Secondary health data use in research has the potential to improve the lives of individuals, as well as transform health care systems and health-related science and innovation.
However, without clear restrictions and protections, sharing sensitive health data can pose significant risks to individuals. To advance research while seeking to minimize risks, the Israeli Ministry of Health just published a framework draft for public consultation.
During the 1980s and 1990s, Israel’s public health care was a global pioneer in implementing information systems. The use of those systems created extraordinary capabilities and opportunities on a global scale to improve patient care and promote innovation.
In March 2018, the Israeli Government passed Resolution 3079, calling for a national program for the promotion of Digital Health as a means of improving health and as a growth engine, and for removing barriers by responding to these challenges comprehensively. Among the draft regulations’ objectives is balancing the desire to encourage and promote research collaboration in health data with the requirement to protect the privacy and confidentiality of medical data.
The resolution outlines specific principles for drafting legislation on the secondary use of health data, including a proper purpose of use, respect for the right to privacy and medical confidentiality, a requirement for transparency and ongoing public disclosure, a prohibition on discriminating against a community or group, and a call to provide access to health data for social solidarity.
The draft regulations offer an approval mechanism for conducting health data research. This mechanism involves examination by a professional and internal ethical committee and setting standards for approvals. The regulations propose a privacy protection model based on three complementary circles – normative, technological, and procedural. The regulations apply to health organizations, most of which are subject to the regulatory authority of the Ministry of Health, but also apply to the IDF and the Prison Service.
The regulations define health data very broadly as information that directly or indirectly relates to a person’s overall health or physical health, including information on behavior that may affect health status, such as fitness and habits. Anonymized data is defined as health data that has undergone a process approved by the internal committee for a particular research use, such that, under the circumstances of that research use, it is not possible, with reasonable effort, to re-identify the data subject.
The regulation prohibits anyone from researching health data unless it is anonymized, and permits use of only the minimum data needed to achieve the desired research purpose. Any application will require the internal committee’s approval. The internal committee will approve an application only if the expected research benefits outweigh the risk that the anonymized data will infringe the privacy of the patients. The patient will have a right to object at any time to the use of health data concerning him or her.
The health organization will be required to comply with strict information security obligations and public disclosure duties. The organization will have to establish an internal committee comprising health, privacy, security, law, and bio-ethics professionals as well as public representatives. The committee will perform a risk assessment and consider various aspects of the research and the researcher.
The regulation calls for implementing the best professional de-identification methods available at the time, using a technique that is relevant to the type of data and the purposes of the research, subject to the estimated risk to privacy. The de-identification process is intended to reduce the identification risk while retaining the data essential for conducting the research.
The regulations aim to provide anonymized data to researchers in a secure research environment controlled by the health organization, as opposed to the data being transferred out of the organization’s premises. However, the National Committee can allow the transfer of health data outside the health organization’s premises, but only in exceptional, justified circumstances and under some strict conditions. Among them is the requirement that the researcher be an Israeli resident or a company registered in Israel.
The research should significantly contribute to the advancement and improvement of medical research, and the researcher should possess unique technological or research capabilities. However, such transfer can only be allowed to a datacenter inside Israel’s geographic borders.
The Israeli Ministry of Health will also release a guideline for health organizations that will elaborate on the criteria for conducting the risk analysis and evaluating the various de-identification techniques.
ITPI will be convening stakeholders to discuss the regulations and plans to file comments.