There are no data protection laws relating specifically to telehealth services. However, the Ministry of Health’s guide of recommendations includes a section on data protection and, in all cases, healthcare providers should comply with Law No. 25,326 on Personal Data Protection.
Australian privacy and surveillance laws are generally applicable to the provision of telehealth services in Australia.
At the Federal level, the core privacy legislation is the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs"). State and territory legislation broadly aligns with the Federal framework. The Privacy Act regulates the collection, use and disclosure of personal information, defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not. All personal information collected in the course of providing a health service, including information or an opinion about the health of an individual and their wishes about the future provision of health, is considered health information under the Privacy Act. Health information is sensitive information, which is granted additional protections under the Privacy Act and APPs due to its significance and the potential harm that could result from misuse. Providers of telehealth services are health service providers under the Privacy Act.
To comply with the Privacy Act and the APPs, telehealth service providers must handle all patient information in a manner that complies with their legal obligations. In particular, health information can only be collected by lawful and fair means, and generally only with the patient’s (express or implied) consent and where the information is reasonably necessary for providing a health service to that patient. Certain exemptions do apply to "health service providers" (including telehealth businesses), such as where the collection is necessary to provide a health service and is either authorised by law or it is collected in accordance with confidentiality rules established by competent health boards or medical bodies. Consent is also not required where information is collected or disclosed in order to prevent a serious threat to life, public health or safety. Health information can only be collected directly from the patient unless it is not reasonable or practical to do so. There are also similar consent restrictions on the use and disclosure of health information, and typically higher standards of security are also expected.
Surveillance laws operating at the federal, state and territory levels will also be relevant where, for example, telehealth providers intend to record the provision of services to patients. At the federal level, the Telecommunications (Interception and Access) Act 1979 (Cth) makes it an offence to intercept or access private telecommunications without the knowledge of those involved in that communication. State and territory surveillance laws also prohibit the recording of private conversations without the consent of the participants in that conversation. In practice, telehealth service providers would need to ensure that all participants in recorded conversations have provided their express consent to any such recording.
Besides the general applicability of the GDPR and the Austrian Data Protection Act, the following specific personal data protection laws apply to narrowly defined data applications (e.g. data transfers between doctors / hospitals):
- Federal Health Telematics Act (Gesundheitstelematikgesetz); and
- Health Telematics Regulation (Gesundheitstelematikverordnung).
There are also several data protection provisions included in the Federal Doctors Act, Federal Dentist Act, Federal Pharmacy Act, etc., which in principle do not go beyond GDPR requirements.
Emphasis should be placed on secure technical solutions (e.g. encryption).
Yes, Bahrain’s Law No. 30 of 2018 on Personal Data Protection ("PDPL") sets out the requirements for processing personal data both in Bahrain and abroad. This would generally include the provision of telehealth services.
Pursuant to the PDPL, the processing of personal data shall be prohibited without the consent of the owner thereof, unless such processing is necessary for any of the following:
- implementation of a contract to which the data subject is a party;
- taking steps upon the request of the data subject for the purpose of conclusion of a contract;
- implementation of an obligation prescribed by Law, contrary to a contractual obligation, or issuance of an order from a competent court or the public prosecution;
- protection of the vital interests of the data subject; or
- exercise of the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.
The General Data Protection Law (Federal Law no. 13,709/18 or "LGPD"), strongly inspired by the European General Data Protection Regulation ("GDPR"), provides a new privacy landscape for Brazil and applies to any processing of personal data: (i) which is carried out within the Brazilian territory; (ii) which has the objective of offering or supplying goods or services to, or processing data of, individuals located in Brazil; or (iii) where the personal data is collected from the Brazilian territory. Thus, the offering of telehealth services in Brazil will be subject to the LGPD provisions.
It is important to stress that the LGPD has been in force since September 28, 2020. The penalties provided by the law, however, are only going to be enforceable in August 2021. Notwithstanding the foregoing, public authorities (such as consumer protection bodies and public prosecutors) and data subjects can enforce their rights based on the LGPD.
In addition to this, the Brazilian National Authority (i.e. the supervisory authority responsible for further regulating data protection in Brazil, also known as "ANPD") is now in operation. The LGPD has several provisions to be further regulated and interpreted by the ANPD, which may have an impact on businesses and require further localisation and adjustments for compliance in the future. It is recommended that the actions of the ANPD in relation to such matters be monitored.
According to the LGPD, the concept of personal data shall be understood as "any information regarding an identified or identifiable natural person". Based on that definition, any collected information which is able to identify a natural person will be understood as personal data and, therefore, subject to the LGPD principles, obligations and rights. The law also includes the definition of sensitive personal data, which encompasses health data along with any information about a natural person regarding racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organisation, data related to sexual life, and genetic or biometric data.
No specific laws.
- Privacy and data protection laws that relate to personal health information vary from province to province. These laws apply to the provision of healthcare generally and do not relate specifically to the provision of telehealth.
- The Personal Information Protection and Electronic Documents Act ("PIPEDA") is a federal Canadian Act that applies to every organisation that collects, uses or discloses personal information in the course of commercial activities. As a general rule, PIPEDA does not apply to the core activities of municipalities, universities, schools, and hospitals. Instead, personal information collected by municipalities, universities, schools and hospitals is protected by provincial legislation. The provinces of Alberta, New Brunswick, Newfoundland, Nova Scotia, Saskatchewan, Manitoba, Ontario, and Prince Edward Island and the Northwest Territories and Yukon have enacted personal health information legislation that applies to the healthcare sector. Quebec’s Act respecting health services and social services also contains important provisions regarding personal health information. British Columbia has several laws that address health information privacy.
- Healthcare providers in private practice such as doctors, dentists, and chiropractors are engaged in a commercial activity and thus are subject to PIPEDA, unless substantially similar provincial legislation applies. The provinces of Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have passed their own health privacy laws, which have been declared substantially similar to PIPEDA with respect to health information.
The main laws that are applicable are Law No. 19,628 on Protection of Private Life (when the controller is a public or private entity) and Law No. 20,285 on Access to Public Information (only when the controller is a public body). In addition, some provisions of Law No. 20,584 on Rights and Obligations of Patients will also be applicable.
The provisions that govern data processing in this context are the ones that apply to any other data processing activity, which in summary require the controller to obtain the data subject's prior, express, specific, informed and written consent. This implies providing all data subjects with sufficient and clear information about the data to be collected, the processing activities and the purposes of the data processing, as well as the possible communication of said data to third parties.
Furthermore, the Guides issued by the Ministry of Health on Telehealth and on Data Safety have included some obligations and / or recommendations regarding the provision of healthcare services, including the need to have an adequate technological infrastructure for providing the healthcare services, a system for tracing the data processed, and an HR policy that regulates who will have the right to access patients’ data and their responsibilities, in addition to the mandatory requirements set forth by the general data protection laws.
Finally, Oficio Circular No 7/2020 of the Superintendence of Health established certain guidelines for the use of technological platforms and the proper safeguarding of patients' personal data.
China has yet to implement any privacy/data protection law that applies specifically to the provision of internet healthcare. Administrative Measures for Internet Diagnosis and Treatment (For Trial Implementation) stipulates that medical institutions shall comply with all relevant laws and regulations on information security and confidentiality of healthcare data. Such laws and regulations include the following:
- Cyber Security Law;
- Regulations of the PRC on Administration of Human Genetic Resources promulgated by PRC State Council;
- Administrative Measures for Health Related Information promulgated by National Health Commission; and
- Good Administrative Practice for Electronic Medical Records promulgated by National Health Commission and National Administration of Traditional Chinese Medicine.
There is no specific regulation applicable to telehealth, and instead, it is subject to the general data protection regime, in particular:
- under Law 1581 of 2012 and Decree 1377 of 2013, the processing of personal data requires the prior and express authorisation of the data subject. The data subject shall be informed of the specific purposes for which the data will be processed;
- there are certain types of personal data for which the law sets specific requirements. Sensitive personal data (which includes medical records) requires notification, and the data subject is not compelled to provide it. Similarly, data belonging to children or teenagers requires notification, and the child / teenager cannot be compelled to provide their information. Authorisation must be granted by the child’s legal representative, taking into account that child’s opinion. There are certain exceptions under which such consent is not needed, such as medical emergencies;
- the Colombian data protection regulation sets rules related to the duties of the data controller to ensure the security and confidentiality of the information, as well as to allow the data subject to exercise their habeas data rights by requesting information about their data, revoking their consent, updating the data, and requesting rectifications; and
- as with any other health service, during the provision of telehealth services, healthcare providers must ensure compliance with regulations relating to medical records, including Resolutions 1995 of 1999 and 823 of 3017, issued by the Ministry of Health.
Yes, the following laws apply:
- the Act on Implementation of the General Data Protection Regulation (Official Gazette no. 42/2018);
- the Ordinance on the use and protection of data from medical documentation of patients in the Central Health Information System of the Republic of Croatia (Official Gazette no. 14/2019 – hereinafter: "Ordinance on the use and protection of data"); and
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR").
The rules for the protection of personal data set out in the GDPR apply directly in Croatia. The Act and the Ordinance on the use and protection of data generally impose on users of medical data the obligation to keep the data from the patient’s medical documentation secret.
The Ordinance specifically provides that recording of audio and video recordings during the provision and reception of telemedicine services is allowed only with the written consent of the recipient of the service. For a recipient of a service who is unconscious, has a severe mental disorder or is a minor, the written consent shall be given by the legal representative or guardian of the recipient of the service. The written consent must contain the reason for the recording, the type of recording and the purpose for which the recording will be used.
Yes, the following laws apply to the provision of telehealth services in Denmark:
- The Danish Healthcare Act
- Danish Requirements for Security of Network and Information Systems Within the Healthcare Sector Act
- The Danish Public Administration Act
- The General Data Protection Regulation (GDPR)
- The Danish Data Protection Act
All telemedicine providers, including telehealth providers, must meet the requirements set out in the Data Protection Act (1050/2018) and in the General Data Protection Regulation (the GDPR, 2016/679). In addition to the general data protection requirements, the Act on the Electronic Processing of Client Data in Social and Health Care Services (159/2007) sets out more specific requirements for all data systems, irrespective of whether they are used in private or public healthcare. Systems used to transmit and store patient information must meet the requirements on confidentiality as well as data protection and security. Service providers are responsible for ensuring that the appropriate data protection and security arrangements are in place for the purpose of transferring data and processing personal information.
The protection of personal data in the field of telehealth is governed by the General Data Protection Regulation ("GDPR") as well as the law "informatique et libertés" of January 6, 1978 relating to data processing, files and freedoms (n°78-17, January 6, 1978, the "French Data Protection Act of 1978") and decree n°2015-1263 of October 9, 2015. Health data falls under a special category, as defined in Article 4(15) of the GDPR.
The processing of personal data used for the performance of telemedicine acts is not subject to any particular formality with the Commission nationale de l'informatique et des libertés (the "CNIL", the French regulator for the processing of personal data).
The data must be processed by a health professional subject to a duty of confidentiality or by another person subject to a duty of secrecy.
The data controller must be able to demonstrate the compliance of data processing with the requirements of the GDPR, including the pseudonymisation and encryption of data, the ways to ensure the confidentiality and integrity, availability and resilience of data processing systems and services, the ways to restore data availability and access within appropriate time frames in the event of incidents, and finally the procedure to regularly test, analyse and evaluate the efficiency of technical and organisational measures to ensure the security of processing. It will also have to demonstrate all the steps taken, in particular the management of personal information, the setting up of a processing register, the carrying out of an impact analysis, the keeping of the processing activities register, the setting up of a strong authentication system, a system for managing user authorisations, and a system for managing traces and incidents. If the telemedicine device involves outsourcing, specific security conditions will have to be respected.
By way of exception, data processing may give rise to a request for authorisation or a declaration of conformity if it is carried out in the context of research in the field of health.
The processing of personal data in the context of the provision of telehealth services is primarily governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR"), as well as the German Federal Data Protection Act ("BDSG").
Apart from that, the German Social Code Book V ("SGB V") contains several regulations on the processing of personal data in connection with telehealth services and has only recently been amended as a result of the German Patients Data Protection Act (“PDSG”), which came into force in October 2020. In particular, the provisions relating to the use of the electronic health card (“elektronische Gesundheitskarte”) have undergone substantial amendments (Sec. 291 et seq. of the SGB V). Additionally, the new chapter 11 of the SGB V (cf. Sec. 306 – 383 of the SGB V), which now comprehensively regulates the requirements for the telematics infrastructure, received great attention among stakeholders, in particular the extensive reorganisation of the electronic patient record (“elektronische Patientenakte”) (cf. Sec. 341 et seq. of the SGB V). It should be noted, however, that the provisions of the SGB V primarily apply to service providers of the German Statutory Health Insurances ("SHI" – "GKV") and only in certain exceptional cases also to service providers of the Private Health Insurances ("PHI" – "PKV").
The following data protection and privacy laws and regulations are applicable to the provision of telehealth services in Greece:
- Article 66 par. 16 of Law 3984/2011 (A’ 150) sets forth requirements that need to be fulfilled so that the provision of telehealth services is compliant with the data protection rules. In particular, the article states that "The doctor, for the purposes of the protection of personal data, is responsible to request from the patient, or if this is not possible from a relative of first degree, the signed approval for the use of telehealth services. If this is not possible, then the doctor shall offer telehealth services at his / her own discretion".
- The general provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), as well as of Law 4624/2019 (A’ 137) on the Personal Data Protection Authority, implementing the measures set forth by Regulation (EU) 2016/679 are also applicable; health data qualify as sensitive data (article 9 of GDPR), and therefore their processing is permitted only for health-related purposes.
- Given that telehealth is mostly internet-based, compliance with the provisions of Law 3471/2006 (A’ 133) on the protection of personal data and privacy in the field of electronic communications, transposing Directive 2002/58/EC, is required as well.
- Article 14 of Law 3418/2005 (Code of Medical Ethics) regulates the retention of medical records.
There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Hong Kong.
The Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") regulates the general collection and handling of personal data. Under the Code of Professional Conduct for the Guidance of Registered Medical Practitioners issued by the Medical Council of Hong Kong, Hong Kong registered doctors should have regard to their responsibilities and liabilities under the PDPO, in particular patients’ rights of access to and correction of information in the medical record.
No, there are no specific data protection rules regarding the provision of telehealth services.
GDPR and general sectoral laws, e.g., Act 47 of 1997 on the processing and protection of health and other related personal data, shall equally apply to telehealth and normal health services.
There are no specific privacy or data protection laws in respect of telehealth services; however, there are special rules regarding how health data can be processed.
Ireland is governed by the GDPR, which is further implemented by the Data Protection Act 2018. Most of the personal data which is processed in the provision of telehealth services will be health data, which is classed as special category data under GDPR. The GDPR prohibits the processing of special category data unless there is a lawful basis under Article 6, and also an exception for processing under Article 9.
Depending on the nature and purpose of the processing, there are a number of lawful bases under Article 6 and exemptions under Article 9 which may be relevant for the processing of special category data, including health data.
In most circumstances where the processing of special category data takes place, section 36 of the Data Protection Act 2018 requires that additional "suitable and specific measures" are implemented to safeguard the fundamental rights and freedoms of data subjects. These are mainly practical measures, and include things such as specific staff training in relation to the processing activity and having appropriate security measures, logs and access controls on the personal data.
In addition, the Data Protection Commission advises that ensuring the principles of data protection are upheld when processing personal data is key, although there are no derogations from the GDPR in the Data Protection Act 2018 in this respect.
The Data Protection Act 2018 (Health Research) Regulations 2018 provides specific and additional measures required to safeguard information processed for the benefit of health research, such as appropriate consent, governance, and security.
There are no specific national laws governing the processing of personal data in the context of telehealth services. However, the processing operations of personal data carried out in this context falls within the regulatory framework of the EU General Data Protection Regulation 2016/679 ("GDPR"), Legislative Decree 196/2003 (the "Italian Privacy Code"), and the decisions and guidelines issued by the Italian Data Protection Authority and other authorities having jurisdiction in the subject matter (jointly referred to as "Privacy Laws").
- Under Article 9(h) of the GDPR, a patient’s consent is not required as long as telehealth services are carried out to protect the patient’s health by health professionals subject to an obligation of professional secrecy or other professionals subject to an obligation of secrecy;
- Patients shall be adequately informed on the processing activities related to the performance of telehealth services, by means of a privacy information notice listing any element required under Articles 13 and 14 of the GDPR;
- Personal data, including health data, shall be processed in accordance with the data processing principles set forth under Article 5 of the GDPR; and
- Adequate technical and organisational security measures shall be adopted.
In this regard, the Privacy Laws do not specifically identify the required security measures, providing instead that both data controllers and processors must determine the measures to be implemented by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Considering that special categories of data (i.e. health data) are processed in performing telehealth services, the security measures to be taken must be particularly robust.
Based on Article 2 paragraph 1 of the Minister of Communication and Informatics of the Republic of Indonesia Regulation Number 20 of 2016 on Personal Data Protection In Electronic Systems, Personal Data Protection in Electronic Systems covers the protection of Personal Data in its acquisition, collection, processing, analysis, storage, display, announcement, delivery, dissemination and erasure.
The Regulation of the Minister of Health of the Republic of Indonesia Number 269 of 2008 concerning Medical Records requires that patient data must be stored for a period of 10 years from the date the records were made.
Under the Regulation of the Minister of Health of the Republic of Indonesia Number 20 of 2019 regarding the Organisation of Telemedicine Services through Health Service Facilities, Health Service Facilities must protect patients’ data.
The Act on the Protection of Personal Information ("APPI") applies to the provision of telehealth in Japan. Under the APPI, before collecting any personal information from patients receiving telehealth services, the medical institutions / practitioners shall inform the patients of the purpose of collecting personal information and obtain consent from the patients.
There are no specific data privacy requirements relating to telehealth. The provisions of the Data Protection Act, 2019 (the “DPA”) apply. Health data is defined under the DPA as “data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services.” Personal data relating to a data subject’s health status is considered “sensitive personal data” under the DPA.
Section 46 of the DPA provides that personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider; or by a person subject to the obligation of professional secrecy under any law.
There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Kuwait.
Article 6 of Law No. 25 of 1981 Regulating the Medical and Dental Practitioners contains a general obligation to maintain patient confidentiality, which should apply to the telehealth services as well.
In addition, Kuwait Law No. 20 of 2014 ("E-Commerce Law") requires that client data relating to positional affairs, personal status, health status or elements of the financial disclosure of persons, or other personal information must be retained privately and confidentially and employees are obliged to ensure such data protection. Disclosure of such information is subject to obtaining client consent or pursuant to a court order. We are of the view that obligations under the E-Commerce Law apply as well to telehealth services providers.
The General Data Protection Regulation (or the "GDPR") applies to all organisations (including medical practices) operating within the European Union and processing personal data. The Law of 1 August 2018 on the organisation of the Luxembourg National Data Protection Commission and the general data protection framework (or the "Law of 2018 on data protection") completes the GDPR at the national level.
While there are no specific laws regulating telehealth in Luxembourg, any health professional and teleconsultation website must comply with the aforementioned privacy laws.
Yes, there are several relevant laws and standards that will apply to the provision of telehealth in Mexico:
- Mexican Law for the Protection of Personal Data in Possession of Private Parties (together with its regulations and guidelines, the "Data Privacy Laws") ensures the correct processing of personal information held by third parties, especially in digital environments, promotes good practices and strengthens personal data protection controls outside the government sphere.
- Mexican Law for the Protection of Personal Data in Possession of Obligated Parties establishes the basis, principles and procedures for individuals’ right to the protection of their personal data which is in the possession of Obligated Parties (being any authority, entity, organ and body of the Executive, Legislative and Judicial branches, autonomous bodies, political parties, trusts and public funds).
- NOM-024-SSA3-2012 regulates the exchange of health information, electronic record information systems for health, SIRES, and establishes the mechanisms for health service providers to register, exchange and consolidate information.
- NOM-035-SSA3-2012 establishes criteria and procedures that must be followed to produce, capture, integrate, process, systematise, evaluate and disclose health information.
- NOM-004-SSA3-2012 concerns clinical files, and establishes the mandatory scientific, ethical, technological and administrative criteria applicable to the preparation, integration, use, management, filing, conservation, ownership and confidentiality of the clinical record.
There are no specific privacy and/or data protection regulations relating to telehealth, other than the general data protection regulations, which provide that health data are sensitive data and therefore subject to tighter restrictions.
This being said, the telehealth regulations provide that compliance with the data protection regulations in Morocco is a condition for obtaining and keeping the prior authorisation to provide telehealth services.
There are no specific privacy and / or data protection laws applicable to the provision of telehealth services. In fact, there are no privacy and / or data protection laws in Namibia. The common law right to privacy of patients will apply.
As the provision of telehealth services entails the processing of personal data, such processing should comply with the General Data Protection Regulation and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). In addition, the Dutch Telecommunications Act (Telecommunicatiewet) could be applicable to the use of telecommunication services, depending on exactly how the telehealth services are carried out.
Yes, the processing of personal data in Nigeria is governed by the Nigerian Data Protection Regulation (2019) and the NDPR implementation framework as well as other guidelines developed by the National Information Technology Development Agency (NITDA).
The same laws that apply to the provision of all health services apply to telehealth, including:
- The Privacy Act 2020;
- The Health Information Privacy Code 2020 which includes rules for ‘health agencies’ in relation to the collection of health information, individuals’ rights to access and correct health information, and restrictions on the use of health information; and
- The Health (Retention of Health Information) Regulations 1996.
Regulation (EU) 2016/679 (the GDPR) applies. The GDPR has been implemented through the Norwegian Personal Data Act. In addition, there are several other sector-specific laws and regulations relevant to telehealth and personal data.
The Health Registry (Filing System) Act applies to the processing of health data for, e.g., statistical purposes, healthcare analysis, research and quality improvement, and contains requirements for the processing of health data in order to establish filing systems. These filing systems are thus not meant for treatment purposes.
A filing system is defined in GDPR Art. 4(1)(6), which the Health Registry Act references. Examples of Norwegian health filing systems are the Patient Registry, the Cause of Death Registry and the Cancer Registry. It is explicitly stated in the Act that data must be processed in accordance with GDPR Art. 5, and that the level of personal identification shall not exceed what is necessary for the concrete purpose. Data subjects have the right to access their health data in the filing systems.
The Medical Records Act applies to all processing of health data necessary for providing healthcare to individuals. This Act prohibits the acquisition of health data unless it is needed to provide healthcare to the individual, it is needed for administration purposes or there is a legal basis under applicable legislation. The patient is allowed to access his own health data and medical records (cf. GDPR Art. 13 and 15). Furthermore, medical records systems must be designed in such a way as to implement documented access control. Data subjects have a right to obtain information about who accessed their medical records (even within an organisation).
The Regulation on Electronic Software Standards in the Health Care Sector is implemented through the Medical Records Act, and contains requirements regarding use of software and application standards.
Further, the Health Care Profession Act is relevant for telehealth. This Act provides that healthcare professionals are obliged to erase patient data from patients’ medical records only if the data provides false information or if the data clearly is not necessary to provide healthcare. Unless a patient is opposed to it, healthcare professionals shall share health data with other healthcare professionals performing treatment on the patient. Healthcare professionals have a duty of confidentiality.
There are no specific regulations related to privacy in telehealth services; however, general privacy regulations are applicable, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), and the Polish Act on Personal Data Protection of 10 May 2018.
The majority of the relevant obligations are established in the GDPR, including a number of obligations of data controllers, rights of the data subject and legal bases for personal data processing. International data transfers are also regulated, with specific rules on extra-EEA transfers. Furthermore, the GDPR establishes specific rules on disclosing or entrusting the processing of personal data to third parties. All personal data processing activities related to the personal data of EU-based data subjects would need to be compliant with both the GDPR and any local regulations. Additionally, due to the special character of the personal data processed (i.e. health data), a high and up-to-date level of organisational and technical safeguards would need to be ensured, in line with Article 32 of the GDPR.
The collection and processing of personal data in this scope is governed by the following laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data ("GDPR");
- Law no. 58/2019 of 8 August, ensuring the execution of the GDPR;
- Law 12/2005 of 26 January on health and genetic data; and
- Law no. 26/2016 of 22 August on public sector data / information.
Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection ("Data Protection Law"). The Data Protection Law applies to personal data when this data is any of the following:
- Processed electronically;
- Obtained, collected or extracted in any other way in preparation for electronic processing; and
- Processed by combining electronic and traditional processing.
The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the Data Protection Law.
Personal data is defined under the Data Protection Law as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details.
Sensitive personal data means personal data consisting of information as to a natural person’s:
- ethnic origin;
- physical or mental health or condition;
- religious beliefs;
- relationships; and
- criminal records.
Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed necessary for a lawful purpose of the controller, or the third party to whom the personal data is sent.
There are no telehealth-specific data protection laws in Romania; however, more general privacy legislation may be relevant.
The main piece of legislation on the protection of personal data is Regulation (EU) 2016/679 (GDPR). The GDPR provides specific rules for the processing of data concerning health, which is classified as belonging to a special category of personal data.
Additionally, two national pieces of data protection legislation could also potentially impact the provision of telehealth services: (i) Law no. 190/2018 on implementing measures to Regulation (EU) 2016/679 ("Law 190/2018"), and (ii) Decision no. 174/2018 for establishing the list of the processing operations for which it is mandatory to perform a data protection impact assessment ("Decision 174/2018").
According to Law 190/2018, "the processing of genetic data, of biometric data or of health data for the purpose of automated decision-making or profiling is permitted with the explicit consent of the data subject or if the processing is carried out under explicit legal provisions, with appropriate measures protecting the rights, freedoms and legitimate interests of the data subject". Furthermore, "the processing of health data for the purpose of ensuring public health cannot be subsequently performed for other purposes by third entities".
Pursuant to Decision 174/2018, a data protection impact assessment is required inter alia in the following cases:
- The processing of personal data in order to perform a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Processing on a large scale of genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- Processing on a large scale of personal data of vulnerable persons, through automatic means of systematic monitoring and / or recording of behaviour;
- Processing on a large scale of personal data through the innovative use or the implementation of new technologies; and
- Processing on a large scale of data generated by devices with sensors that transmit data over the Internet or other means.
There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Russia, but general data protection rules would apply. These require any telehealth provider to ensure that any personal data of a patient is processed properly, with the patient's consent and / or based on an agreement with the patient, and that a copy of such data is stored in Russia (data localisation rules).
The practice of telemedicine must be compliant with the Saudi Health Information Exchange Policies ("SeHE"), including all relevant data security and privacy requirements, and must be compliant with interoperability frameworks and / or the US Health Insurance Portability and Accountability Act. The SeHE is a comprehensive document outlining various policies that govern, amongst others, the manner in which a patient’s health information must be protected and instances where such information is permitted to be disclosed.
HCPs, as per the Telehealth Regulation, are permitted access to a patient’s health information for the purposes of conducting telemedicine activities.
There are no specific data privacy requirements relating to telehealth, but the Protection of Personal Information Act, 2013 ("POPIA") would apply to the extent that the services involve the processing of personal information and the personal information is entered in a record (i.e. recorded). "Personal information" is widely defined and includes the personal information of identifiable natural persons and existing juristic persons. The processing of personal information entered in a record would need to comply with the eight conditions for lawful processing under POPIA, namely:
- Accountability (the responsible party must comply with the eight conditions for lawful processing);
- Processing Limitation (there must be a justification under POPIA for processing the personal information);
- Purpose Specification (the personal information must be collected for a specific, explicitly defined and lawful purpose);
- Further Processing Limitation (further processing must be compatible with the purpose for which it was initially collected);
- Information Quality (personal information must be accurate and kept up to date);
- Openness (Data subjects must be notified of certain information when processing their information, which would usually be in the form of a privacy notice);
- Security safeguards (appropriate reasonable technological and organizational measures must be implemented to safeguard the personal information and notifications of data breaches must be made to the Information Regulator and affected data subjects);
- Data Subject Participation (data subjects have the right to request access to information, to request the correction or deletion of personal information, to object to processing of personal information in certain circumstances, to submit a complaint to the Information Regulator and institute a civil claim for damages).
There is also a special category of personal information under POPIA known as special personal information (religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health; sex life; criminal behaviour; or biometric information). The processing of special personal information is generally prohibited unless the data subject consents to the processing, subject to limited exceptions.
Personal data is protected under the Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA"). In particular, advisory guidelines have been issued for the healthcare sector. While these are not specifically in relation to the telehealth sector, telehealth providers should familiarise themselves with, and abide by, these as well.
We would also highlight that telehealth service providers should, on top of the provisions set out in the PDPA, ensure that tighter security arrangements are put in place to protect the personal data in their possession, especially where the personal data is more sensitive and confidential (such as patients' medical records) and where the impact on an individual would be significantly more adverse if such personal data were inadvertently accessed.
The Act on Health Care stipulates the processing of personal data from medical documentation. At the same time, it also refers to the regulation stipulated in Act No. 18/2018 Coll. on Personal Data Protection, as amended, and the GDPR.
Slovenian data protection law is primarily subject to the EU General Data Protection Regulation ("GDPR"). Besides the GDPR, the following three Acts are relevant: the Slovenian Personal Data Protection Act, the Slovenian Patients' Rights Act, and the Slovenian Pharmacy Practice Act. These Acts provide basic and general protection of personal data in the health sector, but do not provide any specific regulations for the provision of telehealth services in Slovenia.
Nevertheless, Article 3(3) of the Slovenian Health Services Act stipulates that, in the case of a transmission over telecommunications networks, health documentation in the field of telehealth services shall be transmitted in accordance with the stricter rules that apply under the Slovenian Personal Data Protection Act to a specific type of personal data called "sensitive personal data" ("občutljivi osebni podatki"). In relation to the transmission of sensitive personal data or health documentation in the field of telehealth services, it should be noted that whenever sensitive personal data is transmitted over telecommunications networks, it has to be properly protected: cryptographic methods and electronic signatures have to be used in such a way as to ensure that the sensitive personal data is illegible or unrecognisable during transmission, pursuant to Article 14 of the Slovenian Personal Data Protection Act.
Telehealth services must be carried out in compliance with the current legislation on personal data protection. In particular, personal data processing must fulfil the obligations stated in the GDPR (Regulation (EU) 2016/679). At a national level, the Spanish Data Protection Act 3/2018 also applies.
There are no specific privacy and / or data protection laws that apply to the provision of telehealth services in Sweden. Instead, the use of personal data is governed by the General Data Protection Regulation (2016/679) ("GDPR") and, depending on the situation, supplementary legislation, including the Data Protection Act (2018:218), the Patient Data Act (2008:355) and the Pharmacy Data Act (2009:367).
There is no specific privacy / data protection law that applies to the provision of telehealth services. Therefore, the general Personal Data Protection Act B.E. 2562 (2019) ("PDPA") (which will be fully effective on 1 June 2022) will apply. The PDPA governs how personal data are regulated in Thailand.
The term "personal data" means "any data pertaining to a natural person that enables the identification of that person, whether directly or indirectly, but specifically excluding the data of the deceased". "Sensitive personal data" refers to personal data under Section 26 of the PDPA such as health data and biometric data. As sensitive personal data are sensitive in nature and susceptible to abuse, they are given a higher level of protection than personal data.
In the majority of cases, explicit consent is required for the collection, use and disclosure of sensitive personal data. The relevant lawful bases for processing personal data (as opposed to sensitive personal data) in the context of telemedicine without an individual's consent include, but are not limited to: (i) performance of a contract; and (ii) legitimate interest as prescribed under the PDPA. For the processing of sensitive data, the relevant lawful bases would include (i) vital interest (where the individual is incapable of giving consent for whatever reason); and (ii) legal compliance to achieve certain purposes such as public interest in public health or employment protection.
Additionally, the Notification puts emphasis on the confidentiality of data. Therefore, service providers must ensure that both the transmitter and the recipient are aware of this obligation, and service providers themselves must ensure that there is no loss or unauthorised disclosure of data during transmission. The IT system used for telemedicine must also be in line with the standards set out in the Electronic Transactions Act B.E. 2562 (2019) and the PDPA.
The UAE does not have a comprehensive data protection law at a federal level. There are, however, a number of laws in place that govern the collection and handling of personal data through telehealth services in the UAE.
Article 379 of Federal Law 3 of 1987 as amended ("UAE Penal Code") prohibits a person who, by reason of their profession, craft, situation or art, is entrusted with a "secret", from using or disclosing that secret without the consent of the person to whom the secret pertains, or otherwise than in accordance with the law. To mitigate the risk of a breach of Article 379 of the Penal Code, it is generally advised to obtain consent prior to the use or disclosure of any personal data, which would include any patient information obtained through a telehealth service.
Article 4 of the ICT Health Law imposes strict requirements around the circulation of patient information (in "authorised cases" only), as well as ensuring that it is protected from destruction or unauthorised amendment, alteration, deletion or addition. Article 16 of the ICT Health Law further requires that "whoever circulates information related to patients must abstain from using such information for non-health purposes", unless certain exceptions apply.
In addition, Article 20 of the ICT Health Law provides that patient information must be kept for a minimum of 25 years from the date on which the last health procedure was performed on the patient. This broadly worded obligation is not targeted at any particular category of individuals or entities (e.g. healthcare providers) and must therefore be assumed to apply to any entity which uses ICT in the healthcare sector, as per Article 2 of the ICT Health Law. This law extends to health insurance brokers and insurers, claims management services and electronic services in the medical field.
The Federal Telehealth Regulations set out a number of data protection related conditions for providing various health services remotely. Those include obligations to provide:
- a system for the protection of the data and registers related to the remote health services, and prohibiting any access thereto unless by the authorised persons;
- the necessary mechanisms for the protection of the privacy of the persons who received remote health services;
- servers in the United Arab Emirates for the storage and archiving of information as well as a backup;
- internet technologies and systems that meet the requirements of providing remote health services;
- the necessary means for the archiving of the entire registers and data related to the persons who received remote health services, in addition to the documentation thereof.
It is also stated within the Federal Telehealth Regulations that the "express consent" of those who receive such services is required, both to receive the service and to be recorded (by both audio and video).
At an Emirate Level, both the Dubai HA Standards and the AD DOH Standards include independent requirements relating to the protection and use of patient information.
In addition to the general requirements around the handling of health data found under DHCC Free Zone Health Data Protection Regulation No 7 of 2013, the DHCC Regulation contains requirements around the handling of patient information. Some of the key points are as follows:
- Patient information shall not be collected by unlawful means; or means that, in the circumstances of the case are unfair; or intrude to an unreasonable extent upon the personal affairs of the patient;
- Security incidents (i.e. data breaches) must be reported; and
- Patients must be issued a privacy notice at the point of data collection which meets certain requirements.
There are no specific data privacy requirements relating to telehealth; therefore, the usual principles of the General Data Protection Regulation ("GDPR"), as implemented and tailored by the Data Protection Act 2018, apply. Organisations engaging in telehealth will need to comply with the following seven key principles and ensure they have a lawful basis for processing:
- lawfulness, fairness and transparency;
- purpose limitation (i.e. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes);
- data minimisation (i.e. data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed);
- accuracy (and kept up to date);
- storage limitation (i.e. kept for no longer than necessary for the purposes for which the data is processed);
- integrity and confidentiality (security) (i.e. processed in a manner that ensures appropriate security of the personal data); and
- accountability (which requires organisations to have appropriate processes and records in place to demonstrate compliance).
Given that telehealth is likely to involve the processing of special category data (health data, genetic data, and biometric data where used for identification purposes), the provisions relating to special category data in the GDPR will apply.
Record keeping will be especially important, including the documenting of the categories of data. Organisations should also consider the interaction of the provisions on data minimisation, security, transparency, data protection officers and individual rights to access and erase records.
If the telehealth solution incorporates any artificial intelligence to support or make decisions about individuals (such as algorithms underpinning symptom checkers), then there are additional considerations, such as compliance with the Medical Devices Regulations 2002. The specific restriction in the GDPR on automated decision making (Article 22) may also apply in these cases, so it will need to be carefully addressed. We also highlight the general, non-sector-specific guidance on the use of AI that the Information Commissioner's Office ("ICO") has issued jointly with The Alan Turing Institute, which highlights the need to follow these principles:
- be transparent;
- be accountable;
- consider the context you are operating in; and
- reflect on the impact of your AI system on the individuals affected, as well as wider society.
These principles relate to providing explanations of AI-assisted decision making to individuals and supplement the data protection principles in the GDPR, so following them will enable organisations to follow "best practice" when explaining AI decisions.
Additionally, all healthcare staff have a duty of confidentiality in respect of all identifiable patient information, and thus the careful guidelines issued by bodies such as the British Medical Association and the General Medical Council should be adhered to, in addition to the normal data privacy regulations referred to above.
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is the prevailing federal law governing the use and disclosure of personal health information; however, this law applies only to individuals and entities meeting the definition of a "covered entity" or a "business associate" of a covered entity, leaving a substantial amount of personal health information not subject to HIPAA.
The Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR"), the federal agency charged with authority and enforcement over HIPAA, issued a Notice of Enforcement Discretion stating that it would not seek to impose penalties on providers for noncompliance with the regulatory requirements under HIPAA in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. In particular, OCR expressly permitted the use of "any non-public facing remote communication product that is available to communicate with patients", including Apple FaceTime, Google Hangouts, or Skype. However, the OCR released FAQs to help guide providers in adopting these technologies, including encouraging providers to notify patients that the use of these technologies potentially introduces privacy risks.
However, this enforcement discretion applies only during the public health emergency. Once lifted, the telehealth platform being used for the provision of telehealth services would need to be evaluated by covered entities and their business associates to confirm compliance with HIPAA. This would typically mean that the covered entity, for example, would need to enter into a business associate agreement with the platform provider (e.g., Zoom) and Zoom would be subject to HIPAA requirements as a business associate.
Outside of HIPAA, other state and federal laws may apply to the delivery of services via telehealth, including Section 5(a) of the Federal Trade Commission Act ("FTC Act") (15 USC §45) prohibiting "unfair or deceptive acts or practices in or affecting commerce", state data privacy laws (e.g., the California Consumer Privacy Act), state telehealth informed consent requirements, and state data breach notification laws.
Zimbabwean data and privacy laws are currently under development. The various data and privacy laws are still tabled in parliament and have not yet been promulgated into laws and statutes. However, the Constitution of the Republic of Zimbabwe provides its citizens with the right to privacy and this right, at times, is construed to also cover an individual’s medical information. As such, depending on the specific case, that law is usually widely interpreted to cover telehealth services as these address an individual’s medical conditions.
Is the use of telehealth permitted?
Yes, telehealth is permitted in Argentina.
How is telehealth regulated?
In 2019 the Argentine Ministry of Health published a guide of recommendations for the supply of ‘telehealth’ (Disposition No. 21/2019). The "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT" were prepared by a group of healthcare providers, coordinated by the Ministry of Health, with the objective of creating a guideline for the provision of telehealth in a safe, efficient and ethical way. Before the COVID-19 pandemic, this guide of recommendations was voluntarily applied by private health insurers that offered this type of healthcare, but compliance with it was not mandatory. However, this has changed since the COVID-19 pandemic and the lockdown measures adopted by the Argentine Government.
Currently, the Government has ratified the application of these recommendations for diagnosing and treating COVID-19 and other general diseases. Pursuant to the General Resolution No. 282/2020 of the Superintendency of Health Services ("Superintendencia de Servicios de Salud"), all private health insurers must employ and promote the use of teleconsultation platforms in order to provide healthcare treatments. In all cases, they must guarantee that the data and information collected from the patient through the use of teleconsultation platforms would be protected in the terms of the Law No. 25,326 of Personal Data Protection. Moreover, telehealth platforms must, in all cases, be subject to a subsequent audit to carry out an effective control by the Superintendency of Health Services.
Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?
Pursuant to Law No. 27,553, the healthcare services currently available through telehealth methods are: general practice, dentistry and collaborative activities related to them, and psychology. In all cases, these activities should be previously authorised by the competent authority and they should comply with the provisions of Law No. 26,529 of Patient Rights. These services are available through the use of proprietary platforms and general videoconferencing apps. As both forms are permitted, the platform used will depend on each particular case.
Currently, during the COVID-19 pandemic, private health insurers offer services related to general practice and the diagnosis and treatment of COVID-19 through the use of proprietary platforms such as apps and websites.
Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?
The public health system is free of charge but generally does not include telehealth services because it lacks the infrastructure to provide them. However, pursuant to Law No. 27,553 on electronic prescriptions of medicines and healthcare treatments, all healthcare providers of the public health system are empowered to provide them, and can issue electronic prescriptions.
Most private health insurers offer some telehealth services, such as appointments with a medical doctor via videoconference. No additional fees are charged to the patient, as this is typically covered by the health insurance policy.
Do specific privacy and/or data protection laws apply to the provision of telehealth services?
There are no data protection laws relating specifically to telehealth services. However, the Ministry of Health's guide of recommendations includes a section related to data protection and, in all cases, healthcare providers should comply with Law No. 25,326 of Personal Data Protection.
How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?
Pursuant to Law No. 25,326 of Personal Data Protection, the cross-border transfer of personal data of any kind is prohibited. However, this prohibition shall not apply in the following cases:
- International judicial collaboration;
- Exchange of medical data, when required by the treatment of the affected person, or an epidemiological investigation;
- Bank or stock transfers;
- When the transfer has been agreed within the legal framework of international treaties to which the Argentine Republic is a party; and
- When the transfer is aimed at international cooperation between intelligence agencies to fight organised crime, terrorism and drug trafficking.
In all cases, for the transfer of data, the owner’s consent is required.
Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?
Yes, as discussed in Availability of Telehealth, the Ministry of Health has published the "Recommendations for the use of telehealth: meeting between the health professional and the patient using real-time ICT".
Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?
The government has recommended that public and private healthcare providers implement and promote the use of teleconsultation platforms in order to provide essential health services. Moreover, further regulations will be issued to implement Law No. 27,553 as discussed in Regulation of Telehealth.