Data Security Obligations

Health information is “sensitive information” for the purpose of Privacy Act, and is afforded greater protection (express and implied) than other types of personal information.  The guidance from the Office of the Australian Information Commissioner (the Privacy Act regulator) provides that online health services and telehealth providers are "health service providers” within the meaning of the Privacy Act.

Other government and regulatory bodies have issued guidance which addresses the security of telehealth data.  For example, the Federal Department of Health has issued a "Privacy Checklist for Telehealth Services".  This checklist provides high level guidance on key obligations, including obtaining patient consent, disclosure of cross-border transfers, privacy notices, and ensuring that other "relevant measures" (such as end-to-end encryption, multi-factor authentication, etc.) have been adopted in accordance with guidance made available by bodies such as the Australian Cyber Security Centre.

The TeleHealth Commission (see Availability of Telehealth) has presented a recommendation, which mainly comprises:

• a catalogue of criteria for the evaluation of telehealth services in terms of prioritisation, including the application of these evaluation criteria to identify specific telemonitoring projects in the areas of diabetes and cardiovascular diseases that have the greatest potential for introduction into mainstream care, and

• a list of questions on possible business or organisational models for the roll-out of telehealth services into mainstream care, including answers to these questions for the areas of diabetes and cardiovascular disease. A corresponding directive issued by the Ministry of Health has been adopted which deals with the technical implementation of telehealth.

Yes, please refer to Regulation of Telehealth.

Currently, there are no general codes of conduct on the use of telehealth systems and/or security of telehealth in Belgium. Telehealth is subject to the general ethical, legal and deontological rules inherent to the practice of medicine. However, the NCOP has issued specific guidelines with regard to teleconsultations, as described under the chapter about telehealth regulation.

Not yet. As mentioned above, the ANPD is now in operation and it is important to monitor its activities in relation to such matter.

No.

Provincial medical and / or dental Colleges may publish their own guidance documents or codes of conduct related to the use of telehealth systems in Canada.

For example:

• the Royal College of Dental Surgeons of Ontario published "COVID-19: Guidance for the Use of Teledentistry", which includes requirements for the implementation of teledentistry in Ontario; and
• the Royal College of Physicians and Surgeons of Canada (the "Royal College") has a helpful resource page providing links to telemedicine and virtual care guidelines for each province. The Royal College has also published a "Virtual Care Playbook" to help Canadian physicians introduce virtual patient encounters into their daily practices, including video visits through phone calls and patient messaging.

The Ministry of Health has issued several manuals and instructions for the implementation of the program in 20 Health Services throughout the country. Further, the Ministry of Health in 2018 published the Guide for the "National Program for Telehealth" (as discussed above).

Moreover, the regulations issued by the health emergency, such as Resolution No. 54/2020 or Circular No. 7/2020 (discussed above), have incorporated certain standards of conduct applicable to the provision of telehealth services, such as the information that must be given to patients when scheduling a time for care, the places where health personnel must provide telehealth to safeguard the confidentiality and protection of patient data, and the protection and safeguarding of patient clinical record and background, among others. Furthermore, it is necessary to keep in mind the principles of legislation 21180, which we have previously highlighted, when it comes to health data security.

Also, private organisations have been working on guides with good practices in telemedicine, particularly considering the fact the COVID-19 pandemic has provoked an increase on telehealth consultations. In this sense, in April 2020, the National Centre for Health Information Systems ("CENS") produced a document "Good practices and recommendations during the pandemic in Chile", which consists of:

• clinical recommendations for teleconsultations;
• basic recommended assets and safety of patients’ data;
• operational recommendations, for providing a successful telemedicine service;
• recommendations concerning the physical site where the telehealth service is going to be provided;
• technical recommendations related to the quality of technological systems;
• ethical and legal recommendations for the implementation of teleconsultations, and process for obtaining the patients’ consent during the pandemic; and
• particular considerations for Public and Private Health Systems in Chile

No specific codes of conduct for medical professionals has been instituted for provision of internet healthcare services. The medical professionals are expected to comply with the general laws and regulations governing their profession, including PRC Law on Licensed Physicians and Regulation on Nurses.

Yes, Resolution 2654 of 2019 set general rules regarding the security of the platforms and communication mechanisms used for the provision of telehealth services (as mentioned in Regulation of Telehealth). Moreover, the data privacy regulation and medical records regulation mentioned in Cross-border data transfer shall be applied.

According to publicly available information, there are no official guidelines adopted by Croatian authorities exclusively for telehealth – i.e., on how to provide health services. Therefore, general guidelines on privacy and the code of ethics for health workers adopted by Croatian authorities and guidelines of EU authorities are most relevant.

There are no applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in the Czech Republic.

The Danish Health Authority has issued codes of conduct regarding the criteria and requirements for operators of essential services within the healthcare sector. The Danish Health Authority has also issued a "checklist" and guidelines for evaluation of telehealth projects.

Separately, the Danish Health Data Authority has issued codes of conduct on how to gather telehealth data from citizens’ own measurements of health data at home.

Valvira and the Ministry of Social Affairs and Health ("STM") have issued guidance on telemedicine services, which includes e.g. the following:

• Telemedicine service providers must have access to suitable premises and equipment (including telecommunications) as well as appropriately qualified staff.
• The services must be clinically appropriate and take account of patient safety.
• Systems used to transmit and store patient information must meet the relevant legal requirements on confidentiality as well as data protection and security. Service providers are responsible for ensuring that the appropriate data protection and security arrangements are in place for the purpose of transferring data and processing personal information.
• Informed patient consent must be obtained.
• Healthcare professionals must carefully assess whether the services they provide are suitable for delivery by telehealth / telemedicine. For example, telemedicine is not appropriate for healthcare purposes, including clinical investigations, where a physical examination is required or for consultations that may lead to the patient’s right to self-determination being curtailed.
• Healthcare professionals are also required to assess whether telemedicine is appropriate for the patient as an individual.
• The patient must be identified using a reliable method. One such method is "strong electronic identification", as set out in the Act on Strong Electronic Identification and Electronic Signatures (617/2009). It must be possible to verify the method used retrospectively.
• Practitioners must keep appropriate records and maintain the patient register in accordance with relevant legislation.
• Where required, the patient must be given the opportunity for a face-to-face consultation or they must be directed to an alternative service provider.
• Healthcare service providers must compile and update a self-monitoring plan on their services as set out in the Order (3/2021, THL/4309/4.09.00/2021, only in Finnish) given by the Finnish Institute for health and welfare (Valvira). Private sector healthcare providers must compile and update a self-monitoring plan on their services as set out in the Order (2/2012, Dnro 7018/00.01.00.2012) given by Valvira.

French authorities have further published guidelines to facilitate the implementation of telehealth. In particular:

• The French National Health Authority (Haute Autorité de Santé, the “HAS”) published a set of guidelines and specific information memo (e.g., a memo intended for professionals on teleconsultation and tele-expertise, a good practice guide on teleconsultation and tele-expertise, a good practice guide on tele-care, information sheet intended for patients regarding teleconsultation and tele-care);
• The French National Health Insurance (Assurance Maladie) published a Charter of teleconsultation good practices.

The German Medical Associations ("BÄK") and the German Psychological Psychotherapists Association ("BPtK") have published the updated Model Professional Code for Physicians in Germany ("MBO-Ä") and the Model Professional Code for Psychological Psychotherapists and Child and Youth Psychotherapists ("MBO-P"), respectively, which now also include regulations relating to telehealth.

The German data protection supervisory authorities have not yet issued publications on the provision of telehealth services. The German Federal Commissioner for Data Protection and Freedom of Information ("BfDI") published two brief recommendations regarding telehealth services in the 28th Annual Activity Report on Data Protection (2019) of which only one is addressed to telehealth providers.

In the Activity Report, the BfDI recommends the implementation of a differentiated roles and rights management for electronic medical records. On a more general note, the BfDI comments that the processing of sensitive health data in large volumes in a digital environment requires a high level of data protection and data security and that patients must retain control of their own data. In his 29th Annual Activity Report, the BfDI expressed doubts about the lawfulness of some of the provisions of the German Social Code Book V ("SGB V") regarding the electronic patient record (“elektronische Patientenakte”), mainly due to the design of the access management and the access to the electronic patient record via mobile devices and the regulations on compulsory electronic medical prescriptions (“elektronisches Rezept”). The German Data Protection Conference (“Datenschutzkonferenz”), the coordinating body of all German supervisory data protection authorities, has already expressed similar concerns during the legislative procedures concerning the German Patients Data Protection Act (“PDSG”).

The Personal Data Protection Authority has not issued any specific code of conduct on the use of telehealth systems and / or the security of telehealth data in Greece.

The Medical Council of Hong Kong has issued the Guidelines, with supplemental Questions and Answers issued in March 2022 that should be read in conjunction with the Guidelines (the “Q&As”). The Guidelines and Q&As are not legislation in Hong Kong. However, doctors registered in Hong Kong are expected to adhere to them, and contravention of the Guidelines may render them liable to disciplinary proceedings.

Among other things:

• Article 21 of the Guidelines provide that any telemedicine service must be provided as part of a structured and well-organised system and the overall standard of care delivered by the system must not be less compared to a service not involving telemedicine. A Hong Kong registered doctor should receive proper training on the use and operation of the system. The doctor must also ensure that the device to be used in the system is fit for its purpose and with high stability.
• Articles 13 and 29 of the Guidelines provide that, when practising telemedicine, Hong Kong registered doctors owe the same professional responsibilities in respect of medical record keeping as for in-person consultation with patients, and should adhere to well-established principles and standards guiding privacy and security of records and informed consent.
• Article 34 of the Guidelines expressly provides that Hong Kong registered doctors must aim to ensure that patient confidentiality and data integrity are not compromised. Data obtained during a telemedical consultation must be secured through encryption and other security precautions must be taken to prevent access by unauthorised persons.

We are not aware of any such code of conduct.

The use of videoconferencing with telehealth services must comply with the HSE IT policy and standards.

The Health Information and Quality Authority ("HIQA") is responsible for developing standards for information structures and assessing compliance with those standards. The HIQA has published a Guide to the HIQA’s review programme of eHealth services in Ireland in October 2019.

The HIQA has also created national standards which apply to certain treatments, and are compulsory. Further, a number of the HIQA’s publications are recommended best practice for telehealth services, including:

• Recommendations for the national, community-based ePrescribing programme in Ireland (2018);
• Recommendations regarding the adoption of SNOMED Clinical Terms as the clinical terminology for Ireland (2014);
• Recommendations for a Unique Health Identifier for Individuals in Ireland (2009) Guidance;
• Guidance on Terminology Standards for Ireland (2017);
• Guidance on Messaging Standards for Ireland (2017); and
• Overview of Healthcare Interoperability Standards (2013).

The Data Protection Commission has not published any specific guidance on telehealth.

The MoH Guidelines only include a general statement concerning the need to comply with applicable privacy laws in using telehealth systems.

Moreover, the Italian Data Protection Authority issued Decision no. 55 of 7 March 2019 on ‘Clarifications on the enforcement of the rules for the processing of health data in the health sector’, which also mentions processing of health data in the context of telehealth services. 

Yes, Indonesian Doctors Association Regulation No. 74 of 2020 and the code of conduct of Indonesian medical code of ethics issued by the Indonesian Doctors Association.

Yes, the following guidelines are the main codes of conduct for telehealth service providers.

• Guideline 1: "オンライン診療の適切な実施に関する指針" issued by MHLW;
• Guideline 2: "新型コロナウイルス感染症の拡大に際しての電話や情報通信機器を用いた診療等の時限的・特例的な取扱いについて" issued by MHLW. This guideline is issued by MHLW in response to the COVID-19 pandemic and the measures stated in this guideline are temporary; and
• Guideline 3: "医療情報を取り扱う情報システム・サービスの提供事業者における安全管理ガイドライン" issued by the Ministry of Economy, Trade and Industry. This guideline is intended for service providers, and provides guidance regarding the storage of medical information and risk management process.

All the above-mentioned guidelines are only available in Japanese.

The Kenya Standards and Guidelines for mHealth Systems require mHealth systems to ensure that clients' data is handled in a secure manner by putting in place mechanisms that will guarantee privacy, confidentiality, integrity, availability and non-repudiation at all times. Thus, the systems must be secure from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording and destruction. It is also a requirement that the data must be secure both, in transit and when archived.

In addition, the DPA requires all organisations to implement technical and organizational measures to ensure the security and integrity of personal data, which is broadly defined to include health data.

No competent authorities have published any codes of conduct on the use of telehealth systems and / or security of telehealth data in Kuwait.

As mentioned above, the Luxembourg government published specific rules relating to teleconsultation in the context of the COVID-19 pandemic and a code of conduct on the organisation of the health system during the COVID-19 pandemic.

Not that we are aware of. But, despite the fact that telehealth is not specifically regulated in Mexico, given the Data Privacy Law, those responsible for the processing of personal data must observe the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and responsibility and personal data must be collected and processed in a lawful manner. Likewise, the Regulations of the General Health Law regarding the Provision of Medical Care Services, NOM-004-SSA3-2012 (concerning the clinical files), and NOM-035-SSA3-2012 (regarding health information), describe how the information contained in the clinical record is handled under the principles of discretion and confidentiality, principles that must also be followed in telehealth.

Not applicable.

No, there are currently no applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in Namibia. 

On a EU-wide level, the Code of Practice for Telehealth Services in Europe has been launched, which provides a benchmark standard against which telehealth service providers could be accredited.

The EU-wide NIS2 Directive imposes stricter cyber security requirements across sectors that are vital for our economy and society and that rely heavily on ICT, such as healthcare. Operators of essential services in the vital sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents.

Save for the general applicable laws on data protection (i.e. the NDPR), there are no specific codes of conduct in relation to telehealth systems and or the security of telehealth data in Nigeria. That said, health data constitutes sensitive personal data under the NDPR and the latter imposes more stringent measures where such data is concerned. For instance, organizations that process sensitive personal data in the regular course of their business are required to do the following:

1. Develop security measures to protect the data being processed; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
2. Report any data breaches within 72 hours of becoming aware of such breach.

Also, entities that process such data must obtain explicit consent for undertaking processing and adhere to all other principles of data processing in accordance with the NDPR.

The Medical Council of New Zealand has issued a statement on telehealth which applies to doctors who are in New Zealand and / or overseas and provide health services to patients in New Zealand. Statements issued by the Medical Council have the status of standards for doctors. The Medical Council published updates on its COVID-19 response, including around prescribing and telehealth, and has published Use of the Internet and Electronic Communication guidance. The Medical Council also recently finished receiving submissions on a telehealth consultation, although the findings are yet to be released.

The New Zealand Ministry of Health has dedicated digital health information on its website including telehealth, and cloud computing health information. The Ministry has online tools to help manage patients and reporting obligations during COVID-19, and recently produced advice to help providers minimise information and technology risk while delivering health services via messaging, telehealth and virtual technology remotely.

The Health Information Standards Organisation (a committee operating under the authority of the Ministry of Health) is the governing body for health information standards in New Zealand.  Relevant to telehealth systems and/or security of telehealth data are:

• Videoconferencing Interoperability Standard HISO 100049.1
• Videoconferencing Endpoint Naming Scheme HISO 10049.2
• Connected Health Network Connectivity Standards HISO 10037
• Health Information Security Framework HISO 10029

Various professional bodies also publish guidelines and position statements on the use of telehealth in New Zealand.  This includes:

• The Royal New Zealand College of General Practitioners (a non-regulatory professional body), which issued a position statement focused on specialised GP telehealth consultations through phone, video and secure messaging. The College has a page of telehealth resources in response to COVID-19.
• The Royal Australian & New Zealand College of Psychiatrists has issued Professional Practice Guidelines for telepsychiatry. The College has provided updates for psychiatrists using telehealth for the first time in response to COVID-19, and has links to technification specifications for telepsychiatry.
• The Dental Council of New Zealand, which issued telehealth guidelines in dentistry during the COVID-19 alert level response (with guidelines remaining in force).

The Telehealth Leadership Group (a non-regulatory group) which is part of the NZ Telehealth Forum & Resource Centre, has general privacy of patient information advice and has offered some initial guidance to health providers as they rapidly adapt to providing telehealth services due to COVID-19, with information on privacy and security. The forum provides ongoing updates.

The Directorate for eHealth regularly publish and update a reference catalogue which provides an overview of mandatory and recommended standards for the health and care service, as well as other requirement documents such as technical specifications.

In particular, we highlight Normen, which is the industry Code of Conduct for IT security prepared and managed by organisations and companies in the health sector. This is a code of conduct that has been developed over the years and is applied to healthcare systems in the public healthcare system and systems that interacts with the public healthcare system. However, please note that this code of conduct has not yet received official status as a code of conduct according to GDPR Art. 40.

N/A

here are no official codes of conduct; however, certain aspects of telehealth are regulated in the law, e.g. in the Regulation of the Minister of Health of 12 August 2020 on the organisational standard of teleporting in primary healthcare.

Not specifically for telehealth. However, a Health Sector Privacy Guide was made available by SPMS – Serviços Partilhados do Ministério da Saúde, EPE ("SPMS") in order to provide information to SNS entities in relation to health sector data protection main aspects and Teleconsultation ´s Best Practices Guides for health professionals and patients has been published.

No.

We are not aware of the existence of such public codes of conduct.

As discussed in Availability of Telehealth, on 30 November 2017, the Russian Health Authority adopted the Order No. 965n "On Endorsement of the Order of Providing Medical Assistance with the Aid of Telemedicine Technologies" which sets out the requirements for providing medical services with the aid of telemedicine technologies.

Yes, see Regulation of Telehealth.

No, there are currently no applicable codes of conduct on the use of telehealth systems in South Africa, however section 19 of POPIA regulates the security and confidentiality of personal information generally. In terms of section 19 of POPIA a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.

In order to give effect to the above the responsible party must take reasonable measures to:

• identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
• establish and maintain appropriate safeguards against the risks identified;
• regularly verify that the safeguards are effectively implemented; and
• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Please refer to the guidelines set out in Regulation of Telehealth.

No.

According to publicly available information, there are no official guidelines adopted by Slovenian authorities exclusively for telehealth services. Therefore, general guidelines on privacy and code of ethics for health workers adopted by Slovenian authorities and guidelines of European Union authorities (such as European guidelines on confidentiality and privacy for health workers) shall apply.

No competent healthcare authority has published a code of conduct on a national basis. However, the Spanish Medical Association envisages telehealth in its Code of Ethics in the following terms:

• Where the clinical practice through consultation exclusively by letter, telephone, radio, newspapers or the internet, is contrary to ethical standards. The correct practice inevitably involves personal and direct contact between doctor and patient.
• In the event of a second opinion and medical check-ups, the use of email or other means of virtual communication and telehealth are allowed, whenever clear mutual identification and privacy are ensured.
• Patient guidance systems through telehealth or telephone consultation are consistent with medical ethics when used exclusively to help decision-making.

Furthermore, given the exceptional health emergency resulting from the COVID-19 pandemic, the Central Deontology Commission of the General Council of Official Medical Associations has published a document titled "Telemedicine in the Medical Act", which states, among other things, that in certain circumstances, such as the current COVID-19 pandemic, medical e-consultation may substitute for and sometimes complete the face-to-face medical act if face-to-face is not possible.

Therefore, the use of telematic means will comply with Medical Deontology, provided that there is consent by the patient, it is adapted to the deontological precepts applicable to the doctor-patient relationship, and the rights and safety of the patient is considered.

Regulations which do not apply specifically to the provision of telehealth services, but i.a. regulate healthcare providers' processing of personal data apply. The National Board of Health and Welfare has issued "Regulations and general advice on record keeping and processing of personal data in healthcare" ("Socialstyrelsens föreskrifter och allmänna råd om journalföring och behandling av personuppgifter i hälso- och sjukvården (HSLF-FS 2016:40)"), which includes provisions on information security, as well as guidance on how to apply the aforementioned provisions ("Handbok vid tillämpningen av Socialstyrelsens föreskrifter och allmänna råd (HSLF-FS 2016:40) om journalföring och behandling av personuppgifter i hälso- och sjukvården"), available (only in Swedish) here and here.

Moreover, different regions may have issued guidance/policies regarding information security when providing telehealth services.

In addition, the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap) ("MSB") has issued "Regulations and general advice on information security for operators of essential services" ("MSBFS 2018:8 föreskrifter och allmänna råd om informationssäkerhet för leverantörer av samhällsviktiga tjänster"), available (only in Swedish) here. These regulations apply to operators of essential services, as defined in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so-called NIS1 Directive), and set out a framework for the systematic and risk-based information security work that must be carried out by such operators.

Other than those discussed above, there is currently no other applicable codes of conduct on the use of telehealth systems and/or security of telehealth data.

In addition to the AD DOH Standards and the Dubai HA Standards, there are also a number of policies and standards which apply exclusively within the DHCC:

• DHCC Teleradiology Policy (7 May 2019);
• DHCC Teleconsultation Policy (18 May 2019);
• DHCC Telehealth Standard (6 December 2017); and
• Dubai Health Care City Rule No. 1/2018.

The DHA has also issued a set of "Guidelines for Informed Patient Consent", which set out best practice for obtaining consent in the healthcare sector.

The UK’s Medicines and Healthcare Products Regulatory Agency is responsible for regulating apps, smartphone-connected devices and wearable technologies which constitutes a medical device and has published useful guidance which helps organisations distinguish between simply a technology-enabled care device and a medical device falling under the UK Medical Devices Regulations 2002 (as amended).

Under its Security Rule, HIPAA requires three types of safeguards to ensure data security—administrative, physical, and technical—which range from requirements surrounding risk assessments and staff training on security, to alarm systems for physical locations that contain protected health information, to data encryption, and audit controls of systems that contain protected health information.

Beyond these safeguards, which apply to both telehealth services and in-person care, HIPAA also requires covered entities and their business associates to report data breaches of unsecured protected health information to Department of Health and Human Services Office for Civil Rights, all impacted individuals, and in the case of large breaches (over 500 individuals), the media.

As noted above, the FTC has authority under Section 5(a) of the FTC Act (15 USC §45), which prohibits "unfair or deceptive acts or practices in or affecting commerce", which has included actions taken against companies for unreasonable security practices.  In addition to federal law, certain state laws may also set security standards as it relates to certain personal information.

Further, many state licensing boards have released policies or codes relating to the practice of telehealth, including with respect to privacy and security standards. For example, the Federation of State Medical Boards, which does not have any regulatory authority but generally supports the licensing policies and efforts of the various state medical and osteopathic licensing boards, released a Policy on the Appropriate Use of Telehealth, which includes informed consent requirements and privacy/security standards.

There is no specific code of conduct on the use of telehealth systems and/or security of telehealth data in Zambia. However, there are strict ethical demands placed on relevant parties under the Health Provisions Act No. 24 of 2009 which, undeniably, extend to telehealth systems and/or security of telehealth data.

Yes, the Policy on International Telemedicine PCC/35/14 provides the requirements for practitioners residing outside Zimbabwe who intend to provide telemedicine in Zimbabwe. A summation of this policy is that it requires practitioners to be registered with the MDPCZ for 12 months, be employed by an overseas facility that has a contract with a health provider in Zimbabwe, ensure that they are qualified and experienced in their specific clinical setting and be supervised by the Clinical Director of the Zimbabwean Health Facility employing them.

Moreover, the Policy on Telemedicine of July 2022 provides a more extensive scope covering consent, patient confidentiality, provision of clear advice, suitability of devices and software as well as standards of practice in Telemedicine. The policy also provides information on when a physical examination is necessary, the prescription of medication via telemedicine and the requirement of digital training is applicable to the usage of Telemedicine in general.