Telehealth Regulation

How is telehealth regulated?

Generally speaking, there are no specific laws regulating telehealth. Instead, healthcare professionals will be subject to the usual legislation, licensing and registration obligations, and professional codes of conduct which are specific to their particular field, in the same way that they would be should the service be provided in a face to face setting.

In November 2019, jointly agreed ‘high level principles for good practice in remote consultations and prescribing’ were published by a range of co-authors, including (but not limited to) the Care Quality Commission ("CQC"), the General Dental Council, the General Pharmaceutical Council, and the General Medical Council. The key principles include making patient safety the first priority and understanding how to identify vulnerable patients and take appropriate steps to protect them.

It has been recognised by regulators that the provision of healthcare via telehealth means could potentially create an additional level of risk to patients, which will need to be managed by the healthcare provider (for example, in August 2021 the General Pharmaceutical Council’s Director of Insight, Intelligence and Inspection wrote to organisations representing pharmacies and pharmacy professionals to highlight serious patient safety concerns relating to online prescribing services). A number of regulators and trade bodies in the UK have therefore sought to issue guidance to the professionals they regulate. By way of some examples:

  • The General Pharmaceutical Council issued guidance in April 2019 on providing online pharmacy services, detailing the steps that pharmacists could take to ensure that they continue to meet the standards expected of them. This guidance was updated in March 2022 to provide further clarity around identity checking of people using the service, and to align the guidance with other guidance produced by themselves and others.
  • The General Medical Council issued guidance in response to the COVID-19 pandemic, to assist doctors in providing remote consultations and steps they could take to manage patient safety.
  • The British Medical Association, the trade union and professional body for doctors in the UK, has also issued guidance on how to run remote consultations with patients.

In addition, NHS England have developed guides on video consultations (produced in partnership with the University of Oxford). These include for example the ‘Guide to adopting remote consultations for people with skin conditions’ and ‘Guide to adopting remote consultations in adult musculoskeletal physiotherapy services’.

Any healthcare professional looking to use telehealth in the UK should ensure that they have the appropriate licence and registration for the healthcare services they provide (in 2022 an online doctor’s service was ordered to pay £13,670 after pleading guilty to providing services without being registered with the Care Quality Commission ("CQC")), as well as review any available and applicable guidance issued on best practice for the provision of remote services.

A study was published by Europe Economics in January 2018, which was commissioned by the General Medical Council to review regulatory approaches to telemedicine around the world. In this study, it was noted that the CQC, the regulator of private healthcare providers in the UK, had particular concerns with telemedicine, including lack of access to patients’ records, identification of the patient and their key characteristics (i.e. gender, sex, weight), and healthcare not being provided in real time and on a text basis. The CQC provided an update on its website in September 2019 stating that the online provision of health and care services challenges the existing regulatory landscape by transforming how care is delivered, where and by whom. It noted that it was working with other regulators and adopting a coordinated approach to address regulatory gaps and help improve the quality and safety of services for people in the UK.

It is possible that guidance will continue to be issued by the regulators, and legislation regulating healthcare providers updated, to address any regulatory gaps.

Last modified 3 Apr 2023

United Kingdom

Is the use of telehealth permitted?

Yes. Telehealth has been active in the UK for a number of years. Since the COVID-19 pandemic, the use of telehealth has grown significantly, and a range of different healthcare providers are making use of new and innovative technologies in order to provide services to patients.

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

The type of healthcare services for which telehealth is currently available in the UK includes the following:

  • General practice – Doctors have been providing remote video and telephone consultations to patients.
  • Pharmaceutical – prescriptions can be ordered via an app.
  • Dentistry – During the COVID-19 pandemic, many dentists were providing dental care services remotely. There are also a number of companies on the market in the UK which provide clear aligner therapy remotely.
  • Psychological – telephone and video counselling has been provided to patients.

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

The NHS (the UK’s public health system) is using telehealth to supplement its current provision of healthcare services and as an alternative during the COVID-19 pandemic. These services are free of charge and are part of the national health service coverage provided to UK citizens. During the COVID-19 pandemic, many consultations were carried out remotely, and via video conferencing.

The NHS has recognised the benefit of using technologies as part of healthcare for some time. It developed the Technology Enabled Care Services ("TECS") Resource for Commissioners in January 2015. The intention of this resource was to raise awareness of how the wide range of TECS can support commissioning intentions and benefit patients, families, health and social care professionals and provider managers. No specific examples of services are provided in the resource (although a TECS evidence database and TECS Case study database can be accessed separately), and it is instead designed to promote the use of technology including the use of telehealth services within the healthcare profession. This does, however, illustrate the NHS’s endorsement of telehealth and its appreciation that such can be used in the provision of healthcare.

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

There are no specific data privacy requirements relating to telehealth, therefore the usual principles of the General Data Protection Regulation ("GDPR") as implemented and tailored by the Data Protection Act 2018 apply. Organisations engaging in telehealth will need to comply with the following 7 key principles and ensure they have a lawful basis for processing.

  • lawfulness, fairness and transparency;
  • purpose limitation (i.e. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes);
  • data minimisation (i.e. data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed);
  • accuracy (and kept up to date);
  • storage limitation (i.e. kept for no longer than necessary for the purposes for which the data is processed);
  • integrity and confidentiality (security) (i.e. processed in a manner that ensures appropriate security of the personal data); and
  • accountability (which requires organisations to have appropriate processes and records in place to demonstrate compliance).

Given telehealth is likely to involve the processing of special category data (health data, genetic data, biometric data (where used for identification purposes)), the provisions relating to special category data in the GDPR will apply.

Therefore, before processing any special category data an organisation must have a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9 (these do not have to be linked) and document the relevant conditions. In respect of health data, if an organisation relies on the "health or social care (with a basis in law)" or "public health (with a basis in law)" conditions, the organisation will need to meet the associated condition in Part 1 of Schedule 1 of the Data Protection Act 2018. Additionally, an appropriate privacy policy will be required which sets out the details of the data being collected, the purpose, the conditions under which they are being processed and any third parties with whom the data is being shared. Special category data is likely to be regarded as high risk processing and therefore a Data Protection Impact Assessment ("DPIA") will be required.

Record keeping will be especially important, including the documenting of the categories of data. Organisations should also consider the interaction of the provisions on data minimisation, security, transparency, data protection officers and individual rights to access and erase records.

If the telehealth solution incorporates any artificial intelligence to support, or make decisions about individuals (such as using algorithms underpinning symptom checkers) then there are additional considerations, such as compliance with the Medical Devices Regulations 2002. The specific restriction in the GDPR on automated decision making (Article 22) may also apply in these cases, so will need to be carefully addressed. We also highlight the general non-sector specific guidance the Information Commissioner’s Office ("ICO") has issued jointly with The Alan Turing Institute on use of AI, which highlights the need to follow the following principles:

  • be transparent;
  • be accountable;
  • consider the context you are operating in; and
  • reflect on the impact of your AI system on the individuals affected, as well as wider society.

These principles relate to providing explanations of AI-assisted decision making to individuals and supplement the data protection principles in the GDPR so following these principles will enable organisations to follow "best practice" when explaining AI decisions.

Additionally, all healthcare staff have a duty of confidentiality in respect of all identifiable patient information and thus careful guidelines which are issued by bodies such as the British Medical Association and the General Medical Council should be adhered to, in addition to the normal data privacy regulations referred to above.

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

The rules set down in Chapter V of GDPR impose extra controls where the cross border transfer of personal data involves data sharing of EU originating data to a country outside the EU/EEA. These provisions place restrictions on the transfers of personal data outside the EEA, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies (such as where there is a medical emergency and the transfer of the data is needed in order to give the medical care required – the imminent risk of serious harm to the individual must outweigh any data protection concerns).

Organisations transferring personal data need to ensure that there is adequate protection of the personal data being transferred in the country to which the data is being transferred. Certain third countries will already have an "adequacy decision" granted by the European Commission which confirms that the relevant country has an adequate level of protection for data transfers. If an adequacy decision is not in place, many organisations look to put in place Standard Contractual Clauses (which are EU-approved terms). There are other alternatives that can be considered to ensure the transfer is covered by appropriate safeguards, such as EEA-approved binding corporate rules, but the most common approach is the use of the Standard Contractual Clauses.

For transfers to the US, the European Commission had previously found that if transfers to the US were conducted in accordance with EU-US Privacy Shield framework then this would give sufficient protection as it placed requirements on US companies certified by the scheme to protect personal data and provide redress mechanisms for individuals. However, as a result of the recent Schrems II case (16 July 2020) Privacy Shield is no longer a valid route.

Due to Brexit, at the end of the transition period (31 December 2020), in the absence of an adequacy decision in respect of the UK, transfers from the EEA to the UK will need to comply with EU GDPR transfer restrictions as the UK will be regarded as a third country.

The UK will also be adopting its own equivalent rules on data transfers to countries outside the UK after that date.

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

The UK’s Medicines and Healthcare Products Regulatory Agency is responsible for regulating apps, smartphone-connected devices and wearable technologies which constitute medical devices, and has published useful guidance which helps organisations distinguish between a device that is simply a technology-enabled care device and a medical device falling under the UK Medical Devices Regulations 2002 (as amended).

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

Whilst at this stage, we are not aware of any pending changes to the regulatory framework around the provision of telehealth in the UK, given that there has been an increase in the use of telehealth in the last few years, we would anticipate that regulators will continue to respond with any relevant guidance or codes of conduct (or updates to those that have already been issued), specific to the healthcare service which they regulate. This is likely to be the case in the event that any regulatory gaps are identified.

Legislation can at times fail to keep up with technological advances, and therefore it is possible that this will become an area which is subject to further scrutiny and legislative updates in the future.
