Justice Ministry announces new privacy protections for medical data


The Justice Ministry’s Privacy Protection Authority announced a first-of-its-kind policy on patient medical privacy earlier this week. 

The new policy document is aimed at strengthening patient privacy by introducing new regulations on the transfer and use of patient data.

The new policy targets recent innovations in data transfer that have complicated patient privacy, such as sending medical information over WhatsApp, Gmail, Telegram, or Signal.

Despite the convenience these technologies provide, transferring medical information and saving it using software and devices that are not intended for this purpose represents a significant challenge to patient privacy and raises concerns regarding the security of the information.

View of Israel’s Justice Ministry, containing the Attorney-General’s Office, in Jerusalem on March 20, 2018. (credit: MIRIAM ALSTER/FLASH90)

Privacy protection for patients

The document states that the transfer of medical information by non-designated means entails various risks to privacy, including but not limited to possible data leaks, inadvertent exposure of the information due to human error, possible theft of sensitive information, and the risk of misuse by commercial companies that provide infrastructure for information transmission.

The policy attempts to address these problems by reducing, as much as possible, the use of non-designated software (such as WhatsApp and Gmail) by employees of health and medical institutions for transferring identifiable medical information, while also avoiding saving identifiable patient information to private devices.

Health and medical institutions are required to make every effort to omit identifiable information such as name, ID number, facial image, or any other image that allows the patient to be identified.

The document recommends that data not be saved to private and non-designated cloud backup services such as Google Drive and Dropbox.

It also recommends stronger security protocols such as using a strong and complex login password for the devices, two-step verification, and biometric identification.

Organizations that use non-designated software must establish clear internal organizational policies regarding the storage and transfer of medical information, such as regular information deletion, a policy for using login passwords for devices, control over access privileges to information, and the like.