the law and regulations, and structuring (if necessary) their operations accordingly. We recommend contacting us for any specific advice on the subject.
A link to the document (in Hebrew) – click here.
Best regards,
Commercial Department
Herzog Fox & Neeman