Privacy and Data Protection

Australian privacy and surveillance laws are generally applicable to the provision of telehealth services in Australia.

At the Federal level, the core privacy legislation is the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs").  State and territory legislation broadly aligns with the Federal framework, and have legislation which addresses how public sector agencies and health service providers manage sensitive health information.  The Privacy Act regulates the collection, use and disclosure of personal information, defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not.   All personal information collected in the course of providing a health service, including information or an opinion about the health of an individual and their wishes about the future provision of health, is considered health information under the Privacy Act.  Health information is sensitive information, which is granted additional protections under the Privacy Act and, APPs, and certain State and Territory legislation, due to its significance and the potential harm that could result from misuse.  Telehealth services are identified as a health service provider under the Privacy Act.

To comply with the Privacy Act and the APPs, telehealth service providers must handle all patient information in a manner that complies with their legal obligations.  In particular, health information can only be collected by lawful and fair means, and generally only with the patient’s (express or implied) consent and where the information is reasonably necessary for providing a health service to that patient.  Certain exemptions do apply to "health service providers" (including telehealth businesses), such as where the collection is necessary to provide a health service and is either authorised by law or it is collected in accordance with confidentiality rules established by competent health boards or medical bodies.  Consent is also not required where information is collected or disclosed in order to prevent a serious threat to life, public health or safety.  Health information can only be collected directly from the patient unless it is not reasonable or practical to do so.  There are also similar consent restrictions on the use and disclosure of health information, and typically higher standards of security are also expected.

Surveillance laws operating at the federal, and state and territory levels will also be relevant where, for example, telehealth providers intend to record the provision of services to patients.  At the federal level the Telecommunications (Interception and Access) Act 1979 (Cth) makes it an offence to intercept or access private telecommunications without the knowledge of those involved in that communication.  State and territory surveillance laws also prohibit the recording of private conversations without the consent of the participants to that conversation.  In practice, telehealth service providers would need to ensure that all participants to recorded conversations have provided their express consent to any such recording.

Beside the general applicability of GDPR and the Austrian Data Protection Act, the following specific personal data protection laws apply to defined restricted specific data applications (e.g. data transfers between doctors / hospitals):

• Federal Health Telematics Act (Gesundheitstelematikgesetz); and
• Health Telematics Regulation (Gesundheitstelematikverordnung).

There are also several data protection provisions included in the Federal Doctors Act, Federal Dentist Act, Federal Pharmacy Act, etc., which in principle do not go beyond GDPR requirements.

Emphasis should be laid on secure technical solutions (e.g. encryption).

Yes, Bahrain’s Law No. 30 of 2018 on Personal Data Protection Law ( "PDPL") sets out the requirements for processing personal data both in Bahrain and abroad. This would generally include the provision of telehealth services.

Pursuant to the PDPL, the processing of personal data shall be prohibited without the consent of the owner thereof, unless such processing is necessary for any of the following:

• implementation of a contract to which the data subject is a party;
• taking steps upon the request of the data subject for the purpose of conclusion of a contract;
• implementation of an obligation prescribed by Law, contrary to a contractual obligation, or issuance of an order from a competent court or the public prosecution;
• protection of the vital interests of the data subject; or
• exercise of the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.

No specific rules under data protection Belgian law with regard to telehealth. General rules of the GDPR apply.

The General Data Protection Law (Federal Law no. 13,709/18 or "LGPD"), highly inspired by the European General Data Protection Regulation ("GDPR"), provides a new privacy landscape for Brazil and applies to any processing of personal data: (i) which is carried out within the Brazilian territory; (ii) which has an objective to offer / supply goods or services, or process data of the individuals localised in Brazil; or (iii) if the personal data is collected from the Brazilian territory. Thus, the offering of telehealth services in Brazil will be subject to the LGPD provisions.

The Brazilian Telehealth regulation (i.e., Federal Law n. 14,510/2022) also establishes that data privacy and the digital responsibility are fundamental principles for the provision of telehealth services, as well as the obligation to comply with the LGPD. All Brazilian self-regulatory bodies such as CFM and CFF positioned themselves in the same way.

It is important to stress that the LGPD has been in force since September 28, 2020. The penalties provided by the law, however, are only going to be enforceable in August 2021. Notwithstanding the foregoing, public authorities (such as consumer protection bodies and public prosecutors) and data subjects can enforce their rights based on the LGPD.

In addition to this, the Brazilian National Authority (i.e. the supervisory authority responsible to further regulate data protection in Brazil, also known as "ANPD") is now in operation. The LGPD has several provisions to be further regulated and interpreted by the ANPD, which may have an impact on businesses, and require further localisation and adjustments for compliance in the future. It is recommended that the actions of the ANPD in relation to such matters be monitored.

According to the LGPD, the concept of personal data shall be understood as "any information regarding an identified or identifiable natural person". Based on that definition, any collected information which is able to identify a natural person will be understood as personal data and, therefore, subject to the LGPD principles, obligations and rights. The law also includes the definition of sensitive personal data, which encompasses health data along with any information of a natural personal regarding racial or ethnic origin, religious conviction, political opinion, union membership or to a religious, philosophical or political organisation, data related to sexual life, genetic or biometric data.

No specific laws.

• Privacy and data protection laws that relate to personal health information vary from province to province. These laws apply to the provision of healthcare generally and do not relate specifically to the provision of telehealth.
• The Personal Information Protection and Electronic Documents Act ("PIPEDA") is a federal Canadian Act that applies to every organisation that collects, uses or discloses personal information in the course of commercial activities. As a general rule, PIPEDA does not apply to the core activities of municipalities, universities, schools, and hospitals. Instead, personal information collected by municipalities, universities, schools and hospitals is protected by provincial legislation. The provinces of Alberta, New Brunswick, Newfoundland, Nova Scotia, Saskatchewan, Manitoba, Ontario, and Prince Edward Island and the Northwest Territories and Yukon have enacted personal health information legislation that applies to the healthcare sector. Quebec’s Act respecting health services and social services also contains important provisions regarding personal health information. British Columbia has several laws that address health information privacy.
• Healthcare providers in private practice such as doctors, dentists, and chiropractors are engaged in a commercial activity and thus are subject to PIPEDA, unless substantially similar provincial legislation applies. The provinces of Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have passed their own health privacy laws, which have been declared substantially similar to PIPEDA with respect to health information. The Information and Privacy Commissioner of Ontario published guidance for the health sector on Privacy and Security Considerations for Virtual Health Care Visits, which includes steps that health information custodians can take to better protect personal health information, especially in the virtual care space.

The main laws that are applicable are Law No. 19,628 on Protection of Private life (when the controller is a public or private entity), and Law No. 20,285 on Access to Public Information (only when the controller is a public body). In addition, some provisions of Law No. 20,584 on Rights and Obligations of patients will also be applicable.

The provisions that rule data processing in this context are the ones that apply for any other data processing activity, which in summary require the controller to obtain from the data subject their prior, express, specific, informed and written consent. This implies providing all data subjects with enough and clear information about the data to be collected, the processing activities and the purposes of the data processing, as well as the possible communication of said data to third parties.

Furthermore, the Guides issued by the Ministry of Health on Telehealth and on Data Safety have included some obligations and / or recommendations regarding the provision of healthcare services, including the need of having an adequate technological infrastructure for providing the healthcare services, a system for tracing the data processed, and an HR policy that regulates who will have the right to access patients’ data and their responsibilities, in addition to the mandatory requirements set forth by the general data protection laws.

Moreover Law 21180, on the Digital Transformation of the State, made a shift in the way public services will interact with citizens, establishing the use of electronic means for administration management. This law and its accompanying regulations establish standards for platforms to meet in terms of information security and cybersecurity, as well as guidelines for sensitive data interoperability, where it prescribed the requirement for prior and informed consent for the transfer of sensitive data of individuals between state entities, whether or not such data is contained in databases.

Finally, the Oficio Circular No 7/2020 of the Superintendence of Health established certain guidelines for the use of technological platforms and the proper safeguarding of patient's personal data

China has yet to implement any privacy/data protection law that applies specifically to the provision of internet healthcare. Administrative Measures for Internet Diagnosis and Treatment (For Trial Implementation) stipulates that medical institutions shall comply with all relevant laws and regulations on information security and confidentiality of healthcare data. Such laws and regulations include the following:

• Cyber Security Law;
• Personal Information Proetction Law;
• Data Security Law;
• Regulations of the PRC on Administration of Human Genetic Resources promulgated by PRC State Council;
• Administrative Measures for Health Related Information promulgated by National Health Commission; and
• Administrative Measures for Cyber Security of Medical and Health Institutions promulgated by National Health Commission, National Administration of Traditional Chinese Medicine and National Administration of Disease Control and Prevention;
• Good Administrative Practice for Electronic Medical Records promulgated by National Health Commission and National Administration of Traditional Chinese Medicine.

There is no specific regulation applicable to telehealth, and instead, it is subject to the general data protection regime, in particular:

• under Law 1581 of 2012 and Decree 1377 of 2013, the processing of personal data requires the prior and express authorisation of the data subject. The data subject shall be informed of the specific purposes for which the data will be processed;
• there are certain types of personal data for which the law sets specific requirements. Personal sensitive data (which includes medical records) requires notification and the data subject is not compelled to provide it. Similarly, data owned by children or teenagers requires notification, and the child / teenager cannot be compelled to provide their information. Authorisation must be granted by the child’s legal representative accounting for that child’s opinion. There are certain exceptions under which such consent is not needed such as medical emergencies.
• the Colombian data protection regulation sets rules related to the duties of the data controller to ensure the security and confidentiality of the information, as well to allow the data subject to exercise their habeas data rights by requesting information about their data, revoking their consent, updating the data, and requesting rectifications.
• as with any other health service, during the provision of telehealth services, healthcare providers must ensure compliance with regulations relating to medical records, including Resolutions 1995 of 1999 and 823 of 3017, issued by the Ministry of Health.

Yes, the following laws apply:

• Croatian Act on Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka – "Data Protection Act");
• Croatian Ordinance on the use and protection of data from medical documentation of patients in the Central Health Information System of the Republic of Croatia (Pravilnik o uporabi i zaštiti podataka iz medicinske dokumentacije pacijenata u Centralnom informacijskom sustavu zdravstva Republike Hrvatske – "Ordinance on the Use and Protection of Data"); and
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").

Rules for protection of personal data implemented in the GDPR apply directly in Croatia. The Data Protection Act and Ordinance on the Use and Protection of Data generally provide for the obligation on users of medical data to keep the data from the patient’s medical documentation secret.

Additionally, Article 18 of the Telemedicine Ordinance specifically provides that recording of audio and video recordings during the provision and reception of telemedicine services is allowed only with the written consent of the recipient of the service. For a recipient of a service who is unconscious, has a severe mental disorder, or is a minor, the written consent shall be given by the legal representative or guardian of the recipient of the service. The written consent must contain the reason for the recording, the type of recording and the purpose for which the recording will be used.

From 1 January 2023, providers of healthcare services are obliged to record data in the scope provided for by the Act on electronization of healthcare in core registers established by the Ministry of Health for this purpose. Healthcare services providers are required to ensure a gradual transition from the birth number to the newly introduced identifiers and to use and follow data from the core registries effective 1 January 2024.

Yes, the following laws apply to the provision of telehealth services in Denmark:

• The Danish Healthcare Act
• Danish Requirements for Security of Network – and Information Systems Within the Healthcare Sector Act
• The Danish Public Administration Act
• The General Data Protection Regulation (GDPR)
• The Danish Data Protection Act

All telemedicine, including telehealth, providers must meet the requirements set out in the Data Protection Act (1050/2018) and in the General Data Protection Regulation (the GDPR, 2016/679). In addition to the general data protection requirements, the Act on the Electronic Processing of Client Data in Social and Health Care Services (159/2007) sets out more specific requirements for all data systems irrespective of whether they are used in private or public healthcare. Systems used to transmit and store patient information must meet the requirements on confidentiality as well as data protection and security. Service providers are responsible for ensuring that the appropriate data protection and security arrangements are in place for the purpose of transferring data and processing personal information.

The processing of personal data, including health data, in the field of telehealth is governed by the General Data Protection Regulation (“GDPR”) as well as the law no. 78-17 of January 6, 1978, as last amended, the decree no. 2019-536 of May 29, 2019, as last amended, and specific provisions set forth under the French Public Health Code.

Depending on the telemedicine project, a legal analysis must be carried out, on a case-by-case basis, to identify the applicable legal framework precisely.

Please find below some of the key obligations:

• Formalities: In principle, the processing of personal data used for the implementation of telemedicine acts is not subject to any particular formality with the French data protection supervisory authority ("CNIL"). Indeed, depending on the context, this processing falls within the scope of processing necessary for preventive medicine, medical diagnosis, health care, management of health care systems and services, which do not require any formalities with the CNIL. The data must be processed by a health professional subject to an obligation of professional secrecy or by another person subject to an obligation of secrecy.
  
  By way of exception and depending on the nature of the data collected or the purpose of the processing, the processing of personal data for the implementation of telemedicine acts may give rise to a request for authorisation if it is carried out in the context of research in the health field. Depending on the nature of the research, the sponsor may either have to file with the CNIL an authorisation or a declaration of conformity to one of the reference methodologies (e.g., MR-001)

• Accountability/privacy by design: In any case, since the processing resulting from a telemedicine activity is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an analysis of the impact of the envisaged processing operations on its compliance with the abovementioned data protection legal framework prior to the processing (“DPIA”).
• Data subject rights: Data subjects of data collected through a telemedicine device should be able to exercise their rights effectively, in particular their rights of access, rectification and objection.
• Security:
• A strong authentication system must be put in place to recognise users and give them the necessary access. Sharing access is prohibited.
• A system for managing the authorisations of users of the telemedicine system must be put in place to limit access to only those data that are strictly necessary for the users. Differentiated levels of authorisation must be created according to the needs of the users.
• A system for managing traces and incidents must be put in place. The aim is to be able to identify fraudulent access or misuse of personal data or to determine the origin of an accident. The aim is to be able to react to a data breach.
• If the telemedicine system involves outsourcing, the security conditions laid down for the hosting of health data by Article L. 1111-8 of the Public Health Code must be respected.
• In addition, the data controller must implement all physical and logical security measures with regard to workstations, mobile computing, the internal computer network, servers, websites, archiving, maintenance, subcontracting, etc.

The processing of personal data in the context of the provision of telehealth services is primarily governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR"), as well as the German Federal Data Protection Act ("BDSG").

Apart from that, the German Social Code Book V ("SGB V"), contains several regulations on the processing of personal data in connection with telehealth services and has only recently been subject to amendments as a result of the German Patients Data Protection Act (“PDSG”), which came into force in October 2020. Particularly, the provisions relating the use of the electronic health card (“elektronische Gesundheitskarte”) have undergone substantial amendments (Sec. 291 et seq. of the SGB V). Additionally, the new chapter 11 of the SGB V (cf. Sec. 306 – 383 of the SGB V) which now comprehensively regulates the requirements for the telematics infrastructure received great attention among stakeholders, in particular, the extensive reorganisation of the electronic patient record (“elektronische Patientenakte”) (cf. Sec. 341 et seq. of the SGB V). It should be noted, however, that the provisions of the SGB V primarily apply to service providers of the German Statutory Health Insurances ("SHI" – "GKV") and only in certain exceptional cases also to service providers of the Private Health Insurances ("PHI" – "PKV").

The following data protection and privacy laws and regulations are applicable to the provision of telehealth services in Greece:

• Article 66 par. 16 of Law 3984/2011 (A’ 150) sets forth requirements that need to be fulfilled, so that the provision of telehealth services is compliant with the data protection rules. In particular the article states that "The doctor, for the purposes of the protection of personal data, is responsible to request from the patient, or if this is not possible from a relative of first degree, the signed approval for the use of telehealth services. If this is not possible, then doctor shall offer telehealth services at his / her own discretion".
• The general provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), as well as of Law 4624/2019 (A’ 137) on the Personal Data Protection Authority, implementing the measures set forth by Regulation (EU) 2016/679 are also applicable; health data qualify as sensitive data (article 9 of GDPR), and therefore their processing is permitted only for health-related purposes.
• Given that telehealth is mostly internet-based, compliance with the provisions of Law 3471/2006 (A’ 133) on the protection of personal data and privacy in the field of electronic communications, transposing the Directive (EU) 2002/58/EC is required as well.
• Article 14 of Law 3418/2005 (Code of Medical Ethics) regulates the retention of medical records.

There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Hong Kong.

The Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") regulates the general collection and handling of personal data. Under the Code of Professional Conduct for the Guidance of Registered Medical Practitioners issued by the Medical Council of Hong Kong, Hong Kong registered doctors should have regard to their responsibilities and liabilities under the PDPO, in particular, patient’s rights of access to and correction of information in the medical record.

No, there are no specific data protection rules regarding the provision of telehealth services.

GDPR and general sectoral laws on the processing and protection of health and other related personal data, shall equally apply to telehealth and normal health services.

There are no specific privacy or data protections laws in respect of telehealth services, however there are special rules regarding how health data can be processed.

Ireland is governed by the GDPR, which is further implemented by the Data Protection Act 2018. Most of the personal data which is processed in the provision of telehealth services will be health data, which is classed as special category data under GDPR. The GDPR prohibits the processing of special category data unless there is a lawful basis under Article 6, and also an exception for processing under Article 9.

Depending on the nature and purpose of the processing, there are a number of lawful bases under Article 6 and exemptions under Article 9 which may be relevant for the processing of special category data, including health data.

In most circumstances where the processing of special category data takes place, section 36 of the Data Protection Act 2018 requires that additional "suitable and specific measures" are implemented to safeguard the fundamental rights and freedoms of data subjects. These are mainly practical measures, and include things such as specific staff training in relation to the processing activity and having appropriate security measures, logs and access controls on the personal data.

In addition, the Data Protection Commission advises that ensuring the principles of data protection are upheld when processing personal data is key, although there are no derogations from the GDPR in the Data Protection Act 2018 in this respect.

The Data Protection Act 2018 (Health Research) Regulations 2018 provides specific and additional measures required to safeguard information processed for the benefit of health research, such as appropriate consent, governance, and security.

There are no specific national laws governing the processing of personal data in the context of telehealth services so far. 

However, the Italian Government has been working on strengthening the existing database named 'Electronic Health Record' (Fascicolo Sanitario Elettronico) and establishing the new National Telehealth Platform, which will raise new severe risks for patients' privacy.  For this reason, we expect that the Italian regulator will release new rules to address the privacy-related risks arising from the implementation and use of these systems as soon as they will be in place.

Currently, the processing operations of personal data carried out in this context falls within the regulatory framework of the EU General Data Protection Regulation 2016/679 (“GDPR”) and Legislative Decree 196/2003, as lastly amended by means of Legislative Decree 101/2018 (the Italian Privacy Code), as well as the decisions and guidelines issued by the Italian Data Protection Authority and other authorities having jurisdiction in the subject matter (jointly referred to as Privacy Laws).  In particular:

• Under Article 9, let. h) of the GDPR, patient’s consent is not required where the processing of personal data is necessary for the purposes of medical diagnosis, the provision of telehealth services, or the management of telehealth systems and services, on the basis of EU or member state law or pursuant to contract with a HCP;
• Patients must be adequately informed on the processing activities related to the performance of telehealth services, by means of a privacy information notice listing any element required under Articles 13 and 14 of the GDPR;
• Personal data, including heath data, must be processed in accordance with data processing principles set forth under Article 5 of the GDPR; and
• Adequate technical and organizational security measures must be adopted. In this regard, Italian Privacy Laws do not specifically identify the required security measures, providing that both data controllers and processors must determine the measures to be implemented by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.  Considering that special categories of data (i.e. health data) are processed in performing telehealth services, the security measures to be taken must be particularly robust.

Based on Article 2 paragraph 1 of the Minister of Communication and Informatics of the Republic of Indonesia Regulation Number 20 of 2016 on Personal Data Protection In Electronic Systems, Personal Data Protection in Electronic Systems is comprised of protection from the acquisition, collection, processing, analysing, storage, display, announcement, delivery, dissemination and erasure of Personal Data.

The Regulation of the Minister of Health of the Republic of Indonesia Number 269 of 2008 concerning Medical Records, requires that patient data must be stored for period of 10 years from the date the records were made.

Under the Regulation of Minister of Health of the Republic Indonesia Number 20 of 2019 regarding the Organisation of Telemedicine Services through Health Service Facilities, Health Service Facilities must protect the patients’ data.

The Act on the Protection of Personal Information ("APPI") applies to the provision of telehealth in Japan. Under the APPI, before collecting any personal information from patients receiving telehealth services, the medical institutions / practitioners shall inform the patients the purpose of collecting personal information and obtain consent from the patients.

There are no specific data privacy requirements relating to telehealth. The provisions of the Data Protection Act, 2019 (the “DPA”), Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021 (the "Complaints Handling Regulations”), Data Protection (General) Regulations 2021 (the “General Regulations”) and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 (the Registration Regulations) apply.

Health data is defined under the DPA as “data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services.” Personal data relating to a data subject’s health status is considered “sensitive personal data” under the DPA.

Section 46 of the DPA provides that personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider; or by a person subject to the obligation of professional secrecy under any law.

There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Kuwait.

Article 6 of Law No. 25 of 1981 Regulating the Medical and Dental Practitioners contains a general obligation to maintain patient confidentiality, which should apply to the telehealth services as well.

In addition, Kuwait Law No. 20 of 2014 ("E-Commerce Law") requires that client data relating to positional affairs, personal status, health status or elements of the financial disclosure of persons, or other personal information must be retained privately and confidentially, and employees are obliged to ensure such data protection. Disclosure of such information is subject to obtaining client consent or pursuant to a court order. We are of the view that obligations under the E-Commerce Law apply as well to telehealth services providers.

The General Data Protection Regulation (or the "GDPR") applies to all organisations (including medical practices) operating within the European Union and processing personal data. The Law of 1 August 2018 on the organisation of the Luxembourg National Data Protection Commission and the general data protection framework (or the "Law of 2018 on data protection") completes the GDPR at the national level.

While there are no specific laws regulating telehealth in Luxembourg, any health professional and teleconsultation website must comply with the aforementioned privacy laws.

Yes, there are several relevant laws and standards that will apply to the provision of telehealth in Mexico:

• Mexican Law for the Protection of Personal Data in Possession of Private Parties (and together with its regulations and guidelines, the "Data Privacy Laws"), ensures the correct processing of personal information held by third parties, especially in digital environments and promotes good practices and strengthens personal data protection controls outside the government sphere.
• Mexican Law for the Protection of Personal Data in Possession of Obligated Parties establishes the basis, principles and procedures for individuals’ right to the protection of their personal data which is in the possession of Obligated Parties (being any authority, entity, organ and body of the Executive, Legislative and Judicial branches, autonomous bodies, political parties, trusts and public funds).
• NOM-024-SSA3-2012 regulates the exchange of health information, electronic record information systems for health, SIRES, and establishes the mechanisms for health service providers to register, exchange and consolidate information.
• NOM-035-SSA3-2012 establishes criteria and procedures that must be followed to produce, capture, integrate, process, systematise, evaluate and disclose health information.
• NOM-004-SSA3-2012 concerns clinical files, and establishes the mandatory scientific, ethical, technological and administrative criteria applicable to the preparation, integration, use, management, filing, conservation, ownership and confidentiality of the clinical record.

There is no specific privacy and/or data protection regulations relating to telehealth, other than the general data protection regulations, which provide that health data are sensitive data and therefore subject to tighter restrictions.

This being said, telehealth regulations provides that compliance with the data protection regulations in Morocco is a condition to obtain and keep the prior authorization to provide telehealth services.

There are no specific privacy and / or data protection laws applicable to the provision of telehealth services.  In fact, there are no privacy and / or data protection laws in Namibia.  The common law right to privacy of patients will apply.

As the provision of telehealth services entail the processing of personal data, such processing should comply with the General Data Protection Regulation and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). In addition, the Dutch Telecommunications Act (Telecommunicatiewet) could be applicable to the use of telecommunication services, depending on how the telehealth services carried out exactly.

Wet aanvullende bepalingen gegevensverwerking in de zorg (Wabvpz) (English: Processing of Personal Data in Healthcare (Additional Provisions) Act). This law has been in force since 2020 and regulates the preconditions for use of an electronic data exchange for healthcare providers. It also clarifies which additional rights and guarantees a client/patient has in relation to personal data exchanged via such electronic data exchange system.

The processing of personal data in Nigeria remains governed by the Nigeria Data Protection Regulation (2019) and the Implementation Framework, as well as other guidelines developed by the National Information Technology Development Agency (NITDA). However, the supervisory authority for data protection matters in Nigeria has changed from NITDA to the Nigeria Data Protection Bureau (NDPB).

The same laws and data regulations that apply to the provision of all health services apply to telehealth, including:

• The Privacy Act 2020;
• The Health Information Privacy Code 2020 which includes rules for ‘health agencies’ in relation to the collection of health information, individuals’ rights to access and correct health information, and restrictions on the use of health information;
• The Health (Retention of Health Information) Regulations 1996; and
• The Health Information Standards Organisation technical standards relating to videoconferencing and health information security

Regulation (EU) 2016/679 GDPR applies. GDPR has been implemented through the Norwegian Personal Data Act. In addition, there are several other sector specific laws and regulations relevant for telehealth and personal data.

The Health Registry (Filing System) Act applies for the processing of health data for e.g. statistical purposes, healthcare analysis, research and quality improvement, and contains requirements for the processing of health data in order to establish filing systems. These filing systems are thus not meant for treatment purposes.

A filing system is defined in GDPR Art. 4(1)(6), which the Health Registry Act references. Examples of Norwegian health filing systems are the Patient Registry, the Cause of Death Registry and the Cancer Registry. It is explicitly stated in the Act that data must be processed in accordance with GDPR Art. 5, and that the level of personal identification shall not exceed what is necessary for the concrete purpose. Data subjects have the right to access their health data in the filing systems.

The Medical Records Act applies for all processing of health data necessary for providing healthcare to individuals. This Act prohibits the acquisition of health data unless it is needed to provide healthcare to the individual, it is needed for administration purposes or there is a legal basis according to applicable legislation. The patient is allowed to access his own health data and medical records (cf. GDPR Art. 13 and 15). Furthermore, medical records systems must be designed in such a way to implement documented access control. Data subjects have a right to obtain information about who accessed their medical records (even within an organisation).

The Regulation on Electronic Software Standards in the Health Care Sector is implemented through the Medical Records Act, and contains requirements regarding use of software and application standards.

Further, the Health Care Profession Act is relevant for telehealth. This Act provides that healthcare professionals are obliged to erase patient data from patients’ medical records only if the data provides false information or if the data clearly is not necessary to provide healthcare. Unless a patient is opposed to it, healthcare professionals shall share health data with other healthcare professionals performing treatment on the patient. Healthcare professionals have a duty of confidentiality.

There is no specific privacy and data protection laws in Oman for telehealth. However, it’s regulated under the Personal Data Protection Law issued by Royal Decree No ( 6/2022) on February 9, 2022, and came into force from February 12,2023. This Royal decree applies to the personal data being processed which makes a natural person directly or indirectly identifiable, by reference to one or more identifiers, such as name, civil number, electronic identifiers data, or by reference to one or more factors related to genetic, physical, mental, psychological, social, cultural, or economic identity and it applies to any genetic, health, and biometric data being processed.

Below the main principles of the Personal Protection Law:

• Prohibits processing personal data unless the controller has obtained the data subject’s express consent and can provide proof of the written consent.
• Not permitted to process personal data except within the framework of transparency, honesty, and respect for human dignity, and after the explicit consent of the data subject.
• Poses an outright, complete ban on processing personal data relating to genetic data, biometric data, health data, racial origin, sexual life, political or religious opinions, philosophical beliefs, criminal convictions, or those relating to security measures, except and unless after obtaining a permit for such processing from the Ministry of Transportations, Communications, Information Technology, in accordance with the controls and procedures specified by the Executive Regulation.
• Prohibits processing the personal data of a child except with the approval of his or her guardian, such processing shall be based on the best interest of the child in accordance with the controls and procedures determined by the Executive Regulation

There are no specific regulations related to privacy in telehealth services, however general privacy regulations are applicable, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") and the Polish Act on Personal Data Protection of 10 May 2018.

The majority of the relevant obligations are established in the GDPR, including a number of obligations of the data controllers, rights of the data subject and legal basis for personal data processing. International data transfers are also regulated, with specific rules on extra-EEA transfers. Furthermore, the GDPR establishes specific rules on disclosing or entrusting the processing of personal data to third parties. All personal data processing activities related to the personal data of EUbased data subjects would need to be compliant with both the GDPR and any local regulations. Additionally, due to the special character of personal data processed (i.e. health data) a high and up-to-date level of organisational and technical safeguards would need to be ensured, in line with Article 32 of the GDPR.

Yes. Without prejudice of cybersecurity related laws and regulations applicable to the health sector, the collection and processing of personal data in this scope is governed by the following laws and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data ("GDPR");
• Law no. 58/2019, 8 August ensuring execution to GDPR;
• Law 12/2005, 26 January on health and genetic data; and
• Law no. 26/2016, 22 August on public sector data / information.

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection ("Data Protection Law"). The Data Protection La is supplemented with a set of regulatory guidelines (“Guidelines”) issued by the Compliance and Data Protection Department (now referred to as the National Data Privacy Office). The guidelines incorporate concepts from EU privacy regulatory frameworks and seek to clarify obligations under, and address matters that are not dealt with in, the Data Protection Law.

 The Data Protection Law applies to personal data when this data is any of the following:

• Processed electronically;
• Obtained, collected or extracted in any other way in preparation for electronic processing; and
• Processed by combining electronic and traditional processing.

The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the Data Protection Law.

Personal data is defined under the Data Protection Law as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details.

Sensitive personal data means personal data consisting of information as to a natural person’s:

• ethnic origin;
• health;
• physical or mental health or condition;
• religious beliefs;
• relationships; and
• criminal records.

Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed necessary for a “lawful purpose” of the controller, or the third party to whom the personal data is sent. There are limited exceptions to this rule.

“Lawful purpose” is broadly defined to mean the purpose for which the personal data of the data subject is being processed in a legally compliant manner. The guidelines have clarified that “lawful purpose” includes cases where a data controller is processing personal data for its own legitimate interests or to comply with legal or contractual obligations.

Sensitive personal data may only be processed if the National Data Privacy Office consent to the processing of such data.

There are no telehealth-specific data protection laws in Romania, however more general privacy legislation may be relevant.

The main piece of legislation on the protection of personal data is Regulation (EU) 2016/679 (GDPR). The GDPR provides specific rules for the processing of data concerning health, which is classified as belonging to a special category of personal data.

Additionally, two national pieces of data protection legislation could also potentially impact the provision of telehealth services: (i) Law no. 190/2018 on implementing measures to Regulation (EU) 2016/679 ("Law 190/2018"), and (ii) Decision no. 174/2018 for establishing the list of the processing operations for which it is mandatory to perform a data protection impact assessment ("Decision 174/2018").

According to Law 190/2018, "the processing of genetic data, of biometric data or of health data for the purpose of automated decision-making or profiling is permitted with the explicit consent of the data subject or if the processing is carried out under explicit legal provisions, with appropriate measures protecting the rights, freedoms and legitimate interests of the data subject". Furthermore, "the processing of health data for the purpose of ensuring public health cannot be subsequently performed for other purposes by third entities".

Pursuant to Decision 174/2018, a data protection impact assessment is required inter alia in the following cases:

• the processing of personal data in order to perform a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• processing on a large scale of genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation;
• processing on a large scale of personal data of vulnerable persons, through automatic means of systematic monitoring and/or recording of behaviour;
• processing on a large scale of personal data through the innovative use or the implementation of new technologies; and
• processing on a large scale of data generated by devices with sensors that transmit data over the Internet or other means

There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Russia, but general data protection rules would apply to require any telehealth provider to ensure that any personal data of a patient is processed properly, with the patient’s consent and / or based on an agreement with the patient, and that a copy of such data is stored in Russia (data localisation rules).

The practice of telemedicine must be compliant with the Saudi Health Information Exchange Policies ("SeHE"), including all relevant data security and privacy requirements, and must be compliant with interoperability frameworks and / or the US Health Insurance Portability and Accountability Act. The SeHE is a comprehensive document outlining various policies that govern, amongst others, the manner in which a patient’s health information must be protected and instances where such information is permitted to be disclosed.

HCPs, as per the Telehealth Regulation, are permitted access to a patient’s health information for the purposes of conducting telemedicine activities.

The Guidelines require that medical practitioners manage patient information in accordance with the requirements of the Protection of Personal Information Act 4 of 2013 (POPIA). In this regard, practitioners must ensure that:

• there is adequate safety of patient’s personal information and processing by publicand private bodies;
• the entity or practices establish minimum requirements for the processing of personal information;
• provide for the code of conduct for the management of patient data;
• they are always cognisant of rights of persons regarding unsolicited electronic communications and automated decision making protocols; and
• they ensure that the policy which regulates the flow of personal informationgenerated from telehealth is compliant to the requirements of POPIA.

Accordingly, the Protection of Personal information Act, 2013 ("POPIA") would apply to the extent that the telehealth services involve the processing of personal information and the personal information is entered in a record (i.e. recorded). "Personal information" is widely defined and includes the personal information of identifiable natural persons and existing juristic persons. The processing of personal information entered in a record would need to comply with the eight conditions for lawful processing under POPIA, i.e.

• Accountability (the responsible party must comply with the eight conditions for lawful processing);
• Processing Limitation (there must be a justification under POPIA for processing the personal information);
• Purpose Specification (the personal information must be collected for a specific, explicitly defined and lawful purpose);
• Further Processing Limitation (further processing must be compatible with the purpose for which it was initially collected);
• Information Quality (personal information must be accurate and kept up to date);
• Openness (Data subjects must be notified of certain information when processing their information, which would usually be in the form of a privacy notice);
• Security safeguards (appropriate reasonable technological and organizational measures must be implemented to safeguard the personal information and notifications of data breaches must be made to the Information Regulator and affected data subjects);
• Data Subject Participation (data subjects have the right to request access to information, to request the correction or deletion of personal information, to object to processing of personal information in certain circumstances, to submit a complaint to the Information Regulator and institute a civil claim for damages).

There is also a special category of personal information under POPIA known as special personal information (religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health, sex life; criminal behaviour; or biometric information.) The processing of special personal information is generally prohibited unless the data subject consents to the processing, subject to limited exceptions.

Personal data is protected under the Personal Data Protection Act 2012 ("PDPA"). In particular, advisory guidelines for the healthcare sector have been provided for the healthcare sector. While these are not specifically in relation to the telehealth sector, telehealth providers should familiarise themselves with, and abide by this as well.

We would also highlight that telehealth service providers should, on top of the provisions as set out in the PDPA, ensure that tighter security arrangements are put in place to protect the personal data in its possession, especially where the personal data is more sensitive and confidential (such as patient’s medical records) and where the impact to an individual would be significantly more adverse if such personal data were inadvertently accessed.

The Act on Health Care stipulates processing of personal data from the medical documentation. At the same time, it also refers to the regulation stipulated in Act No. 18/2018 Coll. on Personal Data Protection, as amended, and GDPR.

Yes, as long as the telehealth services include processing of personal data, the Slovenian / EU data protection regime would need to be complied with.

Primarily, the General Data Protection Regulation ("GDPR") needs to be taken into account. Besides GDPR, the following legal acts are relevant:

• the Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov – "ZVOP-2");
• ZZDej; and
• ZLD-1.

The above legal acts provide basic and general protection of personal data in the health sector, but do not provide any specific regulations for the provision of telehealth service in Slovenia.

This notwithstanding, it shall be pointed out that Article 3 (3) ZZDej stipulates that health documentation in the field of Telemedicine shall be transmitted/processed in accordance with stricter rules that apply to a specific type of personal data – the so-called "sensitive personal data" (in Slovene: občutljivi osebni podatki). Therefore, in relation to the transmission of sensitive personal data or health documentation in the field of Telemedicine, special principles stemming from, among others, Article 9 GDPR shall be adhered to.

Telehealth services must be carried out in compliance with the current legislation on personal data protection. In particular, personal data processing is subject to fulfil with the obligations stated in the GDPR 2016/679. On a national level, Spanish Data Protection Act 3/2018 also applies.

In Sweden, there are no privacy and/or data protection laws that apply specifically to the provision of telehealth services. In general, processing of personal data is instead regulated by the General Data Protection Regulation, (EU) 2016/679 ("GDPR"), and supplementary legislation, including the Data Protection Act (2018:218) and the Data Protection Ordinance (2018:219).

Moreover, sector and processing specific regulations may apply, such as:

• the Patient Data Act (2008:355);
• the Patient Data Ordinance (2008:360);
• the Pharmacy Data Act (2009:367);
• the Act (2018:744) on Medical Insurance Investigations;
• the Patient Safety Act (2010:659); and
• as of 1 January 2023, the new Act (2022:913) on Shared Health and Care Documentation.

There is no specific privacy / data protection law that applies to the provision of telehealth services. Therefore, the general Personal Data Protection Act B.E. 2562 (2019) ("PDPA") (came fully into force on 1 June 2022) will apply. The PDPA governs how personal data are regulated in Thailand.

The term "personal data" means "any data pertaining to a natural person that enables the identification of that person, whether directly or indirectly, but specifically excluding the data of the deceased". "Sensitive personal data" refers to personal data under Section 26 of the PDPA such as health data and biometric data. As sensitive personal data are sensitive in nature and are susceptive to abuse, it is given a higher level of protection than personal data.

For the majority of the cases, explicit consent is required in the collection, use and disclosure of sensitive personal data. The relevant lawful basis of processing personal data (as opposed to sensitive personal data) in the context of telemedicine without an individual’s consent include but are not limited to: (i) performance of a contract; and (ii) legitimate interest as prescribed under the PDPA. For processing of sensitive data, the relevant lawful basis would include (i) vital interest (where the individual is incapable of giving consent by whatever reason); and (ii) legal compliance to achieve certain purposes such as public interest in public health or employment protection.

Additionally, the Notification puts emphasis on the confidentiality of data. Therefore, service providers must ensure that both the transmitter and recipient are aware of such obligation, and the service provider themselves must ensure that there are no loss or unauthorised disclosure of data during transmission. The IT system used for telemedicine must also be in line with the standards set out in the Electronic Transactions Act B.E. 2562 (2019),the PDPA, and the Notification of the Personal Data Protection Committee on Security Measures of Data Controller B.E. 2565 (2022).

The UAE does not have a comprehensive data protection law at a federal level. There are however a number laws in place that govern the collection and handling of personal data through telehealth services in the UAE.

Article 379 of Federal Law 3 of 1987 as amended ("UAE Penal Code") prohibits a person who, by reason of their profession, craft, situation or art, is entrusted with a "secret", from using or disclosing that secret, without the consent of the person to whom the secret pertains, or otherwise in accordance with the law. To mitigate against the risk of a breach of Article 379 of the Penal Code it is generally advised to obtain consent prior to the use or disclosure of any personal data, which would include any patient information* obtained through a telehealth service.

Article 4 of the ICT Health Law impose strict requirements around the circulation of patient information (in "authorised cases" only), as well as ensuring that it is protected from destruction or unauthorised amendment, alteration, deletion, or addition. Article 16 of the ICT Health Law further requires that "whoever circulates information related to patients must abstain from using such information for non-health purposes", unless certain exceptions apply.

In addition, Article 20 of the ICT Health Law provides that patient information must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient. This broadly worded obligation is not targeted at any particular category of individuals or entities (e.g. Healthcare providers) and must therefore be assumed to apply any entity which uses ICT in the healthcare sector, as per Article 2 of the ICT Health Law. This law extends to health insurance brokers and insurers, claims management services and electronic services in the medical field.

The Federal Telehealth Regulations set out a number of data protection related conditions for providing various health services remotely. Those include obligations to provide:

• a system for the protection of the data and registers related to the remote health services, and prohibiting any access thereto unless by the authorised persons;
• the necessary mechanisms for the protection of the privacy of the persons who received remote health services;
• servers in the United Arab Emirates for the storage and archiving of information as well as a backup;
• internet technologies and systems that meet the requirements of providing remote health services;
• the necessary means for the archiving of the entire registers and data related to the persons who received remote health services, in addition to the documentation thereof; and
• a system for the protection of the data and registers related to the remote health services, and prohibit any access thereto unless by the authorised persons.

It is also stated within the Federal Telehealth Regulations that the "express consent" of those who receive such services is required, both to receive the service and to be recorded (by both audio and video).

At an Emirate Level, both the Dubai HA Standards and the AD DOH Standards include independent requirements relating to the protection and use of patient information.

In addition to the general requirements around the handling of health data found under DHCC Free Zone Health Data Protection Regulation No 7 of 2013, the DHCC Regulation contains requirements around the handling of patient information. Some of the key points are as follows:

• Patient information shall not be collected by unlawful means; or means that, in the circumstances of the case are unfair; or intrude to an unreasonable extent upon the personal affairs of the patient;
• Security incidents (i.e. data breaches) must be reported; and
• Patients must be issued a privacy notice at the point of data collection which meets certain requirements.

There are no specific data privacy requirements relating to telehealth, therefore the usual principles of the General Data Protection Regulation ("GDPR") as implemented and tailored by the Data Protection Act 2018 apply. Organisations engaging in telehealth will need to comply with the following 7 key principles and ensure they have a lawful basis for processing.

• lawfulness, fairness and transparency;
• purpose limitation (i.e. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes);
• data minimisation (i.e. data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accuracy (and kept up to date);
• storage limitation (i.e. kept for no longer than necessary for the purposes for which the data is processed);
• integrity and confidentiality (security) (i.e. processed in a manner that ensures appropriate security of the personal data); and
• accountability (which requires organisations to take appropriate processes and records in place to demonstrate compliance)

Given telehealth is likely to involve the processing of special category data (health data, genetic data, biometric data (where used for identification purposes), the provisions relating to special category data in the GDPR will apply.

Therefore, before processing any special category data an organisation must have a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9 (these do not have to be linked) and document the relevant conditions. In respect of health data, if an organisation relies on the "health or social care (with a basis in law)" or "public health (with a basis in law)", the organisation will need to meet the associated condition in Part 1 of the Schedule 1 of the Data Protection Act 2018. Additionally, an appropriate privacy policy will be required which sets out the details of the data being collected, the purpose, the conditions under which they are being processed and any third parties with whom the data is being shared. Special category data is likely to be regarded as high risk processing and therefore a Data Protection Impact Assessment ("DPIA") will be required.

Record keeping will be especially important, including the documenting of the categories of data. Organisations should also consider the interaction of the provisions on data minimisation, security, transparency, data protection officers and individual rights to access and erase records.

If the telehealth solution incorporates any artificial intelligence to support, or make decisions about individuals (such as using algorithms underpinning symptom checkers) then there are additional considerations, such as compliance with the Medical Devices Regulations 2002. The specific restriction in the GDPR on automated decision making (Article 22) may also apply in these cases, so will need to be carefully addressed. We also highlight the general non-sector specific guidance the Information Commissioner’s Office ("ICO") has issued jointly with The Alan Turing Institute on use of AI, which highlights the need to follow the following principles:

• be transparent;
• be accountable;
• consider the context you are operating in; and
• reflect on the impact of your AI system on the individuals affected, as well as wider society.

These principles relate to providing explanations of AI-assisted decision making to individuals and supplement the data protection principles in the GDPR so following these principles will enable organisations to follow "best practice" when explaining AI decisions.

Additionally, all healthcare staff have a duty of confidentiality in respect of all identifiable patient information and thus careful guidelines which are issued by bodies such as the British Medical Association and the General Medical Council should be adhered to, in addition to the normal data privacy regulations referred to above.

HIPAA is the prevailing federal law governing the use and disclosure of personal health information; however, this law applies only to individuals and entities meeting the definition of a "covered entity" or a "business associate" of a covered entity, leaving a substantial amount of personal health information not subject to HIPAA. There are also state-specific laws that may impact telehealth services as it pertains to more sensitive information (e.g., mental health, HIV/AIDS/STI diagnosis and treatment, and substance use disorders).

The Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR"), the federal agency charged with authority and enforcement over HIPAA, issued a Notice of Enforcement Discretion stating that it would not seek to impose penalties on providers for noncompliance with the regulatory requirements under HIPAA in connection with the good faith provision of telehealth during the PHE. In particular, OCR expressly permitted the use of "any non-public facing remote communication product that is available to communicate with patients", including Apple FaceTime, Google Hangouts, or Skype. At the same time, the associated FAQs released by OCR to help guide providers in adopting these technologies encouraged providers to notify patients that the use of these technologies potentially introduce privacy risks.

However, this enforcement discretion applies only during the PHE and will not likely be extended. Thus, to prepare for the resumption of enforcement penalties for non-compliant technology use after May 11, 2023, the telehealth platform(s)  used for the provision of telehealth services would need to be evaluated by covered entities and their business associates to confirm compliance with HIPAA. This would typically mean that the covered entity, for example, would need to enter into a business associate agreement with the platform provider (e.g., Zoom) and the platform provider would be subject to HIPAA requirements as a business associate.

Telehealth companies must also be aware of how they use online tracking technologies and associated vendors, including cookies, pixels, and session replay tracking. These tools have the risk for impermissible disclosure of protected health information under HIPAA or applicable state laws, such as the California Consumer Privacy Act of 2018 and its implementing amendments and regulations (“CCPA”) or Section 5(a) of the Federal Trade Commission Act (“FTC Act”) (15 USC §45), which prohibits "unfair or deceptive acts or practices in or affecting commerce". In December 2022, OCR released a bulletin, stating that simply identifying that a HIPAA covered entity or business associate uses tracking technologies on its website or mobile app in a privacy policy, notice, or terms and conditions does not inherently permit disclosures of PHI to online tracking technology vendors. Rather, the disclosures need to comply with the HIPAA Privacy Rule, and if the online tracking technology vendor receives PHI, the vendor must have a business associate agreement in place. To the extent HIPAA does not apply to such online tracking technologies, then telehealth providers must still look to the FTC’s laws and regulations and state laws, such as CCPA, to ensure compliance. The FTC, in particular, has been active in enforcing consumer privacy through both its Section 5 authority and recently, under its Health Breach Notification Rule.  Health information exchanged electronically is a focal point for current FTC enforcement.

States also enforce state specific data breach notification laws, which may include requirements in addition to HIPAA. While the HIPAA Breach Notification Rule requires covered entities and business associates to provide notice to OCR, impacted individuals, and in some cases, the media within 60 days of breach discovery, several states have enacted laws with more stringent notice requirements, e.g., 15- or 45-day notice windows, notification to state agencies, and varying definitions of what personal information triggers these obligations.

Not applicable.

Yes, the Cyber and Data Protection Act [Chapter 12:07] (“CDPA”) provides for the processing of health information, genetic information and healthcare history including disabilities.

In addition, the Constitution of the Republic of Zimbabwe provides its citizens with the right to privacy and this right, at times, is construed to also cover an individual’s medical information.