In October 2019, the Israel Ministry of Health published draft regulations regarding the use of personal health information for research purposes. (Article is in Hebrew.) These regulations are intended to set the legal framework for the use of health data for research purposes while striving to balance the desire to encourage and promote collaboration and research on health data with the need to protect the privacy and confidentiality of health data to improve the quality of medical care and advance medical research. Since the publication of the draft regulations, the COVID-19 pandemic and current political situation in Israel have stalled the operation of government bodies.
The draft regulations propose the adoption of an approval mechanism for the performance of research in health data, like the existing mechanism established in connection with the approval of clinical trials in humans, rules for privacy and confidentiality protection, and implementation of technological and organizational tools and means adapted to research in data.
They differentiate between three categories of data: identifying data, identifiable data and deidentified data. Additionally, the regulations introduce new definitions for health information and identifying components.
Under the proposed regulations, health information is now defined as the “medical information … relating indirectly to the state of physical or mental health of a person or to the medical treatment, including information about the patient's behavior that may affect the state of health, physical or mental, or treatment.” An identifying component is information that includes unique characteristics of an individual, including any of the following: first and last name, ID number, driver's license number, another identifying number granted by a government authority or a health organization, facial photograph, personal contact information and payment means.
Identifying data is defined as health information that includes an identifying component. Identifiable data constitutes health information about a certain person, which does not include an identifying component but could, with a reasonable amount of effort, be used to identify that person, including through cross-referencing with information contained in other databases. Deidentified data is information that underwent a deidentification process (in accordance with Regulation 13 of the regulations), and, in the context of the relevant research, the information cannot be used to identify that person with a reasonable amount of effort.
The draft regulations also define the scope of use for a research purpose as the use of health information for research purposes, including granting access or transferring health information to a third party but excluding:
- Use for the purpose of providing medical treatment or service to the data subject.
- Transfer of data to which the data subject has given consent.
- Transfer of data where there is a legal obligation to transfer the data.
- Where the ethics committee has approved the transfer for reasons of the protection of public health.
- The transfer of data between public entities.
The general principle established by these regulations is that health information cannot be used for research purposes unless approved by a research use committee, in accordance with the guidelines set in the regulations.
Limitations on the use of health information
The use of health information for research purposes would be limited to the use of deidentified data only while implementing data minimization by the organization conducting the research.
Using health information for research purposes will only be approved by the committee for a specific purpose and only if the benefit of the use exceeds the risk of violating the data subject’s privacy.
Under the proposed framework, access to health data would be granted only to those with access authorizations, and the data shall not be transferred to any third party.
Right to opt out
A data subject is entitled to opt out of using their health information for research purposes at any time through a national opt-out mechanism managed by the Ministry of Health.
Obligations of health organizations
Under the proposed regulations, health organizations are obligated to meet the data protection standards applicable to databases classified at the high data protection level (databases that contain the personal data of more than 100,000 data subjects or have more than 100 people with access authorizations to the database), including after the data has been identified.
Health organizations would be required to ensure that individuals granted access to health information for research purposes have knowledge of the regulations. Alternatively, an individual may be granted access if the recipient has fulfilled certain obligations under the regulations, including maintaining confidentiality of the information and agreeing not to engage in identifying data subjects.
Under the regulations, health organizations would be required to appoint an internal officer whose responsibilities include handling complaints regarding the use of health information for research purposes, inspecting deficiencies in the organization's research activities, reporting such deficiencies to the organization's management and recommending remedial actions.
The research use committee would also create an independent privacy protection office and data analyst and not include individuals affiliated with the organization's research unit or who may have a conflict of interest.
Additionally, the regulations require the formation of a national committee for the use of health information for research purposes. The national committee will discuss and approve the use of health information for research purposes across several health organizations, activities on a national level, or matters of special interest or public importance.
The draft regulations provide much-needed clarity and structure in the relatively unregulated field of secondary uses of health information. The regulations apply well-established privacy and data principles, such as data minimization and purpose limitation, and implement safeguards, such as deidentification and the right to opt out, to the processing of health information.
The question remains whether such extensive changes to the legislative framework are appropriately addressed through regulations as opposed to an amendment by the Israeli Parliament, the Knesset, to the Patient's Rights Law. The principal issues and far-reaching implications of the regulations require, in the opinion of certain privacy professionals (the undersigned included), a more substantial legislative process and constitute another example of Israeli ministries' attempt to bridge gaps in Israel's privacy regime through regulations instead of striving for a comprehensive legislative process in the Knesset with the adequate participation of relevant stakeholders.
It is likely that, after the pandemic, there will be new perspectives regarding the draft regulations, emphasizing the public and government interests in the collection and processing of health data in public emergencies and shifting the focus from the individual's control of personal data to lawful processing in the public interest. When and how the draft regulations are passed and enacted will be determined once government activities return to normal.