Israel: PPA publishes policy document on patient privacy in transfer by digital means

On March 3, 2024, the Privacy Protection Authority (PPA) announced that it had published a policy document on the protection of patient privacy in the transfer of medical information by digital means. In particular, the PPA stated that the policy document is intended for organizations, medical authorities, and institutions that provide health services and clarifies the duties that apply to them along with instructions and recommendations.

More specifically, the policy document highlights that the medical sector uses digital means for transferring information about patients, including sending pictures on social media or the results of a medical examination via email. The PPA states that even though such digital means are convenient, they represent a significant challenge to privacy and information security, including:

  • the possibility of data leaks;
  • inadvertent exposure of the information due to human error;
  • possible theft of sensitive information; and
  • the risk of misuse by commercial companies that provide infrastructure for information transmission.

What are the key recommendations?

To ensure the protection of patient privacy and address the risks, the policy document recommends: 

  • reducing the use of non-designated software - that is, software not intended for transferring medical information - and avoiding saving information on personal devices;
  • maintaining the confidentiality of the patient's identity - only the minimum necessary medical details should be transmitted;
  • adequate security - installing software to protect information and improving security by using a strong and complex login password for the device, two-step verification, etc.;
  • fast transfer to dedicated software - once the intended goal of the transfer has been achieved, moving the medical information to the dedicated medical systems as soon as possible, in accordance with the guidelines of the Ministry of Health and the medical institution, then deleting it from the device and from the memory of the software that is not intended for transferring medical information, and ensuring it is not saved in private cloud back-up services such as Google Drive or Dropbox; and
  • establishing a clear organizational policy - covering issues such as the deletion of information, the use of login passwords for devices, control over access permissions to information, etc.

You can read the press release here and the policy document here, both only available in Hebrew.
