Key Contacts

Fredrika Allard

Special Counsel and Head of Life Sciences

Advokatfirma DLA Piper Sweden KB

T: +46 8 614 4913

Jennie Nilsson

Partner and Head of Data Privacy and Information Security

Advokatfirma DLA Piper Sweden KB

T: +46 73 867 67 87

Sweden

Is the use of telehealth permitted?

Yes, telehealth is permitted in Sweden.

Last modified 3 May 2021

How is telehealth regulated?

The National Board of Health and Welfare (Sw: Socialstyrelsen) has issued the guidance "Digital care. Overarching principles for treatment and care" ("Digitala vårdtjänster Övergripande principer för vård och behandling") regarding when provision of treatment and care digitally is suitable, available (only in Swedish) here.

Strama, the Swedish strategic programme against antibiotic resistance, has also issued certain recommendations, available (only in Swedish) here.

Furthermore, the Swedish Regions and County Councils (Sw. Sveriges regioner och kommuner (SKR)) has issued certain recommendations regarding digital healthcare services, available (only in Swedish) here, as well as recommendations on marketing of such services, available (only in Swedish) here.

Last modified 3 May 2021

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Telehealth in the form of digital healthcare visits is mainly provided within primary care and psychology as well as for veterinary care. In general, such services are provided through the use of proprietary platforms.

Last modified 3 May 2021

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

Telehealth in the form of digital healthcare visits is included in the public health system. Patients pay a patient fee (Sw: patientavgift) for such visits. The Swedish Regions and County Councils (Sw. Sveriges regioner och kommuner (SKR)) have issued recommendations for the public sector regarding minimum patient fees for such visits, available (only in Swedish) here. The amount of the patient fee depends on the county council (region) in which the healthcare provider is registered.

Fees for veterinary care are generally covered by private health insurance.

Last modified 3 May 2021

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

In Sweden, there are no privacy and/or data protection laws that apply specifically to the provision of telehealth services. In general, processing of personal data is instead regulated by the General Data Protection Regulation, (EU) 2016/679 ("GDPR"), and supplementary legislation, including the Data Protection Act (2018:218) and the Data Protection Ordinance (2018:219).

Moreover, sector and processing specific regulations may apply, such as:

  • the Patient Data Act (2008:355);
  • the Patient Data Ordinance (2008:360);
  • the Pharmacy Data Act (2009:367);
  • the Act (2018:744) on Medical Insurance Investigations;
  • the Patient Safety Act (2010:659); and
  • as of 1 January 2023, the new Act (2022:913) on Shared Health and Care Documentation.

Last modified 3 May 2021

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

General remarks

General GDPR requirements on cross-border transfers of personal data apply. Controllers and processors intending to transfer personal data to third countries must ensure that the conditions laid down in the GDPR are met. In particular, the conditions for third-country transfers in Chapter V of the GDPR must be observed.

Adequacy decisions

Transfers of personal data outside the EU/EEA are permitted to countries that are subject to a so-called adequacy decision from the European Commission, whereby the Commission has determined that the area provides an adequate level of data protection (Article 45(1) of the GDPR).

Appropriate safeguards

Transfers to third countries are also permitted insofar as appropriate safeguards have been provided by the controller or processor (Article 46 of the GDPR), and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The appropriate safeguards include binding corporate rules and standard contractual clauses.

On 16 July 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-US Privacy Shield in the so-called Schrems II case (judgement of the CJEU in Case C-311/18). Moreover, the CJEU clarified that exporters of personal data to third countries may continue to rely on standard contractual clauses. When doing so, however, exporters need to carry out a so-called transfer impact assessment and implement supplementary measures as necessary in each individual case, in order to be able to ensure that a level of protection essentially equivalent to that which is guaranteed within the EU can be upheld.

Derogations

By way of exception, a third-country transfer of personal data may take place subject to a limited number of derogations set out in Article 49 of the GDPR. Such a derogation exists, inter alia, if the transfer is necessary to safeguard the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving his or her consent.

Last modified 3 May 2021

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

There are applicable regulations which are not specific to the provision of telehealth services but which, inter alia, regulate healthcare providers' processing of personal data. The National Board of Health and Welfare has issued "Regulations and general advice on record keeping and processing of personal data in healthcare" ("Socialstyrelsens föreskrifter och allmänna råd om journalföring och behandling av personuppgifter i hälso- och sjukvården (HSLF-FS 2016:40)"), which includes provisions on information security, as well as guidance on how to apply the aforementioned provisions ("Handbok vid tillämpningen av Socialstyrelsens föreskrifter och allmänna råd (HSLF-FS 2016:40) om journalföring och behandling av personuppgifter i hälso- och sjukvården"), available (only in Swedish) here and here.

Moreover, different regions may have issued guidance/policies regarding information security when providing telehealth services.

In addition, the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap) ("MSB") has issued "Regulations and general advice on information security for operators of essential services" ("MSBFS 2018:8 föreskrifter och allmänna råd om informationssäkerhet för leverantörer av samhällsviktiga tjänster"), available (only in Swedish) here. These regulations apply to operators of essential services, as defined in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so-called NIS1 Directive), and set out a framework for the systematic and risk-based information security work that must be carried out by such operators.

Last modified 3 May 2021

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

An official report (SOU 2019:42) was presented to the government in October 2019 proposing, inter alia, that all healthcare providers should provide telehealth in the form of digital healthcare visits (in addition to physical visits), and that all telehealth service providers must be able to provide physical healthcare. The report has been sent for consultation to relevant government agencies, organisations, municipalities and other stakeholders. Whether or not the report will result in a proposal for a governmental bill remains to be seen. The report is available (in Swedish only) here.

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union ("NIS2 Directive") was published in the Official Journal of the European Union on 27 December 2022. National implementing measures must be adopted by Member States and shall be applied from 18 October 2024. With effect from the latter date, the NIS2 Directive will repeal Directive (EU) 2016/1148 (commonly known as the NIS1 Directive). The NIS2 Directive is a minimum harmonization directive, and Member States can therefore adopt regulations that ensure a higher level of cybersecurity nationally.

The NIS2 Directive aims to raise the level of cybersecurity across both public and private sectors, including the health sector, and sets out inter alia required risk management measures and reporting obligations.

At EU level, in May 2022 the European Commission published a proposal for a Regulation on the European Health Data Space, intended to establish the European Health Data Space by providing for rules, common standards and practices, infrastructures and a governance framework for the primary and secondary use of electronic health data. On 12 July 2022 the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion on the proposal upon request from the Commission (available here). In the Opinion, the regulators raised several concerns regarding the proposal from a data protection point of view, inter alia with regard to the proposal's wording on secondary use of health data.

Last modified 3 May 2021
