Patient Rights Regulations Memorandum

On January 6, 2020, ITPI released a letter to the Digital Health Division of the Israeli Ministry of Health regarding the “Patient Rights Regulations Memorandum.”

In the past few years, the State of Israel has been striving to conduct research on digital health information in various ways and seeks to apply a universal and updated government policy to balance the right to research and information, while simultaneously respecting the patients’ rights to health and privacy. The Israeli Ministry of Health’s “Patient Rights Regulations Memorandum,” as part of the National Digital Health Plan, attempts to reach such a balance.

Using the “Privacy by Design” methodology (PbD), the Israel Tech Policy Institute’s position regarding this proposal is that it represents an achievable balance between two basic human rights, privacy, and health, and is also constitutional under Israel’s Basic Law of Human Dignity and Liberty. The “Patient Rights Regulations Memorandum” is proportionate and reasonable, and constitutes a series of compromises that embodies a necessary response to the constant technological changes of our era.

The “Privacy by Design” methodology is a set of privacy policy principals, creating a process that puts privacy in the forefront from the start of the project. They also offer an evaluation procedure, used ultimately to find a compromise between two competing human rights principles. In the case of “Patient Rights Regulations Memorandum,” the government strives to choose the necessary measures and processes to improve the quality of health-care and the advancement of medical research, while at the same time, formulating rules for maintaining confidentiality and privacy of information and protecting people’s rights. Between these two poles is a policy that will be placed at some point on balance, which represents the price we are willing to risk for the benefit we expect to gain.

The Privacy by Design analysis of the “Patients Rights Regulation Memorandum” concluded that the Government took into consideration the right to privacy, examined the risks, and devised solutions to mitigate the potential risks and vulnerabilities. Multiple suggestions and recommendations were also given to better comply with privacy guidelines. Some suggestions are:

The arrangement is based on a distributed group of Internal boards in the health organizations (Sick Funds, Hospitals, Army and Prison system) that will include experts and public representatives. They will evaluate the risk analysis and mitigating measures to be applied and will decide whether to approve the access request.

A risk assessment analysis should be performed on every application for access to patient health data for research and use approved if the expected benefit from the study outweighs the risk

Appropriate measures should be taken to reduce the risk of re-identifying people using different types of anonymization and encryption

Health organizations must make binding contractual arrangements with researchers, enforce them, and sanction those who violate procedures

An obligation to examine the purpose of the research in the requested information, and to conclude whether the use of the data is beneficial to the health of the individual or the public, will contribute to improving the quality of health care or medical research, or the promotion of human knowledge in the health field

Data approved should be minimized to research applicant actual need

The default will be giving access to the data in a virtual research platform controlled by the health organization. Releasing data to a researcher outside the health organization should be under the proof of significant circumstances not allowing for the use of the virtual platform and considerable gains to health by the research

The arrangement is a product of a 3-year process that included a multi-stakeholder National Health Council research, consultation and recommendations process

A full listing of the recommendations ITPI has made to the memorandum can be found in our full report.

On December 25, 2019, ITPI, with the Zvi Meitar Institute at IDC Herzliya, conducted a multi-stakeholder roundtable discussion on the suggested policy, and the implementation of the arrangement on hypothetical cases of health information requests. All sides of the debate, academia and industry researchers, health organizations, security experts and policymakers, came together to discuss their respective thoughts on the issue. 

The researchers commented that the anonymization and encryption of information present difficulties in cross-referencing data on patients. That the study of big data and artificial intelligence inherently requires for large data bodies in scope and cannot be limited in scope, and that Israeli bureaucracy and regulation demands that the researcher’s identity be Israeli and the research conducted in Israel, which limits the scope of research and international collaboration.

Health professionals contributed their concerns, mostly the difficulties of navigating the policies and regulations and recommend for the establishment of a central state infrastructure in which all the information of the health organizations can be concentrated. Policymakers added their concern regarding their requirement of strict due diligence, a lack of ranking for sensitive information, and the need for an appeal mechanism.

The entire ITPI report, in Hebrew, can be downloaded here.