Telehealth Regulation

Italy

Is the use of telehealth permitted?

Yes, telehealth is permitted in Italy. Italian authorities refer to telehealth as "telemedicine" (telemedicina).

Over the last three (3) years, Italian authorities have adopted several rules and guidelines on telehealth.

Italy

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Telehealth services normally include the following subjects:

• Patients;
• One or more "Provider(s)" (Centro erogatore) – Public or private HCOs and HCPs providing telehealth services;
• A "Services Centre" (Centro Servizi) – To manage the data exchanged between patients and providers. Please note that a "Provider" may also carry out the functions of a "Services Centre".

Telehealth services may cover several areas of human medicine (e.g. cardiology, psychiatry, and paediatrics). In particular, telehealth services may play a pivotal role in laboratory and diagnostic imaging.

The MoH Guidelines consider that telehealth services may specifically apply to:

• Secondary prevention – Telehealth services for people who are classified as being at risk or who have already been diagnosed (e.g. diabetes or cardiovascular diseases);
• Diagnosis – Telehealth services may support the diagnostic process (e.g. by facilitating the performance of specific laboratory tests);
• Treatment – Telehealth services aimed at making therapeutic choices;
• Rehabilitation – Telehealth services for specific categories of patients (e.g. frail patients); and
• Monitoring – Telehealth services may help connect patients with their treating physicians / caregivers in order to properly monitor disease management.

Italy

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

Although telehealth services are still more commonly used in private practice, the rules and guidelines adopted over the last three (3) years are expected to bolster the implementation of telehealth in the public sector.

In particular, two Italian regions – Lombardy and Puglia – have been identified as "lead" regions as they are at the forefront of the implementation of telehealth solutions in compliance with the guidelines and rules issued by the Agenas and the MoH.

The Italian NHS is expected to regulate in detail the costs – and conditions for reimbursement – of telehealth services in the public sector.

Italy

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

There are no specific national laws governing the processing of personal data in the context of telehealth services so far. 

However, the Italian Government has been working on strengthening the existing database named 'Electronic Health Record' (Fascicolo Sanitario Elettronico) and establishing the new National Telehealth Platform, which will raise new severe risks for patients' privacy.  For this reason, we expect that the Italian regulator will release new rules to address the privacy-related risks arising from the implementation and use of these systems as soon as they will be in place.

Currently, the processing operations of personal data carried out in this context falls within the regulatory framework of the EU General Data Protection Regulation 2016/679 (“GDPR”) and Legislative Decree 196/2003, as lastly amended by means of Legislative Decree 101/2018 (the Italian Privacy Code), as well as the decisions and guidelines issued by the Italian Data Protection Authority and other authorities having jurisdiction in the subject matter (jointly referred to as Privacy Laws).  In particular:

• Under Article 9, let. h) of the GDPR, patient’s consent is not required where the processing of personal data is necessary for the purposes of medical diagnosis, the provision of telehealth services, or the management of telehealth systems and services, on the basis of EU or member state law or pursuant to contract with a HCP;
• Patients must be adequately informed on the processing activities related to the performance of telehealth services, by means of a privacy information notice listing any element required under Articles 13 and 14 of the GDPR;
• Personal data, including heath data, must be processed in accordance with data processing principles set forth under Article 5 of the GDPR; and
• Adequate technical and organizational security measures must be adopted. In this regard, Italian Privacy Laws do not specifically identify the required security measures, providing that both data controllers and processors must determine the measures to be implemented by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.  Considering that special categories of data (i.e. health data) are processed in performing telehealth services, the security measures to be taken must be particularly robust.

Italy

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Cross-border transfers must be carried out in accordance with Articles 45 and ff. of the GDPR.  This means that personal data, including health data, may be lawfully transferred in case one of the following requirements is met:

• There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
• The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 and ff. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to European Data Protection Board’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, that can be applied only whether specific circumstances are met.

Italy

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

The MoH Guidelines only include a general statement concerning the need to comply with applicable privacy laws in using telehealth systems.

Moreover, the Italian Data Protection Authority issued Decision no. 55 of 7 March 2019 on ‘Clarifications on the enforcement of the rules for the processing of health data in the health sector’, which also mentions processing of health data in the context of telehealth services. 

Italy

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

The rules and guidelines issued over the last three years have significantly improved the legislative and regulatory framework governing telehealth.  On this basis, we expect that the Italian public sector will adopt and implement several telehealth solutions in the upcoming months and years. 

The National Telehealth Platform, which should be delivered for testing and startup by November 2023, aims at ensuring uniformity in the provision of telehealth services across Italian regions.  This will represent a major challenge for the Italian NHS.