Privacy and Data Protection

Is the use of telehealth permitted?

Yes. However, it is important to note that Colombian regulation differentiates between telehealth ("telesalud"), being any activity related to health, services and methods, delivered using ICT, and telemedicine ("telemedicina"), which is the delivery of health services including prevention, diagnostic, treatment and rehabilitation of diseases and injuries, by health services providers using ICT. The definition of "telesalud" provided by the Colombian law compresses the concepts of telemedicine and health tele-education in health matters.

How is telehealth regulated?

Telehealth is governed by Law 1419 of 2010, which allows the provision of health services in this manner, and Resolutions 2654 and 3100 of 2019, issued by the Ministry of Health. These rules set out specific requirements and standards to be fulfilled in order to provide telehealth. These requirements are related to the compliance with data protection regulation, as well as the security and reliability of the platforms (ICT) used for telehealth (see below).

As any other health services, the provision of telehealth requires the prior authorisation of the local authority. For this purpose, the provider is required to demonstrate that it complies with the minimum standards in relation to infrastructure, management of clinical records, human resources, medicine and medical devices, among others. However, as a result of the COVID-19 pandemic, through Decree 538 of 2020, authorised health services providers can request transitory authorisation from the Ministry of Health to provide services in different conditions or new services that they were not previously authorised to provide (e.g., telemedicine).

These laws and requirements are in addition to the applicable laws and regulations that govern the authorisations necessary to provide health services generally.

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

Telehealth has always been available for the provision of health services of any specialty. However, it is important to note that in 2022 the Ministry of Health issued an assessment and balance of the use of telehealth and telemedicine in Colombia, which stated that the most required specialties are: general medicine, psychology, internal medicine, pediatrics, nutrition and dietetics, gynecoid-obstetrics, dermatology, orthopedics, traumatology, nursing, psychiatry, neurology, physiotherapy, cardiovascular diagnostics and cardiology.

In any case, the provision of telehealth services requires prior authorisation granted by the local health authority. This authority will verify that the provider complies with the requirements for the provision of the specific health service, as well as the provision through telehealth.

Resolutions 2654 and 3100 of 2019 regulate four kinds of telehealth:

• Interactive: Real-time services provided via video call. Video calls can only be recorded with the prior and express consent of the patient, and such recording shall be included in the patient’s medical records.
• Non-interactive: Asynchronous communication for the provision of health services.
• Tele-expertise: Asynchronous or synchronous communication for the provision of health services. It can take place between:
  • two healthcare professionals in which one provides in presence attention while the other provides remote assistance;
  • a healthcare professional that provides remote assistance and a nonprofessional healthcare provider (such as technician, technologist or assistant) that provides in presence attention to the patient; or
  • healthcare professionals meeting in medical boards.
• Telemonitoring: The relationship between healthcare professionals and patients, through a technological infrastructure that records and transfers medical data and allows healthcare professionals to maintain monitoring of the patient status.

In each of the above instances, the law requires specific mechanisms for communication with the patient. The mechanism used must comply with the following rules:

• It shall ensure the information security, and particularly personal data protection, is in accordance with the applicable law. The used platforms need to have mechanisms that control access to protected information, have security certificates and encryption algorithms.
• The used platform shall comply with interoperability standards regarding the content and the data exchange.
• The provider shall ensure the reliability, integrity and availability of the information collected, generated or transferred.

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

Yes, the Colombian public healthcare system states that any person shall have access to a public basic plan which includes the provision of telehealth services.

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Cross-border transfer of any personal data (including telehealth data) is forbidden by law, unless it is made to a country which offers adequate levels of data protection (as defined by the Colombian data protection authority).

To date, the following countries have been declared to have adequate levels of data protection: Australia, Austria, Belgium, Bulgaria, Costa Rica, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, the Republic of Korea, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, Norway, Peru, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, the United Kingdom and the United States, and the countries that has been declared as the ones with adequate protection standards by the European Community.

The above mentioned prohibition does not apply in certain cases, including when the data subject authorises the cross-border transfer, or in the case of medical data where required for health or public hygiene reasons.

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Yes, Resolution 2654 of 2019 set general rules regarding the security of the platforms and communication mechanisms used for the provision of telehealth services (as mentioned in Regulation of Telehealth). Moreover, the data privacy regulation and medical records regulation mentioned in Cross-border data transfer shall be applied.

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

On February 13th, 2023 the Colombian government submitted before the House of Representatives of the Congress of the Republic a health reform bill, which aims to improve and strengthen the General Social Security Health System and guarantee the provision of health services as a universal right through 5 axes:

1. Creation of a network of Primary Care Centers (in Spanish, Centros de Atención Primaria - CAP) in the country with a focus on preventive and preventive medicine.
2. Assignment of the execution of Primary Care resources to the Health System Resources Administrator (in Spanish, Administradora de los Recursos del Sistema de Salud – ADRES).
3. Improvement of working conditions for health workers.
4. Construction of a public online information system to ensure transparency of resources.
5. Reform of the Health Provider Entities – (in Spanish, Entidades Promotoras de Salud – EPS).

Regarding the provision of telemedicine and telehealth services, the bill contains dispositions aimed to the Ministry of Health for it to regulate technically and operationally the information and communication technology systems for the provision of these services, as well as to propose the technological architecture that will support them. It also introduces guidelines for health care providers for them to guarantee medical care through the use of technological tools and telehealth.

Thus, although this bill has yet to go through the entire legislative process, if approved, it could introduce modifications to the provision of health services in Colombia, including telemedicine and telehealth services.